PoC Week 2026-05-18
The most featured CVEs in this week’s security newsletters, with public Proof-of-Concepts, ordered by mention count.
For the most up-to-date and accurate info, visit the NIST links. Always audit PoCs thoroughly before running them. I don’t vouch for any links in this list: follow them with caution.
CVE-2026-31431
- Severity: 7.8 HIGH
- Impacted Products: All major Linux kernels since 2017
- Description: This local privilege escalation is rated as Important severity. Part of the Linux kernel’s cryptographic interface contains an incorrect in-place operation, where source and destination data mappings differ. This could lead to data integrity issues, including the escalation to root privileges.
- Remediation:
- More Info: NVD - CVE-2026-31431
- PoC:
CVE-2026-0300
- Severity: 9.8 CRITICAL
- Impacted Products: Palo Alto Networks PAN-OS
- Description: Palo Alto Networks PAN-OS is affected by a buffer overflow vulnerability in the User-ID Authentication Portal service that allows for unauthenticated remote code execution. This flaw enables an attacker to gain root privileges on PA-Series and VM-Series firewalls.
- Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
- More Info: NVD - CVE-2026-0300
- PoC:
CVE-2026-7482
- Severity: 9.1 CRITICAL
- Impacted Products: Ollama 0.17.1
- Description: Ollama versions prior to 0.17.1 are affected by a heap out-of-bounds read vulnerability in the GGUF model loader that allows unauthenticated remote attackers to access sensitive server memory. This issue occurs when the application processes a maliciously crafted GGUF file via the /api/create endpoint.
- Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
- More Info: NVD - CVE-2026-7482
- PoC:
CVE-2026-7411
- Severity: 10.0 CRITICAL
- Impacted Products: Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10
- Description: Eclipse BaSyx Java Server SDK is affected by a path traversal vulnerability in its Submodel HTTP API that allows unauthenticated remote attackers to achieve arbitrary code execution. This flaw exists due to inadequate path normalization during file upload operations.
- Remediation:
- More Info: NVD - CVE-2026-7411
- PoC:
CVE-2026-44109 NEW
- Severity: 9.8 CRITICAL
- Impacted Products: OpenClaw before 2026.4.15
- Description: OpenClaw before 2026.4.15 contains an authentication bypass vulnerability in Feishu webhook and card-action validation that allows unauthenticated requests to reach command dispatch. Missing encryptKey configuration and blank callback tokens fail open instead of rejecting requests, enabling attackers to bypass signature verification and replay protection to execute arbitrary commands.
- Remediation:
- More Info: NVD - CVE-2026-44109
- PoC:
CVE-2026-42796
- Severity: 9.8 CRITICAL
- Impacted Products: Arelle before 2.39.10
- Description: Arelle before 2.39.10 contains an unauthenticated remote code execution vulnerability in the /rest/configure REST endpoint that accepts a plugins query parameter and forwards it to the plugin manager without authentication or authorization. Attackers can supply a URL to a malicious Python file through the plugins parameter, causing the Arelle webserver to download and execute the attacker-controlled code within the Arelle process with its privileges.
- Remediation:
- More Info: NVD - CVE-2026-42796
- PoC:
CVE-2026-42778
- Severity: 9.8 CRITICAL
- Impacted Products: Apache MINA 2.1.X, Apache MINA 2.2.X
- Description: Apache MINA is affected by a deserialization of untrusted data vulnerability in the AbstractIoBuffer.getObject() method that allows for remote code execution. This issue exists because the classname allowlist validation is performed after a class’s static initializer may have already been executed.
- Remediation:
- More Info: NVD - CVE-2026-42778
- PoC:
CVE-2026-42208 NEW
- Severity: 10.0 CRITICAL
- Impacted Products: LiteLLM
- Description: LiteLLM is affected by a pre-authentication SQL injection vulnerability in its proxy component that allows for unauthorized database access. This flaw occurs when the application improperly handles user-supplied input within the Authorization header during API key verification.
- Remediation:
- More Info: NVD - CVE-2026-42208
- PoC:
CVE-2026-41940
- Severity: 9.8 CRITICAL
- Impacted Products: cPanel and WHM versions after 11.40
- Description: cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.
- Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
- More Info: NVD - CVE-2026-41940
- PoC:
CVE-2026-36356
- Severity: 9.1 CRITICAL
- Impacted Products: MeiG Smart FORGE_SLT711 (firmware MDM9607.LE.1.0-00110-STD.PROD-1)
- Description: The GoAhead web server on MeiG Smart FORGE_SLT711 devices (firmware MDM9607.LE.1.0-00110-STD.PROD-1) allows unauthenticated OS command injection via the /action/SetRemoteAccessCfg endpoint.
- Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
- More Info: NVD - CVE-2026-36356
- PoC:
CVE-2026-25588 NEW
- Severity: 8.8 HIGH
- Impacted Products: RedisTimeSeries, 1.12.14
- Description: RedisTimeSeries is a time-series module for Redis. In all versions before 1.12.14 of RedisTimeSeries, the module does not properly validate serialized values processed through the Redis RESTORE command. An authenticated attacker with permission to execute RESTORE on a server with the RedisTimeSeries module loaded can supply a crafted serialized payload that triggers invalid memory access and may lead to remote code execution.
- Remediation:
- More Info: NVD - CVE-2026-25588
- PoC:
CVE-2026-24118
- Severity: 9.8 CRITICAL
- Impacted Products: vm2 < 3.11.0
- Description: vm2, an open-source sandbox for Node.js, is affected by a sandbox breakout vulnerability in versions prior to 3.11.0. This flaw allows an attacker to bypass the sandbox restrictions and execute arbitrary commands on the host system.
- Remediation:
- More Info: NVD - CVE-2026-24118
- PoC:
CVE-2026-23631 NEW
- Severity: 8.1 HIGH
- Impacted Products: redis-server, 8.6.3
- Description: Redis is an in-memory data structure store. In all versions of redis-server with Lua scripting, an authenticated attacker can exploit the master-replica synchronization mechanism to trigger a use-after-free on replicas where replica-read-only is disabled or can be disabled, which may lead to remote code execution. A workaround is to prevent users from executing Lua scripts or avoid using replicas where replica-read-only is disabled. This is patched in version 8.6.3.
- Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
- More Info: NVD - CVE-2026-23631
- PoC:
CVE-2026-0073 NEW
- Severity: 8.8 HIGH
- Impacted Products: Google Android
- Description: Google Android is affected by an authentication bypass vulnerability in the Android Debug Bridge daemon (adbd) that allows for remote code execution. This flaw exists due to a logic error in the wireless ADB mutual authentication component.
- Remediation:
- More Info: NVD - CVE-2026-0073
- PoC:
CVE-2022-0847 NEW
- Severity: 7.8 HIGH
- Impacted Products: Linux Kernel
- Description: A vulnerability exists within the pipe handler in the Linux Kernel because the pipe handler does not properly initialize the page cache when a splice happens on a pipe with the flag ‘PIPE_BUF_FLAG_CAN_MERGE’ set. This allows the existing data in the page cache to be overridden by arbitrary data. As this page cache is then flushed to the cached target file, any file can be overridden, even when the file has no write permissions, is immutable, or is a read-only mount.
- Remediation:
- More Info: NVD - CVE-2022-0847
- PoC:
CVE-2016-5195
- Severity: 7.8 HIGH
- Impacted Products: Linux kernel versions 2.x through 4.x before 4.8.3
- Description: A race condition in mm/gup.c allows local users to gain privileges by leveraging incorrect handling of a copy-on-write (COW) feature to write to a read-only memory mapping, known as “Dirty COW.”
- Remediation: Update to a version after 4.8.3, applying patches or following specific vendor advisories.
- More Info: NVD - CVE-2016-5195
- PoC: https://github.com/dirtycow/dirtycow.github.io/blob/master/pokemon.c
CVE-2026-20127
- Severity: 10.0 CRITICAL
- Impacted Products: Cisco Catalyst SD-WAN Controller, Cisco Catalyst SD-WAN Manager
- Description: Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager are affected by an authentication bypass vulnerability in the peering authentication mechanism. This flaw allows an unauthenticated remote attacker to gain administrative privileges and manipulate network configurations by sending crafted requests to the system.
- Remediation:
- More Info: NVD - CVE-2026-20127
- PoC:
References
This list was scraped from the quite amazing and highly recommended newsletters below:
Thanks for reading! For corrections, omissions (e.g. newsletter recs) feel free to get in touch.