CVE-2026-41690 – Prototype pollution and path traversal in i18next-http-middleware via user-controlled language and namespace parameters
CVSS: 8.6 | EPSS: 0% | CPEs: 1 | EXPL: 0
https://notcve.org/view.php?id=CVE-2026-41690
08 May 2026 — This can break authorisation checks (if (user.isAdmin) returning true for any user), cause type-confusion DoS, and depending on downstream code it can be chained into RCE.
Reference: https://github.com/i18next/i18next-http-middleware/security/advisories/GHSA-5fgg-jcpf-8jjw
Weaknesses: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'); CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2026-44499 – ZEBRA: Permanent Block Discovery Halt via Gossip Queue Saturation and Syncer Poisoning
CVSS: 8.7 | EPSS: 0% | CPEs: 1 | EXPL: 0
https://notcve.org/view.php?id=CVE-2026-44499
08 May 2026 — Prior to version 4.4.0, a composite denial-of-service vulnerability in Zebra's block discovery pipeline allows an unauthenticated remote attacker to permanently halt all new block discovery on a targeted node.
Reference: https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-h9hm-m2xj-4rq9
Weakness: CWE-770: Allocation of Resources Without Limits or Throttling
CVE-2026-41585 – ZEBRA: Denial of Service via Interrupted JSON-RPC Requests from Authenticated Clients
CVSS: 6.9 | EPSS: 0% | CPEs: 5 | EXPL: 0
https://notcve.org/view.php?id=CVE-2026-41585
08 May 2026 — The node treats the failure to read the HTTP request body as an unrecoverable error and aborts the process instead of returning an error response.
Reference: https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-29x4-r6jv-ff4w
Weaknesses: CWE-248: Uncaught Exception; CWE-617: Reachable Assertion
CVE-2026-43424 – usb: gadget: f_tcm: Fix NULL pointer dereferences in nexus handling
CVSS: - | EPSS: 0% | CPEs: 7 | EXPL: 0
https://notcve.org/view.php?id=CVE-2026-43424
08 May 2026 — If a malicious or misconfigured USB host sends a BOT (Bulk-Only Transport) command during this race window, it triggers a NULL pointer dereference, leading to a kernel panic (local DoS). This exposes an inconsistent API usage within the module, as peer functions like `usbg_submit_command()` and `bot_send_bad_response()` correctly implement a NULL check for `tv_nexus` before proceeding. ... tv_nexus)` checks to the vulnerable BOT command and request processing paths, aborting the command...
Reference: https://git.kernel.org/stable/c/c52661d60f636d17e26ad834457db333bd1df494
CVE-2026-25077 – Apache CloudStack: Unauthenticated Command Injection in Direct Download Templates
CVSS: 8.8 | EPSS: 0% | CPEs: 2 | EXPL: 0
https://notcve.org/view.php?id=CVE-2026-25077
08 May 2026 — This can result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of the KVM-based infrastructure managed by CloudStack.
Reference: https://lists.apache.org/thread/n8mt5b7wkpysstb8w7rr9f02kc5cq2xm
Weakness: CWE-94: Improper Control of Generation of Code ('Code Injection')
CVE-2025-69233 – Apache CloudStack: Domain/account resource limits not honored
CVSS: 6.5 | EPSS: 0% | CPEs: 2 | EXPL: 0
https://notcve.org/view.php?id=CVE-2025-69233
08 May 2026 — Due to multiple time-of-check time-of-use race conditions in the resource count check and increment logic, as well as missing validations, users of the platform are able to exceed the allocation limits configured for their accounts/domains. This can be used by an attacker to degrade the infrastructure's resources and lead to denial of service conditions.
Reference: https://lists.apache.org/thread/n8mt5b7wkpysstb8w7rr9f02kc5cq2xm
Weaknesses: CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition; CWE-770: Allocation of Resources Without Limits or Throttling
CVE-2022-26522
CVSS: 7.8 | EPSS: 0% | CPEs: - | EXPL: 0
https://notcve.org/view.php?id=CVE-2022-26522
08 May 2026 — The socket connection handler in aswArPot.sys in the Avast and AVG Windows Anti Rootkit driver before 22.1 allows local attackers to execute arbitrary code in kernel mode or cause a denial of service (memory corruption and OS crash) due to a double fetch vulnerability at aswArPot+0xc4a3.
Reference: https://www.avast.com/bug-bounty
Weakness: CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition
CVE-2022-26523
CVSS: 5.3 | EPSS: 0% | CPEs: - | EXPL: 0
https://notcve.org/view.php?id=CVE-2022-26523
08 May 2026 — The socket connection handler in aswArPot.sys in the Avast and AVG Windows Anti Rootkit driver before 22.1 allows local attackers to execute arbitrary code in kernel mode or cause a denial of service (memory corruption and OS crash) due to a double fetch vulnerability at aswArPot+0xbb94.
Reference: https://www.avast.com/bug-bounty
Weakness: CWE-400: Uncontrolled Resource Consumption
CVE-2026-29975
CVSS: 7.5 | EPSS: 0% | CPEs: - | EXPL: 0
https://notcve.org/view.php?id=CVE-2026-29975
08 May 2026 — The end-of-string detection logic incorrectly identifies escaped quote characters by only checking the immediately preceding character rather than counting consecutive backslashes, causing valid JSON strings ending with an escaped backslash (like "\\") to never terminate parsing. A remote attacker can send well-formed JSON to cause applications using lwjson_stream_parse() to hang indefinitely, resulting in denial of service.
Reference: https://gist.github.com/dwilliams27/b99fd41be5d6848691797042cbfc1103
Weakness: CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')
CVE-2026-6411 – MAXHUB Pivot Client Application Use of a Broken or Risky Cryptographic Algorithm
CVSS: 7.3 | EPSS: 0% | CPEs: 1 | EXPL: 0
https://notcve.org/view.php?id=CVE-2026-6411
07 May 2026 — Due to the presence of a hardcoded AES key within the application, the encrypted data can be decrypted, enabling access to tenant email addresses and associated information in cleartext. Furthermore, an attacker may be able to cause a denial-of-service condition by enrolling multiple unauthorized devices into a tenant via MQTT, potentially disrupting tenant operations.
Reference: https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-127-01.json
Weakness: CWE-327: Use of a Broken or Risky Cryptographic Algorithm
