High Severity Threats
Comprehensive database of the latest cyber threats affecting organizations worldwide. Filter and search to find specific threat intelligence relevant to your organization.
CVE-2026-12505: Execution with Unnecessary Privileges in Red Hat Red Hat Enterprise Linux 10
CVE-2026-12505 is a vulnerability in the cifs-utils package on Red Hat Enterprise Linux 10 where the cifs.upcall helper does not properly drop root privileges before processing user information in a user-controlled environment. This allows a local, low-privileged attacker to trick the root-owned helper into loading a malicious NSS module, resulting in arbitrary command execution as root and full system compromise.
CVE Database V5 | 06/18/2026, 03:34:22 UTC | Added: 06/18/2026, 04:20:16 UTC

CVE-2026-12407: CWE-862 Missing Authorization in oleksandrz E2Pdf – Export Pdf Tool for WordPress
The E2Pdf – Export Pdf Tool for WordPress plugin suffers from a missing authorization vulnerability in versions up to and including 1.32.26. The vulnerability arises because the screen_action() function lacks proper capability checks and nonce verification, allowing an attacker with a custom role granted the e2pdf_templates capability to overwrite arbitrary WordPress options. This can lead to privilege escalation to administrator by modifying sensitive options such as default_role.
CVE Database V5 | 06/18/2026, 03:41:39 UTC | Added: 06/18/2026, 04:20:16 UTC

CVE-2026-48764: CWE-918: Server-Side Request Forgery (SSRF) in baptisteArno typebot.io
TypeBot versions prior to 3.17.2 contain a Server-Side Request Forgery (SSRF) vulnerability due to a time-of-check to time-of-use (TOCTOU) flaw in hostname resolution. The SSRF protection validates the hostname by resolving it once, but the actual request resolves the hostname again, allowing DNS rebinding attacks to bypass validation. This can lead to unauthorized server-side requests to internal network services or cloud metadata endpoints. The vulnerability is fixed in version 3.17.2.
CVE Database V5 | 06/17/2026, 23:29:49 UTC | Added: 06/17/2026, 23:50:35 UTC

CVE-2026-45357: CWE-400: Uncontrolled Resource Consumption in harttle liquidjs
CVE-2026-45357 is a high-severity vulnerability in harttle liquidjs, a JavaScript template engine. Versions 10.25.7 and below have an uncontrolled resource consumption issue in the date filter's strftime implementation. Specifically, large width specifiers like %9999999d cause unbounded string padding operations that bypass documented memory and render limits. This can lead to excessive memory use, high CPU consumption, or out-of-memory crashes during template rendering. The issue is fixed in version 10.26.0.
CVE Database V5 | 06/17/2026, 22:32:20 UTC | Added: 06/17/2026, 23:20:08 UTC

CVE-2026-48759: CWE-639: Authorization Bypass Through User-Controlled Key in baptisteArno typebot.io
TypeBot versions 3.15.2 and below have an authorization bypass vulnerability (CWE-639) allowing authenticated users to modify or delete theme templates across workspaces due to improper validation in theme template handlers. This issue is fixed in version 3.16.0.
CVE Database V5 | 06/17/2026, 21:56:35 UTC | Added: 06/17/2026, 22:35:05 UTC

CVE-2026-45617: CWE-1333: Inefficient Regular Expression Complexity in harttle liquidjs
LiquidJS versions 10.25.7 and below contain a vulnerability in the built-in strip_html filter where a flawed regular expression can cause excessive backtracking. This leads to a Regular Expression Denial of Service (ReDoS) attack that blocks the Node.js event loop and causes high CPU usage. The issue is triggered by input containing many <script, <style, or <!-- tokens without matching closing tags. The vulnerability has been fixed in version 10.26.0.
CVE Database V5 | 06/17/2026, 22:14:38 UTC | Added: 06/17/2026, 22:35:05 UTC

CVE-2026-8049: CWE-284 in SignalRGB SignalRGB kernel driver
SignalRGB kernel driver versions prior to 1.3.7.0 create the \\.\SignalIo device object without an explicit security descriptor and without FILE_DEVICE_SECURE_OPEN. This misconfiguration results in overly permissive default access control, allowing any authenticated local user to open a handle to the device and issue privileged IOCTL commands.
CVE Database V5 | 06/17/2026, 21:05:25 UTC | Added: 06/17/2026, 21:50:06 UTC

CVE-2026-50200: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in SteeltoeOSS Steeltoe.Management.Endpoint
CVE-2026-50200 is a vulnerability in Steeltoe.Management.Endpoint and Steeltoe.Management.EndpointCore prior to versions 4.2.0 and 3.4.0 respectively. The Sanitizer component in the Environment actuator fails to redact certain sensitive configuration values, specifically connection strings, exposing them in plaintext in the /actuator/env endpoint responses. This occurs because the default redaction list does not cover .NET standard connection string patterns or Steeltoe Connectors' connection string keys. The issue is patched in Steeltoe.Management.Endpoint 4.2.0 and Steeltoe.Management.EndpointCore 3.4.0. Mitigations include removing the env endpoint from exposure, adding connection string patterns to the redaction list, or requiring authorization on actuator endpoints.
CVE Database V5 | 06/17/2026, 21:44:21 UTC | Added: 06/17/2026, 21:50:06 UTC

CVE-2026-50196: CWE-20: Improper Input Validation in SteeltoeOSS Steeltoe.Discovery.Eureka
Steeltoe.Discovery.Eureka versions prior to 4.2.0 and 3.4.0 improperly validate input in the DataCenterInfo.FromJson method. The method throws an exception when encountering a 'name' value other than "MyOwn" or "Amazon", despite the Java Eureka specification allowing a third valid value: "Netflix". This causes the exception to propagate and be swallowed by the cache refresh task, resulting in a permanently empty or stale local service registry. Versions 4.2.0 and 3.4.0 address this issue. If upgrading immediately is not possible, removing unsupported DataCenterInfo.name values from the registry is recommended. Auditing for the "Netflix" data center type is advised in mixed Java/Spring and Steeltoe environments before deploying Steeltoe Eureka clients.
CVE Database V5 | 06/17/2026, 21:18:42 UTC | Added: 06/17/2026, 21:50:06 UTC

CVE-2026-50194: CWE-288: Authentication Bypass Using an Alternate Path or Channel in SteeltoeOSS Steeltoe.Management.Endpoint
Steeltoe is an open source project that provides a collection of libraries that help users build cloud-native applications. When Steeltoe management endpoints versions 3.2.2 through 3.3.0 and 4.1.0 are configured to listen on an alternate port (`Management:Endpoints:Port` is configured), the middleware responsible for restricting access to the endpoints uses the `Host` HTTP header rather than the actual network socket port. Versions 3.4.0 and 4.2.0 patch the issue. If an immediate upgrade to a patched version is not possible, add explicit ASP.NET Core authorization (`RequireAuthorization`) to all sensitive actuator endpoints as a defense-in-depth measure independent of port isolation, and/or configure the reverse proxy or load balancer to enforce the `Host` header value and prevent clients from setting an arbitrary port.
CVE Database V5 | 06/17/2026, 21:03:26 UTC | Added: 06/17/2026, 21:50:06 UTC