Briefs

An SQL injection vulnerability (CVE-2026-39815) in Fortinet FortiDDoS-F versions 7.2.1 through 7.2.2 may allow a low-privilege attacker to execute unauthorized code or commands.

Fortinet FortiSandbox versions 4.4.0 through 4.4.8 are vulnerable to OS Command Injection (CVE-2026-39808), potentially allowing unauthenticated attackers to execute arbitrary code or commands.

A vulnerability in the go-markdown library exists where processing a malformed input containing a '<' character that is not followed by a '>' character with a SmartypantsRenderer can lead to an out-of-bounds read or a panic, causing a denial of service.

Jetty is vulnerable to HTTP request smuggling due to improper parsing of quoted strings in HTTP/1.1 chunked transfer encoding extension values, potentially allowing attackers to inject arbitrary HTTP requests, poison caches, and bypass security controls.

Krayin CRM v2.2.x is vulnerable to SQL injection via the rotten_lead parameter in /Lead/LeadDataGrid.php, potentially allowing attackers to read sensitive data.

A use-after-free vulnerability exists in libsixel versions 1.8.7 and prior when processing animated GIFs due to improper frame buffer management, potentially leading to code execution.

A time-based blind SQL injection vulnerability in manikandan580 School-management-system 1.0 allows unauthenticated attackers to potentially execute arbitrary SQL queries and gain unauthorized access to sensitive information.

CVE-2026-33825 allows a locally authenticated attacker to escalate privileges in Microsoft Defender due to insufficient access control granularity.

An out-of-bounds read vulnerability in Microsoft Office Excel (CVE-2026-32188) allows a local attacker to potentially disclose sensitive information through a maliciously crafted Excel file.

CVE-2026-32189 is a use-after-free vulnerability in Microsoft Excel that allows a local attacker to execute arbitrary code by exploiting memory corruption.

CVE-2026-27914 is an improper access control vulnerability in Microsoft Management Console that allows a locally authorized attacker to elevate privileges.

CVE-2026-32198 is a use-after-free vulnerability in Microsoft Office Excel that allows an attacker to execute code locally on a vulnerable system.

A use-after-free vulnerability in Microsoft Office Word (CVE-2026-33095) could allow a local attacker to execute arbitrary code by opening a specially crafted document.

An improper input validation vulnerability (CVE-2026-26143) in Microsoft PowerShell allows an unauthorized local attacker to bypass security features.

CVE-2026-23657 is a use-after-free vulnerability in Microsoft Office Word allowing a local attacker to execute arbitrary code with user privileges.

A critical authentication bypass vulnerability (CVE-2026-34457) exists in OAuth2 Proxy when used with `auth_request`-style integration and either `--ping-user-agent` is set or `--gcp-healthchecks` is enabled, allowing unauthenticated access to protected resources.

CVE-2026-33120 is an untrusted pointer dereference vulnerability in Microsoft SQL Server that allows an authenticated attacker to achieve remote code execution over a network.

A Server-Side Request Forgery (SSRF) vulnerability in Webkul Krayin CRM v2.2.x allows attackers to scan internal resources by sending a crafted POST request to the /settings/webhooks/create endpoint.

CVE-2026-27913 describes an improper input validation vulnerability in Windows BitLocker that allows a local attacker to bypass security features.

CVE-2026-32149 is a vulnerability in Windows Hyper-V due to improper input validation, which allows an authorized, local attacker to execute arbitrary code.

CVE-2026-27912 describes an improper authorization vulnerability in Windows Kerberos, enabling an attacker on an adjacent network with valid credentials to elevate privileges.

CVE-2026-27929 is a time-of-check time-of-use (TOCTOU) race condition in Windows LUAFV that allows an authorized local attacker to elevate privileges.

CVE-2026-27927 is a race condition vulnerability in the Windows Projected File System that allows an authorized attacker to escalate privileges locally.

CVE-2026-26172 is a race condition vulnerability in Windows Push Notifications, allowing a locally authenticated attacker to elevate privileges.

CVE-2026-32158 is a race condition vulnerability in Windows Push Notifications that allows an authorized attacker to elevate privileges locally due to improper synchronization when using shared resources.

CVE-2026-32160 describes a race condition vulnerability in Windows Push Notifications that allows a locally authorized attacker to elevate privileges.

CVE-2026-26151 is a spoofing vulnerability in Windows Remote Desktop due to an insufficient UI warning for dangerous operations, allowing an unauthorized attacker to perform spoofing over a network.

CVE-2026-32068 is a race condition vulnerability in the Windows SSDP Service that allows an authorized attacker to elevate privileges locally.

CVE-2026-32076 is an out-of-bounds read vulnerability in the Windows Storage Spaces Controller that allows an authorized local attacker to elevate privileges.

CVE-2026-33827 is a race condition vulnerability in Windows TCP/IP that allows an attacker to execute arbitrary code over the network by exploiting improper synchronization during concurrent execution using shared resources.