CVSS: 6.1EPSS: 0%CPEs: 7EXPL: 0CVE-2026-4647 – Binutils: out-of-bounds read in xcoff relocation processing in gnu binutils bfd library
https://notcve.org/view.php?id=CVE-2026-4647
23 Mar 2026 — A flaw was found in the GNU Binutils BFD library, a widely used component for handling binary files such as object files and executables. The issue occurs when processing specially crafted XCOFF object files, where a relocation type value is not properly validated before being used. This can cause the program to read memory outside of intended bounds. As a result, affected tools may crash or expose unintended memory contents, leading to denial-of-service or limited information disclosure risks. Se encontró ... • https://access.redhat.com/security/cve/CVE-2026-4647 • CWE-125: Out-of-bounds Read •
CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 0CVE-2024-31884 – Red Hat Security Advisory 2026-2800-03
https://notcve.org/view.php?id=CVE-2024-31884
17 Feb 2026 — pybind: Improper use of Pybind A new version of Red Hat build of Ceph Storage has been released. •
CVSS: 10.0EPSS: 0%CPEs: 8EXPL: 0CVE-2026-2447 – Heap buffer overflow in libvpx
https://notcve.org/view.php?id=CVE-2026-2447
16 Feb 2026 — Heap buffer overflow in libvpx. This vulnerability affects Firefox < 147.0.4, Firefox ESR < 140.7.1, Firefox ESR < 115.32.1, Thunderbird < 140.7.2, and Thunderbird < 147.0.2. • https://bugzilla.mozilla.org/show_bug.cgi?id=2014390 • CWE-122: Heap-based Buffer Overflow •
CVSS: 8.5EPSS: 0%CPEs: 2EXPL: 0CVE-2026-2007 – PostgreSQL pg_trgm heap buffer overflow writes pattern onto server memory
https://notcve.org/view.php?id=CVE-2026-2007
12 Feb 2026 — Heap buffer overflow in PostgreSQL pg_trgm allows a database user to achieve unknown impacts via a crafted input string. The attacker has limited control over the byte patterns to be written, but we have not ruled out the viability of attacks that lead to privilege escalation. PostgreSQL 18.1 and 18.0 are affected. • https://www.postgresql.org/support/security/CVE-2026-2007 • CWE-122: Heap-based Buffer Overflow •
CVSS: 6.3EPSS: 0%CPEs: 3EXPL: 0CVE-2026-2391 – qs's arrayLimit bypass in comma parsing allows denial of service
https://notcve.org/view.php?id=CVE-2026-2391
12 Feb 2026 — ### Summary The `arrayLimit` option in qs does not enforce limits for comma-separated values when `comma: true` is enabled, allowing attackers to cause denial-of-service via memory exhaustion. This is a bypass of the array limit enforcement, similar to the bracket notation bypass addressed in GHSA-6rw7-vpxm-498p (CVE-2025-15284). ### Details When the `comma` option is set to `true` (not the default, but configurable in applications), qs allows parsing comma-separated strings as arrays (e.g., `?param=a,b,c` ... • https://github.com/ljharb/qs/commit/f6a7abff1f13d644db9b05fe4f2c98ada6bf8482 • CWE-20: Improper Input Validation •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2026-2003 – PostgreSQL oidvector discloses a few bytes of memory
https://notcve.org/view.php?id=CVE-2026-2003
12 Feb 2026 — Improper validation of type "oidvector" in PostgreSQL allows a database user to disclose a few bytes of server memory. We have not ruled out viability of attacks that arrange for presence of confidential information in disclosed bytes, but they seem unlikely. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected. Multiple security issues were discovered in PostgreSQL, which may result in memory disclosure or the execution of arbitrary code. For the oldstable distribution (bookworm), th... • https://www.postgresql.org/support/security/CVE-2026-2003 • CWE-1287: Improper Validation of Specified Type of Input •
CVSS: 9.0EPSS: 0%CPEs: 3EXPL: 0CVE-2026-2004 – PostgreSQL intarray missing validation of type of input to selectivity estimator executes arbitrary code
https://notcve.org/view.php?id=CVE-2026-2004
12 Feb 2026 — Missing validation of type of input in PostgreSQL intarray extension selectivity estimator function allows an object creator to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected. Multiple security issues were discovered in PostgreSQL, which may result in memory disclosure or the execution of arbitrary code. For the oldstable distribution (bookworm), these problems have been fixed in version 15.16-0+deb12u1. • https://www.postgresql.org/support/security/CVE-2026-2004 • CWE-1287: Improper Validation of Specified Type of Input •
CVSS: 9.0EPSS: 0%CPEs: 3EXPL: 0CVE-2026-2005 – PostgreSQL pgcrypto heap buffer overflow executes arbitrary code
https://notcve.org/view.php?id=CVE-2026-2005
12 Feb 2026 — Heap buffer overflow in PostgreSQL pgcrypto allows a ciphertext provider to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected. Multiple security issues were discovered in PostgreSQL, which may result in memory disclosure or the execution of arbitrary code. For the oldstable distribution (bookworm), these problems have been fixed in version 15.16-0+deb12u1. • https://www.postgresql.org/support/security/CVE-2026-2005 • CWE-122: Heap-based Buffer Overflow •
CVSS: 9.0EPSS: 0%CPEs: 3EXPL: 0CVE-2026-2006 – PostgreSQL missing validation of multibyte character length executes arbitrary code
https://notcve.org/view.php?id=CVE-2026-2006
12 Feb 2026 — Missing validation of multibyte character length in PostgreSQL text manipulation allows a database user to issue crafted queries that achieve a buffer overrun. That suffices to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected. Multiple security issues were discovered in PostgreSQL, which may result in memory disclosure or the execution of arbitrary code. For the oldstable distribution (bookworm), these probl... • https://www.postgresql.org/support/security/CVE-2026-2006 • CWE-129: Improper Validation of Array Index •
CVSS: 7.0EPSS: 0%CPEs: 3EXPL: 0CVE-2026-26158 – Busybox: busybox: arbitrary file modification and privilege escalation via unvalidated tar archive entries
https://notcve.org/view.php?id=CVE-2026-26158
11 Feb 2026 — A flaw was found in BusyBox. This vulnerability allows an attacker to modify files outside of the intended extraction directory by crafting a malicious tar archive containing unvalidated hardlink or symlink entries. If the tar archive is extracted with elevated privileges, this flaw can lead to privilege escalation, enabling an attacker to gain unauthorized access to critical system files. • https://access.redhat.com/security/cve/CVE-2026-26158 • CWE-73: External Control of File Name or Path •