// CVE Tracker
152 active CVEs, page 3 of 7, sorted unpatched-first by CVSS
Summary: 85 critical, 66 high, 152 total active, 146 patched
CVE-2026-3854
GitHub Enterprise Server: Unauthenticated RCE via Malicious Git Push (Pre-Auth, Single Request)
Pre-authentication remote code execution in GitHub Enterprise Server's Git protocol handler. A crafted pack-file transmitted during a git push triggers a memory corruption condition in the Git protocol parsing layer, achieving code execution in the context of the Git service process before authentication is completed. No credentials required. Affects all supported GHES versions prior to the hotfix releases. Fixed in GHES 3.12.8, 3.13.4, 3.14.2, 3.15.1.
CVE-2026-41089
Windows Netlogon Remote Protocol Stack Buffer Overflow: Unauthenticated SYSTEM RCE on Domain Controllers (CVSS 9.8)
A stack-based buffer overflow in the Windows Netlogon Remote Protocol (MS-NRPC) service allows an unauthenticated attacker with network access to a Windows domain controller to execute arbitrary code with SYSTEM privileges. The vulnerability exists in the NetrLogonSendToSam RPC function, which fails to validate the size of an input parameter before copying it to a fixed-size stack buffer. A specially crafted RPC request overflows the buffer into adjacent stack memory, overwriting a return address and redirecting execution to attacker-controlled code. The attack requires no credentials, no user interaction and no prior foothold: only network access to the Netlogon RPC interface on the domain controller, reached over the NETLOGON named pipe on TCP 445 (SMB). Note that MS-NRPC is also bound over direct TCP via the RPC endpoint mapper (TCP 135 plus a dynamic high port), so filtering 445 alone does not remove the exposure; confirm the reachable transports against the Microsoft advisory. Active exploitation confirmed by Belgium's Centre for Cybersecurity (CCB) on 29 May 2026. Public PoC exploit available. Successful exploitation results in complete Active Directory domain compromise.
CVE-2026-41096
Windows DNS Client Remote Code Execution: Memory Corruption via Crafted DNS Response
A memory corruption vulnerability in the Windows DNS Client allows an attacker who controls or can spoof a DNS server to send a specially crafted DNS response that corrupts memory on the resolving Windows host. The flaw is triggered during standard DNS resolution activity requiring no user interaction. Successful exploitation could enable remote code execution in the context of the DNS Client service. All supported Windows versions are affected. No active exploitation has been confirmed at time of disclosure, but the network-based, zero-interaction attack vector makes this a candidate for rapid weaponisation.
CVE-2026-41940
cPanel and WHM: Authentication Bypass in Login Flow (Zero-Day, PoC Public)
Authentication logic flaw in the cPanel and WHM web hosting control panel software allowing unauthenticated remote attackers to bypass credential verification and gain full administrative access. Exploited as a zero-day for approximately six days before the vendor patched it; a public proof-of-concept is now available. Affects all cPanel/WHM versions from 11.40 onwards. WHM administrative compromise provides root-level server access; cPanel compromise provides full hosting account control. Fixed in cPanel LTS 120.0.24, Stable 122.0.16, Current 124.0.6.
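Both the GHES entry above and this cPanel/WHM entry fix the bug per release branch, so a plain "installed >= lowest fixed version" comparison gets the answer wrong (GHES 3.13.3 is higher than the fixed 3.12.8 yet still vulnerable). The following branch-aware patch check is an added example, not vendor tooling: the fixed-version lists are copied from the two entries, the host inventory is constructed, and the rule that a build on a branch with no listed fix is reported separately is an assumption (such builds should be treated as affected or end-of-life until the vendor advisory says otherwise).

```python
"""Branch-aware 'is this build patched?' check. Added example, not vendor code.
Fixed versions come from the two tracker entries above; the inventory is constructed."""
from __future__ import annotations

# Each product: (fixed versions listed in the entry, number of leading version
# components that identify a release branch). GHES is patched per x.y branch
# (3.12.8 fixes 3.12.x only); cPanel/WHM per major tier (120 LTS, 122 Stable,
# 124 Current).
FIXED = {
    "ghes":   (["3.12.8", "3.13.4", "3.14.2", "3.15.1"], 2),
    "cpanel": (["120.0.24", "122.0.16", "124.0.6"], 1),
}


def parse_version(v: str) -> tuple[int, ...]:
    """'3.13.4' -> (3, 13, 4). Raises ValueError on non-numeric parts."""
    return tuple(int(p) for p in v.strip().split("."))


def patch_status(product: str, installed: str) -> str:
    """Return 'patched', 'vulnerable' or 'no-fix-on-branch'.

    A build is compared only against the fix for its own branch: 3.13.3 is
    vulnerable even though 3.12.8 (a lower number) is fixed, and 3.11.x has no
    listed fix at all (assumption: treat as affected / EOL and verify with the
    vendor advisory).
    """
    fixed_list, depth = FIXED[product]
    inst = parse_version(installed)
    for fixed in fixed_list:
        fx = parse_version(fixed)
        if inst[:depth] == fx[:depth]:
            return "patched" if inst >= fx else "vulnerable"
    return "no-fix-on-branch"


def triage(inventory: list[tuple[str, str, str]]) -> dict[str, list[str]]:
    """Group hosts (name, product, version) by status, vulnerable first."""
    out: dict[str, list[str]] = {"vulnerable": [], "no-fix-on-branch": [], "patched": []}
    for host, product, version in inventory:
        out[patch_status(product, version)].append(host)
    return out


# Constructed inventory for the demonstration.
SAMPLE_INVENTORY = [
    ("ghes-prod-1", "ghes", "3.13.3"),       # same branch as a fix, one build short
    ("ghes-prod-2", "ghes", "3.14.2"),       # exactly the fixed build
    ("ghes-legacy", "ghes", "3.11.10"),      # branch with no listed fix
    ("whm-shared-a", "cpanel", "122.0.15"),  # Stable tier, one build short
    ("whm-shared-b", "cpanel", "124.0.9"),   # Current tier, above the fix
    ("whm-old", "cpanel", "118.0.30"),       # tier with no listed fix
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:17s} {', '.join(hosts) or '-'}")
```

The same table shape works for any vendor that ships parallel hotfix lines; only the branch depth changes.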
CVE-2026-44815
Windows DHCP Client Stack Buffer Overflow via Rogue DHCP Server
A stack buffer overflow in the Windows DHCP Client service allows an attacker operating a rogue DHCP server on the same Layer 2 broadcast domain to achieve SYSTEM-level remote code execution on Windows systems performing DHCP discovery. No authentication or user interaction required from the victim. Affects all Windows versions using DHCP. Patched in the June 2026 cumulative update. DHCP Snooping on access-layer switches is an effective compensating control.
CVE-2026-45185
Exim MTA Remote Code Execution: Use-After-Free in GnuTLS TLS Session Shutdown
A use-after-free vulnerability in Exim's GnuTLS TLS session cleanup code path allows an unauthenticated remote attacker to trigger memory corruption during the SMTP STARTTLS negotiation phase. The freed TLS session structure continues to be referenced after deallocation, and with suitable heap manipulation the corruption can be elevated to arbitrary code execution. The attack requires only network access to port 25 or 587; no credentials and no prior session state are needed. All Exim versions compiled with GnuTLS support are affected prior to the patched release; builds linked against OpenSSL use a separate TLS implementation and do not contain this code path. Run exim -bV on each host and check the Library version line to see which TLS library a given build was compiled against.
CVE-2026-45247
Mirasvit Full Page Cache Warmer for Magento 2: Unauthenticated RCE via PHP Deserialisation
Unauthenticated remote code execution via PHP deserialisation in the Mirasvit Full Page Cache Warmer extension for Magento 2. The extension passes an attacker-supplied cookie value to unserialize() without authentication, so a crafted serialised object yields code execution on the web server. CISA added it to KEV on 3 June 2026; actively exploited in Magecart-style skimming and credential harvesting campaigns.
CVE-2026-45657
Windows Kernel Use-After-Free Remote Code Execution (Actively Exploited)
A use-after-free vulnerability in a Windows kernel memory management component allows unauthenticated attackers to execute arbitrary code at SYSTEM privilege. Microsoft confirmed active exploitation before patch release as part of the June 2026 Patch Tuesday. Affects all supported Windows versions (10/11 and Server 2016 through 2025). Patched in the June 2026 cumulative update.
CVE-2026-4670
MOVEit Automation: Critical Unauthenticated Authentication Bypass
A critical authentication bypass vulnerability in Progress MOVEit Automation allows a remote unauthenticated attacker to authenticate as any user without valid credentials, gaining full administrative access to the MOVEit Automation management interface. The vulnerability is pre-authentication and requires no prior account knowledge or network positioning. MOVEit Automation is an enterprise managed file transfer platform used by organisations in financial services, healthcare, and government to automate regulated data transfers. Progress Software released patches on 4 May 2026; MOVEit Cloud customers were patched automatically. This is the fourth critical vulnerability in the MOVEit product family since the mass-exploitation campaign of 2023.
CVE-2026-47288
Windows Kerberos KDC Remote Code Execution: Active Directory Domain Controllers
A memory corruption vulnerability in the Windows Kerberos Key Distribution Centre (KDC) service allows network-adjacent unauthenticated attackers to execute arbitrary code on Active Directory domain controllers. The vulnerable code path is in the AS-REQ (pre-authentication) handling, reachable without credentials. Successful exploitation achieves SYSTEM privilege on the domain controller, equivalent to full domain compromise. Affects all supported Windows Server versions acting as AD domain controllers. Patched in the June 2026 cumulative update.
CVE-2026-47291
Windows HTTP.sys Wormable Remote Code Execution
An integer overflow in the HTTP/2 protocol parser of Windows HTTP.sys (the kernel-mode HTTP driver) allows an unauthenticated remote attacker to execute arbitrary code at SYSTEM privilege on any Windows Server with HTTP services enabled. Because no authentication or user interaction is required, the bug is wormable, and anything that listens through HTTP.sys is exposed: IIS, Exchange, SharePoint, WSUS, WinRM and any HTTP Server API application. The entry lists Windows Server 2008 R2 through 2025 as affected; note that HTTP.sys only gained an HTTP/2 implementation in Windows Server 2016, so confirm the affected-version range for older releases against the Microsoft advisory rather than assuming every listed version is reachable through the HTTP/2 path. Patched in the June 2026 cumulative update.
CVE-2026-34260
SAP S/4HANA Enterprise Search SQL Injection: Authenticated Database Compromise
A SQL injection vulnerability in SAP S/4HANA's Enterprise Search ABAP component allows an authenticated user with standard business privileges to manipulate database queries via unsanitised search parameters. No elevated SAP permissions are required beyond a valid user account. Successful exploitation provides full read and write access to the underlying HANA database, exposing the complete financial, HR, and operational dataset of the affected SAP system. The vulnerability was patched in SAP Security Note 3733041, released on SAP's May 2026 Security Patch Day.
CVE-2026-34263
SAP Commerce Cloud Unauthenticated RCE via Spring Security Misconfiguration
An improper Spring Security configuration in SAP Commerce Cloud leaves specific API endpoints unauthenticated, allowing a completely unauthenticated remote attacker to inject malicious input that results in arbitrary server-side code execution. No credentials are required. The vulnerability impacts the full confidentiality, integrity, and availability triad of the Commerce Cloud instance. Given that SAP Commerce Cloud is commonly internet-facing as the transactional e-commerce platform, the external attack surface is broad. Patched via SAP Security Note 3733064, released May 2026.
CVE-2026-45321
TanStack npm Supply Chain Attack: GitHub Actions OIDC Token Hijack via Pwn Request
A chained GitHub Actions misconfiguration vulnerability in the TanStack project allowed an attacker to hijack the npm OIDC trusted publisher token and publish 84 malicious package versions across 42 @tanstack/* packages. The attack combined a pull_request_target Pwn Request misconfiguration, Actions cache poisoning across the fork/base boundary, and runtime OIDC token extraction to operate under TanStack's trusted publisher identity. Malicious packages executed credential-stealing code via npm postinstall hooks. Affected versions were published to npm on 2026-05-11 between 19:20 and 19:26 UTC.
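The Pwn Request leg of the chain above is a static pattern: a workflow that runs on pull_request_target (which executes with the base repository's secrets and token) yet checks out and executes code from the pull request head, in a job that is also allowed to mint an OIDC token. The following audit is an added example, not TanStack's workflow or tooling; the two workflow files are constructed, and the scan uses regular expressions over the YAML text rather than a YAML parser so it runs with the standard library only (multi-line run: | blocks are only partly inspected).

```python
"""Audit a GitHub Actions workflow for the 'Pwn Request' pattern: a privileged
pull_request_target trigger that checks out and runs code from the PR head.
Added example; the workflow texts below are constructed, not TanStack's."""
import re

# Trigger: 'pull_request_target:' as a mapping key, or inside 'on: [...]' / 'on: x'.
TRIGGER_RE = re.compile(
    r"^\s*pull_request_target\s*:|^\s*on:\s*(?:\[[^\]]*\b|)pull_request_target\b",
    re.MULTILINE,
)
# actions/checkout pointed at the fork's commit or branch.
HEAD_CHECKOUT_RE = re.compile(
    r"ref:\s*\$\{\{\s*github\.event\.pull_request\.head\.(?:sha|ref)\s*\}\}"
)
# Job may request an OIDC token (npm trusted publishing, cloud federation).
ID_TOKEN_RE = re.compile(r"^\s*id-token:\s*write\s*$", re.MULTILINE)
RUN_RE = re.compile(r"^\s*-?\s*run:\s*(.+?)\s*$", re.MULTILINE)
PKG_INSTALL_RE = re.compile(r"\b(?:npm|pnpm|yarn|bun)\s+(?:install|ci|i)\b")


def audit_workflow(text: str) -> list[str]:
    """Return a list of findings; an empty list means no Pwn Request pattern."""
    findings: list[str] = []
    if not TRIGGER_RE.search(text):
        return findings  # plain pull_request runs fork code without secrets
    if HEAD_CHECKOUT_RE.search(text):
        findings.append("pull_request_target checks out the PR head: fork-controlled "
                        "code runs with base-repository secrets and token")
        runs = [m.group(1) for m in RUN_RE.finditer(text)]
        if any(PKG_INSTALL_RE.search(r) and "--ignore-scripts" not in r for r in runs):
            findings.append("package install runs PR-controlled lifecycle scripts "
                            "(preinstall/postinstall) inside the privileged job")
    if ID_TOKEN_RE.search(text):
        findings.append("id-token: write lets anything running in the job request "
                        "an OIDC token under the repository's trusted-publisher identity")
    return findings


# Constructed workflows (not TanStack's): the risky shape and a safe one.
VULNERABLE_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
permissions:
  id-token: write
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: pnpm install
      - run: pnpm test
"""

HARDENED_WORKFLOW = """\
name: ci
on:
  pull_request:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: pnpm install
      - run: pnpm test
"""

# pull_request_target used legitimately: base-branch code only, no token.
LABELER_WORKFLOW = """\
on:
  pull_request_target:
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/labeler@v5
"""

if __name__ == "__main__":
    for name, wf in [("vulnerable", VULNERABLE_WORKFLOW),
                     ("hardened", HARDENED_WORKFLOW),
                     ("labeler", LABELER_WORKFLOW)]:
        print(name, audit_workflow(wf) or ["clean"])
```

The hardened shape moves untrusted code to a plain pull_request workflow with no secrets, and keeps pull_request_target for jobs that never check out or execute the fork's tree. The cache-poisoning leg of the chain is not something a text scan can see; it needs the fork/base cache boundary enforced on the runner side.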
CVE-2024-57728
SimpleHelp Remote Management Tool: Path Traversal Arbitrary File Write (Chained with CVE-2024-57727 File Read)
A path traversal vulnerability in the file upload handling of the SimpleHelp RMM server (5.5.7 and earlier) allows an attacker holding an administrative session to write arbitrary files outside the intended directory on the underlying server filesystem: overwriting application files to establish persistent access, or modifying server configuration to create further administrative accounts. The write primitive itself is authenticated; in practice it is chained with CVE-2024-57727, the companion unauthenticated path traversal in the same server that reads arbitrary files (including serverconfig.xml, which holds hashed technician and admin credentials), and with CVE-2024-57726 (technician-to-admin privilege escalation). Fixed in SimpleHelp 5.5.8, 5.4.10 and 5.3.9.
CVE-2025-20362
Cisco ASA/FTD VPN Web Server: Missing Authorization Bypass
A missing-authorization vulnerability in the VPN web server of Cisco Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD) software allows an unauthenticated remote attacker to access restricted URL endpoints without valid credentials. The flaw stems from improper validation of user-supplied input in HTTP(S) requests. On its own the impact is limited; its significance is as the first link in a chain with CVE-2025-20333, a buffer overflow in the same VPN web server that otherwise requires valid VPN user credentials, giving root-level code execution on the appliance. The chain has been exploited in the wild, including in the FIRESTARTER campaign to deploy a firmware-persistent backdoor, and CISA issued Emergency Directive 25-03 requiring federal agencies to hunt for and remediate compromised ASA devices.
CVE-2026-33634
Aqua Security Trivy: Embedded Malicious Code in Official GitHub Actions and Releases
Threat actor TeamPCP compromised the Aqua Security Trivy vulnerability scanner ecosystem on 19 March 2026, force-pushing malicious code to 75 of 77 version tags in the official aquasecurity/trivy-action and all tags in aquasecurity/setup-trivy GitHub Actions repositories. A second attack wave on 22 March replaced DockerHub images. The malicious code embedded in affected versions deployed an infostealer targeting plain-text secrets in CI/CD runner process memory, exfiltrating cloud credentials, API tokens, Kubernetes configurations, and SSH keys. CISA added CVE-2026-33634 to the Known Exploited Vulnerabilities catalogue on 26 March 2026.
CVE-2026-44963
Veeam Backup & Replication Remote Code Execution via Domain User Credentials
An insufficient authorisation check in the Veeam Backup Service API allows any Active Directory domain user to invoke privileged backup service operations and achieve remote code execution on the Veeam Backup & Replication server. Exploitation grants code execution with the Veeam service account's privileges (typically Local System). Actively targeted by ransomware groups to neutralise backup infrastructure. Fixed in Veeam Backup & Replication 12.2.
CVE-2026-9082
Drupal Core SQL Injection via Database Abstraction API: PostgreSQL Backends
A SQL injection vulnerability in Drupal core's database abstraction API (SA-CORE-2026-004) affecting all Drupal sites using PostgreSQL as the database backend. An unauthenticated attacker can inject arbitrary SQL via a crafted HTTP request, without any user interaction required. Impact includes database read and write access (site content, user credentials, configuration) and potentially OS command execution via PostgreSQL's COPY TO/FROM PROGRAM function where database permissions allow. Rated 'Highly Critical' (20/25) on Drupal's risk scale. MySQL and MariaDB backends are not affected by this specific CVE. CISA added to KEV 22 May 2026 following confirmed exploitation.
CVE-2026-0300
PAN-OS: Unauthenticated RCE via User-ID Authentication Portal Buffer Overflow (Actively Exploited)
A critical buffer overflow in the Palo Alto Networks PAN-OS User-ID authentication portal allows a remote unauthenticated attacker to execute arbitrary code as root on the management plane. Exploitation began approximately 6 April 2026, six weeks before public disclosure. CISA added CVE-2026-0300 to the KEV catalogue on 6 May 2026. Post-exploitation activity includes deployment of novel implant toolkits and credential interception on compromised management planes. Espionage-motivated threat actors are targeting government and critical infrastructure organisations.
CVE-2026-23760
SmarterMail Authentication Bypass Allowing Admin Account Takeover
An authentication bypass vulnerability in SmarterTools SmarterMail email server allows unauthenticated remote attackers to bypass the authentication mechanism and gain administrative access. The flaw was exploited as a zero-day by Storm-1175, a China-linked ransomware affiliate, prior to public disclosure, and was subsequently used to deploy Medusa ransomware. SmarterMail is used by tens of thousands of organisations globally as an on-premises email and collaboration platform.
CVE-2026-3055
Citrix NetScaler ADC/Gateway Unauthenticated Memory Overread via SAML
An insufficient input validation flaw in the SAML Identity Provider endpoint of Citrix NetScaler ADC and NetScaler Gateway allows an unauthenticated remote attacker to trigger an out-of-bounds memory read. The appliance leaks sensitive memory contents, including session tokens and authentication credentials, through the NSC_TASS response cookie when a crafted SAMLRequest omitting the AssertionConsumerServiceURL field is submitted to /saml/login. Only appliances configured as SAML IDPs are affected; default configurations are not vulnerable. CISA added this CVE to the Known Exploited Vulnerabilities catalogue on 30 March 2026 following confirmed in-the-wild exploitation.
CVE-2026-33017
Langflow AI Pipeline Builder: Unauthenticated Remote Code Execution
An unauthenticated remote code execution vulnerability in Langflow's public flow build endpoint allows attackers to inject arbitrary Python code into flow node definitions, which Langflow executes server-side without sandboxing. No credentials or user interaction are required. Within 20 hours of public disclosure on 17 March 2026, active exploitation was confirmed with attackers harvesting LLM provider API keys (OpenAI, Anthropic, AWS) from compromised instances. CISA added the vulnerability to its Known Exploited Vulnerabilities catalogue on 26 March 2026.
CVE-2026-39987
Marimo Python Notebook Unauthenticated Terminal RCE via WebSocket
A pre-authentication remote code execution vulnerability in Marimo, an open-source Python notebook widely used in data science and AI/ML workflows, allows any network-accessible attacker to obtain a full PTY shell on the server. The /terminal/ws WebSocket endpoint fails to call authenticate() before accepting connections, unlike all other protected endpoints. An attacker connects to the endpoint and is immediately granted interactive OS-level access. Exploitation was observed within 10 hours of public disclosure, with attackers building working exploits directly from the advisory.
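The Marimo bug above is the classic "one route forgot the check every other route makes" defect, and the regression test that catches it is to enumerate the route table and probe every non-public route with no credentials. The block below is an added example, not marimo's code: the small router, the authenticate() helper, the session token and the handler names are stand-ins for the server's internals.

```python
"""Probe every registered route unauthenticated; any route not on the explicit
public allowlist that answers instead of rejecting is a bug of the /terminal/ws
kind. Added example with a stand-in router, not marimo's code."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable

SESSION_TOKEN = "constructed-session-token"  # stand-in for the server's auth secret


class Unauthorized(Exception):
    pass


@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)


def authenticate(request: Request) -> None:
    """Stand-in for the check every protected handler must perform."""
    if request.headers.get("X-Session-Token") != SESSION_TOKEN:
        raise Unauthorized(request.path)


class Router:
    def __init__(self) -> None:
        self.routes: dict[str, Callable[[Request], str]] = {}

    def add(self, path: str, handler: Callable[[Request], str]) -> None:
        self.routes[path] = handler


# --- handlers (stand-ins) --------------------------------------------------
def health(req: Request) -> str:
    return "ok"  # intentionally public


def kernel_ws(req: Request) -> str:
    authenticate(req)
    return "kernel channel open"


def terminal_ws_vulnerable(req: Request) -> str:
    return "pty spawned"  # BUG: no authenticate() call before handing out a shell


def terminal_ws_fixed(req: Request) -> str:
    authenticate(req)
    return "pty spawned"


def build_app(fixed: bool) -> Router:
    app = Router()
    app.add("/health", health)
    app.add("/ws", kernel_ws)
    app.add("/terminal/ws", terminal_ws_fixed if fixed else terminal_ws_vulnerable)
    return app


PUBLIC_ROUTES = {"/health"}  # the only routes allowed to answer without a session


def unauthenticated_routes(app: Router, public: set[str] = PUBLIC_ROUTES) -> list[str]:
    """Call every route with no credentials; return those that do not reject."""
    leaks: list[str] = []
    for path, handler in app.routes.items():
        if path in public:
            continue
        try:
            handler(Request(path))  # no headers at all
        except Unauthorized:
            continue
        leaks.append(path)
    return sorted(leaks)


if __name__ == "__main__":
    print("before fix:", unauthenticated_routes(build_app(fixed=False)))
    print("after fix: ", unauthenticated_routes(build_app(fixed=True)))
```

The value of the test is the allowlist: a new endpoint is protected by default, and making one public is a visible, reviewable change to PUBLIC_ROUTES rather than a silent omission in a handler.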
CVE-2026-50751
Check Point Security Gateway: IKEv1 Authentication Bypass
Authentication bypass in Check Point Security Gateway's IKEv1 VPN protocol handling allows unauthenticated attackers to completely bypass remote access VPN authentication, gaining internal network access. CISA added to KEV 8 June 2026 with confirmed ransomware campaign use and a 3-day remediation deadline.
Note: CVE data is curated manually from NVD, vendor advisories, and security research. CVSS scores reflect NVD base scores at time of entry. Always verify with official vendor advisories before actioning.