QSearchQSearch
A vertical stack of five horizontal severity-tier bars rendered with Swiss tabular precision, descending in opacity from a hot volt-lime upper bar through a cooler signal-blue lower bar, evoking vulnerability severity stratification

CVE Watch

Every published CVE, mapped to engagement reality.

Crawled from cve.org every day. Each entry annotated with the QSearch coverage signal — how many of our agents, skills, and playbooks address the technique. Subscribe via RSS for SIEM pipe, or get the weekly digest by email.

Tracking 12096 CVEsUpdated dailyLatest entry 2026-06-26
  • CVE-2026-283744.3 MEDIUM2026-05-13

    Editors could delete any annotation, even those they do not have read access to

    Editors could delete any annotation, even those they do not have read access to. The editor user cannot create or read the annotations.

    grafanaCWE-284
  • CVE-2026-442485.3 MEDIUM2026-05-13

    Netty is an asynchronous, event-driven network application framework

    Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the MQTT 5 header Properties section is parsed and buffered before any message size limit is applied. Specifically, in MqttDecoder, the decodeVariableHeader() method is called before the bytesRemainingBeforeVariableHeader > maxBytesInMessage check. The decodeVariableHeader() can call other methods which will call decodeProperties(). Effectively, Netty does not apply any limits to the size of the properties being decoded. Additionally, because MqttDecoder extends ReplayingDecoder, Netty will repeatedly re-parse the enormous Properties sections and buffer the bytes in memory, until the entire thing parses to completion. This can cause high resource usage in both CPU and memory. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.

    nettyCWE-400
  • CVE-2026-425877.5 HIGH2026-05-13

    Netty is an asynchronous, event-driven network application framework

    Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate encodings via ZlibDecoder, but is silently ignored when the content encoding is br (Brotli), zstd, or snappy. An attacker can bypass the configured decompression limit by sending a compressed payload with Content-Encoding: br instead of Content-Encoding: gzip, causing unbounded memory allocation and out-of-memory denial of service. The same vulnerability exists in DelegatingDecompressorFrameListener for HTTP/2 connections. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.

    nettyCWE-400
  • CVE-2026-425866.8 MEDIUM2026-05-13

    Netty is an asynchronous, event-driven network application framework

    Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the Netty Redis codec encoder (RedisEncoder) writes user-controlled string content directly to the network output buffer without validating or sanitizing CRLF (\r\n) characters. Since the Redis Serialization Protocol (RESP) uses CRLF as the command/response delimiter, an attacker who can control the content of a Redis message can inject arbitrary Redis commands or forge fake responses. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.

    nettyCWE-93
  • CVE-2026-425856.5 MEDIUM2026-05-13

    Netty is an asynchronous, event-driven network application framework

    Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty incorrectly parses malformed Transfer-Encoding, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.

    nettyCWE-444
  • CVE-2026-425847.3 HIGH2026-05-13

    Netty is an asynchronous, event-driven network application framework

    Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpClientCodec pairs each inbound response with an outbound request by queue.poll() once per response, including for 1xx. If the client pipelines GET then HEAD and the server sends 103, then 200 with GET body, then 200 for HEAD, the queue pairs HEAD with the first 200. The HEAD rule then skips reading that message’s body, so the GET entity bytes stay on the stream and the following 200 is parsed from the wrong offset. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.

    nettyCWE-444
  • CVE-2026-425837.5 HIGH2026-05-13

    Netty is an asynchronous, event-driven network application framework

    Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Lz4FrameDecoder allocates a ByteBuf of size decompressedLength (up to 32 MB per block) before LZ4 runs. A peer only needs a 21-byte header plus compressedLength payload bytes - 22 bytes if compressedLength == 1 - to force that allocation. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.

    nettyCWE-400CWE-770
  • CVE-2026-425827.5 HIGH2026-05-13

    Netty is an asynchronous, event-driven network application framework

    Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final, when decoding header blocks, the non-Huffman branch of io.netty.handler.codec.http3.QpackDecoder#decodeHuffmanEncodedLiteral may execute new byte[length] for a string literal before verifying that length bytes are actually present in the compressed field section. The wire encoding allows a very large length to be expressed in few bytes. There is no check that length <= in.readableBytes() before new byte[length]. This vulnerability is fixed in 4.2.13.Final.

    nettyCWE-770CWE-789
  • CVE-2026-425815.8 MEDIUM2026-05-13

    Netty is an asynchronous, event-driven network application framework

    Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpObjectDecoder strips a conflicting Content-Length header when a request carries both Transfer-Encoding: chunked and Content-Length, but only for HTTP/1.1 messages. The guard is absent for HTTP/1.0. An attacker that sends an HTTP/1.0 request with both headers causes Netty to decode the body as chunked while leaving Content-Length intact in the forwarded HttpMessage. Any downstream proxy or handler that trusts Content-Length over Transfer-Encoding will disagree on message boundaries, enabling request smuggling. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.

    nettyCWE-444
  • CVE-2026-425806.5 MEDIUM2026-05-13

    Netty is an asynchronous, event-driven network application framework

    Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's chunk size parser silently overflows int, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.

    nettyCWE-190CWE-444
  • CVE-2026-425797.5 HIGH2026-05-13

    Netty is an asynchronous, event-driven network application framework

    Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's DNS codec does not enforce RFC 1035 domain name constraints during either encoding or decoding. This creates a bidirectional attack surface: malicious DNS responses can exploit the decoder, and user-influenced hostnames can exploit the encoder. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.

    nettyCWE-20CWE-400
  • CVE-2026-425787.5 HIGH2026-05-13

    Netty is an asynchronous, event-driven network application framework

    Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's HttpProxyHandler constructs HTTP CONNECT requests with header validation explicitly disabled. The newInitialMessage() method creates headers using DefaultHttpHeadersFactory.headersFactory().withValidation(false), then adds user-provided outboundHeaders without any CRLF validation. This allows an attacker who can influence the outbound headers to inject arbitrary HTTP headers into the CONNECT request sent to the proxy server. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.

    nettyCWE-113
  • CVE-2026-425777.5 HIGH2026-05-13

    Netty is an asynchronous, event-driven network application framework

    Netty is an asynchronous, event-driven network application framework. From 4.2.0.Final to 4.2.13.Final , Netty's epoll transport fails to detect and close TCP connections that receive a RST after being half-closed, leading to stale channels that are never cleaned up and, in some code paths, a 100% CPU busy-loop in the event loop thread. This vulnerability is fixed in 4.2.13.Final.

    nettyCWE-772
  • CVE-2026-309067.8 HIGH2026-05-13

    Untrusted search path in the installer for Zoom Rooms for Windows before version 7.0.0 may allow an authenticated user to enable an escal...

    Untrusted search path in the installer for Zoom Rooms for Windows before version 7.0.0 may allow an authenticated user to enable an escalation of privilege via local access.

    zoomCWE-426
  • CVE-2026-309057.8 HIGH2026-05-13

    External Control of File Name or Path in the Zoom Workplace VDI Plugin Windows Universal Installer before version 6.6.11 may allow an aut...

    External Control of File Name or Path in the Zoom Workplace VDI Plugin Windows Universal Installer before version 6.6.11 may allow an authenticated user to conduct an escalation of privilege via local access.

    zoomCWE-610CWE-73
  • CVE-2026-226776.5 MEDIUM2026-05-13

    Hermes WebUI prior to 0.51.44 contains a path traversal vulnerability in the session import endpoint that allows authenticated attackers ...

    Hermes WebUI prior to 0.51.44 contains a path traversal vulnerability in the session import endpoint that allows authenticated attackers to read arbitrary files by importing a crafted session with an unrestricted workspace value. Attackers can supply a blocked filesystem root in the workspace field and subsequently use relative paths in the session file API to access any file readable by the WebUI process.

    CWE-22
  • CVE-2026-02579.1 CRITICAL2026-05-13

    Authentication bypass vulnerabilities in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS® software allows the attacker ...

    Authentication bypass vulnerabilities in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS® software allows the attacker to bypass security restrictions and establish an unauthorized VPN connection. Panorama and Cloud NGFW are not impacted by these issues.

    paloaltonetworkssiemensCWE-565
  • CVE-2026-440018.6 HIGH2026-05-13

    vm2 is an open source vm/sandbox for Node.js

    vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, a sandbox escape vulnerability in vm2 v3.10.5 allows any sandboxed code to crash the host Node.js process via a single Promise constructor that triggers an unhandled rejection propagating to the host. The fix for CVE-2026-22709 (v3.10.2) only sanitized the onRejected callback in .then() and .catch() overrides and did not address the executor-to-unhandledRejection path. This vulnerability is fixed in 3.11.0.

    vm2_projectCWE-248
  • CVE-2026-450337.8 HIGH2026-05-13

    GitHub Copilot CLI brings AI-powered coding assistance directly to your command line

    GitHub Copilot CLI brings AI-powered coding assistance directly to your command line. Prior to 1.0.43, a security vulnerability has been identified in GitHub Copilot CLI where a malicious bare git repository nested inside a project directory can achieve arbitrary code execution when the agent performs git operations. By exploiting git's automatic bare repository discovery during directory traversal, an attacker can set core.fsmonitor or other executable config keys to run arbitrary commands without user awareness or approval. The vulnerability arises because git's core.fsmonitor config key (and 15+ similar keys such as core.hookspath, diff.external, merge.tool, etc.) can specify arbitrary shell commands that git will execute as part of normal operations like status, diff, or rev-parse. This vulnerability is fixed in 1.0.43.

    githubCWE-696
  • CVE-2026-446656.1 MEDIUM2026-05-13

    fast-xml-builder builds XML from JSON

    fast-xml-builder builds XML from JSON. Prior to 1.1.7, when an input data has quotes in attribute values but process entities is not enabled, it breaks the attribute value into multiple attributes. This gives the room for an attacker to insert unwanted attributes to the XML/HTML. This vulnerability is fixed in 1.1.7.

    CWE-91

Weekly digest

Get the curated CVE digest every Monday

One email a week, sent Monday morning CET. The CVEs published or modified in the last seven days, severity-ordered, with the QSearch coverage signal. Unsubscribe with one click — included in every send.

Pipe the CVE feed into your stack.

CVE Watch publishes RSS, Atom, and JSON feeds — wire them into your SIEM, Slack, Discord, or your RSS reader of choice. Or get the curated weekly digest by email.