Critical Severity Threats

The PixelSmash vulnerability (CVE-2026-8461) is a heap out-of-bounds write flaw in the MagicYUV decoder of FFmpeg's libavcodec library. It affects video files in AVI, MKV, and MOV formats and can be triggered by opening or scanning such files. This flaw can cause denial-of-service conditions in multiple media applications and potentially enable remote code execution (RCE) on Jellyfin and Nextcloud servers under specific conditions. Exploitation for RCE requires Address Space Layout Randomization (ASLR) to be disabled or chained with another vulnerability to bypass this protection. FFmpeg version 8.1.2 addresses this issue, and some applications have implemented mitigations such as disabling vulnerable decoders or adding file format blocklists.

PhpSpreadsheet before version 1.30.5 contains a deserialization vulnerability related to improper handling of phar stream wrappers. The vulnerability allows an attacker to bypass a patch intended to block dangerous stream wrappers due to a parsing flaw with URLs containing three or more slashes after the scheme. On PHP 7.x, this can lead to remote code execution (RCE) via automatic deserialization of phar metadata. On PHP 8.x, RCE requires additional conditions involving Phar::getMetadata. The issue is fixed in version 1.30.5.

A critical cross-site scripting (XSS) vulnerability exists in jupyter_server prior to version 2.20. The nbconvert HTTP handlers render user-authored notebook HTML without a sandbox directive in the Content-Security-Policy, combined with default non-sanitizing behavior of nbconvert.HTMLExporter. This allows stored XSS that can lead to cookie access, full API authority, and kernel remote code execution. The vulnerability is fixed in version 2.20.

A maliciously crafted webpage, when visited by a user with Autodesk Fusion Desktop running and the MCP extension enabled, can trigger a vulnerability in the MCP extension that could allow arbitrary code execution. A successful exploit may allow code to execute with the privileges of the current user.

A critical security advisory from Red Hat addresses multiple vulnerabilities in the Linux kernel packages for Red Hat Enterprise Linux 7 Extended Lifecycle Support. The issues include denial of service and memory corruption in RDMA umad, improper clearing of data in ip6_tunnel, validation flaws in wifi brcmfmac, length checking errors in netfilter xt_tcpmss, freemap adjustment bugs in xfs, and improper rejection of userspace cifs.spnego descriptions in smb client. These vulnerabilities affect the core Linux kernel and require a system update and reboot to apply fixes.

IBM Langflow OSS versions 1.0.0 through 1.8.4 contain an improper authentication vulnerability in the Streamable MCP transport endpoint. This flaw allows unauthenticated attackers to access protected MCP project resources and execute MCP operations. The vulnerability is classified as CWE-287 (Improper Authentication) and has a critical severity with a CVSS score of 9.8.

A vulnerability has been identified in centraldogma-server versions prior to 0.84.0, where enabling ZooKeeper replication without setting replication.secret causes the server to silently fall back to a hard-coded, publicly known secret. This default credential authenticates the embedded ZooKeeper ensemble, allowing an attacker with network access to read the full replication log or join the quorum and execute arbitrary replicated commands across the cluster.

Vulnerability involving the exposure of sensitive data provided without adequate protection. The API exposes email and phone number data from the ‘email’ and ‘telefon’ fields. This vulnerability is also present in the local database, as it contains accessible sensitive information such as data on minors and municipal users. Successful exploitation of this vulnerability could allow an unauthenticated remote attacker to gain access to sensitive information and data.

The vulnerability is present in the ‘/addJugador’ endpoint: * The 'keyJugador' and 'keyJugadorObjectiu' parameters allow the modification of other users’ information without requiring prior authorization validation. This could enable an authenticated attacker to alter any user’s ID and change their information. * The ‘punts’ and ‘numObjectiusEliminats’ fields allow arbitrary data to be added because user input is not properly validated. This makes it possible to obtain authentic prizes, awarded by city councils, by falsifying game scores. * In the ‘tokens’ field, administrative privileges can be self-assigned without server validation or prior authentication. This vulnerability could allow an authenticated attacker to grant themselves administrator permissions and thus escalate privileges. * Numeric fields allow the entry of extremely long values, which can cause the system to crash. Successful exploitation of this vulnerability could allow an authenticated attacker to launch a denial-of-service (DoS) attack, preventing created games from being playable. * The ‘urlImatge’ parameter allows server-side requests to arbitrary URLs, enabling the retrieval of users’ internal IP addresses, access to internal services, reading of local files, and unauthorized interaction with third-party APIs. An authenticated attacker could gain access to sensitive data.

The Snowflake datasource allows for GET/PUT commands, which can allow any user with access to run queries against the data source to read/write files between the local grafana server and the connected Snowflake host.