📄 V8 BigInt String Conversion Stress Test Conceptual Sandbox

This is a V8 Sandbox Escape vulnerability in BigInt::Allocate where buffers are shuffled outside the sandbox. The vulnerability allows for writes outside the boundaries of the allocated buffer within the sandbox outbound write by manipulating data during the MultiplyFFT process...

📄 Vienna Assistant 1.2.542 macOS Privilege Escalation

A macOS helper service interface implemented via NSXPC was observed exposing methods that may allow privileged operations such as file writing and command execution through a remote proxy connection...

CVE-2026-7039 tufantunc ssh-mcp index.ts shell.write command injection

A security vulnerability has been detected in tufantunc ssh-mcp up to 1.5.0. The affected element is the function shell.write of the file src/index.ts. Such manipulation of the argument Description leads to command injection. The attack must be carried out locally. The exploit has been disclosed...

CVE-2026-7039 tufantunc ssh-mcp index.ts shell.write command injection

A security vulnerability has been detected in tufantunc ssh-mcp up to 1.5.0. The affected element is the function shell.write of the file src/index.ts. Such manipulation of the argument Description leads to command injection. The attack must be carried out locally. The exploit has been disclosed...

CVE-2026-7039

The CVE-2026-7039 issue affects tufantunc ssh-mcp up to version 1.5.0. The vulnerability is tied to the function shell.write in src/index.ts, where manipulation of the Description argument enables command injection. The exploit requires local access. Public disclosure exists and the vendor has no...

KVM: x86: Use scratch field in MMIO fragment to hold small write values

...

BinExploit-Bench

BinExploit-Bench: Binary Exploitation Capability Benchmark for...

PT-2026-35222

A security vulnerability has been detected in tufantunc ssh-mcp up to 1.5.0. The affected element is the function shell.write of the file src/index.ts. Such manipulation of the argument Description leads to command injection. The attack must be carried out locally. The exploit has been disclosed...

SSH MCP Server 注入漏洞

SSH MCP Server is a tool developed by Tufan Tunç for remotely executing Shell commands via SSH. Versions of SSH MCP Server 1.5.0 and earlier have a vulnerability due to improper handling of the Description parameter in the shell.write function of the src/index.ts file, which may lead to command...

zrok: WebDAV drive backend follows symlinks outside DriveRoot, enabling host filesystem read/write

Summary The zrok WebDAV drive backend davServer.Dir restricts path traversal through lexical normalization but does not prevent symlink following. When a symbolic link inside the shared DriveRoot points to a location outside that root, remote WebDAV consumers can read files and—on shares without...

CVE-2026-41681

A flaw was found in rust-openssl, a library providing OpenSSL bindings for the Rust programming language. The EVPDigestFinal function, used for cryptographic hashing, can write past the end of its intended output buffer if the buffer is too small. This out-of-bounds write can corrupt the program'...

CLSA-2026-1776956583 bzip2: Fix of 2 CVEs

CVE-2019-12900: fix out-of-bounds write in BZ2decompress when many selectors are present - CVE-2016-3189: fix use-after-free in bzip2recover...

CVE-2026-41166

OpenRemote is an open-source internet-of-things platform. Prior to version 1.22.1, a user who has write:admin in one Keycloak realm can call the Manager API to update Keycloak realm roles for users in another realm, including master. The handler uses the realm path segment when talking to the...

CVE-2026-23751

Kofax Capture, now referred to as Tungsten Capture, version 6.0.0.0 other versions may be affected exposes a deprecated .NET Remoting HTTP channel on port 2424 via the Ascent Capture Service that is accessible without authentication and uses a default, publicly known endpoint identifier. An...

SUSE CVE-2026-31598

In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix possible deadlock between unlink and dioendiowrite ocfs2unlink takes orphan dir inodelock first and then ipallocsem, while in ocfs2dioendiowrite, it acquires these locks in reverse order. This creates an ABBA lock...

PT-2026-37189

Name of the Vulnerable Software and Affected Versions zrok versions prior to 2.0.2 Description The zrok WebDAV drive backend davServer.Dir restricts path traversal through lexical normalization but fails to prevent symlink following. If a symbolic link within the shared DriveRoot points to a...

CLSA-2026-1777070517 Fix CVE(s): CVE-2026-33900, CVE-2026-33905

SECURITY UPDATE: integer truncation in VIFF encoder leading to out-of-bounds heap write - debian/patches/CVE-2026-33900.patch: add truncation check before AcquireVirtualMemory call in WriteVIFFImage in coders/viff.c - CVE-2026-33900 SECURITY UPDATE: out-of-bounds read in SampleImage via...

CVE-2026-41473

CyberPanel before 2.4.4 is affected by an authentication bypass in the AI Scanner worker API endpoints. The endpoints /api/ai-scanner/status-webhook and /api/ai-scanner/callback allow unauthenticated remote writes to the database, enabling storage exhaustion DoS, corruption of scan history, and p...

CVE-2026-31607

A flaw was found in the Linux kernel's USB/IP subsystem. A malicious USB/IP server could exploit a vulnerability in the usbippackretsubmit function by sending a specially crafted RETSUBMIT response. This response, containing an oversized numberofpackets value, could cause a heap out-of-bounds...

CVE-2026-41475

BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.4.3, an out-of-bounds read vulnerability in bacnet-stack's WritePropertyMultiple service decoder allows unauthenticated remote attackers to read past allocated buffer boundaries by sending a truncated W...