CVE-2026-48982

CVE-2026-48982 affects pam_usb prior to version 0.9.2, where updating a one-time pad file creates a temporary file with open() lacking O_EXCL, enabling a race between concurrent processes to update the same pad. This non-atomicity can cause the stored pad to diverge from expectations, potentially...

CVE-2026-48981

The CVE-2026-48981 issue affects pam_usb for Linux, where in versions prior to 0.9.2 the module loads its configuration via xmlReadFile() with flags=0. This allows libxml2 to process external entity references (XXE) during XML parsing, potentially causing outbound network connections or local fil...

CVE-2026-48716

CVE-2026-48716 involves nanobot prior to version 0.1.5.post4, where the WhatsApp bridge (bridge/src/whatsapp.ts) constructs a filesystem path from documentMessage.fileName without sanitization. The code concatenates a prefix with the raw fileName and passes it to path.join(mediaDir, outFilename),...

CVE-2026-47846

Bitnami Cassandra container images are affected by a retained default superuser vulnerability: when CASSANDRA_USER is customized, the init script creates a new superuser but may not drop the built-in cassandra account, leaving cassandra:cassandra active as an unintended access path. This can allo...

CVE-2026-47847

Bitnami MariaDB Galera container images and Helm chart are affected by a hardcoded default credential in the Galera replication health-check user. The environment variables MARIADB_REPLICATION_USER and MARIADB_REPLICATION_PASSWORD default to monitor and monitor , granting the user REPLICATION CLI...

CVE-2026-12390

CVE-2026-12390 affects AzeoTech DAQFactory versions 21.1 and prior. A Type Confusion vulnerability can be exploited by an attacker using specially crafted .ctl files to achieve code execution. The available documents confirm the affected product and the underlying flaw mechanism, but do not provi...

CVE-2026-47833

The CVE-2026-47833 issue affects bpm-release (all versions prior to v1.4.30). A compromised process inside a bpm container can trigger setupBpmLogs to follow a symlink for bpm.log, then perform chown on a host file to the user vcap, enabling container-to-host privilege escalation via the host’s /...

CVE-2026-48937

A vulnerability in Node.js HTTP/2 server API can cause servers to continue accepting data after sending a GOAWAY frame. Affected release lines are Node.js 22 and Node.js 24. The issue is documented across multiple feeds (NVD, CVE-2026-48937 and HackerOne report) and is addressed in the June 2026 ...

CVE-2026-55392

CVE-2026-55392 affects NILFS utilities up to version 2.3.0. The root cause is nilfs_sb_is_valid() not validating s_log_block_size in the NILFS2 superblock before bit-shift operations, enabling undefined behavior from oversized shifts and potential out-of-memory conditions that can crash tools lik...

CVE-2026-9692

Summary (CVE-2026-9692): Mojolicious::Sessions::Storable in Perl versions up to 0.05 generates insecure session IDs. The default generator seeds a SHA-1 hash with a mix of low-entropy sources: built-in rand, epoch time, heap address of an anonymous hash, and the process ID, making IDs predictable...

CVE-2026-54390

Technical details are not publicly available in the provided documents. Monitor for updates from the connected sources.

CVE-2026-48985

pam_usb (Linux hardware authentication) contains a NULL dereference in pusb_is_loginctl_local() when parsing loginctl output in versions ≤ 0.9.1. If the Remote field is just a newline, strtok_r(...) returns NULL and a subsequent strcmp(is_remote, "no") dereferences NULL, causing undefined behavio...

CVE-2026-48986

CVE-2026-48986 affects pam_usb (Linux hardware authentication with removable media). In versions up to 0.9.1, the usb_get_process_parent_id() routine can cause an infinite loop DoS because it does not initialize *ppid on failure. In pusb_local_login(), the same variable is reused in a process-tre...

CVE-2026-54319

Technical details for CVE-2026-54319 are not publicly available in the provided documents. Monitor for updates; the initial description indicates the candidate is reserved with no published details.

CVE-2026-48984

pam_usb for Linux (affected: v0.9.1 and earlier) has a memory handling flaw where xfree() frees buffers without zeroing contents, potentially leaving sensitive data (including one-time pad bytes) in freed heap memory. On systems with use-after-free or heap inspection capabilities, this could perm...

CVE-2025-53114

Affected software: CometD server implementations. A vulnerability arises when clients consistently set ext.ack to 1 during /meta/connect while the acknowledgement extension is enabled, causing the unacknowledged message queue to grow without bound and potentially trigger OutOfMemoryError. Affecte...

CVE-2026-11982

Technical details about this CVE are not publicly available in the provided documents. Monitor for updates and refer to the cited references for any forthcoming specifics.

CVE-2026-55237

AutoGPT (signup page) is vulnerable in versions prior to 0.6.62 due to a DOM-based XSS flaw that trusts a URL parameter (next) passed to router.push. When an authenticated user opens a crafted link, a client-side redirect can execute arbitrary JavaScript in the victim’s browser, potentially enabl...

CVE-2026-48617

CVE-2026-48617 describes a flaw in Node.js permission model enforcement that allows bypass via path misvalidation in process.report.writeReport(), potentially affecting confidentiality and integrity under affected configurations. Affected: all supported Node.js release lines (22, 24, 26). Impact ...

CVE-2025-32437

CVE-2025-32437 affects AutoGPT prior to 0.6.63, specifically the MediaDurationBlock. The issue arises because MediaDurationBlock downloads and stores videos in a temporary directory without proper deletion, and StepThroughItemsBlock can iterate MediaDurationBlock multiple times, with no limit on ...

CVE-2025-32436

CVE-2025-32436 affects AutoGPT before version 0.6.63. The AddAudioToVideoBlock may download and store video and audio in a temporary directory without cleanup until all nodes complete, and there is no limit on disk usage or automatic deletion of the intermediate video after processing. Combined w...

CVE-2025-32424

AutoGPT contains a DoS vulnerability in ScreenshotWebPageBlock prior to version 0.6.63. When a user repeatedly screenshots many pages via StepThroughItemsBlock, there is no limit on loops or on disk space usage in the current working directory, allowing disk exhaustion. Version 0.6.63 patches thi...

CVE-2026-54106

CVE-2026-54106 affects the U.S. GAO EPDS and CBCA EDS login flow, where X-Forwarded-For headers are not validated. The underlying issue allows a remote attacker who has compromised administrator credentials to bypass network access controls and log in, potentially gaining access to restricted doc...

CVE-2026-54105

The CVE concerns CVE-2026-54105 affecting the GAO EPDS and CBCA EDS systems. The vulnerability arises from the update-profile/ API endpoint, where a remote, unauthenticated attacker can supply an arbitrary user_id and receive a JSON response containing account-specific information, including the ...

CVE-2026-54104

The CVE-2026-54104 entry covers a privilege escalation flaw in the U.S. GAO EPDS and CBCA EDS client authentication flow. The systems trust client-provided values for the epds_role_id parameter without verification, enabling a remote, authenticated attacker to raise their privileges. Affected com...

CVE-2025-32422

AutoGPT contains a DoS vulnerability in StepThroughItemsBlock leading to disk exhaustion via unbounded downloads to FileStoreBlock. Before version 0.6.63, StepThroughItemsBlock can iterate over an arbitrary list and trigger downloads to FileStoreBlock without limiting loop count, while FileStoreB...

CVE-2026-54103

CVE-2026-54103 affects GAO EPDS and CBCA EDS, where the /update-profile/N endpoint does not require authentication for password changes. The vulnerability allows a remote attacker to change an arbitrary user’s password without credentials. This result is supported by the CVSS data indicating high...

CVE-2026-56020

The CVE-2026-56020 affects the Webmin HTTP server (miniserv.pl). An unauthenticated attacker can bypass authentication by sending a forged HTTP header to impersonate any user who has an SSL client certificate configured, effectively spoofing certificate DNs to gain access. This is a network-based...

CVE-2026-56021

CVE-2026-56021 affects Webmin. An unauthenticated attacker can read contents of any .conf file in module directories because of a bypassable regex pattern, causing information disclosure (confidentiality impact: low). The CVSS metrics place it at Medium: CVSS v3.1 base score 5.3 (NETWORK, LOW com...

CVE-2026-56022

CVE-2026-56022 affects Webmin. The issue allows bypass of MFA by using basic authentication without session cookies when the attacker supplies the header User-Agent: webmin, enabling MFA bypass. The vulnerability is mitigated in Webmin 2.641. "Fixed in 2.641" from the advisory. No exploit details...

CVE-2025-32392

AutoGPT (workflow automation platform) contains a DoS vulnerability in the LoopVideoBlock before version 0.6.63, where looping a video has no resource limits. The attacker can set an unbounded number of loops, causing an excessively large video file to be written to disk and thereby exhaust disk ...

CVE-2026-55204

HAProxy CVE-2026-55204 affects HAProxy up to version 3.4.0. It describes a null pointer dereference in the function hpack_dht_insert (in src/hpack-tbl.c) that fails to validate the return value of hpack_dht_defrag() when the memory pool is exhausted. Under memory pressure, HPACK dynamic table ins...

CVE-2026-55203

HAProxy

CVE-2026-55205

Hermes WebUI prior to 0.51.468 is affected by a resource-exhaustion vulnerability in the unauthenticated POST /api/onboarding/oauth/start endpoint. The issue allows unbounded accumulation of in-memory flow state and daemon threads, enabling repeated or concurrent requests to exhaust server memory...

CVE-2026-56024

The CVE concerns the WordPress WP EasyPay plugin, affected versions

CVE-2026-55170

Technical details for CVE-2026-55170 are not publicly available in the provided documents; monitoring for updates is advised.

CVE-2026-55093

Technical details for CVE-2026-55093 are not publicly available in the provided documents; the entry is placeholder/reserved. Monitor for updates.

CVE-2026-54711

Technical details for CVE-2026-54711 are not provided in the supplied documents. No affected products, impact, or remediation are disclosed. Monitor for updates from the submitting organization.

CVE-2026-54695

Technical details for CVE-2026-54695 are not publicly available in the provided documents. Monitor for updates as information is not yet disclosed.

CVE-2026-55701

Technical details are not publicly available in the provided documents. Monitor for updates as more information becomes available.

CVE-2026-54005

Technical details for CVE-2026-54005 are not publicly available in the provided documents. The entry is reserved; monitor for updates.

CVE-2026-54004

Technical details for CVE-2026-54004 are not publicly available in the provided documents. Monitor for updates as information may be released by the reserving party.

CVE-2026-54003

Technical details for CVE-2026-54003 are not publicly available in the provided documents. Monitor for updates from the reporting organization and associated advisories.

CVE-2026-54002

Technical details for CVE-2026-54002 are not publicly available in the provided documents. No affected products, vectors, or fixes are disclosed. Monitor for updates and new information as it is published.

CVE-2026-50188

Technical details for CVE-2026-50188 are not publicly available in the provided documents. Monitor for updates.

CVE-2026-49276

Technical details for CVE-2026-49276 are not publicly available in the provided documents. Monitor for updates.

CVE-2026-56008

Summary: A privilege escalation vulnerability affects WordPress Fusion Builder plugin versions <= 3.15.4, as reported by Patchstack. The vulnerability was identified by daroo and pertains to the Fusion Builder plugin for WordPress. The provided connected document does not specify the underlyin...

CVE-2026-49274

Technical details for CVE-2026-49274 are not publicly available in the provided documents. This CVE entry appears reserved; monitor for updates as new details are published.

CVE-2026-47256

Technical details for CVE-2026-47256 are not publicly available in the provided documents. Monitor for updates and posted details.

CVE-2026-11791

The CVE-2026-11791 entry concerns 389 Directory Server (389-ds-base), where during schema reload the attr_syntax_swap_ht() function unconditionally frees attribute syntax information nodes, bypassing refcount-based deferred deletion. This can lead to use-after-free or double-free when LDAP query ...