Report Name: Linux Patch Wednesday May 2026
Generated: 2026-06-02 12:36:01

Product Name	Prevalence	U	C	H	M	L	A	Comment
Vim	0.95		1	4			5	Highly configurable command-line text editor used in development and system administration.
pip	0.95				2		2	pip is the standard package installer for Python, used to install and manage software packages from the Python Package Index (PyPI) and other repositories.
systemd	0.95		1				1	System and service manager for Linux, including udev device management subsystem.
AMD Processor	0.9				1		1	Processor
Active Directory	0.9				1		1	Active Directory is a directory service developed by Microsoft for Windows domain networks
Apache HTTP Server	0.9		1	4	5		10	Apache HTTP Server is a free and open-source web server that delivers web content through the internet
Django	0.9			1	3		4	Django is a high-level Python web framework that encourages rapid development and clean, pragmatic design. It provides built-in tools for database models, authentication, URL routing, templates, and security features, making it one of the most widely used frameworks for building scalable and maintainable web applications.
Intel(R) Processor	0.9				1		1	Intel's processors from the pioneering 4-bit 4004 (1971) to the present high-end offerings
Linux Kernel	0.9	2	1	9	445	17	474	The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel
Microsoft Windows UPnP Service	0.9				1		1	Universal Plug and Play (UPnP) in Microsoft Windows is a networking component that enables automatic discovery and interaction with networked devices, implemented in part via the upnp.dll library.
Rust	0.9			2	6		8	Rust is a modern, high-performance systems programming language focused on safety, concurrency, and memory management.
Dovecot	0.85				2		2	Open-source IMAP and POP3 email server with authentication and indexing features.
Grafana	0.85				3	2	5	Grafana is an open-source analytics and monitoring platform that provides dashboards and visualization tools for metrics collected from various data sources.
PgBouncer	0.85		1	1	1	1	4	PgBouncer is a lightweight, open-source connection pooler for PostgreSQL databases. It reduces connection overhead by managing a pool of connections to one or more PostgreSQL servers, improving performance and resource efficiency for applications with frequent short-lived database connections.
.NET Core	0.8			1			1	.NET Core
Binutils	0.8			1	2		3	The GNU Binary Utilities, or binutils, are a set of programming tools for creating and managing binary programs, object files, libraries, profile data, and assembly source code
CUPS	0.8			1			1	CUPS is a modular printing system for Unix-like computer operating systems which allows a computer to act as a print server
Chromium	0.8			137	132		269	Chromium is a free and open-source web browser project, mainly developed and maintained by Google
GLPI	0.8		1	2	2		5	GLPI is an open source IT Asset Management, issue tracking system and service desk system
GNU C Library	0.8		1	3	2		6	The GNU C Library, commonly known as glibc, is the GNU Project's implementation of the C standard library
ICMP	0.8				1		1	The Internet Control Message Protocol (ICMP) is a network layer protocol used by network devices to diagnose network communication issues
Keycloak	0.8			1	1		2	Keycloak is an open‑source identity and access management (IAM) solution that provides single sign‑on (SSO), user federation, identity brokering, and access control for applications and services.
MIT Kerberos 5	0.8				2		2	Kerberos is a computer-network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner
Mozilla Firefox	0.8			15	18		33	Mozilla Firefox, or simply Firefox, is a free and open-source web browser developed by the Mozilla Foundation and its subsidiary, the Mozilla Corporation
Netty	0.8		4	7	2		13	Netty is a non-blocking I/O client-server framework for the development of Java network applications such as protocol servers and clients
Node.js	0.8				1		1	Node.js is a cross-platform, open-source server environment that can run on Windows, Linux, Unix, macOS, and more
OpenSSL	0.8		1	1	2		4	A software library for applications that secure communications over computer networks against eavesdropping or need to identify the party at the other end
PHP	0.8			5	6		11	PHP is a general-purpose scripting language geared towards web development. It was originally created by Danish-Canadian programmer Rasmus Lerdorf in 1993 and released in 1995.
RPC	0.8			1	1	1	3	Remote Procedure Call Runtime
The Qt Company Qt	0.8			1	1		2	Qt is a cross-platform application development framework used to build graphical user interfaces and applications for desktop, mobile, and embedded systems. It provides a comprehensive set of libraries, tools, and APIs, including Qt Quick for declarative UI development using QML. The vulnerability affects the Qt Quick Text component, where improper validation of width and height attributes in the tag can lead to excessive resource allocation and application unresponsiveness.
Windows NTFS	0.8				1		1	The default file system of the Windows NT family
Zabbix	0.8				1		1	Zabbix is an open-source software tool to monitor IT infrastructure such as networks, servers, virtual machines, and cloud services
xmldom	0.75				4		4	JavaScript XML parser and serializer implementing W3C DOM standards.
Apache Tomcat	0.7		1	1			2	Apache Tomcat is a free and open-source implementation of the Jakarta Servlet, Jakarta Expression Language, and WebSocket technologies
Babel	0.7				1		1	Babel is a free and open-source JavaScript transcompiler that is mainly used to convert ECMAScript 2015+ code into backwards-compatible JavaScript code that can be run by older JavaScript engines
FFmpeg	0.7			1	1		2	FFmpeg is a free and open-source software project consisting of a suite of libraries and programs for handling video, audio, and other multimedia files and streams
Kubernetes	0.7		2	1			3	Kubernetes is an open-source container orchestration system for automating software deployment, scaling, and management
MariaDB	0.7				1		1	MariaDB is a community-developed, commercially supported fork of the MySQL relational database management system, intended to remain free and open-source software under the GNU General Public License
Neat VNC	0.7				1		1	A liberally licensed VNC server library with a clean interface
PHPUnit	0.7			1			1	PHPUnit is a widely used open-source unit testing framework for PHP, providing tools for writing and running automated tests, including support for code coverage analysis and PHPT test execution.
qs	0.7				1		1	qs is a popular JavaScript library for parsing and serializing URL query strings. It supports nested objects, arrays, custom parsing options, and is widely used in Node.js frameworks and middleware to handle HTTP query parameters and form-encoded data.
Postorius	0.65			1			1	Postorius is a modern web-based user interface for managing GNU Mailman 3 mailing lists, providing list administration, subscription management, and moderation features through a Django-based frontend.
Apache ActiveMQ	0.6	1	2		1		4	Apache ActiveMQ is an open source message broker written in Java together with a full Java Message Service (JMS) client
Axios	0.6		2	6	5		13	axios is a promise based HTTP client for the browser and node.js
Bouncy Castle	0.6				4	1	5	Bouncy Castle is a collection of APIs used in cryptography
Exim	0.6		1		3		4	Exim is a mail transfer agent (MTA) used on Unix-like operating systems
FreeRDP	0.6			1			1	FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license
ImageMagick	0.6					1	1	ImageMagick, invoked from the command line as magick, is a free and open-source cross-platform software suite for displaying, creating, converting, modifying, and editing raster images
MongoDB	0.6				3	1	4	MongoDB is a source-available, cross-platform, document-oriented database program
Oracle Java SE	0.6			1	6	1	8	Oracle Java SE
PHP Secure Communications Library	0.6				1		1	phpseclib provides pure-PHP implementations of SSH2, SFTP, RSA, DSA, Elliptic Curves, AES, ChaCha20, X. 509, CSR, CRL, SPKAC
Perl	0.6				11	1	12	Perl is a family of two high-level, general-purpose, interpreted, dynamic programming languages
Python	0.6			2	3	1	6	Python is a high-level, general-purpose programming language
Rclone	0.6	1		1			2	Rclone is a command-line program to sync files and directories to and from different cloud storage providers, supporting over 40 cloud storage products including S3, Google Drive, Dropbox, OneDrive, and many more.
Redis	0.6		3				3	Redis is an open-source in-memory storage, used as a distributed, in-memory key–value database, cache and message broker, with optional durability
Teams	0.6				1		1	MS Office product
Vault	0.6				4		4	Vault secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets critical in modern computing
Wireshark	0.6		1	39			40	Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education
gdk-pixbuf	0.6			1			1	gdk-pixbuf is an open source image loading and manipulation library used primarily in GNOME-based applications for handling various image formats, including JPEG, PNG, and GIF.
libxml2	0.6			1			1	libxml2 is an XML toolkit implemented in C, originally developed for the GNOME Project
Alinto SOGo	0.5				3		3	SOGo is an open source groupware and webmail server developed by Alinto, providing email, calendar, and contact management through a web-based interface and standard protocols.
Authoritative	0.5				9	2	11	Product detected by a:powerdns:authoritative (exists in CPE dict)
Azure AD	0.5				2		2	Azure AD
BIND	0.5			1	4	2	7	Product detected by a:isc:bind (exists in CPE dict)
Binaryen	0.5			1			1	Product detected by a:webassembly:binaryen (exists in CPE dict)
Commons Configuration	0.5					1	1	Product detected by a:apache:commons_configuration (exists in CPE dict)
Composer	0.5			2			2	Product detected by a:getcomposer:composer (exists in CPE dict)
Curl	0.5			5	3		8	Product detected by a:haxx:curl (exists in CPE dict)
DNSSEC	0.5				2		2	The Domain Name System Security Extensions (DNSSEC) is a feature of the Domain Name System (DNS) that authenticates responses to domain name lookups
DOMPurify	0.5			1	2		3	DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG
Emacs	0.5				1		1	Product detected by a:gnu:emacs (exists in CPE dict)
FRRouting	0.5				4		4	FRRouting (FRR) is an IP routing protocol suite for Linux and Unix platforms, supporting BGP, OSPF, RIP, IS-IS, and other routing protocols for network infrastructure.
GDAL	0.5			4			4	Product detected by a:osgeo:gdal (exists in CPE dict)
GIMP	0.5				2		2	GIMP is an open-source image manipulation program used for photo editing, graphic design, and digital art creation.
GNU Wget2	0.5			1			1	GNU Wget2 is a network utility to retrieve files from the web, supporting HTTP, HTTPS, and FTP protocols. It also supports Metalink for downloading multiple mirrors and checksums.
GitPython	0.5			4			4	Product detected by a:gitpython_project:gitpython (exists in CPE dict)
GnuTLS	0.5			2	2		4	Product detected by a:gnu:gnutls (exists in CPE dict)
Go	0.5				7	3	10	Product detected by a:golang:go (exists in CPE dict)
HTTP Server	0.5			1			1	Product detected by a:apache:http_server (exists in CPE dict)
Image	0.5				2		2	Product detected by a:golang:image (exists in CPE dict)
InVesalius	0.5		1				1	InVesalius is a free medical software used to generate virtual reconstructions of structures in the human body
Jupyterlab	0.5				1		1	Product detected by a:jupyter:jupyterlab (exists in CPE dict)
Keystone	0.5				1		1	Product detected by a:openstack:keystone (exists in CPE dict)
Libgcrypt	0.5				1		1	Product detected by a:gnupg:libgcrypt (exists in CPE dict)
Libheif	0.5			3			3	Product detected by a:struktur:libheif (exists in CPE dict)
Linux	0.5				2		2	Product detected by o:oracle:linux (exists in CPE dict)
MINA	0.5			1	1		2	Product detected by a:apache:mina (exists in CPE dict)
Mako	0.5				1		1	Product detected by a:sqlalchemy:mako (exists in CPE dict)
MapServer	0.5			1			1	Product detected by a:osgeo:mapserver (exists in CPE dict)
Markdown	0.5			1			1	Product detected by a:gomarkdown:markdown (exists in CPE dict)
MiniUPnPd	0.5				1		1	Product detected by a:miniupnp_project:miniupnpd (exists in CPE dict)
ModSecurity	0.5			2			2	ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx
Mongoose	0.5		1	6	3		10	Product detected by a:cesanta:mongoose (exists in CPE dict)
MuPDF	0.5			1			1	Product detected by a:artifex:mupdf (exists in CPE dict)
NGINX	0.5	1			4	1	6	Nginx is an open-source web server that can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache
OP-TEE	0.5			1	1		2	Product detected by o:linaro:op-tee (exists in CPE dict)
OpenNLP	0.5			1	2		3	Product detected by a:apache:opennlp (exists in CPE dict)
P11-kit	0.5				1		1	Product detected by a:p11-kit_project:p11-kit (exists in CPE dict)
PJSIP	0.5				4		4	Product detected by a:teluu:pjsip (exists in CPE dict)
PackageKit	0.5			1			1	Product detected by a:packagekit_project:packagekit (exists in CPE dict)
Packetbeat	0.5				2		2	Product detected by a:elasticsearch:packetbeat (exists in CPE dict)
Pillow	0.5				4		4	Pillow is a Python imaging library that adds image processing capabilities to Python, supporting formats such as PNG, JPEG, GIF, TIFF, and BMP.
Podman	0.5				1		1	Product detected by a:podman_project:podman (exists in CPE dict)
ProFTPD	0.5		1	1			2	ProFTPD is a highly configurable and modular open-source FTP server designed for Unix-like systems, offering advanced features such as virtual hosting, authentication modules, and flexible configuration similar to Apache.
Pypdf	0.5				3	3	6	PyPDF is a Python library for reading, manipulating, and writing PDF files, including extraction, splitting, merging, and encryption features.
Recursor	0.5				7		7	Product detected by a:powerdns:recursor (exists in CPE dict)
Rsync	0.5			1	6		7	Product detected by a:samba:rsync (exists in CPE dict)
SPIP	0.5			2			2	SPIP is an open-source software content management system designed for web site publishing, oriented towards online collaborative editing
Spring Framework	0.5				2		2	Product detected by a:vmware:spring_framework (exists in CPE dict)
Starlette	0.5			1			1	Starlette is an Asynchronous Server Gateway Interface (ASGI) framework/toolkit
TLS	0.5				2		2	TLS
Thrift	0.5				8	3	11	Product detected by a:apache:thrift (exists in CPE dict)
Tor	0.5				4	2	6	Product detected by a:torproject:tor (exists in CPE dict)
Traefik	0.5		1	3		1	5	Product detected by a:traefik:traefik (exists in CPE dict)
Ws	0.5				1		1	Product detected by a:ws_project:ws (exists in CPE dict)
Xrdp	0.5			2	6		8	xrdp is an open source remote desktop protocol server
YARD	0.5				1		1	Product detected by a:yardoc:yard (exists in CPE dict)
apache::session	0.5					1	1	Product detected by a:chorny:apachesession (does NOT exist in CPE dict)
apache::session::generate::sha256	0.5				1		1	Product detected by a:guimard:apachesessiongeneratesha256 (does NOT exist in CPE dict)
basic-ftp	0.5		1	1			2	Product detected by a:patrickjuchli:basic-ftp (does NOT exist in CPE dict)
cli	0.5			1			1	Product detected by a:github:cli (does NOT exist in CPE dict)
click	0.5			1			1	Product detected by a:palletsprojects:click (does NOT exist in CPE dict)
coTURN	0.5			1			1	Product detected by a:coturn_project:coturn (exists in CPE dict)
coreutils	0.5			13	19	11	43	Product detected by a:uutils:coreutils (does NOT exist in CPE dict)
cowlib	0.5				1		1	Product detected by a:ninenines:cowlib (does NOT exist in CPE dict)
crypt::argon2	0.5				1		1	Product detected by a:leont:cryptargon2 (does NOT exist in CPE dict)
cryptx	0.5				1		1	Product detected by a:dcit:cryptx (does NOT exist in CPE dict)
dancer::session::abstract	0.5				1		1	Product detected by a:perldancer:dancersessionabstract (does NOT exist in CPE dict)
deskflow	0.5			1			1	Product detected by a:deskflow:deskflow (does NOT exist in CPE dict)
dnsdist	0.5				9		9	Product detected by a:powerdns:dnsdist (exists in CPE dict)
dovecot	0.5				2	1	3	Product detected by a:dovecot:dovecot (exists in CPE dict)
erlang\\/otp	0.5				1		1	Product detected by a:erlang:erlang\\/otp (does NOT exist in CPE dict)
etcd	0.5					1	1	Product detected by a:etcd:etcd (exists in CPE dict)
fast-uri	0.5				1	1	2	Product detected by a:openjsf:fast-uri (does NOT exist in CPE dict)
fast-xml-parser	0.5			1			1	Product detected by a:naturalintelligence:fast-xml-parser (does NOT exist in CPE dict)
firebird	0.5		1	7			8	Product detected by a:firebirdsql:firebird (exists in CPE dict)
fleet	0.5			1	14	4	19	Product detected by a:fleetdm:fleet (exists in CPE dict)
follow-redirects	0.5				1		1	Product detected by a:follow-redirects_project:follow-redirects (exists in CPE dict)
gdown	0.5			1			1	Product detected by a:wkentaro:gdown (does NOT exist in CPE dict)
glances	0.5			3			3	Product detected by a:nicolargo:glances (does NOT exist in CPE dict)
go-git	0.5				1		1	Product detected by a:go-git_project:go-git (does NOT exist in CPE dict)
go-ntlmssp	0.5				1		1	Product detected by a:microsoft:go-ntlmssp (does NOT exist in CPE dict)
gobgp	0.5			1	4	1	6	Product detected by a:osrg:gobgp (does NOT exist in CPE dict)
grafana	0.5				1		1	Product detected by a:grafana:grafana (exists in CPE dict)
gst-plugins-good	0.5				2		2	Product detected by a:freedesktop:gst-plugins-good (does NOT exist in CPE dict)
hashcat	0.5		1	2			3	Product detected by a:hashcat:hashcat (does NOT exist in CPE dict)
htmlunit	0.5		1				1	Product detected by a:htmlunit:htmlunit (exists in CPE dict)
incus	0.5			8			8	Product detected by a:linuxcontainers:incus (does NOT exist in CPE dict)
ip-address	0.5			1			1	Product detected by a:beaugunderson:ip-address (does NOT exist in CPE dict)
ironic_python_agent	0.5				1		1	Product detected by a:openstack:ironic_python_agent (does NOT exist in CPE dict)
jupyter_server	0.5			2	1	1	4	Product detected by a:jupyter:jupyter_server (exists in CPE dict)
kcoreaddons	0.5					1	1	Product detected by a:kde:kcoreaddons (does NOT exist in CPE dict)
libefiboot	0.5				1		1	Product detected by a:ubuntu:libefiboot (does NOT exist in CPE dict)
libexpat	0.5			1	2		3	Product detected by a:libexpat_project:libexpat (exists in CPE dict)
libreoffice	0.5				1		1	Product detected by a:libreoffice:libreoffice (exists in CPE dict)
libsixel	0.5			6	1		7	Product detected by a:saitoha:libsixel (does NOT exist in CPE dict)
libsndfile	0.5			1			1	Product detected by a:libsndfile_project:libsndfile (exists in CPE dict)
libssh2	0.5				1		1	Product detected by a:libssh2:libssh2 (exists in CPE dict)
little_cms	0.5			1			1	Product detected by a:littlecms:little_cms (exists in CPE dict)
lucene.net	0.5			1			1	Product detected by a:apache:lucene.net (does NOT exist in CPE dict)
lucene_replicator	0.5				1		1	Product detected by a:apache:lucene_replicator (does NOT exist in CPE dict)
lxc	0.5			1			1	Product detected by a:linuxcontainers:lxc (exists in CPE dict)
lxml	0.5				1		1	Product detected by a:lxml:lxml (exists in CPE dict)
mchange_commons_java	0.5		1				1	Product detected by a:mchange:mchange_commons_java (does NOT exist in CPE dict)
memcached	0.5				2		2	Product detected by a:memcached:memcached (exists in CPE dict)
minetest	0.5			1			1	Product detected by a:minetest:minetest (exists in CPE dict)
mitmproxy	0.5				1		1	Product detected by a:mitmproxy:mitmproxy (exists in CPE dict)
mongodb	0.5					1	1	Product detected by a:mongodb:mongodb (exists in CPE dict)
multiparty	0.5			1	2		3	Product detected by a:pillarjs:multiparty (does NOT exist in CPE dict)
nano	0.5				1		1	Product detected by a:gnu:nano (does NOT exist in CPE dict)
nbconvert	0.5				2		2	Product detected by a:jupyter:nbconvert (exists in CPE dict)
net::imap	0.5			1	3	1	5	Product detected by a:ruby-lang:netimap (does NOT exist in CPE dict)
ngtcp2	0.5			1			1	Product detected by a:tatsuhiro-t:ngtcp2 (does NOT exist in CPE dict)
nullsoft_scriptable_install_system	0.5					1	1	Product detected by a:nullsoft:nullsoft_scriptable_install_system (exists in CPE dict)
ocs_inventory_server	0.5				1		1	Product detected by a:ocsinventory-ng:ocs_inventory_server (exists in CPE dict)
openCryptoki	0.5			1			1	Product detected by a:opencryptoki_project:opencryptoki (exists in CPE dict)
open_cascade_technology	0.5				4		4	Product detected by a:opencascade:open_cascade_technology (does NOT exist in CPE dict)
openbao	0.5			1		1	2	Product detected by a:openbao:openbao (does NOT exist in CPE dict)
openexr	0.5			3	2		5	Product detected by a:openexr:openexr (exists in CPE dict)
openimageio	0.5			7	1		8	Product detected by a:openimageio:openimageio (exists in CPE dict)
pjsip	0.5			1	8		9	Product detected by a:pjsip:pjsip (exists in CPE dict)
plack::middleware::xsendfile	0.5				1		1	Product detected by a:miyagawa:plackmiddlewarexsendfile (does NOT exist in CPE dict)
postfix	0.5				1		1	Product detected by a:postfix:postfix (exists in CPE dict)
postgresql	0.5				7	4	11	Product detected by a:postgresql:postgresql (exists in CPE dict)
postgresql_jdbc_driver	0.5				1		1	Product detected by a:postgresql:postgresql_jdbc_driver (exists in CPE dict)
prometheus	0.5				1		1	Product detected by a:prometheus:prometheus (exists in CPE dict)
prosody	0.5				2	2	4	Product detected by a:prosody:prosody (exists in CPE dict)
python-dotenv	0.5			1			1	Product detected by a:saurabh-kumar:python-dotenv (does NOT exist in CPE dict)
python-multipart	0.5				1		1	Product detected by a:fastapiexpert:python-multipart (does NOT exist in CPE dict)
sigstore_timestamp_authority	0.5				1		1	Product detected by a:linuxfoundation:sigstore_timestamp_authority (does NOT exist in CPE dict)
starlet	0.5				1		1	Product detected by a:kazuho:starlet (does NOT exist in CPE dict)
starman	0.5				1		1	Product detected by a:miyagawa:starman (does NOT exist in CPE dict)
storable	0.5				1		1	Product detected by a:nwclark:storable (does NOT exist in CPE dict)
text::csv_xs	0.5				1		1	Product detected by a:hmbrand:textcsv_xs (does NOT exist in CPE dict)
thin-vec	0.5			1			1	Product detected by a:mozilla:thin-vec (does NOT exist in CPE dict)
twisted	0.5			1			1	Product detected by a:twisted:twisted (does NOT exist in CPE dict)
unbound	0.5			1	9	1	11	Product detected by a:nlnetlabs:unbound (exists in CPE dict)
uriparser	0.5					3	3	Product detected by a:uriparser_project:uriparser (exists in CPE dict)
urllib3	0.5				1	1	2	Product detected by a:python:urllib3 (exists in CPE dict)
uuid	0.5			1			1	Product detected by a:uuidjs:uuid (does NOT exist in CPE dict)
valkey	0.5				1		1	Product detected by a:lfprojects:valkey (does NOT exist in CPE dict)
wildfly_core	0.5		1				1	Product detected by a:redhat:wildfly_core (exists in CPE dict)
wireshark	0.5			3			3	Product detected by a:wireshark:wireshark (exists in CPE dict)
wlc	0.5				1		1	Product detected by a:weblate:wlc (does NOT exist in CPE dict)
xen	0.5				1	1	2	Product detected by o:xen:xen (exists in CPE dict)
zlib	0.5				1		1	Product detected by a:ruby-lang:zlib (does NOT exist in CPE dict)
Flatpak	0.4					1	1	Flatpak is a utility for software deployment and package management for Linux
GPAC	0.4				2		2	GPAC is an Open Source multimedia framework for research and academic purposes; the project covers different aspects of multimedia, with a focus on presentation technologies (graphics, animation and interactivity)
Git	0.4					1	1	Git
U-Boot	0.4				1		1	Das U-Boot (U-Boot) is an open-source universal boot loader used on many embedded boards and SoCs to initialize hardware, provide low-level diagnostics, and load an operating system kernel. It is implemented primarily in C with board-specific assembly.
jqlang jq	0.3			4	3		7	jq is a lightweight and flexible command-line JSON processor, allowing powerful querying and manipulation of JSON data streams.
Wasmtime	0.25				1		1	Standalone WebAssembly runtime written in Rust
Artifex MuPDF mutool	0.2					1	1	Command-line utility 'mutool' for MuPDF, a lightweight PDF and XPS viewer
GitHub	0.2				2	1	3	GitHub, Inc. is an Internet hosting service for software development and version control using Git
Unknown Product	0			3	78	92	173	Unknown Product

Vulnerability Type	Criticality	U	C	H	M	L	A
Remote Code Execution	1.0	2	17	117	23		159
Authentication Bypass	0.98	1	5	10	24		40
Code Injection	0.97			6	17		23
Command Injection	0.97		4	9	3		16
XXE Injection	0.97				1		1
Arbitrary File Writing	0.95			1	2		3
Security Feature Bypass	0.9		2	78	114	1	195
Server-Side Request Forgery	0.87			3	2		5
Elevation of Privilege	0.85	2	2	6	7		17
Arbitrary File Reading	0.83				2		2
Information Disclosure	0.83			10	18	1	29
Cross Site Scripting	0.8			5	20		25
Open Redirect	0.75			1			1
Denial of Service	0.7		2	80	134	6	222
Path Traversal	0.7		1	4	15		20
Incorrect Calculation	0.5			8	42	7	57
Memory Corruption	0.5		1	39	302	17	359
Spoofing	0.4				7	1	8
Unknown Vulnerability Type	0			15	295	146	456

Source	U	C	H	M	L	A
almalinux	2		27	46	4	79
altlinux	4	13	114	538	32	701
debian	5	23	375	909	160	1472
oraclelinux	3		24	48	3	78
redhat	2	3	27	59	7	98
redos	2	5	14	21	3	45
ubuntu	3	3	29	84	25	144

Urgent (5)

1. Elevation of Privilege - Linux Kernel (CVE-2026-43500) - Urgent [932]

Description: xfrm-ESP Page-Cache Write provides a powerful arbitrary 4-byte STORE primitive like Copy Fail, and is included on most distributions, but it requires the privilege to create a namespace. Ubuntu sometimes blocks unprivileged user namespace creation through AppArmor policy. In such an environment, xfrm-ESP Page-Cache Write cannot be triggered. RxRPC Page-Cache Write does not require the privilege to create a namespace, but the rxrpc.ko module itself is not included in most distributions. However, on Ubuntu, the rxrpc.ko module is loaded by default. Chaining the two variants makes the blind spots cover each other, allowing root privileges to be obtained on every major distribution. For details, refer to the technical details document.

altlinux: CVE-2026-43500 was patched at 2026-05-12, 2026-05-14

debian: CVE-2026-43500 was patched at 2026-05-08, 2026-05-09, 2026-05-20

oraclelinux: CVE-2026-43500 was patched at 2026-05-09, 2026-05-10

redos: CVE-2026-43500 was patched at 2026-05-16

2. Authentication Bypass - Rclone (CVE-2026-41176) - Urgent [929]

Description: Rclone is a command-line program to sync files and directories to and from different cloud storage providers. The RC endpoint `options/set` is exposed without `AuthRequired: true`, but it can mutate global runtime configuration, including the RC option block itself. Starting in version 1.45.0 and prior to version 1.73.5, an unauthenticated attacker can set `rc.NoAuth=true`, which disables the authorization gate for many RC methods registered with `AuthRequired: true` on reachable RC servers that are started without global HTTP authentication. This can lead to unauthorized access to sensitive administrative functionality, including configuration and operational RC methods. Version 1.73.5 patches the issue.

altlinux: CVE-2026-41176 was patched at 2026-04-28

debian: CVE-2026-41176 was patched at 2026-05-20

ubuntu: CVE-2026-41176 was patched at 2026-05-25

3. Remote Code Execution - Apache ActiveMQ (CVE-2026-40466) - Urgent [921]

Description: Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ. An authenticated attacker may bypass the fix in CVE-2026-34197 by adding a connector using an HTTP Discovery transport via BrokerView.addNetworkConnector or BrokerView.addConnector through Jolokia if the activemq-http module is on the classpath. A malicious HTTP endpoint can return a VM transport through the HTTP URI which will bypass the validation added in CVE-2026-34197. The attacker can then use the VM transport's brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec(). This issue affects Apache ActiveMQ Broker: before 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ All: before 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ: before 5.19.6, from 6.0.0 before 6.2.5. Users are recommended to upgrade to version 5.19.6 or 6.2.5, which fixes the issue.

debian: CVE-2026-40466 was patched at 2026-05-20

4. Elevation of Privilege - Linux Kernel (CVE-2026-31431) - Urgent [908]

Description: In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place This mostly reverts commit 72548b093ee3 except for the copying of the associated data. There is no benefit in operating in-place in algif_aead since the source and destination come from different mappings. Get rid of all the complexity added for in-place operation and just copy the AD directly.

almalinux: CVE-2026-31431 was patched at 2026-05-01, 2026-05-04, 2026-05-05

altlinux: CVE-2026-31431 was patched at 2026-04-20, 2026-05-04, 2026-05-05, 2026-05-08, 2026-05-12, 2026-05-14, 2026-05-18, 2026-05-25

debian: CVE-2026-31431 was patched at 2026-04-30, 2026-05-01, 2026-05-02, 2026-05-20

oraclelinux: CVE-2026-31431 was patched at 2026-05-01, 2026-05-05, 2026-05-10, 2026-05-18

redhat: CVE-2026-31431 was patched at 2026-05-04, 2026-05-05, 2026-05-06, 2026-05-11, 2026-05-12, 2026-05-19

redos: CVE-2026-31431 was patched at 2026-04-30

ubuntu: CVE-2026-31431 was patched at 2026-04-30, 2026-05-19, 2026-05-20, 2026-05-22, 2026-05-25, 2026-05-26

5. Remote Code Execution - NGINX (CVE-2026-42945) - Urgent [869]

Description: NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?). An unauthenticated attacker along with conditions beyond its control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

almalinux: CVE-2026-42945 was patched at 2026-05-18

altlinux: CVE-2026-42945 was patched at 2026-05-19, 2026-05-26, 2026-05-27

debian: CVE-2026-42945 was patched at 2026-05-16, 2026-05-20

oraclelinux: CVE-2026-42945 was patched at 2026-05-19

redhat: CVE-2026-42945 was patched at 2026-05-15, 2026-05-18, 2026-05-19

ubuntu: CVE-2026-42945 was patched at 2026-05-14

Critical (34)

6. Denial of Service - PgBouncer (CVE-2026-6664) - Critical [790]

Description: An integer overflow in network packet parsing code in PgBouncer before 1.25.2 bypasses a boundary check and can lead to a crash. An unauthenticated remote attacker can crash PgBouncer with a malformed SCRAM authentication packet.

altlinux: CVE-2026-6664 was patched at 2026-05-12, 2026-05-13

debian: CVE-2026-6664 was patched at 2026-05-20

7. Remote Code Execution - Apache HTTP Server (CVE-2026-23918) - Critical [733]

Description: Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol. This issue affects Apache HTTP Server: 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.

altlinux: CVE-2026-23918 was patched at 2026-05-06, 2026-05-07, 2026-05-08

debian: CVE-2026-23918 was patched at 2026-05-20

ubuntu: CVE-2026-23918 was patched at 2026-05-06

8. Remote Code Execution - Apache Tomcat (CVE-2026-34486) - Critical [688]

Description: Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the fix for CVE-2026-29146 allowing the bypass of the EncryptInterceptor. This issue affects Apache Tomcat: 11.0.20, 10.1.53, 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.

altlinux: CVE-2026-34486 was patched at 2026-05-18

9. Remote Code Execution - htmlunit (CVE-2023-49093) - Critical [678]

Description: HtmlUnit is a GUI-less browser for Java programs. HtmlUnit is vulnerable to Remote Code Execution (RCE) via XSTL, when browsing the attacker’s webpage. This vulnerability has been patched in version 3.9.0

ubuntu: CVE-2023-49093 was patched at 2026-05-05

10. Remote Code Execution - ProFTPD (CVE-2026-42167) - Critical [666]

Description: mod_sql in ProFTPD before 1.3.9a allows remote attackers to execute arbitrary code via a username, in scenarios where there is logging of USER requests with an expansion such as %U, and the SQL backend allows commands (e.g., COPY TO PROGRAM).

debian: CVE-2026-42167 was patched at 2026-05-20

11. Command Injection - basic-ftp (CVE-2026-39983) - Critical [661]

Description: basic-ftp is an FTP client for Node.js. Prior to 5.2.1, basic-ftp allows FTP command injection via CRLF sequences (\r\n) in file path parameters passed to high-level path APIs such as cd(), remove(), rename(), uploadFrom(), downloadTo(), list(), and removeDir(). The library's protectWhitespace() helper only handles leading spaces and returns other paths unchanged, while FtpContext.send() writes the resulting command string directly to the control socket with \r\n appended. This lets attacker-controlled path strings split one intended FTP command into multiple commands. This vulnerability is fixed in 5.2.1.

debian: CVE-2026-39983 was patched at 2026-04-21

12. Authentication Bypass - Apache ActiveMQ (CVE-2026-27446) - Critical [644]

Description: Missing Authentication for Critical Function (CWE-306) vulnerability in Apache Artemis, Apache ActiveMQ Artemis. An unauthenticated remote attacker can use the Core protocol to force a target broker to establish an outbound Core federation connection to an attacker-controlled rogue broker. This could potentially result in message injection into any queue and/or message exfiltration from any queue via the rogue broker. This impacts environments that allow both: - incoming Core protocol connections from untrusted sources to the broker - outgoing Core protocol connections from the broker to untrusted targets This issue affects: - Apache Artemis from 2.50.0 through 2.51.0 - Apache ActiveMQ Artemis from 2.11.0 through 2.44.0. Users are recommended to upgrade to Apache Artemis version 2.52.0, which fixes the issue. The issue can be mitigated by one of the following: - Remove Core protocol support from any acceptor receiving connections from untrusted sources. Incoming Core protocol connections are supported by default via the "artemis" acceptor listening on port 61616. See the "protocols" URL parameter configured for the acceptor. An acceptor URL without this parameter supports all protocols by default, including Core. - Use two-way SSL (i.e. certificate-based authentication) in order to force every client to present the proper SSL certificate when establishing a connection before any message protocol handshake is attempted. This will prevent unauthenticated exploitation of this vulnerability. - Implement and deploy a Core interceptor to deny all Core downstream federation connect packets. Such packets have a type of (int) -16 or (byte) 0xfffffff0. Documentation for interceptors is available at https://artemis.apache.org/components/artemis/documentation/latest/intercepting-operations.html .

redhat: CVE-2026-27446 was patched at 2026-05-18

13. Elevation of Privilege - systemd (CVE-2026-33945) - Critical [643]

Description: Incus is a system container and virtual machine manager. Incus instances have an option to provide credentials to systemd in the guest. For containers, this is handled through a shared directory. Prior to version 6.23.0, an attacker can set a configuration key named something like `systemd.credential.../../../../../../root/.bashrc` to cause Incus to write outside of the `credentials` directory associated with the container. This makes use of the fact that the Incus syntax for such credentials is `systemd.credential.XYZ` where `XYZ` can itself contain more periods. While it's not possible to read any data this way, it's possible to write to arbitrary files as root, enabling both privilege escalation and denial of service attacks. Version 6.23.0 fixes the issue.

altlinux: CVE-2026-33945 was patched at 2026-04-23

redos: CVE-2026-33945 was patched at 2026-04-20

14. Denial of Service - Mongoose (CVE-2019-19307) - Critical [636]

Description: An integer overflow in parse_mqtt in mongoose.c in Cesanta Mongoose 6.16 allows an attacker to achieve remote DoS (infinite loop), or possibly cause an out-of-bounds write, by sending a crafted MQTT protocol packet.

debian: CVE-2019-19307 was patched at 2026-05-20

15. Remote Code Execution - firebird (CVE-2026-40342) - Critical [630]

Description: Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, the external engine plugin loader concatenates a user-supplied engine name into a filesystem path without filtering path separators or .. components. An authenticated user with CREATE FUNCTION privileges can use a crafted ENGINE name to load an arbitrary shared library from anywhere on the filesystem via path traversal. The library's initialization code executes immediately during loading, before Firebird validates the module, achieving code execution as the server's OS account. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14.

altlinux: CVE-2026-40342 was patched at 2026-05-07

debian: CVE-2026-40342 was patched at 2026-04-21

redos: CVE-2026-40342 was patched at 2026-05-15

16. Remote Code Execution - mchange_commons_java (CVE-2026-27727) - Critical [630]

Description: mchange-commons-java, a library that provides Java utilities, includes code that mirrors early implementations of JNDI functionality, including support for remote `factoryClassLocation` values, by which code can be downloaded and invoked within a running application. If an attacker can provoke an application to read a maliciously crafted `jaxax.naming.Reference` or serialized object, they can provoke the download and execution of malicious code. Implementations of this functionality within the JDK were disabled by default behind a System property that defaults to `false`, `com.sun.jndi.ldap.object.trustURLCodebase`. However, since mchange-commons-java includes an independent implementation of JNDI derefencing, libraries (such as c3p0) that resolve references via that implementation could be provoked to download and execute malicious code even after the JDK was hardened. Mirroring the JDK patch, mchange-commons-java's JNDI functionality is gated by configuration parameters that default to restrictive values starting in version 0.4.0. No known workarounds are available. Versions prior to 0.4.0 should be avoided on application CLASSPATHs.

redhat: CVE-2026-27727 was patched at 2026-05-18

17. Remote Code Execution - Kubernetes (CVE-2026-3288) - Critical [628]

Description: A security issue was discovered in ingress-nginx where the `nginx.ingress.kubernetes.io/rewrite-target` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)

redos: CVE-2026-3288 was patched at 2026-04-29

18. Remote Code Execution - Kubernetes (CVE-2026-4342) - Critical [628]

Description: A security issue was discovered in ingress-nginx where a combination of Ingress annotations can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)

redos: CVE-2026-4342 was patched at 2026-04-29

19. Authentication Bypass - wildfly_core (CVE-2025-23368) - Critical [627]

Description: A flaw was found in Wildfly Elytron integration. The component does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks via CLI.

redhat: CVE-2025-23368 was patched at 2026-05-18

20. Command Injection - Netty (CVE-2026-42581) - Critical [627]

Description: Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpObjectDecoder strips a conflicting Content-Length header when a request carries both Transfer-Encoding: chunked and Content-Length, but only for HTTP/1.1 messages. The guard is absent for HTTP/1.0. An attacker that sends an HTTP/1.0 request with both headers causes Netty to decode the body as chunked while leaving Content-Length intact in the forwarded HttpMessage. Any downstream proxy or handler that trusts Content-Length over Transfer-Encoding will disagree on message boundaries, enabling request smuggling. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.

debian: CVE-2026-42581 was patched at 2026-05-20

21. Remote Code Execution - Exim (CVE-2026-45185) - Critical [623]

Description: Exim before 4.99.3, in certain GnuTLS configurations, has a remotely reachable use-after-free in the BDAT body parsing path. It is triggered when a client sends a TLS close_notify mid-body during a CHUNKING transfer, followed by a final cleartext byte on the same TCP connection. This can lead to heap corruption. An unauthenticated network attacker exploiting this vulnerability could execute arbitrary code.

altlinux: CVE-2026-45185 was patched at 2026-05-16

debian: CVE-2026-45185 was patched at 2026-05-12, 2026-05-20

22. Remote Code Execution - Redis (CVE-2026-23479) - Critical [623]

Description: Redis is an in-memory data structure store. In redis-server from 7.2.0 until 8.6.3, the unblock client flow does not handle an error return from `processCommandAndResetClient` when re-executing a blocked command. If a blocked client is evicted during this flow, an authenticated attacker can trigger a use-after-free that may lead to remote code execution. This has been patched in version 8.6.3.

altlinux: CVE-2026-23479 was patched at 2026-05-14

debian: CVE-2026-23479 was patched at 2026-05-20

23. Remote Code Execution - Redis (CVE-2026-25243) - Critical [623]

Description: Redis is an in-memory data structure store. In versions of redis-server up to 8.6.3, the RESTORE command does not properly validate serialized values. An authenticated attacker with permission to execute RESTORE can supply a crafted serialized payload that triggers invalid memory access and may lead to remote code execution. A workaround is to restrict access to the RESTORE command with ACL rules. This is patched in version 8.6.3.

altlinux: CVE-2026-25243 was patched at 2026-05-14

debian: CVE-2026-25243 was patched at 2026-05-20

24. Remote Code Execution - GLPI (CVE-2026-26026) - Critical [621]

Description: GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, template injection by an administrator lead to RCE. This vulnerability is fixed in 11.0.6.

redos: CVE-2026-26026 was patched at 2026-04-17

25. Authentication Bypass - Axios (CVE-2026-42044) - Critical [620]

Description: Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.2, he Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution in the application's dependency tree to be escalated into surgical, invisible modification of all JSON API responses — including privilege escalation, balance manipulation, and authorization bypass. The default transformResponse function at lib/defaults/index.js:124 calls JSON.parse(data, this.parseReviver), where this is the merged config object. Because parseReviver is not present in Axios defaults, not validated by assertOptions, and not subject to any constraints, a polluted Object.prototype.parseReviver function is called for every key-value pair in every JSON response, allowing the attacker to selectively modify individual values while leaving the rest of the response intact. This vulnerability is fixed in 1.15.2.

debian: CVE-2026-42044 was patched at 2026-05-20

26. Remote Code Execution - hashcat (CVE-2026-42484) - Critical [619]

Description: A heap-based buffer overflow in hex_to_binary in the PKZIP hash parser in hashcat v7.1.2 allows an attacker to cause a denial of service or possibly execute arbitrary code via a crafted PKZIP hash file. The issue affects modules 17200, 17210, 17220, 17225, and 17230. When data_type_enum<=1, attacker-controlled hex data from a user-supplied hash string is decoded into a fixed-size buffer without proper input-length validation.

debian: CVE-2026-42484 was patched at 2026-05-20

27. Command Injection - Vim (CVE-2026-44656) - Critical [617]

Description: Vim is an open source, command line text editor. Prior to version 9.2.0435, an OS command injection vulnerability exists in Vim's :find command-line completion. When the path option contains backtick-enclosed shell commands, those commands are executed during file name completion. Because the path option lacks the P_SECURE flag, it can be set from a modeline, allowing an attacker who controls the contents of a file to execute arbitrary shell commands when the user opens that file in Vim and triggers :find completion. This issue has been patched in version 9.2.0435.

altlinux: CVE-2026-44656 was patched at 2026-05-25

debian: CVE-2026-44656 was patched at 2026-05-20

ubuntu: CVE-2026-44656 was patched at 2026-05-25

28. Security Feature Bypass - Netty (CVE-2026-42579) - Critical [615]

Description: Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's DNS codec does not enforce RFC 1035 domain name constraints during either encoding or decoding. This creates a bidirectional attack surface: malicious DNS responses can exploit the decoder, and user-influenced hostnames can exploit the encoder. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.

debian: CVE-2026-42579 was patched at 2026-05-20

29. Elevation of Privilege - Linux Kernel (CVE-2026-31635) - Critical [611]

Description: In the Linux kernel, the following vulnerability has been resolved: rxrpc: fix oversized RESPONSE authenticator length check rxgk_verify_response() decodes auth_len from the packet and is supposed to verify that it fits in the remaining bytes. The existing check is inverted, so oversized RESPONSE authenticators are accepted and passed to rxgk_decrypt_skb(), which can later reach skb_to_sgvec() with an impossible length and hit BUG_ON(len). Decoded from the original latest-net reproduction logs with scripts/decode_stacktrace.sh: RIP: __skb_to_sgvec() [net/core/skbuff.c:5285 (discriminator 1)] Call Trace: skb_to_sgvec() [net/core/skbuff.c:5305] rxgk_decrypt_skb() [net/rxrpc/rxgk_common.h:81] rxgk_verify_response() [net/rxrpc/rxgk.c:1268] rxrpc_process_connection() [net/rxrpc/conn_event.c:266 net/rxrpc/conn_event.c:364 net/rxrpc/conn_event.c:386] process_one_work() [kernel/workqueue.c:3281] worker_thread() [kernel/workqueue.c:3353 kernel/workqueue.c:3440] kthread() [kernel/kthread.c:436] ret_from_fork() [arch/x86/kernel/process.c:164] Reject authenticator lengths that exceed the remaining packet payload.

altlinux: CVE-2026-31635 was patched at 2026-04-27, 2026-05-12

30. Remote Code Execution - Apache ActiveMQ (CVE-2026-41044) - Critical [611]

Description: Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ, Apache ActiveMQ Broker, Apache ActiveMQ All. An authenticated attacker can use the admin web console page to construct a malicious broker name that bypasses name validation to include an xbean binding that can be later used by a VM transport to load a remote Spring XML application. The attacker can then use the DestinationView mbean to send a message to trigger a VM transport creation that will reference this malicious broker name which can lead to loading the malicious Spring XML context file. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec(). This issue affects Apache ActiveMQ: before 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ Broker: before 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ All: before 5.19.6, from 6.0.0 before 6.2.5. Users are recommended to upgrade to version 6.2.5 or 5.19.6, which fixes the issue.

debian: CVE-2026-41044 was patched at 2026-05-20

31. Remote Code Execution - GNU C Library (CVE-2026-35368) - Critical [609]

Description: A vulnerability exists in the chroot utility of uutils coreutils when using the --userspec option. The utility resolves the user specification via getpwnam() after entering the chroot but before dropping root privileges. On glibc-based systems, this can trigger the Name Service Switch (NSS) to load shared libraries (e.g., libnss_*.so.2) from the new root directory. If the NEWROOT is writable by an attacker, they can inject a malicious NSS module to execute arbitrary code as root, facilitating a full container escape or privilege escalation.

debian: CVE-2026-35368 was patched at 2026-05-20

32. Authentication Bypass - Axios (CVE-2026-42041) - Critical [608]

Description: Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution to silently suppress all HTTP error responses (401, 403, 500, etc.), causing them to be treated as successful responses. This completely bypasses application-level authentication and error handling. The root cause is that validateStatus is the only config property using the mergeDirectKeys merge strategy, which uses JavaScript's in operator — an operator that inherently traverses the prototype chain. When Object.prototype.validateStatus is polluted with () => true, all HTTP status codes are accepted as success. This vulnerability is fixed in 1.15.1 and 0.31.1.

debian: CVE-2026-42041 was patched at 2026-05-20

33. Command Injection - Netty (CVE-2026-42585) - Critical [604]

Description: Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty incorrectly parses malformed Transfer-Encoding, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.

debian: CVE-2026-42585 was patched at 2026-05-20

34. Authentication Bypass - Traefik (CVE-2026-39858) - Critical [603]

Description: Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a high severity authentication bypass vulnerability in Traefik's ForwardAuth and snippet-based authentication middleware. Traefik's forwarded-header sanitization logic targets only canonical header names (e.g., X-Forwarded-Proto) and does not strip or normalize alias variants that use underscores instead of dashes (e.g., X_Forwarded_Proto). These unsanitized alias headers are forwarded intact to the authentication backend. When the backend normalizes underscore and dash header forms equivalently, an attacker can inject spoofed trust context — such as a trusted scheme or host — through the alias headers and bypass authentication on protected routes without valid credentials. This issue has been patched in versions 2.11.43, 3.6.14, and 3.7.0-rc.2.

altlinux: CVE-2026-39858 was patched at 2026-05-06

35. Memory Corruption - OpenSSL (CVE-2021-26530) - Critical [603]

Description: The mg_tls_init function in Cesanta Mongoose HTTPS server 7.0 (compiled with OpenSSL support) is vulnerable to remote OOB write attack via connection request after exhausting memory pool.

debian: CVE-2021-26530 was patched at 2026-05-20

36. Security Feature Bypass - Netty (CVE-2026-42584) - Critical [603]

Description: Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpClientCodec pairs each inbound response with an outbound request by queue.poll() once per response, including for 1xx. If the client pipelines GET then HEAD and the server sends 103, then 200 with GET body, then 200 for HEAD, the queue pairs HEAD with the first 200. The HEAD rule then skips reading that message’s body, so the GET entity bytes stay on the stream and the following 200 is parsed from the wrong offset. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.

debian: CVE-2026-42584 was patched at 2026-05-20

37. Path Traversal - InVesalius (CVE-2024-44825) - Critical [601]

Description: Directory Traversal vulnerability in Centro de Tecnologia da Informaco Renato Archer InVesalius3 v3.1.99995 allows attackers to write arbitrary files unto the system via a crafted .inv3 file.

debian: CVE-2024-44825 was patched at 2026-05-20

38. Remote Code Execution - Redis (CVE-2026-23631) - Critical [600]

Description: Redis is an in-memory data structure store. In all versions of redis-server with Lua scripting, an authenticated attacker can exploit the master-replica synchronization mechanism to trigger a use-after-free on replicas where replica-read-only is disabled or can be disabled, which may lead to remote code execution. A workaround is to prevent users from executing Lua scripts or avoid using replicas where replica-read-only is disabled. This is patched in version 8.6.3.

altlinux: CVE-2026-23631 was patched at 2026-05-14

debian: CVE-2026-23631 was patched at 2026-05-20

39. Remote Code Execution - Wireshark (CVE-2026-5402) - Critical [600]

Description: TLS protocol dissector heap overflow in Wireshark 4.6.0 to 4.6.4 allows denial of service and possible code execution

altlinux: CVE-2026-5402 was patched at 2026-05-04, 2026-05-06

debian: CVE-2026-5402 was patched at 2026-05-20

High (392)

40. Elevation of Privilege - Linux Kernel (CVE-2026-46300) - High [599]

Description: In the Linux kernel, the following vulnerability has been resolved: net: skbuff: preserve shared-frag marker during coalescing skb_try_coalesce() can attach paged frags from @from to @to. If @from has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same externally-owned or page-cache-backed frags, but the shared-frag marker is currently lost. That breaks the invariant relied on by later in-place writers. In particular, ESP input checks skb_has_shared_frag() before deciding whether an uncloned nonlinear skb can skip skb_cow_data(). If TCP receive coalescing has moved shared frags into an unmarked skb, ESP can see skb_has_shared_frag() as false and decrypt in place over page-cache backed frags. Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged frags. The tailroom copy path does not need the marker because it copies bytes into @to's linear data rather than transferring frag descriptors.

almalinux: CVE-2026-46300 was patched at 2026-05-16, 2026-05-20

debian: CVE-2026-46300 was patched at 2026-05-20, 2026-05-23, 2026-05-28, 2026-05-30

oraclelinux: CVE-2026-46300 was patched at 2026-05-21, 2026-05-25

redhat: CVE-2026-46300 was patched at 2026-05-20, 2026-05-21, 2026-05-26

redos: CVE-2026-46300 was patched at 2026-05-18

41. Remote Code Execution - PHP (CVE-2026-6735) - High [597]

Description: In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, 8.5.* before 8.5.6, due to improper sanitation of user data, it allows an attacker to compose an URL, which will cause the target to execute arbitrary JavaScript code (XSS) on the target's machine when the target is viewing the PHP-FPM status page.

altlinux: CVE-2026-6735 was patched at 2026-05-22, 2026-05-25, 2026-05-27

debian: CVE-2026-6735 was patched at 2026-05-08, 2026-05-20

42. Remote Code Execution - hashcat (CVE-2026-42482) - High [595]

Description: A stack-based buffer overflow in mangle_to_hex_lower() and mangle_to_hex_upper() in src/rp_cpu.c in hashcat v7.1.2 allows an attacker to cause a denial of service or possibly execute arbitrary code via a crafted rule file, or via the -j or -k rule options used with password candidates of 128 or more characters. The vulnerability is caused by a bounds check that fails to account for the 2x expansion that occurs when password bytes are converted to hexadecimal.

debian: CVE-2026-42482 was patched at 2026-05-20

43. Command Injection - Netty (CVE-2026-42580) - High [592]

Description: Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's chunk size parser silently overflows int, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.

debian: CVE-2026-42580 was patched at 2026-05-20

44. Elevation of Privilege - PackageKit (CVE-2026-41651) - High [592]

Description: PackageKit is a a D-Bus abstraction layer that allows the user to manage packages in a secure way using a cross-distro, cross-architecture API. PackageKit between and including versions 1.0.2 and 1.3.4 is vulnerable to a time-of-check time-of-use (TOCTOU) race condition on transaction flags that allows unprivileged users to install packages as root and thus leads to a local privilege escalation. This is patched in version 1.3.5. A local unprivileged user can install arbitrary RPM packages as root, including executing RPM scriptlets, without authentication. The vulnerability is a TOCTOU race condition on `transaction->cached_transaction_flags` combined with a silent state-machine guard that discards illegal backward transitions while leaving corrupted flags in place. Three bugs exist in `src/pk-transaction.c`: 1. Unconditional flag overwrite (line 4036): `InstallFiles()` writes caller-supplied flags to `transaction->cached_transaction_flags` without checking whether the transaction has already been authorized/started. A second call blindly overwrites the flags even while the transaction is RUNNING. 2. Silent state-transition rejection (lines 873–882): `pk_transaction_set_state()` silently discards backward state transitions (e.g. `RUNNING` → `WAITING_FOR_AUTH`) but the flag overwrite at step 1 already happened. The transaction continues running with corrupted flags. 3. Late flag read at execution time (lines 2273–2277): The scheduler's idle callback reads cached_transaction_flags at dispatch time, not at authorization time. If flags were overwritten between authorization and execution, the backend sees the attacker's flags.

almalinux: CVE-2026-41651 was patched at 2026-04-29

altlinux: CVE-2026-41651 was patched at 2026-04-27, 2026-05-03, 2026-05-27

debian: CVE-2026-41651 was patched at 2026-04-22, 2026-05-20

oraclelinux: CVE-2026-41651 was patched at 2026-04-29

redhat: CVE-2026-41651 was patched at 2026-04-29, 2026-05-14, 2026-05-18, 2026-05-19, 2026-05-20

ubuntu: CVE-2026-41651 was patched at 2026-04-29

45. Authentication Bypass - Traefik (CVE-2026-35051) - High [591]

Description: Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is an authentication bypass vulnerability in Traefik's ForwardAuth middleware when trustForwardHeader=false is configured and Traefik is deployed behind a trusted upstream proxy. This issue has been patched in versions 2.11.43, 3.6.14, and 3.7.0-rc.2.

altlinux: CVE-2026-35051 was patched at 2026-05-06

46. Authentication Bypass - Traefik (CVE-2026-40912) - High [591]

Description: Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a high severity authentication bypass vulnerability in Traefik's StripPrefixRegex middleware when used in combination with ForwardAuth, BasicAuth, or DigestAuth. The middleware matches the regex against the decoded URL path but uses the resulting byte length to slice the percent-encoded raw path. When a dot (or multiple dots) appears in the prefix portion of the URL, the raw path after stripping becomes a dot-segment (e.g. /./admin/secret). ForwardAuth receives this dot-segment path in X-Forwarded-Uri, which does not match the protected path patterns and therefore allows the request through. The backend then normalizes the dot-segment to the real path per RFC 3986 and serves the protected content An unauthenticated attacker can exploit this against any backend that performs dot-segment normalization. This issue has been patched in versions 2.11.43, 3.6.14, and 3.7.0-rc.2.

altlinux: CVE-2026-40912 was patched at 2026-05-06

47. Command Injection - Composer (CVE-2026-40261) - High [589]

Description: Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a command injection vulnerability in the Perforce::syncCodeBase() method, which appends the $sourceReference parameter to a shell command without proper escaping, and additionally in the Perforce::generateP4Command() method as in GHSA-wg36-wvj6-r67p / CVE-2026-40176, which interpolates user-supplied Perforce connection parameters (port, user, client) from the source url field without proper escaping. An attacker can inject arbitrary commands through crafted source reference or source url values containing shell metacharacters, even if Perforce is not installed. Unlike CVE-2026-40176, the source reference and url are provided as part of package metadata, meaning any compromised or malicious Composer repository can serve package metadata declaring perforce as a source type with malicious values. This vulnerability is exploitable when installing or updating dependencies from source, including the default behavior when installing dev-prefixed versions. This issue has been fixed in Composer 2.2.27 (2.2 LTS) and 2.9.6 (mainline). If developers are unable to immediately update, they can avoid installing dependencies from source by using --prefer-dist or the preferred-install: dist config setting, and only use trusted Composer repositories as a workaround.

debian: CVE-2026-40261 was patched at 2026-04-17

48. Denial of Service - firebird (CVE-2026-27890) - High [589]

Description: Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, when processing CNCT_specific_data segments during authentication, the server assumes segments arrive in strictly ascending order. If segments arrive out of order, the Array class's grow() method computes a negative size value, causing a SIGSEGV crash. An unauthenticated attacker who knows only the server's IP and port can exploit this to crash the server. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14.

altlinux: CVE-2026-27890 was patched at 2026-05-07

debian: CVE-2026-27890 was patched at 2026-04-21

redos: CVE-2026-27890 was patched at 2026-05-15

49. Denial of Service - firebird (CVE-2026-28224) - High [589]

Description: Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, when the server receives an op_crypt_key_callback packet without prior authentication, the port_server_crypt_callback handler is not initialized, resulting in a null pointer dereference and server crash. An unauthenticated attacker who knows only the server's IP and port can exploit this to crash the server. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14.

altlinux: CVE-2026-28224 was patched at 2026-05-07

debian: CVE-2026-28224 was patched at 2026-04-21

redos: CVE-2026-28224 was patched at 2026-05-15

50. Elevation of Privilege - Linux Kernel (CVE-2026-46333) - High [587]

Description: In the Linux kernel, the following vulnerability has been resolved: ptrace: slightly saner 'get_dumpable()' logic The 'dumpability' of a task is fundamentally about the memory image of the task - the concept comes from whether it can core dump or not - and makes no sense when you don't have an associated mm. And almost all users do in fact use it only for the case where the task has a mm pointer. But we have one odd special case: ptrace_may_access() uses 'dumpable' to check various other things entirely independently of the MM (typically explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for threads that no longer have a VM (and maybe never did, like most kernel threads). It's not what this flag was designed for, but it is what it is. The ptrace code does check that the uid/gid matches, so you do have to be uid-0 to see kernel thread details, but this means that the traditional "drop capabilities" model doesn't make any difference for this all. Make it all make a *bit* more sense by saying that if you don't have a MM pointer, we'll use a cached "last dumpability" flag if the thread ever had a MM (it will be zero for kernel threads since it is never set), and require a proper CAP_SYS_PTRACE capability to override.

almalinux: CVE-2026-46333 was patched at 2026-05-16, 2026-05-20

debian: CVE-2026-46333 was patched at 2026-05-15, 2026-05-20

oraclelinux: CVE-2026-46333 was patched at 2026-05-20, 2026-05-21

redhat: CVE-2026-46333 was patched at 2026-05-20, 2026-05-21, 2026-05-26

redos: CVE-2026-46333 was patched at 2026-05-28

51. Remote Code Execution - gdown (CVE-2026-40491) - High [583]

Description: gdown is a Google Drive public file/folder downloader. Versions prior to 5.2.2 are vulnerable to a Path Traversal attack within the extractall functionality. When extracting a maliciously crafted ZIP or TAR archive, the library fails to sanitize or validate the filenames of the archive members. This allow files to be written outside the intended destination directory, potentially leading to arbitrary file overwrite and Remote Code Execution (RCE). Version 5.2.2 contains a fix.

debian: CVE-2026-40491 was patched at 2026-04-21

52. Remote Code Execution - hashcat (CVE-2026-42483) - High [583]

Description: A heap-based buffer overflow in the Kerberos hash parser in hashcat v7.1.2 allows an attacker to cause a denial of service or possibly execute arbitrary code via a crafted Kerberos hash file. The issue affects module_hash_decode in multiple Kerberos-related modules because account_info_len is calculated from untrusted delimiter positions without upper-bound validation before memcpy copies the data into a fixed-size account_info buffer.

debian: CVE-2026-42483 was patched at 2026-05-20

53. Remote Code Execution - openimageio (CVE-2026-43907) - High [583]

Description: OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation. Prior to 3.0.18.0 and 3.1.13.0, a signed integer overflow in QueryRGBBufferSizeInternal() in DPXColorConverter.cpp leads to a heap-based out-of-bounds write when processing crafted DPX image files. The function computes buffer sizes using 32-bit signed integer arithmetic with negative multipliers (e.g., pixels * -3 * bytes for kCbYCr descriptors and pixels * -4 * bytes for kABGR descriptors), where a negative result is used as an in-band signal that no separate buffer is needed. When the pixel count is sufficiently large, the multiplication overflows INT_MIN and wraps to a small positive value. The caller in dpxinput.cpp interprets this positive value as a required buffer size, allocates an undersized heap buffer via m_decodebuf.resize(), and then writes the full image data into it via fread, resulting in a heap buffer overflow. An attacker can exploit this by crafting a DPX file that triggers the overflow, causing a denial of service (crash) or potentially arbitrary code execution through heap corruption in any application that reads pixel data using OpenImageIO. This vulnerability is fixed in 3.0.18.0 and 3.1.13.0.

debian: CVE-2026-43907 was patched at 2026-05-20

54. Command Injection - Netty (CVE-2026-41417) - High [580]

Description: Netty allows request-line validation to be bypassed when a `DefaultHttpRequest` or `DefaultFullHttpRequest` is created first and its URI is later changed via `setUri()`. The constructors reject CRLF and whitespace characters that would break the start-line, but `setUri()` does not apply the same validation. `HttpRequestEncoder` and `RtspEncoder` then write the URI into the request line verbatim. If attacker-controlled input reaches `setUri()`, this enables CRLF injection and insertion of additional HTTP or RTSP requests, leading to HTTP request smuggling or desynchronization on the HTTP side and request injection on the RTSP side. This issue is fixed in versions 4.2.13.Final and 4.1.133.Final.

debian: CVE-2026-41417 was patched at 2026-05-20

55. Remote Code Execution - Wireshark (CVE-2026-5403) - High [576]

Description: SBC codec crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service and possible code execution

altlinux: CVE-2026-5403 was patched at 2026-05-04, 2026-05-06

debian: CVE-2026-5403 was patched at 2026-05-06, 2026-05-20

56. Remote Code Execution - Wireshark (CVE-2026-5405) - High [576]

Description: RDP protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service and possible code execution

altlinux: CVE-2026-5405 was patched at 2026-05-04, 2026-05-06

debian: CVE-2026-5405 was patched at 2026-05-06, 2026-05-20

57. Remote Code Execution - Wireshark (CVE-2026-5656) - High [576]

Description: Profile import path traversal in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service and possible code execution

altlinux: CVE-2026-5656 was patched at 2026-05-04, 2026-05-06

debian: CVE-2026-5656 was patched at 2026-05-06, 2026-05-20

58. Remote Code Execution - gdk-pixbuf (CVE-2026-33023) - High [576]

Description: libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. In versions 1.8.7 and prior, when built with the --with-gdk-pixbuf2 option, a use-after-free vulnerability exists in load_with_gdkpixbuf() in loader.c. The cleanup path manually frees the sixel_frame_t object and its internal buffers without consulting the reference count, even though the object was created via the refcounted constructor sixel_frame_new() and exposed to the public callback. A callback that calls sixel_frame_ref(frame) to retain a logically valid reference will hold a dangling pointer after sixel_helper_load_image_file() returns, and any subsequent access to the frame or its fields triggers a use-after-free confirmed by AddressSanitizer. The root cause is a consistency failure between two cleanup strategies in the same codebase: sixel_frame_unref() is used in load_with_builtin() but raw free() is used in load_with_gdkpixbuf(). An attacker supplying a crafted image to any application built against libsixel with gdk-pixbuf2 support can trigger this reliably, potentially leading to information disclosure, memory corruption, or code execution. This issue has been fixed in version 1.8.7-r1.

debian: CVE-2026-33023 was patched at 2026-04-17

59. Server-Side Request Forgery - Axios (CVE-2026-42038) - High [576]

Description: Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, he fix for no_proxy hostname normalization bypass is incomplete. When no_proxy=localhost is set, requests to 127.0.0.1 and [::1] still route through the proxy instead of bypassing it. The shouldBypassProxy() function does pure string matching — it does not resolve IP aliases or loopback equivalents. This vulnerability is fixed in 1.15.1 and 0.31.1.

debian: CVE-2026-42038 was patched at 2026-05-20

60. Memory Corruption - Apache HTTP Server (CVE-2026-28780) - High [572]

Description: Heap-based Buffer Overflow vulnerability in mod_proxy_ajp of Apache HTTP Server. If mod_proxy_ajp connects to a malicious AJP server this AJP server can send a malicious AJP message back to mod_proxy_ajp and cause it to write 4 attacker controlled bytes after the end of a heap based buffer. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.

almalinux: CVE-2026-28780 was patched at 2026-05-27

altlinux: CVE-2026-28780 was patched at 2026-05-06, 2026-05-07, 2026-05-08

debian: CVE-2026-28780 was patched at 2026-05-06, 2026-05-20

redhat: CVE-2026-28780 was patched at 2026-05-27

ubuntu: CVE-2026-28780 was patched at 2026-05-06

61. Memory Corruption - GNU C Library (CVE-2026-5450) - High [567]

Description: Calling the scanf family of functions with a %mc (malloc'd character match) in the GNU C Library version 2.7 to version 2.43 with a format width specifier with an explicit width greater than 1024 could result in a one byte heap buffer overflow.

debian: CVE-2026-5450 was patched at 2026-04-21

62. Code Injection - GitPython (CVE-2026-44244) - High [566]

Description: GitPython is a python library used to interact with Git repositories. Prior to version 3.1.49, GitConfigParser.set_value() passes values to Python's configparser without validating for newlines. GitPython's own _write() converts embedded newlines into indented continuation lines (e.g. \n becomes \n\t), but Git still accepts an indented [core] stanza as a section header — so the injected core.hooksPath becomes effective configuration. Any Git operation that invokes hooks (commit, merge, checkout) will then execute scripts from the attacker-controlled path. This issue has been patched in version 3.1.49.

altlinux: CVE-2026-44244 was patched at 2026-05-13, 2026-05-20, 2026-05-22

debian: CVE-2026-44244 was patched at 2026-05-20

ubuntu: CVE-2026-44244 was patched at 2026-05-26

63. Code Injection - ProFTPD (CVE-2026-44331) - High [566]

Description: In ProFTPD through 1.3.9a before 7666224, a SQL injection vulnerability in sqltab_fetch_clients_cb() in contrib/mod_wrap2_sql.c allows a remote attacker to inject arbitrary SQL commands via a crafted domain name that is accessed in a reverse DNS lookup. When "UseReverseDNS on" is enabled, the attacker-supplied hostname is passed unescaped into SQL queries. The character restrictions of DNS names may affect exploitability.