CVSS: 8.7 | EPSS: 0% | CPEs: 18 | EXPL: 0 | CVE-2026-0603 – Org.hibernate/hibernate-core: hibernate: information disclosure and data deletion via second-order sql injection
https://notcve.org/view.php?id=CVE-2026-0603
23 Jan 2026 — A flaw was found in Hibernate. A remote attacker with low privileges could exploit a second-order SQL injection vulnerability by providing specially crafted, unsanitized non-alphanumeric characters in the ID column when the InlineIdsOrClauseBuilder is used. This could lead to sensitive information disclosure, such as reading system files, and allow for data manipulation or deletion within the application's database, resulting in an application-level denial of service. • https://access.redhat.com/security/cve/CVE-2026-0603 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSS: 8.5 | EPSS: 0% | CPEs: 2 | EXPL: 0 | CVE-2025-14459 – Virt-cdi-controller: unauthorized pvc cloning via dataimportcron
https://notcve.org/view.php?id=CVE-2025-14459
22 Jan 2026 — A flaw was found in KubeVirt Containerized Data Importer (CDI). This vulnerability allows a user to clone PersistentVolumeClaims (PVCs) from unauthorized namespaces, resulting in unauthorized access to data via the DataImportCron PVC source mechanism. Red Hat OpenShift Virtualization release 4.19.17 is now available with updates to packages and images that fix several bugs and add enhancements. • https://access.redhat.com/errata/RHSA-2026:0950 • CWE-639: Authorization Bypass Through User-Controlled Key
CVSS: 8.8 | EPSS: 0% | CPEs: 2 | EXPL: 0 | CVE-2025-14083 – Keycloak-server: keycloak: improper access control in admin rest api leads to information disclosure
https://notcve.org/view.php?id=CVE-2025-14083
21 Jan 2026 — A flaw was found in the Keycloak Admin REST API. This vulnerability allows the exposure of backend schema and rules, potentially leading to targeted attacks or privilege escalation via improper access control. • https://access.redhat.com/security/cve/CVE-2025-14083 • CWE-284: Improper Access Control
CVSS: 7.7 | EPSS: 0% | CPEs: 2 | EXPL: 0 | CVE-2025-14559 – Org.keycloak/keycloak-services: keycloak keycloak-services: business logic flaw allows unauthorized token issuance for disabled users
https://notcve.org/view.php?id=CVE-2025-14559
21 Jan 2026 — A flaw was found in the keycloak-services component of Keycloak. This vulnerability allows the issuance of access and refresh tokens for disabled users, leading to unauthorized use of previously revoked privileges, via a business logic vulnerability in the Token Exchange implementation when a privileged client invokes the token exchange flow. • https://access.redhat.com/security/cve/CVE-2025-14559 • CWE-840: Business Logic Errors
CVSS: 10.0 | EPSS: 0% | CPEs: 4 | EXPL: 0 | CVE-2025-15366 – IMAP command injection in user-controlled commands
https://notcve.org/view.php?id=CVE-2025-15366
20 Jan 2026 — The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters. Denis Ledoux discovered that Python incorrectly parsed email message headers. An attacker could possibly use this issue to inject arbitrary headers into email messages. This issue only affected python3.6, python3.7, python3.8, python3.9, python3.10, python3.11, python3.12, python3.13, and python3.14 packages. • https://github.com/python/cpython/commit/6262704b134db2a4ba12e85ecfbd968534f28b45 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVSS: 10.0 | EPSS: 0% | CPEs: 5 | EXPL: 1 | CVE-2025-56005 – PLY 3.11 Arbitrary Code Execution
https://notcve.org/view.php?id=CVE-2025-56005
20 Jan 2026 — An undocumented and unsafe feature in the PLY (Python Lex-Yacc) library 3.11 allows Remote Code Execution (RCE) via the `picklefile` parameter in the `yacc()` function. This parameter accepts a `.pkl` file that is deserialized with `pickle.load()` without validation. Because `pickle` allows execution of embedded code via `__reduce__()`, an attacker can achieve code execution by passing a malicious pickle file. The parameter is not mentioned in official documentation or the GitHub repository, yet it is activ... • https://packetstorm.news/files/id/214433 • CWE-502: Deserialization of Untrusted Data
CVSS: 2.9 | EPSS: 0% | CPEs: 6 | EXPL: 0 | CVE-2026-0992 – Libxml2: libxml2: denial of service via crafted xml catalogs
https://notcve.org/view.php?id=CVE-2026-0992
15 Jan 2026 — A flaw was found in the libxml2 library. This uncontrolled resource consumption vulnerability occurs when processing XML catalogs that contain repeated
CVSS: 3.7 | EPSS: 0% | CPEs: 7 | EXPL: 0 | CVE-2026-0989 – Libxml2: unbounded relaxng include recursion leading to stack overflow
https://notcve.org/view.php?id=CVE-2026-0989
15 Jan 2026 — A flaw was identified in the RelaxNG parser of libxml2 related to how external schema inclusions are handled. The parser does not enforce a limit on inclusion depth when resolving nested <include> directives. Specially crafted or overly complex schemas can cause excessive recursion during parsing. This may lead to stack exhaustion and application crashes, creating a denial-of-service risk. It was discovered that libxml2 incorrectly handled maliciously crafted SGML catalog files. • https://access.redhat.com/security/cve/CVE-2026-0989 • CWE-674: Uncontrolled Recursion
CVSS: 5.9 | EPSS: 0% | CPEs: 7 | EXPL: 0 | CVE-2026-0990 – Libxml2: libxml2: denial of service via uncontrolled recursion in xml catalog processing
https://notcve.org/view.php?id=CVE-2026-0990
15 Jan 2026 — A flaw was found in libxml2, an XML parsing library. This uncontrolled recursion vulnerability occurs in the xmlCatalogXMLResolveURI function when an XML catalog contains a delegate URI entry that references itself. A remote attacker could exploit this configuration-dependent issue by providing a specially crafted XML catalog, leading to infinite recursion and call stack exhaustion. This ultimately results in a segmentation fault, causing a Denial of Service (DoS) by crashing affected applications. It was d... • https://access.redhat.com/security/cve/CVE-2026-0990 • CWE-674: Uncontrolled Recursion
CVSS: 3.7 | EPSS: 0% | CPEs: 4 | EXPL: 0 | CVE-2026-0976 – Org.keycloak/keycloak-quarkus-server: keycloak: proxy bypass due to improper handling of matrix parameters in url paths
https://notcve.org/view.php?id=CVE-2026-0976
15 Jan 2026 — A flaw was found in Keycloak. This improper input validation vulnerability occurs because Keycloak accepts RFC-compliant matrix parameters in URL path segments, while common reverse proxy configurations may ignore or mishandle them. A remote attacker can craft requests to mask path segments, potentially bypassing proxy-level path filtering. This could expose administrative or sensitive endpoints that operators believe are not externally reachable. • https://access.redhat.com/security/cve/CVE-2026-0976 • CWE-20: Improper Input Validation
