CVE | THREATINT

New

CVE-2026-56790: CANBoat - Off-by-One Global Buffer Overflow in searchForPgn(): CANBoat through 6.22, fixed in commit a5a22b7, contains an off-by-one global buffer overflow in the searchForPgn() function in analyzer/pgn.c that allows remote attackers to crash the application. Attackers can deliver a crafted NMEA-2000 message with an out-of-range PGN value over CAN bus or N2K-over-IP to trigger an out-of-bounds ...

CVE-2026-56789: RTKLIB 2.4.3 - Heap Buffer Overflow and Stack Read via Oversized RINEX Epoch Satellite Count: RTKLIB through 2.4.3 contains a heap buffer overflow vulnerability in the readrnxobsb function in src/rinex.c that allows attackers to trigger memory corruption by failing to clamp satellite count values from RINEX epoch headers. Attackers can craft malicious RINEX files declaring more than 64 satellit...

CVE-2026-56788: RTKLIB 2.4.3 - Out-of-bounds Read via Negative Array Index in getcodepri: RTKLIB through 2.4.3 contains an out-of-bounds read vulnerability in getcodepri function when processing unrecognized RINEX observation codes, allowing attackers to trigger denial of service. Crafted RINEX files with unknown observation types cause negative array indexing into the codepris table, resulting in reliable cra...

CVE-2026-56787: RTKLIB 2.4.3 - Off-by-One Out-of-Bounds Read in decode_ssr3 via RTCM3 SSR Message: RTKLIB through 2.4.3 contains an off-by-one out-of-bounds read vulnerability in the decode_ssr3 function at src/rtcm3.c:1446 that allows remote attackers to trigger a global buffer overflow via crafted RTCM3 SSR messages with attacker-controlled signal mode fields. Remote attackers can exploit this vulnerability ...

CVE-2026-56786: RTKLIB 2.4.3 - Out-of-bounds Write in decode_type1033 via Crafted RTCM3 Message: RTKLIB through 2.4.3 contains an out-of-bounds write vulnerability in decode_type1033 function that fails to clamp length counters to destination buffer size, allowing up to 191-byte overflow into fixed 64-byte descriptor fields. An attacker controlling an NTRIP or serial RTCM3 correction stream can craft a valid C...

Updated

CVE-2026-55700: pnpm: stage download writes outside destination via manifest version traversal: pnpm is a package manager. From 11.3.0 until 11.5.3, `pnpm stage download` derived a local filename from registry-controlled package name and version fields. A crafted manifest could escape the selected download directory and overwrite another reachable file. The merged fix validates both fields, derives one safe fi...

CVE-2025-61023: An issue in the st_compare component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

CVE-2026-13350: Permissions where checked incorrectly during room creation, allowing attackers to create rooms of types they shouldn't be allowed to create.

CVE-2026-54040: LibreChat: 2FA Backup Code Regeneration Without OTP Verification Allows 2FA Bypass: LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, the POST /api/auth/2fa/backup/regenerate endpoint regenerates all 2FA backup codes without requiring any TOTP token or existing backup code verification. An attacker with a stolen session token can silently replace a ...

CVE-2026-50014: pnpm: Git Fetch Argument Injection via Lockfile resolution.commit: pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm passes the lockfile-controlled git resolution.commit value to git fetch without a -- separator or commit-format validation. For git dependencies fetched through the shallow-fetch path, a malicious lockfile can replace the expected 40-character commit hash with a Git op...

CISA Known Exploited Vulnerabilities

CVE-2026-34908 Ubiquiti UniFi OS: Ubiquiti UniFi OS contains an improper access control vulnerability which could allow a malicious actor with access to the network to make unauthorized changes to the system.

CVE-2025-67038 Lantronix EDS5000: Lantronix EDS5000 contains a code injection vulnerability that could allow attackers to inject arbitrary OS commands into the username parameter. Injected commands are executed with root privileges.

CVE-2026-34910 Ubiquiti UniFi OS: Ubiquiti UniFi OS contains an improper input validation vulnerability which could allow a malicious actor with access to the network to conduct command injection.

CVE-2026-34909 Ubiquiti UniFi OS: Ubiquiti UniFi OS contains a path traversal vulnerability which could allow a malicious actor with access to the network to access files on the underlying system that could be manipulated to access an underlying account.

CVE-2026-20253 Splunk Enterprise: Splunk Enterprise contains a missing authentication for critical function vulnerability which could allow an unauthenticated user to create or truncate arbitrary files through a PostgreSQL sidecar service endpoint.

Additional information

EUVD (European Union Vulnerability Database) is maintained by ENISA (European Union Agency for Cybersecurity), under the European Union’s regulatory umbrella, serving as a centralized platform for vulnerability reporting specifically aligned with the EU’s legal frameworks such as NIS2 and the Cyber Resilience Act (CRA)

EUVD complements the CVE system by aggregating CVE data, but also assigns its own EUVD IDs to vulnerabilities, offers enriched metadata tailored for EU policies and compliance, and may highlight vulnerabilities particularly relevant to the European market.

Most vulnerabilities catalogued in EUVD will have both a CVE-ID and an EUVD-ID, acting as cross-references.

euvd.enisa.europa.eu

Source: media.ccc.de/v/eh22-138-panic-at-the-cve-o-theque.

A big "thank you" goes to @pennylane.

Welcome

New

Updated

CISA Known Exploited Vulnerabilities

Additional information