CVE-2026-52908
The CVE-2026-52908 entry concerns the Linux kernel RDMA path and a compatibility issue during rereg_mr. The root cause is that if IB_MR_REREG_ACCESS changes from RO to RW, the umem must be re-evaluated to ensure proper RW pinning. The fix adds a per-driver hook ib_umem_check_rereg() (to be called...
CVE-2026-55884
Technical details for CVE-2026-55884 are not publicly available in the provided documents. The entry is reserved/placeholder. Monitor for future updates for description, affected products, impact, and remediation.
CVE-2026-55883
Technical details for CVE-2026-55883 are not publicly available in the provided documents. Monitor for updates as additional information is released.
CVE-2026-55882
Technical details for CVE-2026-55882 are not publicly available in the provided documents. No affected products, root cause, impact, or remediation details are provided. Monitor for updates.
CVE-2026-9143
CVE-2026-9143 describes an incorrect conversion between numeric types in NI grpc-device due to missing range checks in CodeGen, potentially discarding high bits when a size value exceeds the target type’s range. Affected: NI grpc-device ≤ 2.17.0. Metrics: CVSSv3.1 base 3.7 (LOW); CVSSv4.0 base 6....
CVE-2026-54762
Technical details are not publicly available in the provided documents. Monitor for updates.
CVE-2026-12104
Bondix by SIMA GmbH (Linux) up to version 1.25.7.5 is affected by an authenticated OS command injection in environment and tunnel configuration handling. An attacker with configuration write access can pass crafted values to server-side scripts to execute arbitrary OS commands. The vulnerability ...
CVE-2026-9142
NI grpc-device versions prior to 2.17.0 are affected by an insecure default credentials vulnerability when TLS configuration is absent and the server binds beyond the loopback interface. This could allow unauthenticated access to the server on the local network. No exploit details or fixes are...
CVE-2026-48141
NI grpc-device contains a memory leak in BeginSidebandStream that may lead to denial of service via memory exhaustion. Affected product: NI grpc-device 2.17.0 and earlier. The provided documents do not specify an available fix or remediation; no exploitation details are provided. Monitor for upda...
CVE-2026-54051
Technical details for CVE-2026-54051 are not publicly available in the provided documents. No affected products, root cause, or remediation are specified. Monitor for updates and additional disclosures.
CVE-2026-48140
NI grpc-device contains an unchecked enum cast vulnerability in BeginSidebandStream affecting version 2.17.0 and earlier. The issue allows triggering invalid enum states and undefined behavior, potentially leading to a denial of service. Exploitation requires sending a specially crafted message w...
CVE-2026-48139
CVE-2026-48139 describes a NULL pointer dereference in NI grpc-device’s data moniker service that may allow a remote attacker to cause a denial of service by triggering a crash. Exploitation requires providing an unknown value to the data moniker service; affected versions are NI grpc-device 2.17...
CVE-2026-49872
CVE-2026-49872 involves an improper authentication flaw in the Apache APISIX cas-auth plugin. When the plugin is used in a route, an attacker may authenticate using credentials from a different source, potentially bypassing proper identity checks. Affected versions are 3.0.0 through 3.16.0 of API...
CVE-2026-49871
The CVE-2026-49871 entry describes a CSRF vulnerability in the cas-auth plugin under default configurations, affecting Apache APISIX releases 3.0.0 through 3.16.0. A remote attacker who can lure a victim to a controlled webpage can cause the victim’s browser to be authenticated as a different ide...
CVE-2026-47341
CVE-2026-47341 describes an authentication bypass in Apache APISIX due to a capture-replay flaw in the hmac-auth configuration. The issue allows an attacker to reuse a token indefinitely, bypassing expiry, with affected versions 3.11.0 through 3.16.0. The advisory recommends upgrading to 3.17.0, ...
CVE-2026-48895
Apache APISIX versions 3.0.0–3.16.0 are affected by an Open Redirect vulnerability that can be triggered by manipulating certain client headers, potentially exposing session tokens. Remediation: upgrade to version 3.17.0 (fix applied in that release).
CVE-2026-48138
CVE-2026-48138 affects NI’s grpc-device streaming API and is an out-of-bounds read caused by a missing bounds check. Affected versions are NI grpc-device 2.17.0 and earlier. The vulnerability can lead to denial of service when an attacker sends a specially crafted write request. Exploitation deta...
CVE-2026-4027
CVE-2026-4027 affects FlexNet Manager Suite 2025 R1 and R2, where insufficient access control could allow unauthorized access to attachment files. The vulnerability is described as an access-control weakness that could expose attachments to users without proper privileges. The description and met...
CVE-2026-49231
CVE-2026-49231 describes an Authentication Bypass by Spoofing in the APISIX opa plugin. Affected software: Apache APISIX versions 3.5.0 through 3.16.0. Root cause: spoofed identity headers relayed to upstream due to non-default configuration in the opa plugin. Impact: an attacker could assume hig...
CVE-2026-49230
CVE-2026-49230 affects Apache APISIX via the jwe-decrypt plugin in default configuration, causing authentication bypass. Vulnerable versions: 3.8.0–3.16.0. Mitigation: upgrade to version 3.17.0 or later, which fixes the issue. Original descriptions confirm the flaw as Improper Validation of Integ...
CVE-2026-44915
CVE-2026-44915 is an open redirect vulnerability in Apache APISIX caused by an unsanitized cookie value in the cas-auth plugin. Affected versions are 3.0.0 through 3.16.0. The issue can enable phishing/credential theft. Mitigation: upgrade to version 3.17.0, which contains the fix.
CVE-2026-44087
CVE-2026-44087 describes an insufficient verification of data authenticity in Apache APISIX related to the openid-connect plugin under default configuration. The vulnerability allows an attacker to spoof identity headers, enabling unauthorized access to protected resources. Affected versions are ...
CVE-2026-49357
CVE-2026-49357 affects line-desktop-mcp (LINE Desktop MCP). In --http-mode, the MCP server binds to 0.0.0.0 and exposes the /mcp endpoint without MCP authentication, enabling any network client on the port to initialize a session, list tools, and call tools that read LINE Desktop chat history or ...
CVE-2026-47339
Affected software: Apache APISIX (versions 2.14.1–3.16.0). Vulnerability: Incorrect Authorization in the authz-casdoor plugin, allowing an attacker to authenticate using credentials from another source under default configuration. Impact: Authentication bypass vector in practice; upgrade required...
CVE-2026-44046
Apache APISIX is affected by CVE-2026-44046 due to a Less Trusted Source vulnerability in the wolf-rbac plugin under default configuration. Affected versions: 1.2.0 through 3.16.0. Attackers can pollute logs by spoofing identity information and potentially abuse IP-based access control rules. The...
CVE-2026-39999
CVE-2026-39999 affects Apache APISIX (v2.2–v3.16.0) via the jwt-auth plugin. The issue enables an authentication bypass by spoofing due to a JWT algorithm confusion/configuration, allowing a network attacker with no privileges to bypass auth (NONE -> HIGH impact on confidentiality/integrity). ...
CVE-2026-48137
Summary: CVE-2026-48137 is an untrusted pointer dereference in the NI grpc-device sideband streaming API affecting NI grpc-device 2.17.0 and earlier. An attacker can cause an arbitrary memory dereference and potentially remote code execution by sending a specially crafted Moniker protobuf message....
CVE-2026-39998
CVE-2026-39998 is an Improper Input Validation vulnerability in Apache APISIX. The issue arises from a configuration issue in the forward-auth plugin that allows spoofing of identity headers. Affected versions are APISIX 2.12.0 through 3.16.0. The advisory recommends upgrading to version 3.17.0...
CVE-2026-4026
The CVE-2026-4026 entry affects FlexNet Manager Suite 2025 R1. An authenticated user with read-only access to account settings can escalate privileges to Administrator. The issue has a CVSS 4.0 base score of 8.7 (HIGH) with attack vector Network, low attack complexity, and no user interaction req...
CVE-2026-44939
An input validation flaw in Rancher Manager's import endpoint (/v3/import/{token}_{clusterId}.yaml) allows command injection via unsanitized YAML parameters in versions prior to 2.14.2. Impact: remote attackers could break out of the container image and execute arbitrary code inside containers. R...
CVE-2026-50242
JetBrains Hub is affected by an authentication bypass vulnerability in versions listed (before 2026.1.13757; 2025.3.148033; 2025.2.148048; 2025.1.148120; 2024.3.148430; 2024.2.148429). The issue allows bypass via direct database access, leading to administrative access. The CVSS metrics indicate ...
CVE-2026-56141
JetBrains Hub contains a critical vulnerability (CVE-2026-56141) allowing account takeover via predictable restore codes in multiple releases prior to 2026.1.13757 (including 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, 2024.2.148429). The CVSS 3.1 base score is 9.8 (CRITICAL) with...
CVE-2026-56142
In JetBrains Hub, prior to 2026.1.13757, and across versions 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, 2024.2.148429, there is a privilege escalation vulnerability described as: attaching authentication details to accounts enables elevation of privileges. The sources (NVD, CVE l...
CVE-2026-53915
CVE-2026-53915: In JetBrains GoLand prior to 2026.1.3, remote code execution is possible through untrusted project configuration. According to CVSS 3.1 data, the vulnerability has a base score of 7.1 (HIGH) with network attack vector, no privileges required, user interaction required, and both c...
CVE-2026-12706
CVE-2026-12706, in FFmpeg’s RASC video decoder, is a heap use-after-free in the decode_move() path. The decoder initializes a read pointer into a decompressed buffer, but the buffer is reallocated during move-table processing, leaving the pointer dangling. An attacker could craft an AVI file wit...
CVE-2026-11941
Cloudflare Quiche contains two use-after-free flaws in the FFI path for connection IDs. The issues affect the quiche_connection_id_iter_next and quiche_conn_retired_scid_next functions, where an owned ConnectionId is returned to the application via an argument but is dropped at the end of the func...
CVE-2026-41156
CVE-2026-41156 concerns GPU DDK where a CPU-thread driver frees a memory page used by a GPU firmware thread, causing a write-after-free (UAF) due to the GPU still accessing the resource. The issue references a SYNC_PRIMITIVE_BLOCK firmware address without holding a reference in the kernelfirmware...
CVE-2026-34192
CVE-2026-34192 affects GPU driver components (GPU DDK) where MMU page tables are freed without proper cleanup in an error path, allowing a non-privileged user to trigger use-after-free of physical memory. The issue is caused by _MMU_AllocLevel error recovery paths that leave dangling page table e...
CVE-2026-8296
CVE-2026-8296 affects Octopus Server. Affected versions permit embedding a Cross-Site Scripting (XSS) payload via artifacts when an attacker has high privileges and certain access levels; exploitation requires user interaction. CVSSv4 base score 5.6 (MEDIUM); attack vector NETWORK; attack complex...
CVE-2026-56023
The CVE entry CVE-2026-56023 is connected to a Broken Access Control vulnerability in the WordPress plugin “UPI QR Code Payment Gateway for WooCommerce” (versions
CVE-2026-56025
Affected product: WordPress Paymob for WooCommerce plugin. Vulnerability: Broken Access Control in versions ≤ 4.1.2. The connected document confirms the issue is a security flaw in the plugin, discovered by Sajjad Haqi. No root-cause details or exploit information are provided beyond the classifi...
CVE-2026-56014
Affected software: WordPress Master Slider plugin (versions <= 3.11.2). Vulnerability: Cross Site Scripting (XSS). Discoverer/credit: Kinorth (João Pedro S Alcântara). The issue is described in the connected PatchStack entry for Master Slider
CVE-2026-56013
Summary: The connected source reports an Insecure Direct Object References (IDOR) vulnerability in the WordPress Plugin License Manager for WooCommerce, versions ≤ 3.0.15. Details on root cause, impact, and mitigation are not provided in the documents; no remediation is specified. Monitor for upd...
CVE-2026-56005
The CVE entry relates to a Cross Site Scripting (XSS) vulnerability in the WordPress WP Activity Log plugin, affected <= version 5.6.3.1. The connected PatchStack entry attributes the vulnerability to discovery by the researcher “daroo.” The description in the CVE initial document is reserved/...
CVE-2026-54844
The connected document identifies a Broken Access Control vulnerability in the WordPress CheckView Automated Testing plugin, affecting version
CVE-2026-56011
CVE-2026-56011: Connected data shows a Cross Site Scripting (XSS) vulnerability in WordPress Plug-in MapPress Maps for WordPress, versions
CVE-2026-11576
The CVE-2026-11576 entry concerns eclipse-threadx NetX Duo. The issue arises from a refactor of error handling in the HTTP server PUT path, where a unified cleanup path unconditionally calls fx_file_close() even if no file was successfully opened. Multiple error branches jump to the shared cleanu...
CVE-2026-56010
The connected Patchstack entry identifies a Privilege Escalation vulnerability in WordPress Abandoned Cart Pro for WooCommerce plugin (versions
CVE-2026-56138
CVE-2026-56138 affects the AIL framework. A path traversal vulnerability exists in the /objects/item/diff endpoint, where an authenticated user can supply item identifiers via the s1 and s2 query parameters. Before the fix, the service could read gzip-compressed files accessible to the AIL proces...
CVE-2026-46461
Dell Server Hardware Manager, versions prior to 3.2.2, contains an Improper Access Control vulnerability. A low-privileged attacker with local access could potentially exploit this to achieve Elevation of Privileges (CVE-2026-46461). Root cause: improper access control in the service/component ha...