CVE Intel Feed

[HIGH] The WP Review Slider Pro plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to and including 12.6.8.

Tue, 16 Jun 2026 10:16:29 GMT

CVSS 8.1 | The WP Review Slider Pro plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to and including 12.6.8. This is due to missing authorization checks on the wpfb_hide_review and wprp_save_review_admin AJAX handlers combined with insufficient path validation in the wpfb_hidere... | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-8442

[HIGH] The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation to Administrator in versions up to, and including, 5.5.1.

Tue, 16 Jun 2026 10:16:28 GMT

CVSS 7.5 | The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation to Administrator in versions up to, and including, 5.5.1. The plugin chains three independent flaws that together allow an authenticated Agent (Agent+) to overwrite a Wor... | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-8176

[HIGH] Due to the improper neutralization of special elements used in a name parameter a low privileged remote attacker can exploit a command injection vulnerability in the Managed Ethernet Switch, resulting in full system compromise.

Tue, 16 Jun 2026 10:16:28 GMT

CVSS 8.7 | Due to the improper neutralization of special elements used in a name parameter a low privileged remote attacker can exploit a command injection vulnerability in the Managed Ethernet Switch, resulting in full system compromise. | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-5416

[HIGH] Unauthenticated Cross Site Scripting (XSS) in Media LIbrary Assistant <= 3.35 versions.

Tue, 16 Jun 2026 10:16:28 GMT

CVSS 7.1 | Unauthenticated Cross Site Scripting (XSS) in Media LIbrary Assistant <= 3.35 versions. | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-54198

[MEDIUM] Unauthenticated Sensitive Data Exposure in GetGenie <= 4.4.1 versions.

Tue, 16 Jun 2026 10:16:28 GMT

CVSS 6.5 | Unauthenticated Sensitive Data Exposure in GetGenie <= 4.4.1 versions. | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-54197

[HIGH] Unauthenticated Cross Site Scripting (XSS) in Pods <= 3.3.8 versions.

Tue, 16 Jun 2026 10:16:28 GMT

CVSS 7.1 | Unauthenticated Cross Site Scripting (XSS) in Pods <= 3.3.8 versions. | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-54191

[MEDIUM] Unauthenticated Broken Access Control in Envira Photo Gallery <= 1.12.5 versions.

Tue, 16 Jun 2026 10:16:28 GMT

CVSS 6.5 | Unauthenticated Broken Access Control in Envira Photo Gallery <= 1.12.5 versions. | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-54190

[CRITICAL] Unauthenticated SQL Injection in GEO my WordPress <= 4.5.5 versions.

Tue, 16 Jun 2026 10:16:28 GMT

CVSS 9.3 | Unauthenticated SQL Injection in GEO my WordPress <= 4.5.5 versions. | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-52715

[MEDIUM] Unauthenticated Broken Access Control in SEO Plugin by Squirrly SEO <= 12.4.16 versions.

Tue, 16 Jun 2026 10:16:28 GMT

CVSS 5.9 | Unauthenticated Broken Access Control in SEO Plugin by Squirrly SEO <= 12.4.16 versions. | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-52714

[HIGH] Subscriber SQL Injection in Attendance Manager <= 0.6.2 versions.

Tue, 16 Jun 2026 10:16:27 GMT

CVSS 7.6 | Subscriber SQL Injection in Attendance Manager <= 0.6.2 versions. | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-52712

[HIGH] Unauthenticated Broken Access Control in WooCommerce POS <= 1.8.14 versions.

Tue, 16 Jun 2026 10:16:27 GMT

CVSS 7.5 | Unauthenticated Broken Access Control in WooCommerce POS <= 1.8.14 versions. | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-52711

[CRITICAL] Improper Control of Generation of Code ('Code Injection') vulnerability in Filipe Nasc RD Station allows Remote Code Inclusion.

Tue, 16 Jun 2026 10:16:27 GMT

CVSS 9.9 | Improper Control of Generation of Code ('Code Injection') vulnerability in Filipe Nasc RD Station allows Remote Code Inclusion. This issue affects RD Station: from n/a through 5.6.0. | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-49774

[CRITICAL] Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Liquid Web / StellarWP The Events Calendar allows Blind SQL Injection.

Tue, 16 Jun 2026 10:16:27 GMT

CVSS 9.3 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Liquid Web / StellarWP The Events Calendar allows Blind SQL Injection. This issue affects The Events Calendar: from 6.15.12 through 6.16.2. | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-49772

[MEDIUM] Missing Authorization vulnerability in Rara Themes Metro Magazine allows Exploiting Incorrectly Configured Access Control Security Levels.

Tue, 16 Jun 2026 10:16:27 GMT

CVSS 6.5 | Missing Authorization vulnerability in Rara Themes Metro Magazine allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Metro Magazine: from n/a through 1.4.1. | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-40809

[HIGH] Subscriber SQL Injection in WP Sessions Time Monitoring Full Automatic <= 1.1.4 versions.

Tue, 16 Jun 2026 10:16:27 GMT

CVSS 8.5 | Subscriber SQL Injection in WP Sessions Time Monitoring Full Automatic <= 1.1.4 versions. | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-39581

[CRITICAL] Unauthenticated SQL Injection in InPost Gallery <= 2.1.4.6 versions.

Tue, 16 Jun 2026 10:16:27 GMT

CVSS 9.3 | Unauthenticated SQL Injection in InPost Gallery <= 2.1.4.6 versions. | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-39574

[HIGH] Unauthenticated Broken Access Control in JupiterX Core <= 4.14.1 versions.

Tue, 16 Jun 2026 10:16:27 GMT

CVSS 7.5 | Unauthenticated Broken Access Control in JupiterX Core <= 4.14.1 versions. | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-39490

[HIGH] Unauthenticated Cross Site Scripting (XSS) in Min Max Step Quantity Limits Manager for WooCommerce <= 5.2.2 versions.

Tue, 16 Jun 2026 10:16:26 GMT

CVSS 7.1 | Unauthenticated Cross Site Scripting (XSS) in Min Max Step Quantity Limits Manager for WooCommerce <= 5.2.2 versions. | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-39437

[MEDIUM] The WooCommerce Stripe Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `ajax_pay_for_order()` function in all versions up to, and including, 10.7.0 This is due to a missing order ownership or order_key verification when processing payment for an order via the `wc_stripe_pay_for_order` WC-AJAX endpoint.

Tue, 16 Jun 2026 10:16:26 GMT

CVSS 6.5 | The WooCommerce Stripe Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `ajax_pay_for_order()` function in all versions up to, and including, 10.7.0 This is due to a missing order ownership or order_key verification w... | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-2381

[HIGH] A denial-of-service vulnerability exists in the WebSocket API due to insufficient validation and handling of JSON-based requests.

Tue, 16 Jun 2026 10:16:26 GMT

CVSS 7.1 | A denial-of-service vulnerability exists in the WebSocket API due to insufficient validation and handling of JSON-based requests. A low-privileged authenticated attacker can send a specially crafted request that causes service disruption and may result in an unexpected device reboot. | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-10825

[HIGH] Unauthenticated Broken Access Control in WP Event SOlution <= 4.1.12 versions.

Tue, 16 Jun 2026 10:16:25 GMT

CVSS 7.5 | Unauthenticated Broken Access Control in WP Event SOlution <= 4.1.12 versions. | NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-68045

[HIGH] The WP Review Slider Pro plugin for WordPress is vulnerable to SQL Injection via the 'curselrevs[]' parameter of the wpfb_find_reviews AJAX action in versions up to, and including, 12.6.8.

Tue, 16 Jun 2026 08:16:24 GMT

CVSS 8.8 | The WP Review Slider Pro plugin for WordPress is vulnerable to SQL Injection via the 'curselrevs[]' parameter of the wpfb_find_reviews AJAX action in versions up to, and including, 12.6.8. This is due to the handler reading $_POST['curselrevs'] raw with no sanitization or type casting, then conca... | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-8444

In the Linux kernel, the following vulnerability has been resolved: net/sched: fix pedit partial COW leading to page cache corruption tcf_pedit_act() computes the COW range for skb_ensure_writable() once before the key loop using tcfp_off_max_hint, but the hint does not account for the runtime header offset added by typed keys.

Tue, 16 Jun 2026 08:16:23 GMT

In the Linux kernel, the following vulnerability has been resolved: net/sched: fix pedit partial COW leading to page cache corruption tcf_pedit_act() computes the COW range for skb_ensure_writable() once before the key loop using tcfp_off_max_hint, but the hint does not account for the runtime ... | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-46331

[MEDIUM] The File Sharing & Download Manager – User Private Files plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fldr_ttl' parameter in all versions up to, and including, 2.1.6 due to insufficient input sanitization and output escaping.

Tue, 16 Jun 2026 08:16:23 GMT

CVSS 6.4 | The File Sharing & Download Manager – User Private Files plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fldr_ttl' parameter in all versions up to, and including, 2.1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated ... | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-10093

Nokia SR Linux is vulnerable to a local privilege escalation vulnerability.

Tue, 16 Jun 2026 08:16:23 GMT

Nokia SR Linux is vulnerable to a local privilege escalation vulnerability. Successful exploitation of this vulnerability may allow an authenticated user to execute arbitrary commands with superuser privilege. | NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-9912

[MEDIUM] The Abandoned Contact Form 7 plugin for WordPress is vulnerable to unauthorized arbitrary post deletion in versions up to, and including, 2.2.

Tue, 16 Jun 2026 06:16:58 GMT

CVSS 5.3 | The Abandoned Contact Form 7 plugin for WordPress is vulnerable to unauthorized arbitrary post deletion in versions up to, and including, 2.2. This is due to a missing capability check and missing nonce validation in the action__remove_abandoned() function, which is registered to both the wp_ajax... | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-9187

[HIGH] The WP Review Slider Pro plugin for WordPress is vulnerable to SQL Injection via the 'stypes' and 'slocations' parameters of the wppro_get_overall_chart_data AJAX action in versions up to, and including, 12.6.8.

Tue, 16 Jun 2026 06:16:58 GMT

CVSS 8.8 | The WP Review Slider Pro plugin for WordPress is vulnerable to SQL Injection via the 'stypes' and 'slocations' parameters of the wppro_get_overall_chart_data AJAX action in versions up to, and including, 12.6.8. This is due to the use of stripslashes() on user-supplied JSON strings prior to json_... | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-8443

[HIGH] The Premmerce Dev Tools plugin for WordPress is vulnerable to Remote Code Execution via missing authorization in versions up to and including 2.0.

Tue, 16 Jun 2026 06:16:58 GMT

CVSS 8.8 | The Premmerce Dev Tools plugin for WordPress is vulnerable to Remote Code Execution via missing authorization in versions up to and including 2.0. This is due to the 'generatePluginHandler' function lacking any authorization check before processing user-supplied POST data, combined with the 'crea... | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-6933

[MEDIUM] The RTMKit plugin for WordPress is vulnerable to Incorrect Authorization in all versions up to, and including, 2.0.7 This is due to the get_submission_content AJAX endpoint lacking a capability check to verify that a user has permission to access the requested form submission data.

Tue, 16 Jun 2026 06:16:58 GMT

CVSS 6.5 | The RTMKit plugin for WordPress is vulnerable to Incorrect Authorization in all versions up to, and including, 2.0.7 This is due to the get_submission_content AJAX endpoint lacking a capability check to verify that a user has permission to access the requested form submission data. This makes it ... | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-5149

[MEDIUM] Incorrect default permissions issue exists in Optical Disc Archive Software for Windows 5.5.3 and earlier.

Tue, 16 Jun 2026 06:16:58 GMT

CVSS 5.4 | Incorrect default permissions issue exists in Optical Disc Archive Software for Windows 5.5.3 and earlier. If this vulnerability is exploited, arbitrary code may be executed with SYSTEM privileges. | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-50255

[MEDIUM] The Static Block plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.

Tue, 16 Jun 2026 06:16:58 GMT

CVSS 4.3 | The Static Block plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2. This is due to the static_block_content() shortcode handler retrieving a post via get_post() using an attacker-supplied 'id' attribute and outputting its post_content... | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-10780

[MEDIUM] On Xtensa targets with CONFIG_USERSPACE and CONFIG_XTENSA_MMU, the page-table code (arch/xtensa/core/ptables.c) maintains a global list, xtensa_domain_list, of active memory domains using a list node embedded inside the caller-owned struct k_mem_domain.

Tue, 16 Jun 2026 06:16:57 GMT

CVSS 6.3 | On Xtensa targets with CONFIG_USERSPACE and CONFIG_XTENSA_MMU, the page-table code (arch/xtensa/core/ptables.c) maintains a global list, xtensa_domain_list, of active memory domains using a list node embedded inside the caller-owned struct k_mem_domain. When a domain is destroyed via k_mem_domain... | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-10635

Nokia SR Linux is vulnerable to local privilege escalation vulnerability due to unsanitized format validation.

Tue, 16 Jun 2026 06:16:57 GMT

Nokia SR Linux is vulnerable to local privilege escalation vulnerability due to unsanitized format validation. Successful exploitation of this vulnerability may allow an authenticated user to execute arbitrary commands with superuser privileges. | NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-10262

[MEDIUM] The Video Conferencing with Zoom plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.6.7.

Tue, 16 Jun 2026 04:17:26 GMT

CVSS 5.3 | The Video Conferencing with Zoom plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.6.7. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to obtain ... | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-6964

[LOW] A vulnerability has been found in Intelliants Subrion CMS up to 4.0.3.

Tue, 16 Jun 2026 04:17:17 GMT

CVSS 1.9 | A vulnerability has been found in Intelliants Subrion CMS up to 4.0.3. Affected by this issue is some unknown functionality of the component Blocks Endpoint. Such manipulation of the argument CSS class name leads to cross site scripting. The attack may be launched remotely. The exploit has been d... | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-12202

[HIGH] A stack-based buffer overflow vulnerability in the CGI program of Zyxel GS1900-48HPv2 firmware versions through 2.90(ABTQ.1)C0 could allow a LAN-based, unauthenticated attacker to exploit the flaw and potentially execute OS commands via a crafted HTTP request.

Tue, 16 Jun 2026 03:16:13 GMT

CVSS 8.8 | A stack-based buffer overflow vulnerability in the CGI program of Zyxel GS1900-48HPv2 firmware versions through 2.90(ABTQ.1)C0 could allow a LAN-based, unauthenticated attacker to exploit the flaw and potentially execute OS commands via a crafted HTTP request. | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-7273

[MEDIUM] Issue summary: An attacker-controlled CMP (Certificate Management Protocol) server could trigger a NULL pointer dereference in a CMP client application.

Tue, 16 Jun 2026 02:58:39 GMT

CVSS 5.9 | Issue summary: An attacker-controlled CMP (Certificate Management Protocol) server could trigger a NULL pointer dereference in a CMP client application. Impact summary: A NULL pointer dereference causes a crash of the application and a Denial of Service. An attacker controlling a CMP server (or... | Mitigation: See vendor advisory: https://github.com/openssl/openssl/commit/61a86a8cd73546c9fea916f3d304c1293e05c046 | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42767

[LOW] Issue summary: The CMS_decrypt and PKCS7_decrypt functions are vulnerable to Bleichenbacher-style attack when an attacker is able to provide the CMS or S/MIME messages and observe the error code and/or decryption output.

Tue, 16 Jun 2026 02:58:12 GMT

CVSS 3.7 | Issue summary: The CMS_decrypt and PKCS7_decrypt functions are vulnerable to Bleichenbacher-style attack when an attacker is able to provide the CMS or S/MIME messages and observe the error code and/or decryption output. Impact summary: The Bleichenbacher-style attack allows an attacker to use t... | Mitigation: See vendor advisory: https://github.com/openssl/openssl/commit/a2ca7b2d73e0ffc1eae183fe6e1741dac767cb4f | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42768

[LOW] Issue summary: When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the peer key is not properly checked for the subgroup membership.

Tue, 16 Jun 2026 02:58:00 GMT

CVSS 3.7 | Issue summary: When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the peer key is not properly checked for the subgroup membership. Impact summary: A malicious peer which presents an X9.42 key carrying the victim's p and g parameters, a forged q = r (a small prime factor of t... | Mitigation: See vendor advisory: https://github.com/openssl/openssl/commit/3da5a516cd2635a320ff748503db2cef7c4b0f02 | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42770

[MEDIUM] Issue summary: When the X509_VERIFY_PARAM_set1_email is called by an application to validate a crafted e-mail address, such as during S/MIME message validation, an out of bounds read can happen.

Tue, 16 Jun 2026 02:57:31 GMT

CVSS 6.2 | Issue summary: When the X509_VERIFY_PARAM_set1_email is called by an application to validate a crafted e-mail address, such as during S/MIME message validation, an out of bounds read can happen. Impact summary: This out of bounds read will not directly exfiltrate the data read to the attacker so... | Mitigation: See vendor advisory: https://github.com/openssl/openssl/commit/6cd187689f8180c1f8a3acde21f88190c4a20de7 | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42771

[HIGH] Issue summary: When an application drives an AES-OCB context through the public EVP_Cipher() one-shot interface, the application-supplied initialisation vector (IV) is silently discarded.

Tue, 16 Jun 2026 02:57:17 GMT

CVSS 7.5 | Issue summary: When an application drives an AES-OCB context through the public EVP_Cipher() one-shot interface, the application-supplied initialisation vector (IV) is silently discarded. Impact summary: Every message encrypted under the same key uses the same effective nonce regardless of the I... | Mitigation: See vendor advisory: https://github.com/openssl/openssl/commit/323f0b6e7d530a4cb4336d50c88cb70f3ac2a451 | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-45445

[MEDIUM] Issue summary: The implementations of AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) mishandle the authentication of AAD (Additional Authenticated Data) with an empty ciphertext allowing a forgery of such messages.

Tue, 16 Jun 2026 02:57:01 GMT

CVSS 4.8 | Issue summary: The implementations of AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) mishandle the authentication of AAD (Additional Authenticated Data) with an empty ciphertext allowing a forgery of such messages. Impact summary: An attacker can forge empty messages with arbitrary AAD to the vic... | Mitigation: See vendor advisory: https://github.com/openssl/openssl/commit/25b32cd9d41d2bc01b6abc425bb4baf2c2236fdc | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-45446

[HIGH] Issue summary: A specially crafted PKCS#7 or S/MIME signed message could trigger a use-after-free during PKCS#7 signature verification.

Tue, 16 Jun 2026 02:56:50 GMT

CVSS 8.8 | Issue summary: A specially crafted PKCS#7 or S/MIME signed message could trigger a use-after-free during PKCS#7 signature verification. Impact summary: A use-after-free may result in process crashes, heap corruption, or potentially remote code execution. When processing a PKCS#7 or S/MIME signe... | Mitigation: See vendor advisory: https://github.com/openssl/openssl/commit/3aad5eb7af4de4ee0633c30a8541a54d9bbde63c | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-45447

[MEDIUM] OpenClaw before 2026.5.2 contains a credential exposure vulnerability in message.action forwarding that allows model-controlled metadata to forward action payloads with Gateway credentials to attacker-supplied loopback URLs.

Tue, 16 Jun 2026 02:55:53 GMT

CVSS 6 | OpenClaw before 2026.5.2 contains a credential exposure vulnerability in message.action forwarding that allows model-controlled metadata to forward action payloads with Gateway credentials to attacker-supplied loopback URLs. Remote attackers can intercept Gateway tokens and action payloads by pro... | Mitigation: See vendor advisory: https://github.com/openclaw/openclaw/security/advisories/GHSA-grc3-2j34-p6gm | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-53827

[HIGH] OpenClaw before 2026.5.6 contains an authorization bypass vulnerability in native command handling that allows authenticated senders to execute owner-only commands without proper policy enforcement.

Tue, 16 Jun 2026 02:55:43 GMT

CVSS 7.7 | OpenClaw before 2026.5.6 contains an authorization bypass vulnerability in native command handling that allows authenticated senders to execute owner-only commands without proper policy enforcement. Attackers can trigger native command handling to bypass the configured owner-command access contro... | Mitigation: See vendor advisory: https://github.com/openclaw/openclaw/security/advisories/GHSA-p73f-w79w-jqr5 | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-53828

[HIGH] OpenClaw before 2026.5.18 contains an approval display truncation vulnerability allowing authenticated users to hide command suffixes from approvers.

Tue, 16 Jun 2026 02:55:31 GMT

CVSS 8.5 | OpenClaw before 2026.5.18 contains an approval display truncation vulnerability allowing authenticated users to hide command suffixes from approvers. Attackers can submit oversized exec commands with benign prefixes and malicious suffixes to execute unauthorized operations after approval. | Mitigation: See vendor advisory: https://github.com/openclaw/openclaw/security/advisories/GHSA-xww8-gqvh-92x9 | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-53829

[MEDIUM] OpenClaw before 2026.4.22 contains a webhook secret revocation bypass vulnerability allowing callers with old Slack and Zalo webhook secrets to remain active after secrets.reload.

Tue, 16 Jun 2026 02:55:05 GMT

CVSS 6 | OpenClaw before 2026.4.22 contains a webhook secret revocation bypass vulnerability allowing callers with old Slack and Zalo webhook secrets to remain active after secrets.reload. Attackers can exploit the stale-secret window to deliver webhook events after operator-expected secret revocation, po... | Mitigation: See vendor advisory: https://github.com/openclaw/openclaw/security/advisories/GHSA-275c-xpvc-jgfw | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-53830

[MEDIUM] OpenClaw before 2026.5.27 contains a state mutation vulnerability in node pairing reconnection that allows paired nodes to confuse approval scope decisions.

Tue, 16 Jun 2026 02:54:55 GMT

CVSS 6 | OpenClaw before 2026.5.27 contains a state mutation vulnerability in node pairing reconnection that allows paired nodes to confuse approval scope decisions. Attackers can exploit reconnection logic to restore or present broader node authority than intended, potentially bypassing approval restrict... | Mitigation: See vendor advisory: https://github.com/openclaw/openclaw/security/advisories/GHSA-83w9-h5wv-j9xm | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-53838

[MEDIUM] OpenClaw before 2026.5.7 contains a hostname validation vulnerability in retry endpoint checks that allows matching hostname prefixes instead of exact hostnames.

Tue, 16 Jun 2026 02:54:28 GMT

CVSS 6 | OpenClaw before 2026.5.7 contains a hostname validation vulnerability in retry endpoint checks that allows matching hostname prefixes instead of exact hostnames. Attackers can exploit this by crafting a hostname prefix resembling a trusted host to send authentication material to untrusted endpoints. | Mitigation: See vendor advisory: https://github.com/openclaw/openclaw/security/advisories/GHSA-77q5-rr5v-x43q | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-53839

[MEDIUM] OpenClaw before 2026.5.12 contains an exec denylist bypass vulnerability in the bundle MCP loopback session-spawn path that allows authenticated callers to bypass intended command restrictions.

Tue, 16 Jun 2026 02:53:24 GMT

CVSS 6.9 | OpenClaw before 2026.5.12 contains an exec denylist bypass vulnerability in the bundle MCP loopback session-spawn path that allows authenticated callers to bypass intended command restrictions. Attackers can reach the affected bundled MCP session-spawn path to start sessions with broader command ... | Mitigation: See vendor advisory: https://github.com/openclaw/openclaw/security/advisories/GHSA-qh2f-99mv-mrcf | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-53820

[HIGH] OpenClaw before 2026.5.18 accepts WebSocket client-declared operator scopes before binding to server-approved pairing or trusted-proxy authorization baseline.

Tue, 16 Jun 2026 02:53:11 GMT

CVSS 8.7 | OpenClaw before 2026.5.18 accepts WebSocket client-declared operator scopes before binding to server-approved pairing or trusted-proxy authorization baseline. Unpaired or restricted trusted-proxy Control UI clients can obtain cached operator.admin authority on live WebSocket connections to execut... | Mitigation: See vendor advisory: https://github.com/openclaw/openclaw/security/advisories/GHSA-qjpc-qf9m-xwmr | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-53821

[HIGH] OpenClaw before 2026.5.18 contains a command injection vulnerability where shell wrapper argv could change between approval and execution.

Tue, 16 Jun 2026 02:52:56 GMT

CVSS 8.7 | OpenClaw before 2026.5.18 contains a command injection vulnerability where shell wrapper argv could change between approval and execution. Attackers can rebuild command arguments after allowlist approval to execute unapproved command shapes, potentially bypassing security controls. | Mitigation: See vendor advisory: https://github.com/openclaw/openclaw/security/advisories/GHSA-2j8v-hwgc-x698 | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-53822

[HIGH] OpenClaw before 2026.5.3 contains a privilege escalation vulnerability in the allowFrom feature that binds to mutable Slack display names.

Tue, 16 Jun 2026 02:52:26 GMT

CVSS 8.6 | OpenClaw before 2026.5.3 contains a privilege escalation vulnerability in the allowFrom feature that binds to mutable Slack display names. Attackers with Slack account access can change display name metadata to match policy entries, potentially gaining unauthorized agent access intended for other... | Mitigation: See vendor advisory: https://github.com/openclaw/openclaw/security/advisories/GHSA-c29c-2q9c-pc86 | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-53823

[MEDIUM] OpenClaw before 2026.4.24 contains a token revocation vulnerability allowing callers with revoked slash tokens to continue executing commands during monitor refresh windows.

Tue, 16 Jun 2026 02:51:29 GMT

CVSS 6 | OpenClaw before 2026.4.24 contains a token revocation vulnerability allowing callers with revoked slash tokens to continue executing commands during monitor refresh windows. Attackers can exploit stale token acceptance to invoke slash command behavior briefly after token revocation, potentially e... | Mitigation: See vendor advisory: https://github.com/openclaw/openclaw/security/advisories/GHSA-4m3v-q747-pc6h | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-53824

[HIGH] OpenClaw before 2026.4.7 contains an arbitrary file read vulnerability in the memory-wiki ingest feature that allows authenticated Gateway operators with operator.write scope to read local files outside intended ingest sources.

Tue, 16 Jun 2026 02:49:17 GMT

CVSS 7.1 | OpenClaw before 2026.4.7 contains an arbitrary file read vulnerability in the memory-wiki ingest feature that allows authenticated Gateway operators with operator.write scope to read local files outside intended ingest sources. Attackers with operator.write access can specify arbitrary local file... | Mitigation: See vendor advisory: https://github.com/openclaw/openclaw/security/advisories/GHSA-p2fh-f5fc-44hr | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-53825

[LOW] OpenClaw before 2026.4.26 contains an information disclosure vulnerability in sandboxed session spawning that exposes the real workspace path to child prompts.

Tue, 16 Jun 2026 02:48:51 GMT

CVSS 2.3 | OpenClaw before 2026.4.26 contains an information disclosure vulnerability in sandboxed session spawning that exposes the real workspace path to child prompts. Attackers can exploit this by spawning child sessions from sandboxed parents to reveal host workspace location or related memory context ... | Mitigation: See vendor advisory: https://github.com/openclaw/openclaw/security/advisories/GHSA-6c4r-g249-wv3c | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-53826

[HIGH] Issue summary: A signed integer overflow when sizing the destination buffer for Unicode output in ASN1_mbstring_ncopy() can lead to a heap buffer overflow.

Tue, 16 Jun 2026 02:46:08 GMT

CVSS 8.1 | Issue summary: A signed integer overflow when sizing the destination buffer for Unicode output in ASN1_mbstring_ncopy() can lead to a heap buffer overflow. Impact summary: A heap buffer overflow may lead to a crash or possibly attacker controlled code execution or other undefined behaviour. In ... | Mitigation: See vendor advisory: https://github.com/openssl/openssl/commit/4f8d2bddaa2c8e06f9c33390ee1717059a6e4be6 | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-7383

[HIGH] Issue summary: When CMS password-based decryption (RFC 3211 / PWRI key unwrap) processes attacker-supplied CMS data, an attacker-chosen stream-mode KEK cipher can trigger a heap out-of-bounds read in kek_unwrap_key().

Tue, 16 Jun 2026 02:45:58 GMT

CVSS 7.5 | Issue summary: When CMS password-based decryption (RFC 3211 / PWRI key unwrap) processes attacker-supplied CMS data, an attacker-chosen stream-mode KEK cipher can trigger a heap out-of-bounds read in kek_unwrap_key(). Impact summary: A heap buffer over-read may trigger a crash which leads to Den... | Mitigation: See vendor advisory: https://github.com/openssl/openssl/commit/05b066366842f930fadd9a6e94df98030af431bb | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-9076

[MEDIUM] In the Linux kernel, the following vulnerability has been resolved: apparmor: fix invalid deref of rawdata when export_binary is unset If the export_binary parameter is disabled on runtime, profiles that were loaded before that will still have their rawdata stored in apparmorfs, with a symbolic link to the rawdata on the policy directory.

Tue, 16 Jun 2026 02:45:00 GMT

CVSS 5.5 | In the Linux kernel, the following vulnerability has been resolved: apparmor: fix invalid deref of rawdata when export_binary is unset If the export_binary parameter is disabled on runtime, profiles that were loaded before that will still have their rawdata stored in apparmorfs, with a symbolic... | Mitigation: See vendor advisory: https://git.kernel.org/stable/c/1432ab0774cba43e8111be39989ff226531a9bac | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-45965

[MEDIUM] In the Linux kernel, the following vulnerability has been resolved: apparmor: fix NULL pointer dereference in __unix_needs_revalidation When receiving file descriptors via SCM_RIGHTS, both the socket pointer and the socket's sk pointer can be NULL during socket setup or teardown, causing NULL pointer dereferences in __unix_needs_revalidation().

Tue, 16 Jun 2026 02:44:44 GMT

CVSS 5.5 | In the Linux kernel, the following vulnerability has been resolved: apparmor: fix NULL pointer dereference in __unix_needs_revalidation When receiving file descriptors via SCM_RIGHTS, both the socket pointer and the socket's sk pointer can be NULL during socket setup or teardown, causing NULL p... | Mitigation: See vendor advisory: https://git.kernel.org/stable/c/e2938ad00b21340c0362562dfedd7cfec0554d67 | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-45966

[MEDIUM] In the Linux kernel, the following vulnerability has been resolved: bpf: Return proper address for non-zero offsets in insn array The map_direct_value_addr() function of the instruction array map incorrectly adds offset to the resulting address.

Tue, 16 Jun 2026 02:43:49 GMT

CVSS 5.5 | In the Linux kernel, the following vulnerability has been resolved: bpf: Return proper address for non-zero offsets in insn array The map_direct_value_addr() function of the instruction array map incorrectly adds offset to the resulting address. This is a bug, because later the resolve_pseudo_l... | Mitigation: See vendor advisory: https://git.kernel.org/stable/c/73ef43202a37d779a8e665a0acae214fa59df9fb | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-45967

[MEDIUM] In the Linux kernel, the following vulnerability has been resolved: cpuidle: Skip governor when only one idle state is available On certain platforms (PowerNV systems without a power-mgt DT node), cpuidle may register only a single idle state.

Tue, 16 Jun 2026 02:43:34 GMT

CVSS 5.5 | In the Linux kernel, the following vulnerability has been resolved: cpuidle: Skip governor when only one idle state is available On certain platforms (PowerNV systems without a power-mgt DT node), cpuidle may register only a single idle state. In cases where that single state is a polling state... | Mitigation: See vendor advisory: https://git.kernel.org/stable/c/4da2b897283c39980d6ae09dc1560fcd937879e5 | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-45968

[MEDIUM] In the Linux kernel, the following vulnerability has been resolved: HID: playstation: Add missing check for input_ff_create_memless The ps_gamepad_create() function calls input_ff_create_memless() without verifying its return value, which can lead to incorrect behavior or potential crashes when FF effects are triggered.

Tue, 16 Jun 2026 02:43:21 GMT

CVSS 5.5 | In the Linux kernel, the following vulnerability has been resolved: HID: playstation: Add missing check for input_ff_create_memless The ps_gamepad_create() function calls input_ff_create_memless() without verifying its return value, which can lead to incorrect behavior or potential crashes whe... | Mitigation: See vendor advisory: https://git.kernel.org/stable/c/33acf9a4d6eb1f6d01691faca96ad6b2ab0fcfc0 | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-45969

[HIGH] In the Linux kernel, the following vulnerability has been resolved: bonding: alb: fix UAF in rlb_arp_recv during bond up/down The ALB RX path may access rx_hashtbl concurrently with bond teardown.

Tue, 16 Jun 2026 02:42:53 GMT

CVSS 7.8 | In the Linux kernel, the following vulnerability has been resolved: bonding: alb: fix UAF in rlb_arp_recv during bond up/down The ALB RX path may access rx_hashtbl concurrently with bond teardown. During rapid bond up/down cycles, rlb_deinitialize() frees rx_hashtbl while RX handlers are still ... | Mitigation: See vendor advisory: https://git.kernel.org/stable/c/c65cdf46ce340c9c00fbbaf84599d2daff43626e | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-45970

[MEDIUM] In the Linux kernel, the following vulnerability has been resolved: bpf: Limit bpf program signature size Practical BPF signatures are significantly smaller than KMALLOC_MAX_CACHE_SIZE Allowing larger sizes opens the door for abuse by passing excessive size values and forcing the kernel into expensive allocation paths (via kmalloc_large or vmalloc).

Tue, 16 Jun 2026 02:42:22 GMT

CVSS 5.5 | In the Linux kernel, the following vulnerability has been resolved: bpf: Limit bpf program signature size Practical BPF signatures are significantly smaller than KMALLOC_MAX_CACHE_SIZE Allowing larger sizes opens the door for abuse by passing excessive size values and forcing the kernel into e... | Mitigation: See vendor advisory: https://git.kernel.org/stable/c/5835a077c6f5c565d525eaca9fac01572b97a9b9 | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-45971

[CRITICAL] In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF and double free in smb2_open_file() Zero out @err_iov and @err_buftype before retrying SMB2_open() to prevent an UAF bug if @data != NULL, otherwise a double free.

Tue, 16 Jun 2026 02:42:11 GMT

CVSS 9.8 | In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF and double free in smb2_open_file() Zero out @err_iov and @err_buftype before retrying SMB2_open() to prevent an UAF bug if @data != NULL, otherwise a double free. | Mitigation: See vendor advisory: https://git.kernel.org/stable/c/4d339b219004869e96c4ce56b8891f83a38da4c0 | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-45972

[MEDIUM] In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Fix UMR hang in LAG error state unload During firmware reset in LAG mode, a race condition causes the driver to hang indefinitely while waiting for UMR completion during device unload.

Tue, 16 Jun 2026 02:42:00 GMT

CVSS 5.5 | In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Fix UMR hang in LAG error state unload During firmware reset in LAG mode, a race condition causes the driver to hang indefinitely while waiting for UMR completion during device unload. See [1]. In LAG mode the bond ... | Mitigation: See vendor advisory: https://git.kernel.org/stable/c/613f5d4139b6ba801ccd93f9a28943be60d903bc | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-45973

[MEDIUM] In the Linux kernel, the following vulnerability has been resolved: btrfs: fix invalid leaf access in btrfs_quota_enable() if ref key not found If btrfs_search_slot_for_read() returns 1, it means we did not find any key greater than or equals to the key we asked for, meaning we have reached the end of the tree and therefore the path is not valid.

Tue, 16 Jun 2026 02:41:44 GMT

CVSS 5.5 | In the Linux kernel, the following vulnerability has been resolved: btrfs: fix invalid leaf access in btrfs_quota_enable() if ref key not found If btrfs_search_slot_for_read() returns 1, it means we did not find any key greater than or equals to the key we asked for, meaning we have reached the... | Mitigation: See vendor advisory: https://git.kernel.org/stable/c/023545e272f369d487e6a986c1e321c6e04be1da | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-45974

[MEDIUM] In the Linux kernel, the following vulnerability has been resolved: ublk: use READ_ONCE() to read struct ublksrv_ctrl_cmd struct ublksrv_ctrl_cmd is part of the io_uring_sqe, which may lie in userspace-mapped memory.

Tue, 16 Jun 2026 02:41:06 GMT

CVSS 5.5 | In the Linux kernel, the following vulnerability has been resolved: ublk: use READ_ONCE() to read struct ublksrv_ctrl_cmd struct ublksrv_ctrl_cmd is part of the io_uring_sqe, which may lie in userspace-mapped memory. It's racy to access its fields with normal loads, as userspace may write to th... | Mitigation: See vendor advisory: https://git.kernel.org/stable/c/ce63eda3e6d36e2c253febee1c8421ecbd1a680e | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-45975

[MEDIUM] In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix memory leak in amdgpu_ras_init() When amdgpu_nbio_ras_sw_init() fails in amdgpu_ras_init(), the function returns directly without freeing the allocated con structure, leading to a memory leak.

Tue, 16 Jun 2026 02:40:53 GMT

CVSS 5.5 | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix memory leak in amdgpu_ras_init() When amdgpu_nbio_ras_sw_init() fails in amdgpu_ras_init(), the function returns directly without freeing the allocated con structure, leading to a memory leak. Fix this by jumpi... | Mitigation: See vendor advisory: https://git.kernel.org/stable/c/2fef8c2ac67e7c1b0409d23653300b134c63e54c | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-45976

[MEDIUM] In the Linux kernel, the following vulnerability has been resolved: fbnic: close fw_log race between users and teardown Fixes a theoretical race on fw_log between the teardown path and fw_log write functions.

Tue, 16 Jun 2026 02:40:23 GMT

CVSS 5.5 | In the Linux kernel, the following vulnerability has been resolved: fbnic: close fw_log race between users and teardown Fixes a theoretical race on fw_log between the teardown path and fw_log write functions. fw_log is written inside fbnic_fw_log_write() and can be reached from the mailbox han... | Mitigation: See vendor advisory: https://git.kernel.org/stable/c/223cfef4812bdfa5ac5c1aa761cdba03cfe2c9cd | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-45977

[MEDIUM] In the Linux kernel, the following vulnerability has been resolved: staging: greybus: lights: avoid NULL deref gb_lights_light_config() stores channel_count before allocating the channels array.

Tue, 16 Jun 2026 02:40:18 GMT

CVSS 5.5 | In the Linux kernel, the following vulnerability has been resolved: staging: greybus: lights: avoid NULL deref gb_lights_light_config() stores channel_count before allocating the channels array. If kcalloc() fails, gb_lights_release() iterates the non-zero count and dereferences light->channels... | Mitigation: See vendor advisory: https://git.kernel.org/stable/c/01b91cb3e748032fd96bbe0043812b426a52f091 | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-45978

[MEDIUM] In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: clean up the amdgpu_cs_parser_bos In low memory conditions, kmalloc can fail.

Tue, 16 Jun 2026 02:40:10 GMT

CVSS 5.5 | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: clean up the amdgpu_cs_parser_bos In low memory conditions, kmalloc can fail. In such conditions unlock the mutex for a clean exit. We do not need to amdgpu_bo_list_put as it's been handled in the amdgpu_cs_parser_... | Mitigation: See vendor advisory: https://git.kernel.org/stable/c/0905a1d4a5500ecf11f1c0079098e3a351d22163 | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-45979

[HIGH] In the Linux kernel, the following vulnerability has been resolved: accel/amdxdna: Stop job scheduling across aie2_release_resource() Running jobs on a hardware context while it is in the process of releasing resources can lead to use-after-free and crashes.

Tue, 16 Jun 2026 02:39:58 GMT

CVSS 7.8 | In the Linux kernel, the following vulnerability has been resolved: accel/amdxdna: Stop job scheduling across aie2_release_resource() Running jobs on a hardware context while it is in the process of releasing resources can lead to use-after-free and crashes. Fix this by stopping job scheduling... | Mitigation: See vendor advisory: https://git.kernel.org/stable/c/688c3ff079b10e4600f040944430d3d4ff448a15 | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-45980

[MEDIUM] In the Linux kernel, the following vulnerability has been resolved: s390/cio: Fix device lifecycle handling in css_alloc_subchannel() `css_alloc_subchannel()` calls `device_initialize()` before setting up the DMA masks.

Tue, 16 Jun 2026 02:39:43 GMT

CVSS 5.5 | In the Linux kernel, the following vulnerability has been resolved: s390/cio: Fix device lifecycle handling in css_alloc_subchannel() `css_alloc_subchannel()` calls `device_initialize()` before setting up the DMA masks. If `dma_set_coherent_mask()` or `dma_set_mask()` fails, the error path free... | Mitigation: See vendor advisory: https://git.kernel.org/stable/c/6715560527e343a387e4a0d2e6c401748e89fa55 | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-45981

[MEDIUM] In the Linux kernel, the following vulnerability has been resolved: ACPICA: Fix NULL pointer dereference in acpi_ev_address_space_dispatch() Cover a missed execution path with a new check.

Tue, 16 Jun 2026 02:39:34 GMT

CVSS 5.5 | In the Linux kernel, the following vulnerability has been resolved: ACPICA: Fix NULL pointer dereference in acpi_ev_address_space_dispatch() Cover a missed execution path with a new check. | Mitigation: See vendor advisory: https://git.kernel.org/stable/c/56024dbe8c76cff22f53ba81a95d9efd4d0c9c44 | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-45982

[MEDIUM] In the Linux kernel, the following vulnerability has been resolved: nfsd: never defer requests during idmap lookup During v4 request compound arg decoding, some ops (e.g.

Tue, 16 Jun 2026 02:39:11 GMT

CVSS 5.5 | In the Linux kernel, the following vulnerability has been resolved: nfsd: never defer requests during idmap lookup During v4 request compound arg decoding, some ops (e.g. SETATTR) can trigger idmap lookup upcalls. When those upcall responses get delayed beyond the allowed time limit, cache_chec... | Mitigation: See vendor advisory: https://git.kernel.org/stable/c/063a6f22478ef929625000a2caf54667725c1dfd | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-45983

[HIGH] In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix use-after-free in iomap inline data write path The inline data buffer head (dibh) is being released prematurely in gfs2_iomap_begin() via release_metapath() while iomap->inline_data still points to dibh->b_data.

Tue, 16 Jun 2026 02:39:00 GMT

CVSS 7.8 | In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix use-after-free in iomap inline data write path The inline data buffer head (dibh) is being released prematurely in gfs2_iomap_begin() via release_metapath() while iomap->inline_data still points to dibh->b_data. This ... | Mitigation: See vendor advisory: https://git.kernel.org/stable/c/1403989d1b502f4a2c0d0b42ccf1c25748442eff | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-45984

[HIGH] In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Clear Present bit before tearing down context entry When tearing down a context entry, the current implementation zeros the entire 128-bit entry using multiple 64-bit writes.

Tue, 16 Jun 2026 02:37:20 GMT

CVSS 7.5 | In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Clear Present bit before tearing down context entry When tearing down a context entry, the current implementation zeros the entire 128-bit entry using multiple 64-bit writes. This creates a window where the hardware... | Mitigation: See vendor advisory: https://git.kernel.org/stable/c/a922dbafb4a674d958d702038232d09a30daf770 | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-45944

[HIGH] In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Fix race condition during PASID entry replacement The Intel VT-d PASID table entry is 512 bits (64 bytes).

Tue, 16 Jun 2026 02:36:52 GMT

CVSS 8.8 | In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Fix race condition during PASID entry replacement The Intel VT-d PASID table entry is 512 bits (64 bytes). When replacing an active PASID entry (e.g., during domain replacement), the current implementation calculate... | Mitigation: See vendor advisory: https://git.kernel.org/stable/c/66a7aff480a82b8642b3991fed5fdc9780022157 | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-45945

[HIGH] In the Linux kernel, the following vulnerability has been resolved: power: supply: ab8500: Fix use-after-free in power_supply_changed() Using the `devm_` variant for requesting IRQ _before_ the `devm_` variant for allocating/registering the `power_supply` handle, means that the `power_supply` handle will be deallocated/unregistered _before_ the interrupt handler (since `devm_` naturally deallocates in reverse allocation order).

Tue, 16 Jun 2026 02:36:44 GMT

CVSS 7.8 | In the Linux kernel, the following vulnerability has been resolved: power: supply: ab8500: Fix use-after-free in power_supply_changed() Using the `devm_` variant for requesting IRQ _before_ the `devm_` variant for allocating/registering the `power_supply` handle, means that the `power_supply` h... | Mitigation: See vendor advisory: https://git.kernel.org/stable/c/43cbb78ee047b9b12d096d40e3be265969d4c1f8 | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-45946

[MEDIUM] In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix memory leak in amdgpu_acpi_enumerate_xcc() In amdgpu_acpi_enumerate_xcc(), if amdgpu_acpi_dev_init() returns -ENOMEM, the function returns directly without releasing the allocated xcc_info, resulting in a memory leak.

Tue, 16 Jun 2026 02:36:01 GMT

CVSS 5.5 | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix memory leak in amdgpu_acpi_enumerate_xcc() In amdgpu_acpi_enumerate_xcc(), if amdgpu_acpi_dev_init() returns -ENOMEM, the function returns directly without releasing the allocated xcc_info, resulting in a memory... | Mitigation: See vendor advisory: https://git.kernel.org/stable/c/18a7bbd11f17a7cd4c42fd5955d3675d68c692df | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-45947

[MEDIUM] In the Linux kernel, the following vulnerability has been resolved: ext4: fix memory leak in ext4_ext_shift_extents() In ext4_ext_shift_extents(), if the extent is NULL in the while loop, the function returns immediately without releasing the path obtained via ext4_find_extent(), leading to a memory leak.

Tue, 16 Jun 2026 02:35:36 GMT

CVSS 5.5 | In the Linux kernel, the following vulnerability has been resolved: ext4: fix memory leak in ext4_ext_shift_extents() In ext4_ext_shift_extents(), if the extent is NULL in the while loop, the function returns immediately without releasing the path obtained via ext4_find_extent(), leading to a m... | Mitigation: See vendor advisory: https://git.kernel.org/stable/c/12615ab4bfb69678e5d961b28bb70040299e51b1 | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-45948

[MEDIUM] In the Linux kernel, the following vulnerability has been resolved: hwrng: core - use RCU and work_struct to fix race condition Currently, hwrng_fill is not cleared until the hwrng_fillfn() thread exits.

Tue, 16 Jun 2026 02:34:59 GMT

CVSS 4.7 | In the Linux kernel, the following vulnerability has been resolved: hwrng: core - use RCU and work_struct to fix race condition Currently, hwrng_fill is not cleared until the hwrng_fillfn() thread exits. Since hwrng_unregister() reads hwrng_fill outside the rng_mutex lock, a concurrent hwrng_un... | Mitigation: See vendor advisory: https://git.kernel.org/stable/c/ad38f2cdfef9a2f2899c30cad269baec5bfd4a5d | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-45949

[MEDIUM] In the Linux kernel, the following vulnerability has been resolved: crypto: starfive - Fix memory leak in starfive_aes_aead_do_one_req() The starfive_aes_aead_do_one_req() function allocates rctx->adata with kzalloc() but fails to free it if sg_copy_to_buffer() or starfive_aes_hw_init() fails, which lead to memory leaks.

Tue, 16 Jun 2026 02:34:46 GMT

CVSS 5.5 | In the Linux kernel, the following vulnerability has been resolved: crypto: starfive - Fix memory leak in starfive_aes_aead_do_one_req() The starfive_aes_aead_do_one_req() function allocates rctx->adata with kzalloc() but fails to free it if sg_copy_to_buffer() or starfive_aes_hw_init() fails, ... | Mitigation: See vendor advisory: https://git.kernel.org/stable/c/38d80307decc1132626a30e2a62af734630ecca5 | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-45950

[HIGH] In the Linux kernel, the following vulnerability has been resolved: bpf: Fix a potential use-after-free of BTF object Refcounting in the check_pseudo_btf_id() function is incorrect: the __check_pseudo_btf_id() function might get called with a zero refcounted btf.

Tue, 16 Jun 2026 02:34:35 GMT

CVSS 7.8 | In the Linux kernel, the following vulnerability has been resolved: bpf: Fix a potential use-after-free of BTF object Refcounting in the check_pseudo_btf_id() function is incorrect: the __check_pseudo_btf_id() function might get called with a zero refcounted btf. Fix this, and patch related cod... | Mitigation: See vendor advisory: https://git.kernel.org/stable/c/9ff46ffeecdb1802d6e26183177935b948a12e7f | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-45951

[MEDIUM] In the Linux kernel, the following vulnerability has been resolved: md/raid5: fix IO hang with degraded array with llbitmap When llbitmap bit state is still unwritten, any new write should force rcw, as bitmap_ops->blocks_synced() is checked in handle_stripe_dirtying().

Tue, 16 Jun 2026 02:34:19 GMT

CVSS 5.5 | In the Linux kernel, the following vulnerability has been resolved: md/raid5: fix IO hang with degraded array with llbitmap When llbitmap bit state is still unwritten, any new write should force rcw, as bitmap_ops->blocks_synced() is checked in handle_stripe_dirtying(). However, later the same ... | Mitigation: See vendor advisory: https://git.kernel.org/stable/c/28ef299e7a5b81817f8ca8297c2ddff28f5da5e8 | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-45953

[MEDIUM] In the Linux kernel, the following vulnerability has been resolved: fbdev: au1200fb: Fix a memory leak in au1200fb_drv_probe() In au1200fb_drv_probe(), when platform_get_irq fails(), it directly returns from the function with an error code, which causes a memory leak.

Tue, 16 Jun 2026 02:33:44 GMT

CVSS 5.5 | In the Linux kernel, the following vulnerability has been resolved: fbdev: au1200fb: Fix a memory leak in au1200fb_drv_probe() In au1200fb_drv_probe(), when platform_get_irq fails(), it directly returns from the function with an error code, which causes a memory leak. Replace it with a goto la... | Mitigation: See vendor advisory: https://git.kernel.org/stable/c/071d8fb757a8318f72c8e02898c2cf7e14e21fb6 | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-45954

[HIGH] In the Linux kernel, the following vulnerability has been resolved: md/md-llbitmap: fix percpu_ref not resurrected on suspend timeout When llbitmap_suspend_timeout() times out waiting for percpu_ref to become zero, it returns -ETIMEDOUT without resurrecting the percpu_ref.

Tue, 16 Jun 2026 02:33:32 GMT

CVSS 7.1 | In the Linux kernel, the following vulnerability has been resolved: md/md-llbitmap: fix percpu_ref not resurrected on suspend timeout When llbitmap_suspend_timeout() times out waiting for percpu_ref to become zero, it returns -ETIMEDOUT without resurrecting the percpu_ref. The caller (md_llbitm... | Mitigation: See vendor advisory: https://git.kernel.org/stable/c/095417d6b669c2dec39a5842ccb94df915f97f54 | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-45955

[HIGH] In the Linux kernel, the following vulnerability has been resolved: drm/exynos: vidi: use priv->vidi_dev for ctx lookup in vidi_connection_ioctl() vidi_connection_ioctl() retrieves the driver_data from drm_dev->dev to obtain a struct vidi_context pointer.

Tue, 16 Jun 2026 02:33:20 GMT

CVSS 7.8 | In the Linux kernel, the following vulnerability has been resolved: drm/exynos: vidi: use priv->vidi_dev for ctx lookup in vidi_connection_ioctl() vidi_connection_ioctl() retrieves the driver_data from drm_dev->dev to obtain a struct vidi_context pointer. However, drm_dev->dev is the exynos-drm... | Mitigation: See vendor advisory: https://git.kernel.org/stable/c/21ca24ba51a2c28bcc4df9d7e5a40b0eb66ab76d | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-45956

[HIGH] In the Linux kernel, the following vulnerability has been resolved: rcu: Fix rcu_read_unlock() deadloop due to softirq Commit 5f5fa7ea89dc ("rcu: Don't use negative nesting depth in __rcu_read_unlock()") removes the recursion-protection code from __rcu_read_unlock().

Tue, 16 Jun 2026 02:32:46 GMT

CVSS 7.1 | In the Linux kernel, the following vulnerability has been resolved: rcu: Fix rcu_read_unlock() deadloop due to softirq Commit 5f5fa7ea89dc ("rcu: Don't use negative nesting depth in __rcu_read_unlock()") removes the recursion-protection code from __rcu_read_unlock(). Therefore, we could invoke ... | Mitigation: See vendor advisory: https://git.kernel.org/stable/c/1f16679a5aa60238466ce339c35f5e82ece60337 | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-45957

[HIGH] In the Linux kernel, the following vulnerability has been resolved: drm/exynos: vidi: fix to avoid directly dereferencing user pointer In vidi_connection_ioctl(), vidi->edid(user pointer) is directly dereferenced in the kernel.

Tue, 16 Jun 2026 02:32:24 GMT

CVSS 7.1 | In the Linux kernel, the following vulnerability has been resolved: drm/exynos: vidi: fix to avoid directly dereferencing user pointer In vidi_connection_ioctl(), vidi->edid(user pointer) is directly dereferenced in the kernel. This allows arbitrary kernel memory access from the user space, so... | Mitigation: See vendor advisory: https://git.kernel.org/stable/c/13537f7f6d28a87ee2e496e071b6ad9541905f23 | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-45958

[HIGH] In the Linux kernel, the following vulnerability has been resolved: crypto: ccp - Fix a crash due to incorrect cleanup usage of kfree Annotating a local pointer variable, which will be assigned with the kmalloc-family functions, with the `__cleanup(kfree)` attribute will make the address of the local variable, rather than the address returned by kmalloc, passed to kfree directly and lead to a crash due to invalid deallocation of stack address.

Tue, 16 Jun 2026 02:32:16 GMT

CVSS 7.8 | In the Linux kernel, the following vulnerability has been resolved: crypto: ccp - Fix a crash due to incorrect cleanup usage of kfree Annotating a local pointer variable, which will be assigned with the kmalloc-family functions, with the `__cleanup(kfree)` attribute will make the address of the... | Mitigation: See vendor advisory: https://git.kernel.org/stable/c/90f9090e3e744a8fe3bb6fa0e61f577347728b0b | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-45959

[MEDIUM] In the Linux kernel, the following vulnerability has been resolved: hfsplus: return error when node already exists in hfs_bnode_create When hfs_bnode_create() finds that a node is already hashed (which should not happen in normal operation), it currently returns the existing node without incrementing its reference count.

Tue, 16 Jun 2026 02:32:06 GMT

CVSS 5.5 | In the Linux kernel, the following vulnerability has been resolved: hfsplus: return error when node already exists in hfs_bnode_create When hfs_bnode_create() finds that a node is already hashed (which should not happen in normal operation), it currently returns the existing node without increm... | Mitigation: See vendor advisory: https://git.kernel.org/stable/c/1ca428769cb4737a25bd32fb4d1573cc09eeaeef | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-45960

[MEDIUM] In the Linux kernel, the following vulnerability has been resolved: gfs2: fix memory leaks in gfs2_fill_super error path Fix two memory leaks in the gfs2_fill_super() error handling path when transitioning a filesystem to read-write mode fails.

Tue, 16 Jun 2026 02:31:41 GMT

CVSS 5.5 | In the Linux kernel, the following vulnerability has been resolved: gfs2: fix memory leaks in gfs2_fill_super error path Fix two memory leaks in the gfs2_fill_super() error handling path when transitioning a filesystem to read-write mode fails. First leak: kthread objects (thread_struct, task_... | Mitigation: See vendor advisory: https://git.kernel.org/stable/c/da6f5bbc2e7902f578b503f2a4c3d8d09ca4b102 | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-45961

[MEDIUM] In the Linux kernel, the following vulnerability has been resolved: ublk: Validate SQE128 flag before accessing the cmd ublk_ctrl_cmd_dump() accesses (header *)sqe->cmd before IO_URING_F_SQE128 flag check.

Tue, 16 Jun 2026 02:31:13 GMT

CVSS 5.5 | In the Linux kernel, the following vulnerability has been resolved: ublk: Validate SQE128 flag before accessing the cmd ublk_ctrl_cmd_dump() accesses (header *)sqe->cmd before IO_URING_F_SQE128 flag check. This could cause out of boundary memory access. Move the SQE128 flag check earlier in ub... | Mitigation: See vendor advisory: https://git.kernel.org/stable/c/17d33ba7291100008360b5a354962db37ad80684 | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-45962

[MEDIUM] In the Linux kernel, the following vulnerability has been resolved: ASoC: nau8821: Cancel delayed work on component remove Attempting to unload the driver while a jack detection work is pending would likely crash the kernel when it is eventually scheduled for execution: [ 1984.896308] BUG: unable to handle page fault for address: ffffffffc10c2a20 [...] [ 1984.896388] Hardware name: Valve Jupiter/Jupiter, BIOS F7A0131 01/30/2024 [ 1984.896396] Workqueue: events nau8821_jdet_work [snd_soc_nau8821] [ 1984.896414] RIP: 0010:__mutex_lock+0x9f/0x11d0 [...] [ 1984.896504] Call Trace: [ 1984.896511] [ 1984.896524] ?

Tue, 16 Jun 2026 02:30:25 GMT

CVSS 5.5 | In the Linux kernel, the following vulnerability has been resolved: ASoC: nau8821: Cancel delayed work on component remove Attempting to unload the driver while a jack detection work is pending would likely crash the kernel when it is eventually scheduled for execution: [ 1984.896308] BUG: una... | Mitigation: See vendor advisory: https://git.kernel.org/stable/c/3955767ec39dcc0358470ffe6535703e2b7fd815 | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-45963

[MEDIUM] In the Linux kernel, the following vulnerability has been resolved: SUNRPC: fix gss_auth kref leak in gss_alloc_msg error path Commit 5940d1cf9f42 ("SUNRPC: Rebalance a kref in auth_gss.c") added a kref_get(&gss_auth->kref) call to balance the gss_put_auth() done in gss_release_msg(), but forgot to add a corresponding kref_put() on the error path when kstrdup_const() fails.

Tue, 16 Jun 2026 02:29:40 GMT

CVSS 5.5 | In the Linux kernel, the following vulnerability has been resolved: SUNRPC: fix gss_auth kref leak in gss_alloc_msg error path Commit 5940d1cf9f42 ("SUNRPC: Rebalance a kref in auth_gss.c") added a kref_get(&gss_auth->kref) call to balance the gss_put_auth() done in gss_release_msg(), but forgo... | Mitigation: See vendor advisory: https://git.kernel.org/stable/c/3b2b6c42070ce4204936288253baf101e995c2d3 | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-45964

[MEDIUM] A flaw was found in GnuTLS.

Tue, 16 Jun 2026 02:16:19 GMT

CVSS 6.6 | A flaw was found in GnuTLS. The `gnutls_pkcs11_token_set_pin` function, used for changing the Security Officer PIN, can lead to a use-after-free vulnerability. This occurs when an attacker attempts to change the PIN with a NULL old PIN for a token that lacks a protected authentication path. | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42014

[MEDIUM] A flaw was found in the GNOME localsearch (previously known as tracker-miners) MP3 Extractor `tracker-extract-mp3` component.

Tue, 16 Jun 2026 02:16:18 GMT

CVSS 5.6 | A flaw was found in the GNOME localsearch (previously known as tracker-miners) MP3 Extractor `tracker-extract-mp3` component. A remote attacker could exploit this heap buffer overflow vulnerability by providing a specially crafted MP3 file containing malformed ID3 tags. This incorrect length calc... | NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-1767