CVE Database
In the Linux kernel, the following vulnerability has been resolved: KVM: nSVM: Raise #UD if unhandled VMMCALL isn't intercepted by L1 Explicitly synthesize a #UD for VMMCALL if L2 is active, L1 does NOT want to intercept VMMCALL, nested_svm_l2_tlb_flush_enabled() is true, and the hypercall is something other than one of the supported Hyper-V hypercalls. When all of the above conditions are met, KVM will intercept VMMCALL but never forward it to L1, i.e. will let L2 make hypercalls as if it were L1. The TLFS says a whole lot of nothing about this scenario, so go with the architectural behavior, which says that VMMCALL #UDs if it's not intercepted. Opportunistically do a 2-for-1 stub trade by stub-ifying the new API instead of the helpers it uses. The last remaining "single" stub will soon be dropped as well. [sean: rewrite changelog and comment, tag for stable, remove defunct stubs]
Invocation of process using visible sensitive information vulnerability in TUBITAK BILGEM Software Technologies Research Institute Pardus Domain Joiner allows Excavation. This issue affects Pardus Domain Joiner: from 0.5.2 before 0.5.4.
OpenClaw versions prior to 2026.2.14 contain a path traversal vulnerability in sandbox skill mirroring (must be enabled) that uses the skill frontmatter name parameter unsanitized when copying skills into the sandbox workspace. Attackers who provide a crafted skill package with traversal sequences like ../ or absolute paths in the name field can write files outside the sandbox workspace root directory.
Protection mechanism failure in Windows Secure Boot allows an authorized attacker to bypass a security feature locally.
Protection mechanism failure in Windows Secure Boot allows an authorized attacker to bypass a security feature locally.
NetDrive 2.6.12 contains an unquoted service path vulnerability in the Netdrive2_Service_Netdrive2 service that allows local users to execute arbitrary code with SYSTEM privileges. Attackers can insert malicious executables in the system root path that will be executed during service startup or system reboot, resulting in privilege escalation.
InCopy versions 21.3, 20.5.3 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
InDesign Desktop versions 21.3, 20.5.3 and earlier are affected by a Stack-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.5, glances/outdated.py uses pickle.load() to read a version-check cache file stored at a predictable, world-accessible path (~/.cache/glances/glances-version.db or $XDG_CACHE_HOME/glances/glances-version.db). No integrity check, signature verification, or format validation is performed before deserialization. An attacker with write access to that path — through any of several realistic local or container-level scenarios — can plant a malicious pickle file and achieve arbitrary code execution as the OS user running Glances the next time it starts with version checking enabled (the default). This vulnerability is fixed in 4.5.5.
MariaDB server is a community developed fork of MySQL server. From versions 10.6.1 to before 10.6.26, 10.11.1 to before 10.11.17, 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1, mbstream did not check for /../ in the path when unpacking the archive. A proper backup can never contain such paths, but a specially crafted archive could have caused mbstream to create files outside of the target-dir path. This issue has been patched in versions 10.6.26, 10.11.17, 11.4.11, 11.8.7, and 12.3.2.
Heap-based buffer overflow in Windows NTFS allows an unauthorized attacker to execute code locally.
Gematik Authenticator securely authenticates users for login to digital health applications. Starting in version 4.12.0 and prior to version 4.16.0, the Mac OS version of the Authenticator is vulnerable to remote code execution, triggered when victims open a malicious file. Update the gematik Authenticator to version 4.16.0 or greater to receive a patch. There are no known workarounds.
A security flaw has been discovered in EaseUS Partition Master up to 14.5. The impacted element is an unknown function in the library EUEDKEPM.sys of the component Kernel Driver. The manipulation results in improper access controls. The attack requires a local approach. The exploit has been released to the public and may be used for attacks. The affected component should be upgraded. The vendor explains: "We have confirmed that this issue was present only in older versions of the product. Our product has since been updated, and the issue has been resolved in the latest version, so it no longer exists."
A use-after-free flaw was found in the X.Org X server and Xwayland in miSyncDestroyFence(). A client that sets up multiple fence triggers can trigger a use-after-free function pointer call. An attacker would connect to the X server to set up a fence and await that fence, then a second X connection destroys the fence, causing the use-after-free. This may be used to crash the server, or for privilege escalation if the X server runs as root.
Brother SAPSprint 7.60 contains an unquoted service path vulnerability in the SAPSprint service binary that allows local attackers to escalate privileges. Attackers can place a malicious executable in the Program Files directory path to be executed with LocalSystem privileges when the service starts automatically.
Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, several ProcessServer handlers (KillAllHandler, SuspendAllHandler, and RunSandboxedHandler) copy a WCHAR boxname[34] field from request structures into WCHAR[40] stack buffers using wcscpy without verifying null termination. Because the service pipe accepts variable-length packets larger than the request structure, an attacker can fill the boxname field with non-zero data and append additional controlled wide characters after the structure. wcscpy then reads past the fixed field and overflows the destination stack buffer. The service pipe is created with a NULL DACL, allowing any local process to connect, and the unsafe copy occurs before authorization checks. This can lead to a crash of the SbieSvc service or potential code execution as SYSTEM. This issue has been fixed in version 1.17.3.
Missing input source validation in the tool authorization prompt in Kiro CLI before 1.28.0 allows a local attacker to execute arbitrary tools, including shell commands, without user approval by crafting content that is piped to kiro-cli via stdin. We recommend you to upgrade to kiro-cli version 1.28.0 or later.
Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Improper link resolution before file access ('link following') in Microsoft PC Manager allows an authorized attacker to elevate privileges locally.
WorkgroupMail 7.5.1 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted binary path to inject malicious executables that will be run with LocalSystem privileges during service startup.
Improper access control in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.
Out-of-bounds read in Windows NTFS allows an authorized attacker to elevate privileges locally.
In the Linux kernel, the following vulnerability has been resolved: usb: usbtmc: Flush anchored URBs in usbtmc_release When calling usbtmc_release, pending anchored URBs must be flushed or killed to prevent use-after-free errors (e.g. in the HCD giveback path). Call usbtmc_draw_down() to allow anchored URBs to be completed.
In resumeConfigurationDispatch of ActivityRecord.java, there is a possible background application launch (bal) due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
SEPPmail Secure Email Gateway before version 15.0.3 does not properly authenticate the inner message of S/MIME-encrypted MIME entities, allowing an attacker to control trusted headers.
BlackMoon FTP Server 3.1.2.1731 contains an unquoted service path vulnerability that allows local users to potentially execute code with elevated system privileges. Attackers can exploit the unquoted binary path in the service configuration to insert malicious code that would execute with LocalSystem account permissions during service startup.
SEPPmail Secure Email Gateway before version 15.0.3 allows account takeover by abusing GINA account initialization to reset a victim account password.
In validateNode of ResourceTypes.cpp, there is a possible out of bounds read due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Code execution in AssistFeedbackService of TECNO Pova7 Pro 5G on Android allows local apps to execute arbitrary code as system via command injection.
Substance3D - Stager versions 3.1.7 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
An issue in ESA AnomalyMatch before 1.3.1 allow attackers to execute arbitrary code via crafted model checkpoint files. The affected components load model files from session directories using torch.load() with unrestricted deserialization.
Substance3D - Stager versions 3.1.7 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Out-of-bounds read in Windows Resilient File System (ReFS) allows an authorized attacker to elevate privileges locally.
OpenClaw versions 2026.2.26 prior to 2026.3.1 on Windows contain a current working directory injection vulnerability in wrapper resolution for .cmd/.bat files that allows attackers to influence execution behavior through cwd manipulation. Remote attackers can exploit improper shell execution fallback mechanisms to achieve command execution integrity loss by controlling the current working directory during wrapper resolution.
External control of file name or path in Windows Kernel allows an authorized attacker to elevate privileges locally.
Memory Corruption when running a memory copy operation due to invalid writes caused by a null pointer.
OpenClaw versions prior to 2026.2.19 contain a local command injection vulnerability in Windows scheduled task script generation due to unsafe handling of cmd metacharacters and expansion-sensitive characters in gateway.cmd files. Local attackers with control over service script generation arguments can inject arbitrary commands by providing metacharacter-only values or CR/LF sequences that execute unintended code in the scheduled task context.
In multiple locations, there is a possible misleading UI due to obfuscation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
In the Linux kernel, the following vulnerability has been resolved: can: isotp: fix tx.buf use-after-free in isotp_sendmsg() isotp_sendmsg() uses only cmpxchg() on so->tx.state to serialize access to so->tx.buf. isotp_release() waits for ISOTP_IDLE via wait_event_interruptible() and then calls kfree(so->tx.buf). If a signal interrupts the wait_event_interruptible() inside close() while tx.state is ISOTP_SENDING, the loop exits early and release proceeds to force ISOTP_SHUTDOWN and continues to kfree(so->tx.buf) while sendmsg may still be reading so->tx.buf for the final CAN frame in isotp_fill_dataframe(). The so->tx.buf can be allocated once when the standard tx.buf length needs to be extended. Move the kfree() of this potentially extended tx.buf to sk_destruct time when either isotp_sendmsg() and isotp_release() are done.
OpenClaw before 2026.5.27 contains an arbitrary code execution vulnerability in skill install flows where workspace .env files can override the Homebrew executable selection. Attackers with access to trusted operator workspaces can execute unintended Homebrew-compatible executables during skill setup to compromise the system.
Heap-based buffer overflow in Windows Kernel allows an authorized attacker to elevate privileges locally.
Double free in Windows Kernel allows an authorized attacker to elevate privileges locally.
NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module module, which might allow an attacker to trigger a buffer over-read or over-write to the NGINX worker memory resulting in its termination or possibly code execution, using a specially crafted MP4 file. This issue affects NGINX Open Source and NGINX Plus if it is built with the ngx_http_mp4_module module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted MP4 file with the ngx_http_mp4_module module. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in joncampbell123 doslib.This issue affects doslib: before doslib-20250729.
ActiveFax Server 6.92 Build 0316 contains an unquoted service path vulnerability in the ActiveFaxServiceNT service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted binary path to inject malicious executables that will be launched with elevated administrative privileges.
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in linkingvision rapidvms.This issue affects rapidvms: before PR#96.
The user-controllable executable files will be directly executed by high-privilege processes, allowing low-privilege users to have the opportunity to elevate their privileges to NT AUTHORITY\SYSTEM.
When dealing with abnormally constructed objects, there is a lack of argument validation; JavaScript triggers signature verification, but the signature plugin does not perform validation when copying the abnormal string, causing the application to crash.
Premiere Pro versions 26.0.2, 25.6.4 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
After the application opened the PDF file, the script first reset the annotation status, then triggered the reset form event by additional action. During the re-entry process, the application access invalid objects and crashed.
| CVE ID | Priority | CVSS | EPSS | Severity | CWE | Exploit Status | Action | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-46076 | 0 MINIMAL | 7.9 | 0.02% P: 4.9% | HIGH | — | none | MONITOR | In the Linux kernel, the following vulnerability has been resolved: KVM: nSVM: Raise #UD if unhandled VMMCALL isn't intercepted by L1 Explicitly synthesize a #UD for VMMCALL if L2 is active, L1 does NOT want to intercept VMMCALL, nested_svm_l2_tlb_flush_enabled() is true, and the hypercall is something other than one of the supported Hyper-V hypercalls. When all of the above conditions are met, KVM will intercept VMMCALL but never forward it to L1, i.e. will let L2 make hypercalls as if it were L1. The TLFS says a whole lot of nothing about this scenario, so go with the architectural behavior, which says that VMMCALL #UDs if it's not intercepted. Opportunistically do a 2-for-1 stub trade by stub-ifying the new API instead of the helpers it uses. The last remaining "single" stub will soon be dropped as well. [sean: rewrite changelog and comment, tag for stable, remove defunct stubs] |
| CVE-2026-12250 | 0 MINIMAL | 7.9 | 0.11% P: 1.3% | HIGH | CWE-214 | none | MONITOR | Invocation of process using visible sensitive information vulnerability in TUBITAK BILGEM Software Technologies Research Institute Pardus Domain Joiner allows Excavation. This issue affects Pardus Domain Joiner: from 0.5.2 before 0.5.4. |
| CVE-2026-28457 | 0 MINIMAL | 7.9 | 0.01% P: 1.1% | HIGH | CWE-22 | none | MONITOR | OpenClaw versions prior to 2026.2.14 contain a path traversal vulnerability in sandbox skill mirroring (must be enabled) that uses the skill frontmatter name parameter unsanitized when copying skills into the sandbox workspace. Attackers who provide a crafted skill package with traversal sequences like ../ or absolute paths in the name field can write files outside the sandbox workspace root directory. |
| CVE-2026-48578 | 0 MINIMAL | 7.9 | 0.06% P: 19.2% | HIGH | CWE-284 | none | MONITOR | Protection mechanism failure in Windows Secure Boot allows an authorized attacker to bypass a security feature locally. |
| CVE-2026-48568 | 0 MINIMAL | 7.9 | 0.08% P: 24.7% | HIGH | CWE-693 | none | MONITOR | Protection mechanism failure in Windows Secure Boot allows an authorized attacker to bypass a security feature locally. |
| CVE-2016-20092 | 0 MINIMAL | 7.8 | — P: — | HIGH | CWE-428 | none | MONITOR | NetDrive 2.6.12 contains an unquoted service path vulnerability in the Netdrive2_Service_Netdrive2 service that allows local users to execute arbitrary code with SYSTEM privileges. Attackers can insert malicious executables in the system root path that will be executed during service startup or system reboot, resulting in privilege escalation. |
| CVE-2026-34707 | 0 MINIMAL | 7.8 | 0.03% P: 7.4% | HIGH | CWE-122 | none | MONITOR | InCopy versions 21.3, 20.5.3 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. |
| CVE-2026-34702 | 0 MINIMAL | 7.8 | 0.03% P: 7.4% | HIGH | CWE-121 | none | MONITOR | InDesign Desktop versions 21.3, 20.5.3 and earlier are affected by a Stack-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. |
| CVE-2026-46607 | 0 MINIMAL | 7.8 | 0.30% P: 21.9% | HIGH | CWE-502 | none | MONITOR | Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.5, glances/outdated.py uses pickle.load() to read a version-check cache file stored at a predictable, world-accessible path (~/.cache/glances/glances-version.db or $XDG_CACHE_HOME/glances/glances-version.db). No integrity check, signature verification, or format validation is performed before deserialization. An attacker with write access to that path — through any of several realistic local or container-level scenarios — can plant a malicious pickle file and achieve arbitrary code execution as the OS user running Glances the next time it starts with version checking enabled (the default). This vulnerability is fixed in 4.5.5. |
| CVE-2026-44171 | 0 MINIMAL | 7.8 | 0.15% P: 4.8% | HIGH | CWE-22 | none | MONITOR | MariaDB server is a community developed fork of MySQL server. From versions 10.6.1 to before 10.6.26, 10.11.1 to before 10.11.17, 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1, mbstream did not check for /../ in the path when unpacking the archive. A proper backup can never contain such paths, but a specially crafted archive could have caused mbstream to create files outside of the target-dir path. This issue has been patched in versions 10.6.26, 10.11.17, 11.4.11, 11.8.7, and 12.3.2. |
| CVE-2026-45636 | 0 MINIMAL | 7.8 | 0.12% P: 30.0% | HIGH | CWE-20 | none | MONITOR | Heap-based buffer overflow in Windows NTFS allows an unauthorized attacker to execute code locally. |
| CVE-2026-33874 | 0 MINIMAL | 7.8 | 0.07% P: 21.1% | HIGH | CWE-78 | none | MONITOR | Gematik Authenticator securely authenticates users for login to digital health applications. Starting in version 4.12.0 and prior to version 4.16.0, the Mac OS version of the Authenticator is vulnerable to remote code execution, triggered when victims open a malicious file. Update the gematik Authenticator to version 4.16.0 or greater to receive a patch. There are no known workarounds. |
| CVE-2026-12782 | 0 MINIMAL | 7.8 | 0.11% P: 1.5% | HIGH | CWE-266 | none | MONITOR | A security flaw has been discovered in EaseUS Partition Master up to 14.5. The impacted element is an unknown function in the library EUEDKEPM.sys of the component Kernel Driver. The manipulation results in improper access controls. The attack requires a local approach. The exploit has been released to the public and may be used for attacks. The affected component should be upgraded. The vendor explains: "We have confirmed that this issue was present only in older versions of the product. Our product has since been updated, and the issue has been resolved in the latest version, so it no longer exists." |
| CVE-2026-50257 | 0 MINIMAL | 7.8 | 0.01% P: 1.8% | HIGH | CWE-416 | none | MONITOR | A use-after-free flaw was found in the X.Org X server and Xwayland in miSyncDestroyFence(). A client that sets up multiple fence triggers can trigger a use-after-free function pointer call. An attacker would connect to the X server to set up a fence and await that fence, then a second X connection destroys the fence, causing the use-after-free. This may be used to crash the server, or for privilege escalation if the X server runs as root. |
| CVE-2021-47985 | 0 MINIMAL | 7.8 | — P: — | HIGH | CWE-428 | none | MONITOR | Brother SAPSprint 7.60 contains an unquoted service path vulnerability in the SAPSprint service binary that allows local attackers to escalate privileges. Attackers can place a malicious executable in the Program Files directory path to be executed with LocalSystem privileges when the service starts automatically. |
| CVE-2026-34462 | 0 MINIMAL | 7.8 | 0.01% P: 3.1% | HIGH | CWE-121 | none | MONITOR | Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, several ProcessServer handlers (KillAllHandler, SuspendAllHandler, and RunSandboxedHandler) copy a WCHAR boxname[34] field from request structures into WCHAR[40] stack buffers using wcscpy without verifying null termination. Because the service pipe accepts variable-length packets larger than the request structure, an attacker can fill the boxname field with non-zero data and append additional controlled wide characters after the structure. wcscpy then reads past the fixed field and overflows the destination stack buffer. The service pipe is created with a NULL DACL, allowing any local process to connect, and the unsafe copy occurs before authorization checks. This can lead to a crash of the SbieSvc service or potential code execution as SYSTEM. This issue has been fixed in version 1.17.3. |
| CVE-2026-9255 | 0 MINIMAL | 7.8 | 0.01% P: 2.1% | HIGH | CWE-862 | none | MONITOR | Missing input source validation in the tool authorization prompt in Kiro CLI before 1.28.0 allows a local attacker to execute arbitrary tools, including shell commands, without user approval by crafting content that is piped to kiro-cli via stdin. We recommend you to upgrade to kiro-cli version 1.28.0 or later. |
| CVE-2026-47921 | 0 MINIMAL | 7.8 | 0.03% P: 10.0% | HIGH | CWE-416 | none | MONITOR | Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. |
| CVE-2026-50512 | 0 MINIMAL | 7.8 | 0.06% P: 17.5% | HIGH | CWE-306 | none | MONITOR | Improper link resolution before file access ('link following') in Microsoft PC Manager allows an authorized attacker to elevate privileges locally. |
| CVE-2019-25307 | 83 CRITICAL | 7.8 | 0.01% P: 0.3% | HIGH | CWE-428 | weaponized | PATCH WITHIN 24H | WorkgroupMail 7.5.1 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted binary path to inject malicious executables that will be run with LocalSystem privileges during service startup. |
| CVE-2026-25176 | 0 MINIMAL | 7.8 | 0.04% P: 12.5% | HIGH | CWE-284 | none | MONITOR | Improper access control in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally. |
| CVE-2026-25175 | 0 MINIMAL | 7.8 | 0.04% P: 13.7% | HIGH | CWE-125 | none | MONITOR | Out-of-bounds read in Windows NTFS allows an authorized attacker to elevate privileges locally. |
| CVE-2026-31758 | 0 MINIMAL | 7.8 | 0.01% P: 1.8% | HIGH | — | none | MONITOR | In the Linux kernel, the following vulnerability has been resolved: usb: usbtmc: Flush anchored URBs in usbtmc_release When calling usbtmc_release, pending anchored URBs must be flushed or killed to prevent use-after-free errors (e.g. in the HCD giveback path). Call usbtmc_draw_down() to allow anchored URBs to be completed. |
| CVE-2026-0077 | 0 MINIMAL | 7.8 | 0.01% P: 0.6% | HIGH | — | none | MONITOR | In resumeConfigurationDispatch of ActivityRecord.java, there is a possible background application launch (bal) due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. |
| CVE-2026-29143 | 0 MINIMAL | 7.8 | 0.08% P: 24.8% | HIGH | CWE-20 | none | MONITOR | SEPPmail Secure Email Gateway before version 15.0.3 does not properly authenticate the inner message of S/MIME-encrypted MIME entities, allowing an attacker to control trusted headers. |
| CVE-2019-25306 | 83 CRITICAL | 7.8 | 0.01% P: 0.3% | HIGH | CWE-428 | weaponized | PATCH WITHIN 24H | BlackMoon FTP Server 3.1.2.1731 contains an unquoted service path vulnerability that allows local users to potentially execute code with elevated system privileges. Attackers can exploit the unquoted binary path in the service configuration to insert malicious code that would execute with LocalSystem account permissions during service startup. |
| CVE-2026-29139 | 0 MINIMAL | 7.8 | 0.04% P: 12.6% | HIGH | CWE-288 | none | MONITOR | SEPPmail Secure Email Gateway before version 15.0.3 allows account takeover by abusing GINA account initialization to reset a victim account password. |
| CVE-2026-0076 | 0 MINIMAL | 7.8 | 0.01% P: 0.3% | HIGH | — | none | MONITOR | In validateNode of ResourceTypes.cpp, there is a possible out of bounds read due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. |
| CVE-2026-0634 | 0 MINIMAL | 7.8 | 0.05% P: 15.7% | HIGH | CWE-88 | none | MONITOR | Code execution in AssistFeedbackService of TECNO Pova7 Pro 5G on Android allows local apps to execute arbitrary code as system via command injection. |
| CVE-2026-27273 | 0 MINIMAL | 7.8 | 0.03% P: 6.4% | HIGH | CWE-787 | none | MONITOR | Substance3D - Stager versions 3.1.7 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. |
| CVE-2026-38950 | 0 MINIMAL | 7.8 | 0.05% P: 16.7% | HIGH | — | none | MONITOR | An issue in ESA AnomalyMatch before 1.3.1 allow attackers to execute arbitrary code via crafted model checkpoint files. The affected components load model files from session directories using torch.load() with unrestricted deserialization. |
| CVE-2026-27276 | 0 MINIMAL | 7.8 | 0.03% P: 9.2% | HIGH | CWE-416 | none | MONITOR | Substance3D - Stager versions 3.1.7 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. |
| CVE-2026-23673 | 0 MINIMAL | 7.8 | 0.06% P: 18.4% | HIGH | CWE-125 | none | MONITOR | Out-of-bounds read in Windows Resilient File System (ReFS) allows an authorized attacker to elevate privileges locally. |
| CVE-2026-31999 | 0 MINIMAL | 7.8 | 0.06% P: 19.0% | HIGH | CWE-78 | none | MONITOR | OpenClaw versions 2026.2.26 prior to 2026.3.1 on Windows contain a current working directory injection vulnerability in wrapper resolution for .cmd/.bat files that allows attackers to influence execution behavior through cwd manipulation. Remote attackers can exploit improper shell execution fallback mechanisms to achieve command execution integrity loss by controlling the current working directory during wrapper resolution. |
| CVE-2026-24287 | 0 MINIMAL | 7.8 | 0.07% P: 20.6% | HIGH | CWE-73 | none | MONITOR | External control of file name or path in Windows Kernel allows an authorized attacker to elevate privileges locally. |
| CVE-2025-59604 | 0 MINIMAL | 7.8 | 0.01% P: 1.6% | HIGH | CWE-476 | none | MONITOR | Memory Corruption when running a memory copy operation due to invalid writes caused by a null pointer. |
| CVE-2026-31994 | 0 MINIMAL | 7.8 | 0.04% P: 10.9% | HIGH | CWE-78 | none | MONITOR | OpenClaw versions prior to 2026.2.19 contain a local command injection vulnerability in Windows scheduled task script generation due to unsafe handling of cmd metacharacters and expansion-sensitive characters in gateway.cmd files. Local attackers with control over service script generation arguments can inject arbitrary commands by providing metacharacter-only values or CR/LF sequences that execute unintended code in the scheduled task context. |
| CVE-2026-0093 | 0 MINIMAL | 7.8 | 0.01% P: 0.3% | HIGH | CWE-451 | none | MONITOR | In multiple locations, there is a possible misleading UI due to obfuscation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. |
| CVE-2026-31474 | 0 MINIMAL | 7.8 | 0.02% P: 4.8% | HIGH | — | none | MONITOR | In the Linux kernel, the following vulnerability has been resolved: can: isotp: fix tx.buf use-after-free in isotp_sendmsg() isotp_sendmsg() uses only cmpxchg() on so->tx.state to serialize access to so->tx.buf. isotp_release() waits for ISOTP_IDLE via wait_event_interruptible() and then calls kfree(so->tx.buf). If a signal interrupts the wait_event_interruptible() inside close() while tx.state is ISOTP_SENDING, the loop exits early and release proceeds to force ISOTP_SHUTDOWN and continues to kfree(so->tx.buf) while sendmsg may still be reading so->tx.buf for the final CAN frame in isotp_fill_dataframe(). The so->tx.buf can be allocated once when the standard tx.buf length needs to be extended. Move the kfree() of this potentially extended tx.buf to sk_destruct time when either isotp_sendmsg() and isotp_release() are done. |
| CVE-2026-53819 | 0 MINIMAL | 7.8 | 0.30% P: 21.2% | HIGH | CWE-426 | none | MONITOR | OpenClaw before 2026.5.27 contains an arbitrary code execution vulnerability in skill install flows where workspace .env files can override the Homebrew executable selection. Attackers with access to trusted operator workspaces can execute unintended Homebrew-compatible executables during skill setup to compromise the system. |
| CVE-2026-26180 | 0 MINIMAL | 7.8 | 0.06% P: 18.6% | HIGH | CWE-122 | none | MONITOR | Heap-based buffer overflow in Windows Kernel allows an authorized attacker to elevate privileges locally. |
| CVE-2026-26179 | 0 MINIMAL | 7.8 | 0.06% P: 18.6% | HIGH | CWE-415 | none | MONITOR | Double free in Windows Kernel allows an authorized attacker to elevate privileges locally. |
| CVE-2026-32647 | 0 MINIMAL | 7.8 | 0.01% P: 1.2% | HIGH | CWE-125 | none | MONITOR | NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module module, which might allow an attacker to trigger a buffer over-read or over-write to the NGINX worker memory resulting in its termination or possibly code execution, using a specially crafted MP4 file. This issue affects NGINX Open Source and NGINX Plus if it is built with the ngx_http_mp4_module module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted MP4 file with the ngx_http_mp4_module module. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
| CVE-2026-33851 | 0 MINIMAL | 7.8 | 0.01% P: 2.1% | HIGH | CWE-119 | none | MONITOR | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in joncampbell123 doslib.This issue affects doslib: before doslib-20250729. |
| CVE-2019-25310 | 83 CRITICAL | 7.8 | 0.01% P: 2.1% | HIGH | CWE-428 | weaponized | PATCH WITHIN 24H | ActiveFax Server 6.92 Build 0316 contains an unquoted service path vulnerability in the ActiveFaxServiceNT service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted binary path to inject malicious executables that will be launched with elevated administrative privileges. |
| CVE-2026-33847 | 0 MINIMAL | 7.8 | 0.01% P: 2.1% | HIGH | CWE-119 | none | MONITOR | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in linkingvision rapidvms.This issue affects rapidvms: before PR#96. |
| CVE-2026-57239 | 0 MINIMAL | 7.8 | 0.11% P: 1.7% | HIGH | — | none | MONITOR | The user-controllable executable files will be directly executed by high-privilege processes, allowing low-privilege users to have the opportunity to elevate their privileges to NT AUTHORITY\SYSTEM. |
| CVE-2026-57246 | 0 MINIMAL | 7.8 | 0.12% P: 1.9% | HIGH | CWE-120 | none | MONITOR | When dealing with abnormally constructed objects, there is a lack of argument validation; JavaScript triggers signature verification, but the signature plugin does not perform validation when copying the abnormal string, causing the application to crash. |
| CVE-2026-34637 | 0 MINIMAL | 7.8 | 0.03% P: 7.1% | HIGH | CWE-787 | none | MONITOR | Premiere Pro versions 26.0.2, 25.6.4 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. |
| CVE-2026-57249 | 0 MINIMAL | 7.8 | 0.12% P: 1.9% | HIGH | CWE-416 | none | MONITOR | After the application opened the PDF file, the script first reset the annotation status, then triggered the reset form event by additional action. During the re-entry process, the application access invalid objects and crashed. |