The most featured CVEs in this week’s security newsletters, with public Proof-of-Concepts, ordered by mention count.

For the most up-to-date and accurate info, visit the NIST links. Always audit PoCs thoroughly before running them. I don’t vouch for any links in this list: follow them with caution.

CVE-2026-43500 NEW

• Severity: 7.8 HIGH
• Impacted Products: Linux kernel
• Description: The Linux kernel is affected by a local privilege escalation vulnerability in the RxRPC subsystem, part of a vulnerability chain known as “Dirty Frag,” which allows an unprivileged local user to gain root access. This issue stems from an arbitrary page cache write primitive triggered during the handling of socket buffer fragments.
• Remediation:
  • [SECURITY] [DSA 6253-1] linux security update
  • [SECURITY] [DSA 6258-1] linux security update
  • ALAS2-2026-3302 (important): kernel
• More Info: NVD - CVE-2026-43500
• PoC:
  • https://github.com/FrosterDL/CVE-2026-43284
  • https://github.com/kuniyal08/Dirty-Frag-CVE-2026-43284
  • https://github.com/gagaltotal/CVE-2026-43284-CVE-2026-43500-scan

CVE-2026-0300

• Severity: 9.8 CRITICAL
• Impacted Products: Palo Alto Networks PAN-OS
• Description: Palo Alto Networks PAN-OS is affected by a buffer overflow vulnerability in the User-ID Authentication Portal service that allows for unauthenticated remote code execution. This flaw enables an attacker to gain root privileges on PA-Series and VM-Series firewalls.
• Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
• More Info: NVD - CVE-2026-0300
• PoC:
  • https://github.com/bannned-bit/CVE-2026-0300-PANOS
  • https://github.com/mr-r3b00t/CVE-2026-0300
  • https://github.com/0xBlackash/CVE-2026-0300

CVE-2026-7482

• Severity: 9.1 CRITICAL
• Impacted Products: Ollama 0.17.1
• Description: Ollama versions prior to 0.17.1 are affected by a heap out-of-bounds read vulnerability in the GGUF model loader that allows unauthenticated remote attackers to access sensitive server memory. This issue occurs when the application processes a maliciously crafted GGUF file via the /api/create endpoint.
• Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
• More Info: NVD - CVE-2026-7482
• PoC:
  • https://github.com/0x0OZ/CVE-2026-7482-PoC
  • https://github.com/szybnev/CVE-2026-7482

CVE-2026-7411

• Severity: 10.0 CRITICAL
• Impacted Products: Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10
• Description: Eclipse BaSyx Java Server SDK is affected by a path traversal vulnerability in its Submodel HTTP API that allows unauthenticated remote attackers to achieve arbitrary code execution. This flaw exists due to inadequate path normalization during file upload operations.
• Remediation:
  • [CVE Request] CWE-22: Unauthenticated Arbitrary File Write to RCE in Eclipse BaSyx V2 (#102) · Issue · security/cve-assignment
  • [Eclipse BaSyx] Multiple Critical Vulnerabilities in Eclipse BaSyx V2 (#423) · Issue · security/vulnerability-reports
• More Info: NVD - CVE-2026-7411
• PoC:
  • https://github.com/CryptReaper12/CVE-2026-7411

CVE-2026-44109

• Severity: 9.8 CRITICAL
• Impacted Products: OpenClaw before 2026.4.15
• Description: OpenClaw before 2026.4.15 contains an authentication bypass vulnerability in Feishu webhook and card-action validation that allows unauthenticated requests to reach command dispatch. Missing encryptKey configuration and blank callback tokens fail open instead of rejecting requests, enabling attackers to bypass signature verification and replay protection to execute arbitrary commands.
• Remediation:
  • https://github.com/openclaw/openclaw/commit/c8003f1b33ed2924be5f62131bd28742c5a41aae
  • Feishu webhook and card-action validation now fail closed · Advisory · openclaw/openclaw · GitHub
• More Info: NVD - CVE-2026-44109
• PoC:
  • https://github.com/CryptReaper12/CVE-2026-44109

CVE-2026-42796

• Severity: 9.8 CRITICAL
• Impacted Products: Arelle before 2.39.10
• Description: Arelle before 2.39.10 contains an unauthenticated remote code execution vulnerability in the /rest/configure REST endpoint that accepts a plugins query parameter and forwards it to the plugin manager without authentication or authorization. Attackers can supply a URL to a malicious Python file through the plugins parameter, causing the Arelle webserver to download and execute the attacker-controlled code within the Arelle process with its privileges.
• Remediation:
  • Restrict Webserver Plugins by austinmatherne-wk · Pull Request #2320 · Arelle/Arelle · GitHub
• More Info: NVD - CVE-2026-42796
• PoC:
  • https://github.com/ameerhamza-malik/CVE-2026-42796

CVE-2026-42778

• Severity: 9.8 CRITICAL
• Impacted Products: Apache MINA 2.1.X, Apache MINA 2.2.X
• Description: Apache MINA is affected by a deserialization of untrusted data vulnerability in the AbstractIoBuffer.getObject() method that allows for remote code execution. This issue exists because the classname allowlist validation is performed after a class’s static initializer may have already been executed.
• Remediation:
  • Apache MINA 2.0.12 and 2.2.7 release-Apache Mail Archives
• More Info: NVD - CVE-2026-42778
• PoC:
  • https://github.com/Akinfue/CVE-2026-42778-POC

CVE-2026-42208

• Severity: 10.0 CRITICAL
• Impacted Products: LiteLLM
• Description: LiteLLM is affected by a pre-authentication SQL injection vulnerability in its proxy component that allows for unauthorized database access. This flaw occurs when the application improperly handles user-supplied input within the Authorization header during API key verification.
• Remediation:
  • SQL injection in Proxy API key verification · Advisory · BerriAI/litellm · GitHub
• More Info: NVD - CVE-2026-42208
• PoC:
  • https://github.com/rootdirective-sec/cve-2026-42208-Lab
  • https://github.com/0xBlackash/CVE-2026-42208
  • https://github.com/imjdl/CVE-2026-42208_lab

CVE-2026-41940

• Severity: 9.8 CRITICAL
• Impacted Products: cPanel and WHM versions after 11.40
• Description: cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.
• Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
• More Info: NVD - CVE-2026-41940
• PoC:
  • https://github.com/Jenderal92/CVE-2026-41940
  • https://github.com/merdw/cPanel-CVE-2026-41940-Scanner
  • https://github.com/0xBlackash/CVE-2026-41940

CVE-2026-36356

• Severity: 9.1 CRITICAL
• Impacted Products: MeiG Smart FORGE_SLT711 (firmware MDM9607.LE.1.0-00110-STD.PROD-1)
• Description: The GoAhead web server on MeiG Smart FORGE_SLT711 devices (firmware MDM9607.LE.1.0-00110-STD.PROD-1) allows unauthenticated OS command injection via the /action/SetRemoteAccessCfg endpoint.
• Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
• More Info: NVD - CVE-2026-36356
• PoC:
  • https://github.com/totekuh/CVE-2026-36356

CVE-2026-31431

• Severity: 7.8 HIGH
• Impacted Products: All major Linux kernels since 2017
• Description: This local privilege escalation is rated as Important severity. Part of the Linux kernel’s cryptographic interface contains an incorrect in-place operation, where source and destination data mappings differ. This could lead to data integrity issues, including the escalation to root privileges.
• Remediation:
  • crypto: algif_aead - Revert to operating out-of-place
  • oss-security - CVE-2026-31431: CopyFail: linux local privilege scalation
  • oss-security - Re: CVE-2026-31431: CopyFail: linux local privilege scalation
• More Info: NVD - CVE-2026-31431
• PoC:
  • https://github.com/mCub3/CVE-2026-31431
  • https://github.com/Theori-lO/copy-fail-CVE-2026-31431
  • https://github.com/ruattd/cve-2026-31431

CVE-2026-25588

• Severity: 8.8 HIGH
• Impacted Products: RedisTimeSeries, 1.12.14
• Description: RedisTimeSeries is a time-series module for Redis. In all versions before 1.12.14 of RedisTimeSeries, the module does not properly validate serialized values processed through the Redis RESTORE command. An authenticated attacker with permission to execute RESTORE on a server with the RedisTimeSeries module loaded can supply a crafted serialized payload that triggers invalid memory access and may lead to remote code execution.
• Remediation:
  • https://github.com/RedisTimeSeries/RedisTimeSeries/releases/tag/v1.12.14
• More Info: NVD - CVE-2026-25588
• PoC:
  • https://github.com/mgiay/CVE-2026-25589-25588-25243-23631-23479-REDIS

CVE-2026-24118

• Severity: 9.8 CRITICAL
• Impacted Products: vm2 < 3.11.0
• Description: vm2, an open-source sandbox for Node.js, is affected by a sandbox breakout vulnerability in versions prior to 3.11.0. This flaw allows an attacker to bypass the sandbox restrictions and execute arbitrary commands on the host system.
• Remediation:
  • https://github.com/patriksimek/vm2/commit/2b5f3e3a060d9088f5e1cdd585d683d491f990a3
  • https://github.com/patriksimek/vm2/commit/f9b700b1c7d9ef2df416666cb24e0b659140cc74
  • VM2 Sandbox Breakout Through lookupGetter · Advisory · patriksimek/vm2 · GitHub
• More Info: NVD - CVE-2026-24118
• PoC:
  • https://github.com/HORKimhab/CVE-2026-24118

CVE-2026-24072 NEW

• Severity: 8.8 HIGH
• Impacted Products: Apache HTTP Server 2.4.66 and earlier
• Description: Apache HTTP Server is affected by a privilege escalation vulnerability in versions 2.4.66 and earlier that allows local users with the ability to author .htaccess files to read arbitrary files with the privileges of the server process.
• Remediation:
  • Red Hat Hardened Images RPMs bug fix and enhancement update
  • Apache HTTP Server 2.4 vulnerabilities - The Apache HTTP Server Project
  • #1135737 - apache2: CVE-2026-23918 CVE-2026-24072 CVE-2026-29169 CVE-2026-33006 CVE-2026-33007 CVE-2026-33523 CVE-2026-33857 CVE-2026-34032 CVE-2026-34059 - Debian Bug report logs
• More Info: NVD - CVE-2026-24072
• PoC:
  • https://github.com/EricRHancock-coder/CVE-2026-24072-Analysis

CVE-2026-23918

• Severity: 8.8 HIGH
• Impacted Products: Apache HTTP Server 2.4.66
• Description: Apache HTTP Server version 2.4.66 is vulnerable to a double free condition within its HTTP/2 protocol handling that can lead to remote code execution. This issue occurs when the server processes an early reset of an HTTP/2 stream.
• Remediation:
  • Red Hat Inc.
  • 2465304 – (CVE-2026-23918) CVE-2026-23918 Apache HTTP Server: Apache HTTP Server: Remote Code Execution via Double Free in HTTP/2 Protocol
  • Apache HTTP Server 2.4 vulnerabilities - The Apache HTTP Server Project
• More Info: NVD - CVE-2026-23918
• PoC:
  • https://github.com/rhasan-com/CVE-2026-23918
  • https://github.com/12lie20/CVE-2026-23918-test
  • https://github.com/aa022/CVE-2026-23918-Passive-Audit

CVE-2026-23631

• Severity: 8.1 HIGH
• Impacted Products: redis-server, 8.6.3
• Description: Redis is an in-memory data structure store. In all versions of redis-server with Lua scripting, an authenticated attacker can exploit the master-replica synchronization mechanism to trigger a use-after-free on replicas where replica-read-only is disabled or can be disabled, which may lead to remote code execution. A workaround is to prevent users from executing Lua scripts or avoid using replicas where replica-read-only is disabled. This is patched in version 8.6.3.
• Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
• More Info: NVD - CVE-2026-23631
• PoC:
  • https://github.com/mgiay/CVE-2026-25589-25588-25243-23631-23479-REDIS

CVE-2026-0073

• Severity: 8.8 HIGH
• Impacted Products: Google Android
• Description: Google Android is affected by an authentication bypass vulnerability in the Android Debug Bridge daemon (adbd) that allows for remote code execution. This flaw exists due to a logic error in the wireless ADB mutual authentication component.
• Remediation:
  • Android Security Bulletin—May 2026
• More Info: NVD - CVE-2026-0073
• PoC:
  • https://github.com/adityatelange/poc-CVE-2026-0073
  • https://github.com/0xBlackash/CVE-2026-0073

CVE-2022-0847

• Severity: 7.8 HIGH
• Impacted Products: Linux Kernel
• Description: A vulnerability exists within the pipe handler in the Linux Kernel because the pipe handler does not properly initialize the page cache when a splice happens on a pipe with the flag ‘PIPE_BUF_FLAG_CAN_MERGE’ set. This allows the existing data in the page cache to be overridden by arbitrary data. As this page cache is then flushed to the cached target file, any file can be overridden, even when when the file has no write permissions, is immutable, or is a read-only mount.
• Remediation:
  • 6596971
  • WAGO: Multiple Products affected by Linux Kernel Vulnerability Dirty Pipe
  • RHSA-2022:0819
• More Info: NVD - CVE-2022-0847
• PoC:
  • https://github.com/EagleTube/CVE-2022-0847
  • https://www.exploit-db.com/exploits/50808
  • https://github.com/Arinerron/CVE-2022-0847-DirtyPipe-Exploit

CVE-2016-5195

• Severity: 7.8 HIGH
• Impacted Products: Linux kernel versions 2.x through 4.x before 4.8.3
• Description: A race condition in mm/gup.c allows local users to gain privileges by leveraging incorrect handling of a copy-on-write (COW) feature to write to a read-only memory mapping, known as “Dirty COW.”
• Remediation: Update to a version after 4.8.3, applying patches or following specific vendor advisories.
• More Info: NVD - CVE-2016-5195
• PoC: https://github.com/dirtycow/dirtycow.github.io/blob/master/pokemon.c

References

This list was scraped from the quite amazing and highly recommended newsletters below:

• ~this week in security~
• Unsupervised Learning
• @RISK
• Hive Five
• Vulnerable U
• tl;dr sec

Thanks for reading! For corrections, omissions (e.g. newsletter recs) feel free to get in touch.