CVE Analysis 7 min read
CVE-2026-5438: Orthanc gzip Decompression Bomb via Unbounded Allocation
Orthanc ≤1.12.10 allocates memory based on attacker-controlled gzip metadata with no size ceiling. A crafted Content-Encoding: gzip request exhausts system memory and crashes the server.
#gzip-decompression #memory-exhaustion #denial-of-service
2026-04-09

CVE Analysis 9 min read
CVE-2025-54601: Samsung Exynos Wi-Fi Driver Double Free via ioctl Race
A race condition in Samsung's Exynos Wi-Fi driver allows concurrent ioctl callers to double-free a global variable, yielding local privilege escalation on affected Exynos SoCs.
#race-condition #double-free #ioctl-vulnerability
2026-04-06

CVE Analysis 9 min read
CVE-2025-32313: OOB Write in Android UsageEvents Parcel Deserialization
An incorrect bounds check in UsageEvents.java allows an out-of-bounds write during Parcel deserialization, enabling local privilege escalation with no user interaction required.
#memory-corruption #out-of-bounds-write #bounds-check
2026-03-02

CVE Analysis 8 min read
CVE-2025-48544: SQL Injection in Android Enables Cross-App File Read
A SQL injection flaw in Android's content provider layer allows local privilege escalation by reading files belonging to other apps. No additional privileges or user interaction required.
#sql-injection #privilege-escalation #file-disclosure
2025-09-04

CVE Analysis 8 min read
CVE-2026-0030: OOB Write in __host_check_page_state_range Enables LPE
An incorrect bounds check in __host_check_page_state_range of mem_protect.c allows an out-of-bounds write, enabling local privilege escalation with no additional privileges required.
#memory-corruption #out-of-bounds-write #bounds-check-failure
2026-03-02

CVE Analysis 9 min read
CVE-2026-33825: Microsoft Defender ACL Granularity LPE
Insufficient access control granularity in Microsoft Defender allows a local authorized attacker to escalate privileges to SYSTEM via a logic flaw in the service's IPC surface.
#privilege-escalation #access-control-bypass #local-attack-vector
2026-04-14

CVE Analysis 7 min read
CVE-2026-5231: WP Statistics utm_source Stored XSS via innerHTML Sink
WP Statistics ≤14.16.4 copies raw utm_source into source_name on wildcard channel match, then renders it via innerHTML in admin chart legends — no escaping, no authentication required.
#cross-site-scripting #stored-xss #wordpress-plugin
2026-04-17

CVE Analysis 8 min read
CVE-2026-40262: Note Mark Asset Handler Stored XSS via MIME Sniffing
Note Mark's asset delivery handler serves uploaded files inline with no Content-Type or nosniff header, enabling stored XSS via SVG/HTML upload that executes under the app's origin.
#content-type-bypass #xss #file-upload
2026-04-17

CVE Analysis 8 min read
CVE-2026-41113: qmail tls_quit RCE via popen() in notlshosts_auto
sagredo qmail before 2026.04.07 exposes a remote code execution path through unsanitized popen() calls in notlshosts_auto triggered during TLS negotiation teardown.
#remote-code-execution #tls-protocol #popen-injection
2026-04-16

CVE Analysis 8 min read
CVE-2026-40170: ngtcp2 qlog Stack Buffer Overflow via QUIC Transport Params
ngtcp2_qlog_parameters_set_transport_params() serializes peer transport parameters into a fixed 1024-byte stack buffer without bounds checking, enabling remote stack corruption during QUIC handshake.
#buffer-overflow #stack-overflow #quic-protocol
2026-04-16

CVE Analysis 8 min read
CVE-2026-6442: Snowflake Cortex CLI Bash Sandbox Escape → RCE
Improper command validation in Snowflake Cortex Code CLI ≤1.0.24 allows sandboxed bash commands to escape agent isolation, achieving arbitrary code execution from malicious repository content.
#command-injection #sandbox-escape #arbitrary-code-execution
2026-04-16

CVE Analysis 7 min read
CVE-2026-37337: SQL Injection to RCE in Simple Music Cloud Community System
Unauthenticated SQL injection in view_playlist.php allows full database extraction and remote code execution via stacked queries. CVSS 7.3 HIGH.
#sql-injection #cloud-application #remote-code-execution
2026-04-16

CVE Analysis 8 min read
CVE-2026-37336: SQL Injection to RCE in Simple Music Cloud v1.0
Unauthenticated SQL injection in view_music.php allows full database read and potential RCE via stacked queries. CVSS 7.3 HIGH, no patch available.
#sql-injection #php #cloud-application
2026-04-16

CVE Analysis 8 min read
CVE-2026-31843: Unauthenticated RCE in goodoneuz/pay-uz via PHP File Overwrite
The pay-uz Laravel package exposes an unauthenticated endpoint that writes attacker-controlled PHP into executable hook files, enabling trivial remote code execution on any default install.
#remote-code-execution #laravel-package #unauthenticated-access
2026-04-16

CVE Analysis 8 min read
CVE-2026-23772: Dell Replay Manager Local Privilege Escalation via Improper Service Privilege Management
Dell Storage Manager Replay Manager 8.0 exposes a local privilege escalation path through misconfigured service permissions, allowing low-privileged users to hijack execution context and gain SYSTEM.
#privilege-escalation #local-access #windows-platform
2026-04-16

CVE Analysis 8 min read
CVE-2024-2374: XXE in WSO2 Products Enables File Read and SSRF
WSO2 XML parsers accept user-supplied data without disabling external entity resolution, enabling file disclosure, SSRF, and DoS via recursive entity expansion.
#xxe-injection #xml-external-entity #information-disclosure
2026-04-16

CVE Analysis 9 min read
CVE-2026-34621: Prototype Pollution RCE in Adobe Acrobat Reader
A prototype pollution vulnerability in Acrobat Reader's JavaScript engine allows arbitrary code execution via malicious PDF. Exploited in the wild against versions ≤26.001.21367.
#prototype-pollution #arbitrary-code-execution #object-manipulation
2026-04-11

CVE Analysis 7 min read
CVE-2026-33032: Nginx UI MCP Endpoint Auth Bypass Enables Full Service Takeover
The /mcp_message endpoint in nginx-ui ≤2.3.5 skips AuthRequired() middleware, letting any network attacker invoke all MCP tools unauthenticated — rewriting configs, restarting nginx, achieving full service takeover.
#nginx-ui #mcp-integration #authentication-bypass
2026-03-30

CVE Analysis 8 min read
CVE-2025-20658: MediaTek DA2 USB Handler Heap Overflow → ACE
A logic error in MediaTek's Download Agent USB command handler allows heap overflow via a malformed USB packet, enabling arbitrary code execution with physical access.
#permission-bypass #privilege-escalation #logic-error
2025-04-07

CVE Analysis 8 min read
CVE-2026-6351: CRLF Injection to LFI in Openfind MailGates/MailAudit
Unauthenticated CRLF injection in Openfind MailGates/MailAudit allows arbitrary system file read via HTTP response splitting. No authentication required.
#crlf-injection #mail-gateway #arbitrary-file-read
2026-04-16

CVE Analysis 8 min read
CVE-2026-6350: Openfind MailGates Stack Buffer Overflow → Unauthenticated RCE
A stack-based buffer overflow in Openfind MailGates/MailAudit allows unauthenticated remote attackers to corrupt the stack frame and achieve arbitrary code execution. CVSS 9.8, no authentication required.
#stack-based-buffer-overflow #remote-code-execution #unauthenticated-attack
2026-04-16

CVE Analysis 9 min read
CVE-2026-40504: Heap Overflow in Gravity VM Fiber Reassignment Enables RCE
A heap buffer overflow in gravity_fiber_reassign() allows attackers to corrupt heap metadata via crafted scripts with excessive global string literals, achieving arbitrary code execution in any application embedding Gravity before 0.9.6.
#heap-buffer-overflow #arbitrary-code-execution #bounds-checking
2026-04-16

CVE Analysis 9 min read
CVE-2026-40960: Luanti Mod Sandbox Escape via Trusted Env Interception
A logic flaw in Luanti's Lua sandbox dispatcher allows a crafted mod to intercept and inherit the insecure environment or HTTP API granted to a trusted mod, enabling RCE via unsandboxed Lua execution.
#privilege-escalation #mod-security-bypass #api-interception
2026-04-16

CVE Analysis 8 min read
CVE-2026-40502: OpenHarness Gateway Handler Command Injection
OpenHarness prior to dd1d235 fails to distinguish local-only from remote-safe commands in its gateway handler, allowing remote chat users to execute administrative commands like /permissions full_auto without operator authorization.
#command-injection #remote-code-execution #authentication-bypass
2026-04-16

CVE Analysis 8 min read
CVE-2026-35569: Stored XSS in ApostropheCMS SEO Fields Enables RCE
ApostropheCMS ≤4.28.0 fails to encode SEO field output in title tags, meta attributes, and JSON-LD contexts, allowing stored XSS leading to authenticated API exfiltration.
#stored-xss #output-encoding #seo-fields
2026-04-15

CVE Analysis 7 min read
CVE-2025-41118: Pyroscope Leaks Tencent COS Secret Key via API
Pyroscope's COS storage backend exposes secret_key credentials through the unauthenticated API. CVSS 9.1 critical. Fixed in 1.15.2, 1.16.1, 1.17.0.
#credential-exposure #cloud-storage #tencent-cos
2026-04-15

CVE Analysis 8 min read
CVE-2026-30615: Prompt Injection to RCE via Windsurf MCP Config Hijack
Windsurf 1.9544.26 processes attacker-controlled HTML without sanitization, allowing injected LLM instructions to rewrite MCP STDIO server config and execute arbitrary commands without user interaction.
#prompt-injection #arbitrary-command-execution #mcp-hijacking
2026-04-15

CVE Analysis 9 min read
CVE-2026-20204: Splunk apptemp RCE via Insecure Temp File Handling
A low-privileged Splunk user can achieve RCE by uploading a malicious file to the apptemp directory. Affects Splunk Enterprise below 10.2.1/10.0.5/9.4.10/9.3.11 and multiple Cloud Platform versions.
#privilege-escalation #file-upload #temporary-files
2026-04-15

CVE Analysis 7 min read
CVE-2024-53412: Command Injection via Port Field in ShoppingCart 0.0.2
The connect() function in NietThijmen ShoppingCart 0.0.2 passes an attacker-controlled Port field directly to a shell command, enabling unauthenticated RCE via classic command injection.
#command-injection #remote-code-execution #input-validation
2026-04-15

CVE Analysis 8 min read
CVE-2025-64893: DNG SDK OOB Read Exposes Process Memory
Adobe DNG SDK ≤1.7.0 contains an out-of-bounds read in IFD/tile parsing that leaks heap memory and can crash the host application when processing a malformed DNG file.
#out-of-bounds-read #memory-exposure #dng-sdk
2025-12-09

CVE Analysis 9 min read
CVE-2025-58411: Imagination GPU Driver Use-After-Free via Refcount Mismanagement
A reference counting flaw in Imagination Technologies' GPU kernel driver allows an unprivileged user to trigger a write use-after-free via malformed GPU syscalls, enabling potential RCE at kernel privilege.
#gpu-memory-safety #use-after-free #reference-counting
2026-01-13

CVE Analysis 8 min read
CVE-2025-52908: Samsung Exynos Wi-Fi Driver NL80211 Buffer Overflow
Samsung Exynos Wi-Fi driver mishandles NL80211 vendor command ioctl input, enabling heap buffer overflow via crafted netlink messages. CVSS 9.8 critical, affects Exynos 980 through W1000.
#buffer-overflow #wifi-driver #kernel-exploit
2026-04-07

CVE Analysis 8 min read
CVE-2025-13476: Viber Cloak Mode Static TLS Fingerprint Bypass
Viber's Cloak proxy mode emits a static, predictable TLS ClientHello fingerprint trivially detectable by DPI. CVSS 9.8. Android v25.7.2.0g and Windows v25.6.0.0–v25.8.1.0 affected.
#tls-fingerprinting #dpi-detection #proxy-blocking
2026-03-05

CVE Analysis 8 min read
CVE-2025-38616: Linux TLS ULP Dangling Anchor After Queue Drain
A race between TCP receive queue consumers and TLS ULP installation leaves a parsing anchor pointing to freed socket buffers, enabling out-of-bounds reads and memory corruption.
#tls-ulp-vulnerability #receive-queue-corruption #tcp-socket-handling
2025-08-22

CVE Analysis 8 min read
CVE-2025-64720: libpng OOB Read via Palette Alpha Invariant Violation
libpng 1.6.0–1.6.50 misapplies background compositing during premultiplication on palette images with PNG_FLAG_OPTIMIZE_ALPHA, violating component ≤ alpha×257 and triggering an out-of-bounds read.
#png-image-processing #palette-image-vulnerability #out-of-bounds-read
2025-11-25

CVE Analysis 8 min read
CVE-2026-5445: DICOM Palette OOB Read Leaks Heap via Android Image Decoder
DecodeLookupTable in DicomImageDecoder.cpp fails to bounds-check pixel indices against palette size, exposing heap memory through crafted PALETTE COLOR DICOM images on Android.
#out-of-bounds-read #lookup-table-decoding #palette-color-image
2026-04-09

CVE Analysis 8 min read
CVE-2026-0006: Heap Buffer Overflow Enabling Unauthenticated RCE
A heap buffer overflow in a cross-platform parsing component allows unauthenticated remote code execution via crafted network input. No user interaction required; CVSS 9.8.
#heap-buffer-overflow #remote-code-execution #out-of-bounds-access
2026-03-02

CVE Analysis 6 min read
CVE-2025-20658: MediaTek Download Agent Logic Flaw Enables Local Privilege Escalation via Physical Access
A logic error in MediaTek's Download Agent permits permission bypass and local privilege escalation on affected devices. Organizations managing shared or high-value endpoints should treat this as an urgent patching priority.
#permission-bypass #privilege-escalation #logic-error
2025-04-07

CVE Analysis 5 min read
CVE-2026-27289: Out-of-Bounds Read in Adobe Photoshop Desktop Enables Code Execution via Malicious File
A high-severity memory corruption flaw in Adobe Photoshop Desktop allows attackers to achieve code execution by tricking victims into opening a crafted file. CVSS score: 7.8.
#out-of-bounds-read #memory-corruption #code-execution
2026-04-14

CVE Analysis 4 min read
CVE-2026-27284: Critical Memory Corruption Vulnerability in Adobe InDesign Desktop
Adobe InDesign Desktop suffers from an out-of-bounds read vulnerability that could allow attackers to execute arbitrary code. User interaction required through malicious file opening.
#out-of-bounds-read #memory-corruption #arbitrary-code-execution
2026-04-14

CVE Analysis 4 min read
CVE-2026-27283: Critical Use-After-Free Vulnerability in Adobe InDesign Desktop
Adobe InDesign Desktop contains a high-severity Use-After-Free vulnerability allowing arbitrary code execution. User interaction required through malicious file opening.
#use-after-free #memory-safety #arbitrary-code-execution
2026-04-14

CVE Analysis 4 min read
CVE-2026-27238: Critical Heap Buffer Overflow in Adobe InDesign Desktop Enables Remote Code Execution
Adobe InDesign Desktop versions 20.5.2 and 21.2 contain a heap-based buffer overflow vulnerability allowing arbitrary code execution. Exploitation requires opening malicious files.
#buffer-overflow #heap-based #remote-code-execution
2026-04-14

CVE Analysis 4 min read
CVE-2026-38527: Critical SSRF Vulnerability in Webkul Krayin CRM Webhook Component
A high-severity Server-Side Request Forgery vulnerability in Krayin CRM's webhook creation endpoint allows attackers to scan internal infrastructure. The flaw affects version 2.2.x installations.
#ssrf #server-side-request-forgery #webhook
2026-04-14

CVE Analysis 4 min read
CVE-2026-23708: Critical Authentication Bypass in Fortinet FortiSOAR Through 2FA Replay Attack
A high-severity vulnerability allows unauthenticated attackers to bypass two-factor authentication in FortiSOAR platforms. The flaw enables replay attacks against captured 2FA requests.
#authentication-bypass #two-factor-authentication #token-replay
2026-04-14

CVE Analysis 4 min read
CVE-2026-22828: Critical Heap Buffer Overflow in Fortinet Cloud Management Platforms
A high-severity heap buffer overflow in FortiAnalyzer and FortiManager Cloud allows remote code execution. ASLR and segmentation provide some protection.
#heap-buffer-overflow #remote-code-execution #cloud-infrastructure
2026-04-14

CVE Analysis 4 min read
Critical Authentication Bypass in Siemens Industrial Edge Management Exposes OT Networks
CVE-2026-33892 allows unauthenticated attackers to bypass authentication in Siemens Industrial Edge Management systems. Industrial organizations must patch immediately to prevent unauthorized access to critical infrastructure devices.
#remote-code-execution #improper-access-control #industrial-control-systems
2026-04-14

CVE Analysis 4 min read
CVE-2026-33892: Critical Authentication Bypass in Industrial Edge Management Systems
A high-severity vulnerability allows unauthenticated attackers to impersonate legitimate users in Industrial Edge Management systems. Remote exploitation possible through header manipulation.
#authentication-bypass #industrial-control-systems #remote-access
2026-04-14

CVE Analysis 4 min read
Critical Memory Corruption in Qualcomm Firmware Exploited in Wild: CVE-2026-21385 Analysis
A critical memory alignment vulnerability in Qualcomm firmware is being actively exploited, allowing attackers to achieve arbitrary code execution. Security teams must prioritize patching immediately.
#memory-corruption #memory-allocation #alignment-vulnerability
2026-03-02

CVE Analysis 4 min read
CVE-2026-6264: Critical Unauthenticated RCE in Talend JobServer via JMX Monitoring Port
A critical vulnerability in Talend JobServer and Runtime enables unauthenticated remote code execution through exposed JMX monitoring ports. Organizations must patch immediately or disable JMX access to prevent complete system compromise.
#jmx-monitoring-port #remote-code-execution #unauthenticated-access
2026-04-14

CVE Analysis 4 min read
CVE-2026-6264: Critical Remote Code Execution in Talend JobServer JMX Monitoring Port
A critical vulnerability in Talend JobServer and Runtime enables unauthenticated remote code execution through exposed JMX monitoring ports. Immediate patching required.
#remote-code-execution #jmx-exploitation #unauthenticated-access
2026-04-14

CVE Analysis 4 min read
CVE-2026-6227: Critical Local File Inclusion Vulnerability in BackWPup WordPress Plugin Enables Remote Code Execution
BackWPup plugin versions up to 5.6.6 contain a high-severity LFI vulnerability allowing authenticated administrators to read sensitive files and achieve RCE. The flaw stems from inadequate path traversal sanitization in a REST API endpoint.
#local-file-inclusion #path-traversal #wordpress-plugin
2026-04-14

CVE Analysis 4 min read
Critical SQL Injection Vulnerability in JetEngine WordPress Plugin Affects Custom Content Types
CVE-2026-4352 exposes a high-severity SQL injection flaw in JetEngine's REST API search functionality. Unauthenticated attackers can exploit unsanitized parameters to execute arbitrary database queries.
#sql-injection #wordpress-plugin #rest-api
2026-04-14

CVE Analysis 4 min read
CVE-2026-34256: Critical Authorization Bypass in SAP ERP Allows ABAP Report Overwriting
A missing authorization check in SAP ERP and S/4HANA allows authenticated attackers to overwrite executable ABAP reports. This vulnerability poses significant risks to system availability and integrity.
#abap-report-execution #authorization-bypass #dos-availability
2026-04-14

CVE Analysis 4 min read
CVE-2026-40164: Critical Hash Collision Vulnerability in jq JSON Processor Enables DoS Attacks
A hardcoded seed in jq's MurmurHash3 implementation allows attackers to craft malicious JSON payloads causing severe CPU exhaustion. The vulnerability affects CI/CD pipelines and web services processing JSON data.
#hash-collision #cpu-exhaustion #hardcoded-seed
2026-04-14