Vulnerabilities - Yack CVE

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2026-46239 1Linux 1Linux Kernel Jun 10, 2026 May 28, 2026 N/A· v4 5.5 MEDIUM· v3 N/A· v2 In the Linux kernel, the following vulnerability has been resolved: media: i2c: ov5647: Fix runtime PM refcount leak in s_ctrl Three control cases (AUTOGAIN, EXPOSURE_AUTO, ANALOGUE_GAIN) directly return without callin...Show more In the Linux kernel, the following vulnerability has been resolved: media: i2c: ov5647: Fix runtime PM refcount leak in s_ctrl Three control cases (AUTOGAIN, EXPOSURE_AUTO, ANALOGUE_GAIN) directly return without calling pm_runtime_put(), causing runtime PM reference count leaks. Change these cases from 'return' to 'ret = ... break' pattern to ensure pm_runtime_put() is always called before function exit.Show less
CVE-2026-45778 1Buffalo 1Open Xdmod Jun 10, 2026 Jun 5, 2026 8.6 HIGH· v4 5.4 MEDIUM· v3 N/A· v2 OpenXDMoD is an open framework for collecting and analyzing HPC metrics. Prior to version 11.0.3, an authenticated attacker can inject malicious JavaScript into their Open XDMoD user profile and abuse the password reset...Show more OpenXDMoD is an open framework for collecting and analyzing HPC metrics. Prior to version 11.0.3, an authenticated attacker can inject malicious JavaScript into their Open XDMoD user profile and abuse the password reset functionality to email a link to an HTML page, which when visited by the victim, reflects and executes the unsanitized payload in the victim's browser, potentially leading to credential capture and Open XDMoD account takeover. All deployments of Open XDMoD prior to 11.0.3 are impacted. This issue was reported privately on 2026-04-06, and at this time there is no evidence that this vulnerability has been exploited in the wild. The vulnerability was patched in Open XDMoD 11.0.3 on 2026-05-12. As a workaround, apply the patch manually.Show less
CVE-2026-46240 1Linux 1Linux Kernel Jun 10, 2026 May 28, 2026 N/A· v4 7.8 HIGH· v3 N/A· v2 In the Linux kernel, the following vulnerability has been resolved: media: iris: Fix use-after-free in iris_release_internal_buffers() The recent change in commit 1dabf00ee206 ("media: iris: gen1: Destroy internal buff...Show more In the Linux kernel, the following vulnerability has been resolved: media: iris: Fix use-after-free in iris_release_internal_buffers() The recent change in commit 1dabf00ee206 ("media: iris: gen1: Destroy internal buffers after FW releases") introduced a regression where session_release_buf() may free the buffer. The caller, iris_release_internal_buffers(), continued to access `buffer` after the call, leading to a potential use-after-free. Fix this by setting BUF_ATTR_PENDING_RELEASE before calling session_release_buf(), and reverting the flag if the call fails. This ensures no dereference occurs after potential freeing.Show less
CVE-2026-45779 1Buffalo 1Open Xdmod Jun 10, 2026 Jun 5, 2026 9.3 CRITICAL· v4 9.8 CRITICAL· v3 N/A· v2 OpenXDMoD is an open framework for collecting and analyzing HPC metrics. An SQL injection vulnerability exists in Open XDMoD versions prior to 10.0.3 that allows an unauthenticated remote attacker to execute arbitrary SQ...Show more OpenXDMoD is an open framework for collecting and analyzing HPC metrics. An SQL injection vulnerability exists in Open XDMoD versions prior to 10.0.3 that allows an unauthenticated remote attacker to execute arbitrary SQL statements. Exploitation requires no authentication or user interaction and can result in complete compromise of the underlying database. All deployments of Open XDMoD prior to 10.0.3 are impacted. This issue was discovered on 2023-08-03 and patched on 2023-08-04. At this time there is no evidence that this vulnerability has been exploited in the wild. The vulnerability was patched in Open XDMoD 10.0.3 on 2023-08-04. As a workaround, apply the patch manually.Show less
CVE-2026-46241 1Linux 1Linux Kernel Jun 10, 2026 May 28, 2026 N/A· v4 7.8 HIGH· v3 N/A· v2 In the Linux kernel, the following vulnerability has been resolved: spi: mpc52xx: fix use-after-free on registration failure Make sure to disable and free the interrupts in case controller registration fails to avoid a...Show more In the Linux kernel, the following vulnerability has been resolved: spi: mpc52xx: fix use-after-free on registration failure Make sure to disable and free the interrupts in case controller registration fails to avoid a potential use-after-free and resource leak. This issue was flagged by Sashiko when reviewing a controller deregistration fix.Show less
CVE-2026-45658 1Microsoft 13Windows 10 1607 Windows 10 1809Windows 10 21h2+10 more Jun 10, 2026 Jun 9, 2026 N/A· v4 6.8 MEDIUM· v3 N/A· v2 Protection mechanism failure in Windows BitLocker allows an unauthorized attacker to bypass a security feature with a physical attack.
CVE-2026-9758 - - Jun 10, 2026 Jun 10, 2026 N/A· v4 7.3 HIGH· v3 N/A· v2 Improper comparison with the certificates trusted list in S2OPC allows an attacker well-formed untrusted certificate to be considered trusted
CVE-2026-45782 - - Jun 10, 2026 Jun 10, 2026 8.9 HIGH· v4 N/A· v3 N/A· v2 Cloud Hypervisor is a Virtual Machine Monitor for Cloud workloads. From version 21.0 to before version 51.2, a guest can cause a use-after-free in the cloud-hypervisor process by submitting two virtio-block descriptor ch...Show more Cloud Hypervisor is a Virtual Machine Monitor for Cloud workloads. From version 21.0 to before version 51.2, a guest can cause a use-after-free in the cloud-hypervisor process by submitting two virtio-block descriptor chains that reuse the same head_index while asynchronous block I/O is enabled (e.g. io_uring, aio). When the kernel completes the duplicate operation before the original, the completion path frees a bounce buffer that the kernel is still actively reading from or writing to, corrupting the freed memory. This issue has been patched in versions 51.2 and 52.0.Show less
CVE-2026-44505 - - Jun 10, 2026 Jun 10, 2026 N/A· v4 5.3 MEDIUM· v3 N/A· v2 Nimiq is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. network-libp2p handles kad get-record query progress in handle_dht_get (network-libp2p/src/swarm.rs). Prior...Show more Nimiq is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. network-libp2p handles kad get-record query progress in handle_dht_get (network-libp2p/src/swarm.rs). Prior to version 1.4.0, when a peer returns a FoundRecord, the code verifies the record via dht_verifier.verify(&record.record). On verifier error, handle_dht_get logs and returns early without completing the oneshot used by Network::dht_get, and without cleaning up per-query bookkeeping. Later query progress can hit the "DHT inconsistent state" path and also return without cleanup. Because Network::dht_get awaits the oneshot without a timeout, the caller future can hang indefinitely. This issue has been patched in version 1.4.0.Show less
CVE-2026-44963 - - Jun 10, 2026 Jun 9, 2026 9.4 CRITICAL· v4 N/A· v3 N/A· v2 A vulnerability allowing remote code execution (RCE) on the Backup Server by an authenticated domain user.
CVE-2026-47288 1Microsoft 5Windows Server 2012 Windows Server 2016Windows Server 2019+2 more Jun 10, 2026 Jun 9, 2026 N/A· v4 7.1 HIGH· v3 N/A· v2 Integer overflow or wraparound in Windows Kerberos allows an authorized attacker to execute code over an adjacent network.
CVE-2026-47291 1Microsoft 13Windows 10 1607 Windows 10 1809Windows 10 21h2+10 more Jun 10, 2026 Jun 9, 2026 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Integer overflow or wraparound in Windows HTTP.sys allows an unauthorized attacker to execute code over a network.
CVE-2026-47634 1Microsoft 1Sharepoint Server Jun 10, 2026 Jun 9, 2026 N/A· v4 5.4 MEDIUM· v3 N/A· v2 Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
CVE-2026-47636 1Microsoft 1Sharepoint Server Jun 10, 2026 Jun 9, 2026 N/A· v4 5.4 MEDIUM· v3 N/A· v2 Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
CVE-2026-45657 1Microsoft 6Windows 11 23h2 Windows 11 24h2Windows 11 25h2+3 more Jun 10, 2026 Jun 9, 2026 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Use after free in Windows Kernel allows an unauthorized attacker to execute code over a network.
CVE-2026-45656 1Microsoft 13Windows 10 1607 Windows 10 1809Windows 10 21h2+10 more Jun 10, 2026 Jun 9, 2026 N/A· v4 7.8 HIGH· v3 N/A· v2 Protection mechanism failure in Windows UEFI allows an authorized attacker to bypass a security feature locally.
CVE-2026-45453 1Microsoft 1Sharepoint Server Jun 10, 2026 Jun 9, 2026 N/A· v4 5.4 MEDIUM· v3 N/A· v2 Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
CVE-2026-45454 1Microsoft 1Sharepoint Server Jun 10, 2026 Jun 9, 2026 N/A· v4 8.8 HIGH· v3 N/A· v2 Improper limitation of a pathname to a restricted directory ('path traversal') in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
CVE-2026-45462 1Microsoft 1Sharepoint Server Jun 10, 2026 Jun 9, 2026 N/A· v4 5.4 MEDIUM· v3 N/A· v2 Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
CVE-2026-45464 1Microsoft 1Sharepoint Server Jun 10, 2026 Jun 9, 2026 N/A· v4 5.4 MEDIUM· v3 N/A· v2 Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
CVE-2026-45465 1Microsoft 1Sharepoint Server Jun 10, 2026 Jun 9, 2026 N/A· v4 5.4 MEDIUM· v3 N/A· v2 Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.
CVE-2026-53689 - - Jun 10, 2026 Jun 10, 2026 N/A· v4 7.1 HIGH· v3 N/A· v2 libnfs through 6.0.2 before 55c18ea does not validate a string size, leading to an integer overflow during a connection to a crafted NFS server. This occurs in libnfs_zdr_string in lib/libnfs-zdr.c.
CVE-2026-36719 - - Jun 10, 2026 Jun 9, 2026 N/A· v4 7.5 HIGH· v3 N/A· v2 An information disclosure vulnerability in the /api/v1/user/info endpoint of AgentChat v2.3.0 allows unauthenticated attackers to obtain sensitive information, including SHA256 password hashes, via enumerating user IDs.
CVE-2026-6893 - - Jun 10, 2026 Jun 10, 2026 N/A· v4 8.8 HIGH· v3 N/A· v2 A flaw was found in dracut. A remote attacker on the adjacent network can exploit this vulnerability by providing specially crafted DHCP (Dynamic Host Configuration Protocol) options, such as a malicious hostname, to a s...Show more A flaw was found in dracut. A remote attacker on the adjacent network can exploit this vulnerability by providing specially crafted DHCP (Dynamic Host Configuration Protocol) options, such as a malicious hostname, to a system using dracut's legacy DHCP path. These options are improperly handled and written into temporary shell scripts without proper escaping, leading to command injection. This allows the attacker to achieve root code execution within the initramfs, potentially compromising the system's boot and network behavior.Show less
CVE-2026-50127 - - Jun 10, 2026 Jun 10, 2026 N/A· v4 5.9 MEDIUM· v3 N/A· v2 Weblate is a web based localization tool. From version 5.15 to before version 2026.6, Weblate's VCS_RESTRICT_PRIVATE did not properly account for some transitional IPv6 ranges, multicast addresses, or some semi-private I...Show more Weblate is a web based localization tool. From version 5.15 to before version 2026.6, Weblate's VCS_RESTRICT_PRIVATE did not properly account for some transitional IPv6 ranges, multicast addresses, or some semi-private IPv4 ranges, which allowed some addresses to bypass private range restrictions. This issue has been patched in version 2026.6.Show less

Previous 1...424344...14313 Next

Vulnerabilities (CVE)