CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.07)

CVE-2026-52935
High

In the Linux kernel's xfrm/espintcp module, a vulnerability allows reusing an in-progress partial send state (ctx->partial) before completion. The espintcp_sendmsg() function may overwrite the active send state, leading to an out-of-bounds memory read.

CVE-2026-52934
High

In the Linux kernel's batman-adv module, a buffer overflow vulnerability was found in TVLV packet processing. The function calculating the TVLV container list size used u16 type, causing integer wrap-around when the total exceeds 65535 bytes, leading to undersized buffer allocation and out-of-bounds write.

CVE-2026-52933
High

In the Linux kernel, a vulnerability was found in the io_uring/poll mechanism where a signed comparison in io_poll_get_ownership() prevented the slowpath from being taken when the cancel flag (IO_POLL_CANCEL_FLAG) was set. This could lead to improper handling of cancellation operations.

CVE-2026-52932
High

In the Linux kernel, the xfrm/ipcomp module fails to free destination pages on asynchronous compression (acomp) errors. The fix moves the out_free_req label to ensure the allocated SG list is freed on both error and success paths.

CVE-2026-52929
High

In the Linux kernel, a vulnerability in SCTP stream handling causes incomplete rollback when ADD_OUT_STREAMS is denied. Leftover metadata from removed streams can trigger a null-pointer dereference in the scheduler when the stream is re-added.

CVE-2026-52927
High

In the Linux kernel, a vulnerability in the ebtables module was found where the compat_mtw_from_user() function lacks proper validation of user-supplied match/target size, leading to an out-of-bounds (OOB) read. This affects ebtables extensions that require conversion from 32-bit user structures to kernel native structures.

CVE-2026-52923
High

In the Linux kernel, a vulnerability exists in the SysV IPC ID allocation mechanism. The `ipc_idr_alloc()` function in the checkpoint/restore path can allocate an ID beyond the valid range (`ipc_mni`), causing incorrect object lookup and removal, leading to a use-after-free condition when reading `/proc/sysvipc/shm`.

CVE-2026-52922
High

In the Linux kernel, the batman-adv module (Distributed ARP Table) fails to check the return value of pskb_copy_for_clone(). A failed memory allocation leads to a NULL pointer dereference in batadv_send_skb_prepare_unicast_4addr(), causing a system crash.

CVE-2026-52920
High

A vulnerability was found in the Linux kernel's netfilter xt_policy module, involving incorrect strict mode inbound policy matching. The match_policy_in() function processes sec_path entries in reverse order, causing inconsistency with the expected rule order for multi-element policies.

CVE-2026-52919
High

In the Linux kernel, the batman-adv module's tp_meter counter can underflow during shutdown due to multiple callers decrementing the atomic counter. This causes a sender kthread to loop indefinitely, leading to a use-after-free when the interface is removed.

CVE-2026-52918
High

A vulnerability was found in the Linux kernel's Bluetooth stack due to unsynchronized access to the accept_q queue. The bt_sock_poll() function walks the queue without locking, while child socket teardown can concurrently unlink and release the last reference, causing a race condition. This issue has existed since the initial Bluetooth implementation.

CVE-2026-52917
High

A vulnerability in the Linux kernel's SCTP sock_diag mechanism allows the dump_one function to process stale associations that have already been freed, leading to an out-of-bounds memory read.

CVE-2026-52915
High

In the Linux kernel, a vulnerability was found in the netfilter ip6t_hbh module where the hbh_mt6_check() function does not validate the number of option descriptors (optsnr) from userspace. This lack of validation allows out-of-bounds access to the opts array (off-by-one), potentially causing system instability.

CVE-2026-52912
High

A use-after-free vulnerability was found in the Linux kernel's netfilter queue (NFQUEUE) when handling bridge packets for LOCAL_IN. The skb->dev pointer is overwritten to the bridge master without holding a reference, causing a use-after-free upon reinjection after the bridge is freed.

CVE-2026-9710
High

The Cornerstone WordPress plugin before version 7.8.8 does not enforce capability checks on one of its CSS-preview request handlers, allowing any authenticated user to evaluate dynamic content tokens against arbitrary users and disclose their sensitive metadata, including raw password hashes.

CVE-2026-9709
High

The Cornerstone WordPress plugin before 7.8.9 does not enforce capability checks on one of its REST API routes, allowing any authenticated user to disclose the metadata of any other user, including roles, session token previews and stored billing/shipping fields.

CVE-2026-9643
High

The WP Meta SEO plugin for WordPress is vulnerable to unauthenticated stored cross-site scripting via the REQUEST_URI server variable in all versions up to and including 4.5.18. The plugin directly inserts unsanitized HTTP_HOST and REQUEST_URI data into the database, allowing arbitrary script injection.

CVE-2026-9179
High

The WP Forms Connector plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter of the /wp-json/wp/v3/post/list REST endpoint in versions up to and including 1.8. This is due to insufficient escaping on the user-supplied 'order' parameter and lack of proper preparation on the existing SQL query.

CVE-2026-9178
High

The WP Forms Connector plugin for WordPress is vulnerable to Information Exposure in all versions up to and including 1.8. The plugin registers the REST route wp/v3/user/list/<id> with permission_callback set to '__return_true', allowing access to sensitive information without proper authorization.

CVE-2026-8705
High

The ClearSale Total plugin for WordPress is vulnerable to SQL Injection via the `pagseguro[metodo]` POST parameter of the `clearsale_total_push` AJAX action in all versions up to and including 3.4.2. Although a `wp_verify_nonce()` check exists, the failing branch's `die()` is commented out, allowing the vulnerability to be exploited.

PreviousPage 76 of 3348Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS