Trending Vulnerabilities

CVE-2026-42945, also referred to as NGINX Rift, is a critical heap-based buffer overflow in NGINX Open Source and NGINX Plus within ngx_http_rewrite_module. The flaw is triggered when a rewrite directive uses unnamed PCRE captures such as $1 or $2, the replacement string contains a question mark (?), and that directive is followed in the same scope by another rewrite, if, or set directive. Public reporting indicates the root cause is inconsistent state handling between the rewrite engine’s length-calculation pass and copy/write pass: an internal flag associated with argument escaping remains set, causing NGINX to allocate a buffer based on unescaped length and then write escaped attacker-controlled URI data into it, resulting in a deterministic out-of-bounds heap write in the worker process. The issue affects NGINX Open Source versions 0.6.27 through 1.30.0 and NGINX Plus releases R32 through R36; related F5/NGINX products embedding vulnerable versions were also reported affected.

CVE-2026-20182 is a critical improper authentication vulnerability in Cisco Catalyst SD-WAN Controller (formerly vSmart) and Cisco Catalyst SD-WAN Manager (formerly vManage). The flaw is in the control-connection peering authentication/handshake implemented by the vdaemon service over DTLS on UDP/12346. Public reporting indicates the vulnerable logic is in vbond_proc_challenge_ack(), where a peer that identifies itself as a vHub (device_type = 2) can bypass the certificate and trust verification normally applied to other peer types. As a result, an unauthenticated remote attacker can complete the control-plane handshake with crafted requests, be incorrectly marked as an authenticated peer, and log in as an internal high-privileged non-root account. Cisco states that successful exploitation exposes NETCONF access, enabling manipulation of SD-WAN fabric configuration.

CVE-2026-42897 is an actively exploited cross-site scripting vulnerability in on-premises Microsoft Exchange Server, specifically affecting the Outlook Web Access (OWA) component. The flaw stems from improper neutralization of input during web page generation. Available reporting indicates the vulnerable OWA server-side rendering logic embeds user-controlled values, including URL paths or query string parameters, into generated HTML without context-aware output encoding. As a result, a specially crafted email or reflected input can cause attacker-controlled JavaScript to execute in the victim’s browser when the content is opened in OWA under certain interaction conditions. Microsoft describes the issue as a spoofing vulnerability rooted in XSS. Affected products include Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition on-premises at any update level; Exchange Online is not affected.

CVE-2026-46300, dubbed Fragnesia, is a Linux kernel local privilege escalation vulnerability in the XFRM ESP-in-TCP subsystem. The flaw is caused by improper handling of shared socket-buffer fragments during skb coalescing: reporting indicates skb_try_coalesce() can transfer paged fragments between sk_buffs without preserving the SKBFL_SHARED_FRAG marker. As a result, later ESP-in-TCP receive-side processing may incorrectly treat page-cache-backed fragments as safe for in-place decryption. An unprivileged local attacker can splice file-backed pages from a readable file into a TCP receive queue, transition the socket into espintcp ULP mode, and cause queued file pages to be processed as ESP ciphertext. The in-place AES-GCM decryption path then yields a deterministic chosen-byte write primitive against the kernel page cache of read-only files, without modifying the on-disk file. Public reporting and PoC material show exploitation against the cached copy of /usr/bin/su to obtain root. The issue is described as part of the broader Dirty Frag/page-cache corruption class and affects Linux kernels released before the May 13, 2026 patch.

CVE-2026-46333 is a Linux kernel logic flaw in __ptrace_may_access() / ptrace_may_access() related to dumpability checks during task exit. The bug arises because ptrace authorization logic can treat a target task with mm == NULL as accessible without enforcing the intended dumpable restriction. During do_exit(), exit_mm() can clear the target task's mm before exit_files() releases its open file descriptors, creating a race window in which a local attacker can target a dying privileged process that has already dropped credentials to the attacker's UID/GID but still retains sensitive open file descriptors. By racing pidfd_getfd() against that exit window, an attacker can steal descriptors from setuid/setgid-root helpers such as ssh-keysign, chage, pkexec, or accounts-daemon. Public reporting and PoCs showed disclosure of /etc/shadow and SSH host private keys, and additional exploitation paths using stolen authenticated D-Bus connections for root command execution. The upstream fix changes get_dumpable()/ptrace handling so tasks without an mm no longer bypass the intended protection and CAP_SYS_PTRACE is required to override in those cases.

CVE-2026-45585, publicly referred to as YellowKey, is a Windows BitLocker security feature bypass affecting the Windows Recovery Environment (WinRE) rather than the BitLocker cryptography itself. Public reporting and Microsoft mitigation guidance indicate the issue is rooted in WinRE behavior around the FsTx Auto Recovery Utility (autofstx.exe), which automatically replays crafted NTFS transaction recovery data during recovery boot. An attacker can stage specially crafted FsTx files on removable media or in the EFI System Partition so that, when the target is booted into WinRE, the replay deletes or alters winpeshl.ini and causes WinRE to launch an unrestricted command shell instead of the normal restricted recovery interface. At that point, on TPM-only BitLocker configurations, the protected volume has already been transparently unlocked by the TPM, giving the attacker access to the decrypted system volume. Reported affected platforms include Windows 11 24H2, 25H2, and 26H1 on x64 systems and Windows Server 2025; some reporting also states Windows Server 2022 was affected in testing. Microsoft had issued mitigation guidance but, per the provided content, no security update was yet available at publication time.

CVE-2026-31635 is a Linux kernel vulnerability in the RxRPC RXGK authentication path, publicly referred to as DirtyDecrypt or DirtyCBC. The upstream fix states that rxgk_verify_response() decodes auth_len from an incoming RESPONSE packet and is intended to verify that the authenticator length fits within the remaining packet payload. That validation was inverted, so oversized RESPONSE authenticators were accepted and passed to rxgk_decrypt_skb(). The resulting impossible length can propagate into skb_to_sgvec()/__skb_to_sgvec(), triggering a kernel BUG_ON(len) and causing a crash. Supporting reporting also associates this issue with a missing copy-on-write guard in rxgk_decrypt_skb(), enabling writes into shared page-cache-backed memory during decryption and turning the bug into a local privilege-escalation primitive on affected systems. The issue affects kernels with RXGK support enabled, and reporting indicates it was introduced in kernel 6.16 and affects versions through stable releases before 6.18.23.

CVE-2026-31431 ("Copy Fail") is a Linux kernel local privilege escalation vulnerability in the AF_ALG cryptographic socket interface, specifically the algif_aead path. The bug was introduced by an in-place optimization in algif_aead, associated with commit 72548b093ee3, which incorrectly treated AEAD processing as if source and destination buffers could safely overlap. In practice, algif_aead operates across distinct mappings: the source data comes from the TX scatter-gather list populated via sendmsg(), while the destination comes from the RX scatter-gather list populated via recvmsg(). In the vulnerable recv path (described in public analysis as algif_aead._aead_recvmsg()), this cross-mapping assumption causes kernel writes to occur against page-cache-backed data referenced through zero-copy mechanisms such as splice(). Public reporting and vendor advisories describe the flaw as a logic bug in the authencesn decrypt path that enables a deterministic controlled write into the kernel page cache of readable files. Upstream fixed the issue by reverting algif_aead to out-of-place operation and removing the false in-place model, while still copying associated data as needed.

CVE-2026-43284 is a Linux kernel vulnerability in the xfrm/ESP path, specifically ESP handling of skb fragments for ESP-in-UDP traffic built from spliced pages. The bug arises because the IPv4/IPv6 datagram append paths did not mark UDP skbs created via page splicing with SKBFL_SHARED_FRAG, unlike TCP. As a result, an ESP-in-UDP packet backed by shared pipe pages could appear to be an ordinary uncloned nonlinear skb. During ESP input processing, the kernel could then take the no-copy fast path and decrypt in place over skb fragments that were not privately owned by the skb. In practice, this is a missing copy-on-write/ownership guard on shared skb fragments, enabling writes into externally backed memory, including page-cache-backed pages, through kernel crypto processing. The fix marks IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG and makes ESP input fall back to skb_cow_data() when that flag is present, preventing in-place decryption on shared fragments.

CVE-2020-17103 is a local privilege escalation vulnerability in the Windows Cloud Files Mini Filter Driver (cldflt.sys), specifically in the HsmOsBlockPlaceholderAccess routine. The provided content indicates the flaw was originally reported by James Forshaw of Google Project Zero in 2020 and associated with improper handling during registry key creation in a code path that can open the .DEFAULT user hive. Supporting reporting states the vulnerable logic failed to enforce normal access checks when creating/opening registry keys, and that exploitation relies on a race condition involving token switching or impersonation state changes so that a low-privileged user can cause privileged code to operate on the wrong security context. The issue has been publicly weaponized as MiniPlasma to spawn a SYSTEM shell, and the content further claims the original proof-of-concept remained effective on fully patched Windows 11 systems as of May 2026, suggesting an incomplete fix or regression.

CVE-2026-44338 is a missing-authentication vulnerability in PraisonAI’s legacy Flask API server (src/praisonai/api_server.py). Affected versions are 2.5.6 through 4.6.33. The legacy server shipped with insecure defaults, including AUTH_ENABLED = False and AUTH_TOKEN = None, and its authentication helper failed open when authentication was disabled. As a result, when the legacy server is used, unauthenticated callers can access GET /agents and POST /chat without presenting an Authorization token. The /agents endpoint exposes configured agent metadata, including the agent definition file and agent list. The /chat endpoint triggers execution of the local agents.yaml workflow via PraisonAI(agent_file="agents.yaml").run(); reported analysis indicates the submitted message field is ignored and the configured workflow executes regardless. The legacy server also bound to 0.0.0.0:8080 when launched directly, increasing exposure on reachable network interfaces.

CVE-2026-0300 is a critical out-of-bounds write / buffer overflow vulnerability in the User-ID Authentication Portal service of Palo Alto Networks PAN-OS, also referred to as the Captive Portal. By sending specially crafted packets to the vulnerable portal, an unauthenticated remote attacker can trigger memory corruption and achieve arbitrary code execution with root privileges on affected PA-Series and VM-Series firewalls. Public reporting and vendor-linked summaries indicate the vulnerable component is exposed through the User-ID Authentication Portal service and that exploitation has been observed in the wild, including post-exploitation shellcode injection into an nginx worker process. Prisma Access, Cloud NGFW, and Panorama are reported as not affected.

CVE-2026-43500 is a Linux kernel vulnerability in the RxRPC subsystem. According to the provided fix description, the DATA packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() only copied an skb to a linear/private buffer before invoking security operations when skb_cloned() was true. This missed a second unsafe condition: skbs that were not cloned but still referenced externally owned paged fragments, including cases indicated by skb_has_shared_frag() or skb_has_frag_list(). In those cases, the code could proceed down an in-place decryption path and bind those fragment pages directly into the AEAD/skcipher scatter-gather list via skb_to_sgvec(). As a result, kernel crypto operations could modify memory backed by externally shared pages, including page-cache-backed data introduced through zero-copy paths such as splice() into UDP sockets. The upstream fix extends the unshare/copy gate so that RxRPC also unshares packets when skb_has_frag_list() or skb_has_shared_frag() is true, preventing in-place modification of externally shared fragments while preserving the zero-copy fast path for kernel-private fragments.

CVE-2026-41702 is a local privilege escalation vulnerability in VMware Fusion on macOS. The flaw is described as a TOCTOU (time-of-check time-of-use) race condition occurring during an operation performed by a SETUID binary within VMware Fusion. An attacker with local access and only non-administrative user privileges can exploit the race condition to cause the privileged binary to operate on a resource whose state changes between validation and use, resulting in elevation of privileges to root. Reported affected versions are VMware Fusion 25H2 / versions prior to 26H1.

CVE-2026-44578 is a server-side request forgery vulnerability in Next.js affecting self-hosted deployments that use the built-in Node.js server. The issue affects versions from 13.4.13 up to, but not including, 15.5.16 and 16.2.5. The flaw is in how the built-in server handles crafted WebSocket upgrade requests, allowing an attacker to cause the Next.js server to proxy requests to arbitrary internal or external destinations. This can expose internal network services and cloud metadata endpoints. Vercel-hosted deployments are not affected.

CVE-2026-3102 is an OS command injection vulnerability in ExifTool affecting macOS in versions 13.49 and earlier. The flaw is in the SetMacOSTags function in lib/Image/ExifTool/MacOS.pm, reached during handling of macOS file creation date metadata in the PNG file parser workflow. A user-controlled metadata value, described in the reporting as a tainted DateTimeOriginal value later copied into FileCreateDate/MDItemFSCreationDate, is passed unsafely into a system command that invokes /usr/bin/setfile. Because the date value is not properly sanitized before shell execution, an attacker can embed shell metacharacters such as single quotes in image metadata and cause arbitrary command execution when ExifTool processes the crafted file on macOS. Public reporting indicates exploitation is facilitated by using the -n flag to bypass normal date conversion/validation and the -tagsFromFile feature to copy a permissive source tag such as DateTimeOriginal into the vulnerable FileCreateDate path.

CVE-2026-45185 is a remotely reachable use-after-free vulnerability in Exim’s BDAT body parsing path affecting Exim versions before 4.99.3 when built with GnuTLS. The flaw is triggered during SMTP CHUNKING/BDAT processing if a client sends a TLS close_notify in the middle of a BDAT body transfer and then sends a final cleartext byte on the same TCP connection. In the vulnerable state transition, Exim tears down the TLS session and frees the TLS transfer buffer, but nested BDAT receive wrappers can still reference the stale TLS callbacks and invoke ungetc()-style logic against the freed buffer. This results in a write into freed heap memory and consequent heap corruption. Public reporting indicates the issue affects Exim 4.97 through 4.99.2 with USE_GNUTLS=yes; OpenSSL-backed builds are not affected. The vulnerability is unauthenticated and network-reachable, and available reporting states it can be developed into arbitrary code execution.

CVE-2026-45829 is a pre-authentication code injection / remote code execution vulnerability in the Python FastAPI implementation of ChromaDB, affecting version 1.0.0 or later and reported as present through 1.5.8. The flaw is in the collection creation API path, including /api/v2/tenants/{tenant}/databases/{db}/collections, where attacker-controlled embedding function configuration is processed before authentication is enforced. An unauthenticated attacker can submit a crafted request that specifies an attacker-controlled Hugging Face model repository and sets trust_remote_code=true. ChromaDB then loads the model and executes remote Python code from that repository before the authentication check completes. The root cause is that client-supplied model-loading parameters are forwarded into embedding/model loading logic prior to auth validation, enabling arbitrary code execution in the ChromaDB server process.

CVE-2026-8181 is an authentication bypass vulnerability in the Burst Statistics – Privacy-Friendly WordPress Analytics (Google Analytics Alternative) plugin for WordPress. It affects versions 3.4.0 through 3.4.1.1. The flaw is caused by incorrect return-value handling in the `is_mainwp_authenticated()` function while validating application passwords supplied via the HTTP Authorization header. Due to this logic error, an unauthenticated attacker who knows an administrator username can send a Basic Authentication header containing that username and any arbitrary password, and the plugin may treat the request as authenticated. This allows the attacker to impersonate the administrator for the lifetime of the request and execute actions through the affected plugin/REST API context with elevated privileges.

CVE-2026-40369 is a Windows Kernel elevation of privilege vulnerability caused by an untrusted pointer dereference. The provided content states that an authorized local attacker can exploit this flaw to elevate privileges on a vulnerable Windows system. The issue affects the Windows Kernel and was assessed as 'Exploitation More Likely' in May 2026 Patch Tuesday reporting. No additional technical details about the specific vulnerable function, code path, or triggering mechanism are provided in the supplied content.

CVE-2026-45584 is a heap-based buffer overflow vulnerability in Microsoft Defender. According to the provided Microsoft vulnerability metadata, the flaw allows an unauthorized attacker to execute code over a network. No additional public technical detail about the specific vulnerable component, function, parsing routine, or trigger condition was provided in the supplied content.

CVE-2026-0265 is an authentication bypass vulnerability in Palo Alto Networks PAN-OS caused by improper verification of cryptographic signatures. When an authentication profile using Cloud Authentication Service (CAS) is enabled and attached to a login interface, an unauthenticated attacker with network access can bypass authentication controls on the affected device. Palo Alto states the risk is highest when CAS is enabled on the management interface, though other login interfaces may also be affected at lower risk. The issue affects PAN-OS on PA-Series and VM-Series firewalls and Panorama appliances, including virtual and M-Series deployments. Cloud NGFW and Prisma Access are not affected.

CVE-2026-8711 is a heap-based buffer overflow in NGINX JavaScript (njs) affecting versions 0.9.4 through 0.9.8 in configurations using ngx_http_js_module. The issue occurs when the js_fetch_proxy directive is configured with at least one client-controlled NGINX variable, such as $http_*, $arg_*, or $cookie_*, and a location invokes the ngx.fetch() operation from NGINX JavaScript. An unauthenticated remote attacker can send crafted HTTP requests that manipulate those client-controlled values and trigger heap memory corruption in the NGINX worker process. The documented result is worker-process restart, and on systems with ASLR disabled, the memory corruption may be exploitable for code execution in the worker context.

CVE-2026-29205 is an arbitrary file read vulnerability in cPanel & WHM affecting the cpdavd attachment download endpoints. According to the provided content, the issue results from a combination of incorrect privileges management and insufficient path filtering. Because privileges are not correctly dropped and path validation is inadequate, a remote attacker can cause the affected endpoint to read arbitrary files from the server filesystem. The available context further indicates this can be exploited pre-authentication and that file access may occur with root-level privileges or impact.