| CVE-2026-50130 | Pi-hole is a DNS sinkhole that protects devices from unwanted content without installing any client-side software. From 6.0 to 6.4.2, a user with code execution as the unprivileged pihole user can escalate to root by replacing /etc/pihole/logrotate. The replacement is laundered to root:root ownership by pihole-FTL-prestart.sh and then parsed as root by the daily pihole flush cron, executing firstaction shell as uid 0. This issue is fixed in version 6.4.3. | high | 2026-07-16 |
| CVE-2026-49855 | Tornado is a Python web framework and asynchronous networking library. Prior to 6.5.6, Tornado gzip decompression routines processed limited-size chunks but did not enforce an overall limit on accumulated decompressed chunks, allowing a malicious server accessed by SimpleAsyncHTTPClient or an HTTPServer configured with decompress_request=True to consume effectively unlimited memory. This issue is fixed in version 6.5.6. | high | 2026-07-16 |
| CVE-2026-49808 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Kernel allows an authorized attacker to elevate privileges locally. | high | 2026-07-16 |
| CVE-2026-49807 | Exposure of sensitive information to an unauthorized actor in Windows DirectX allows an unauthorized attacker to disclose information locally. | medium | 2026-07-16 |
| CVE-2026-49806 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows USB Print Driver allows an authorized attacker to elevate privileges locally. | high | 2026-07-16 |
| CVE-2026-49805 | Improper access control in Windows Win32K allows an authorized attacker to elevate privileges locally. | high | 2026-07-16 |
| CVE-2026-49804 | Heap-based buffer overflow in Windows USB Video Driver allows an unauthorized attacker to elevate privileges with a physical attack. | medium | 2026-07-16 |
| CVE-2026-49803 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows AppX Deployment Service allows an authorized attacker to elevate privileges locally. | high | 2026-07-16 |
| CVE-2026-49802 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows USB Print Driver allows an authorized attacker to elevate privileges locally. | high | 2026-07-16 |
| CVE-2026-49801 | Use of uninitialized resource in Windows SMB allows an authorized attacker to disclose information locally. | medium | 2026-07-16 |
| CVE-2026-49799 | Uncontrolled resource consumption in Windows Local Security Authority Subsystem Service (LSASS) allows an authorized attacker to deny service over a network. | medium | 2026-07-16 |
| CVE-2026-49798 | Use after free in Windows Kernel allows an unauthorized attacker to elevate privileges locally. | critical | 2026-07-16 |
| CVE-2026-49797 | Heap-based buffer overflow in Windows NTFS allows an unauthorized attacker to execute code locally. | high | 2026-07-16 |
| CVE-2026-49796 | Heap-based buffer overflow in Windows GDI+ allows an unauthorized attacker to execute code locally. | high | 2026-07-16 |
| CVE-2026-49795 | Use after free in Windows Kernel allows an authorized attacker to elevate privileges locally. | high | 2026-07-16 |
| CVE-2026-49794 | Out-of-bounds read in Windows USB Audio Class driver (usbaudio.sys) allows an unauthorized attacker to disclose information with a physical attack. | medium | 2026-07-16 |
| CVE-2026-49784 | Concurrent execution using shared resource with improper synchronization ('race condition') in Microsoft Windows App Store allows an authorized attacker to elevate privileges locally. | high | 2026-07-16 |
| CVE-2026-49783 | Improperly implemented security check for standard in Windows Secure Boot allows an authorized attacker to bypass a security feature locally. | high | 2026-07-16 |
| CVE-2026-49501 | Dell PowerScale OneFS versions 9.5.0.0 through 9.10.1.7, and versions 9.11.0.0 through 9.13.0.2 contains an Improper Privilege Management vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of privileges. | medium | 2026-07-16 |
| CVE-2026-49353 | 9Router is an AI router & token saver. In 0.4.45 and earlier, 9Router's src/dashboardGuard.js local-only access gate used Host and Origin headers in isLocalRequest() to protect /api/mcp/*, /api/tunnel/*, and /api/cli-tools/*, allowing header spoofing in reverse proxy or tunnel deployments to reach MCP child process stdin paths. | high | 2026-07-16 |
| CVE-2026-49352 | 9Router is an AI router & token saver. From 0.2.21 until 0.4.44, 9Router used the hardcoded fallback JWT secret 9router-default-secret-change-me in src/app/api/auth/login/route.js, src/middleware.js, and later src/lib/auth/dashboardSession.js, allowing attackers to forge an auth_token cookie when JWT_SECRET was unset. This issue is fixed in version 0.4.44 | critical | 2026-07-16 |
| CVE-2026-49183 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Clipboard Server allows an authorized attacker to elevate privileges locally. | high | 2026-07-16 |
| CVE-2026-49181 | Integer underflow (wrap or wraparound) in Windows DHCP Client allows an unauthorized attacker to elevate privileges over a network. | high | 2026-07-16 |
| CVE-2026-49175 | Heap-based buffer overflow in Windows DNS allows an authorized attacker to elevate privileges locally. | high | 2026-07-16 |
| CVE-2026-49171 | Use after free in Microsoft Windows Speech allows an authorized attacker to elevate privileges locally. | high | 2026-07-16 |
| CVE-2026-49170 | Insufficient granularity of access control in Windows StateRepository API allows an authorized attacker to elevate privileges locally. | high | 2026-07-16 |
| CVE-2026-49169 | Use after free in DNS Server allows an authorized attacker to execute code over a network. | high | 2026-07-16 |
| CVE-2026-49168 | Integer overflow or wraparound in Windows Storage Spaces Direct allows an unauthorized attacker to elevate privileges with a physical attack. | medium | 2026-07-16 |
| CVE-2026-49167 | Use after free in Windows Kernel allows an authorized attacker to elevate privileges locally. | high | 2026-07-16 |
| CVE-2026-49166 | Use after free in Microsoft Printer Drivers allows an authorized attacker to elevate privileges locally. | high | 2026-07-16 |
| CVE-2026-49165 | Use of uninitialized resource in Microsoft Windows App Store allows an authorized attacker to disclose information locally. | high | 2026-07-16 |
| CVE-2026-49164 | Heap-based buffer overflow in Active Directory Domain Services allows an unauthorized attacker to execute code over a network. | critical | 2026-07-16 |
| CVE-2026-49162 | Use after free in Microsoft Brokering File System allows an authorized attacker to elevate privileges locally. | high | 2026-07-16 |
| CVE-2026-48933 | A flaw in Node.js WebCrypto implementation can crash the process if the input of `subtle.encrypt()` is a multiple of 2GiB. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**. | high | 2026-07-16 |
| CVE-2026-48795 | AdonisJS is a TypeScript-first web framework. From 10.1.3 until 10.1.5 and 11.0.3, AdonisJS @adonisjs/bodyparser incompletely fixed CVE-2026-25754 because nested multipart field payloads such as user.__proto__.polluted and constructor.prototype still caused lodash _.set() via @poppinss/utils to create plain intermediate objects and pollute Object.prototype. This issue is fixed in versions 10.1.5 and 11.0.3. | high | 2026-07-16 |
| CVE-2026-4878 | A flaw was found in libcap. A local unprivileged user can exploit a Time-of-check-to-time-of-use (TOCTOU) race condition in the `cap_set_file()` function. This allows an attacker with write access to a parent directory to redirect file capability updates to an attacker-controlled file. By doing so, capabilities can be injected into or stripped from unintended executables, leading to privilege escalation. | high | 2026-07-16 |
| CVE-2026-48736 | Symfony is a PHP framework for web and console applications and a set of reusable PHP components. From 5.4.0 to 5.4.53, 6.4.41, 7.4.13, and 8.0.13, NoPrivateNetworkHttpClient and IpUtils::PRIVATE_SUBNETS omitted IPv6 transition prefixes such as 6to4, NAT64, Teredo, and IPv4-compatible IPv6, allowing attacker-supplied URLs to represent private IPv4 targets in forms that IpUtils::isPrivateIp() did not block. This issue is fixed in versions 5.4.53, 6.4.41, 7.4.13, and 8.0.13. | medium | 2026-07-16 |
| CVE-2026-48618 | A flaw in Node.js TLS hostname handling can cause Node.js unicode dot separator handling can lead to tls wildcard-depth authentication bypass due to resolver and verifier hostname normalization mismat. This can lead to confidentiality impact or bypass of the intended security boundary under affected configurations. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**. | medium | 2026-07-16 |
| CVE-2026-48572 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows App Installer allows an authorized attacker to elevate privileges locally. | high | 2026-07-16 |
| CVE-2026-48571 | Use after free in Windows App Installer allows an authorized attacker to elevate privileges locally. | high | 2026-07-16 |
| CVE-2026-48564 | Heap-based buffer overflow in Windows DHCP Server allows an authorized attacker to execute code over a network. | high | 2026-07-16 |
| CVE-2026-48561 | Improper neutralization of special elements used in a command ('command injection') in Microsoft Copilot allows an unauthorized attacker to execute code over a network. | critical | 2026-07-16 |
| CVE-2026-48489 | Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 5.4.53, 6.4.41, 7.4.13, and 8.0.13, DefaultAuthenticationFailureHandler honored the request-supplied _failure_path parameter when failure_forward: true was enabled, allowing an unauthenticated failing login request to dispatch a subrequest to access_control-protected GET routes that skipped firewall listeners. This issue is fixed in versions 5.4.53, 6.4.41, 7.4.13, and 8.0.13. | high | 2026-07-16 |
| CVE-2026-48357 | CAI Content Credentials is affected by an Uncontrolled Resource Consumption vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to exhaust system resources, resulting in an application denial-of-service condition. Exploitation of this issue does not require user interaction. | medium | 2026-07-16 |
| CVE-2026-48354 | CAI Content Credentials is affected by an Integer Overflow or Wraparound vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue does not require user interaction. | medium | 2026-07-16 |
| CVE-2026-48353 | CAI Content Credentials is affected by an Improper Input Validation vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files and directories outside the intended access scope. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | medium | 2026-07-16 |
| CVE-2026-48352 | CAI Content Credentials is affected by an Improper Input Validation vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue does not require user interaction. | high | 2026-07-16 |
| CVE-2026-48351 | CAI Content Credentials is affected by an Improper Input Validation vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue does not require user interaction. | high | 2026-07-16 |
| CVE-2026-48350 | Animate is affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could exploit this vulnerability to access sensitive files or directories outside the intended restrictions. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Scope is changed. | high | 2026-07-16 |
| CVE-2026-48349 | Animate is affected by an Incorrect Authorization vulnerability that could result in arbitrary code execution in the context of the current user. Exploit depends on conditions beyond the attacker's control. Exploitation of this issue does not require user interaction. Scope is changed. | high | 2026-07-16 |