CVE-2026-2000
Published: 2026-02-06
Priority: P2 · 64 · high · CVSS 3.1: 7.2
Vector: AV:N / AC:L / PR:H / UI:N / S:U / C:H / I:H / A:H
EPSS: 14.24% (96.1th percentile)
A vulnerability was found in DCN DCME-320 up to 20260121. Impacted is the function apply_config of the file /function/system/basic/bridge_cfg.php of the component Web Management Backend. Performing a manipulation of the argument ip_list results in command injection. The attack is possible to be carried out remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dcn | dcme-320 | — | — |
| dcnetworks | dcme-320_firmware | <= 20260121 | — |
| github.com | cometbft_cometbft | >= 0 < 0.38.17 | 0.38.17 |
| github.com | cometbft_cometbft | >= 1.0.0-alpha.1 < 1.0.1 | 1.0.1 |
| chrome_chrome | — | — | — |
| nyariv | sandboxjs | >= 0 < 0.8.36 | 0.8.36 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 2.0 | LOW | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| nvd | v2.0 | 5.8 | MEDIUM | AV:N/AC:L/Au:M/C:P/I:P/A:P |
| vendor_redhat | — | 7.8 | HIGH | — |
GHSA
CoreWCF: WS-Security Reference DigestMethod Algorithm-Suite Bypass
ghsa·2026-06-19
CVE-2026-54780 [LOW] CWE-327 CoreWCF: WS-Security Reference DigestMethod Algorithm-Suite Bypass
### Impact
CoreWCF’s WS-Security 1.0 receive pipeline validates the `SignatureMethod` of an incoming `ds:SignedInfo` against the configured `SecurityAlgorithmSuite`, but does not validate the `DigestMethod` declared on each `ds:Reference`. As a result, a sender can populate `ds:SignedInfo` with `SignatureMethod` values the suite accepts (for example rsa-sha256 under Basic256Sha256) while declaring a per-reference `DigestMethod` the suite rejects (for example http://www.w3.org/2000/09/xmldsig#sha1). The signature is then verified where it permits SHA-1 digests, and the message is accepted.
### Patches
Fixed in CoreWCF v1.8.1 and v1.9.1
### Workarounds
None
GHSA
LiquidJS Vulnerable to ReDoS via Quadratic Backtracking in `strip_html` Filter Regex
ghsa·2026-05-27
CVE-2026-45617 [HIGH] CWE-1333 LiquidJS Vulnerable to ReDoS via Quadratic Backtracking in `strip_html` Filter Regex
## Summary
The built-in `strip_html` filter in liquidjs uses a regex containing four lazy-quantified alternatives. When the input contains many
```
|||/g, '')
}
```
The regex contains four lazy patterns:
1. ``
2. ``
3. ``
4. ``
For an input like
```
' {
for (const n of [1000, 2000, 4000, 8000, 16000]) {
const payload = ' {
const payload = ')[^|)[^|)[^-]*)*-->|]*>/g,
''
)
```
This unrolls each lazy quantifier so each ``, ``, comment, or generic tag, and emit nothing for those ranges.
Either fix should be combined with charging the regex output cost honestly to `memoryLimit` and (defensively) capping input length up front:
```ts
export function strip_html (this: FilterImpl, v: string) {
const str = stringify(
```
GHSA
SandboxJS: Stack overflow DoS via deeply nested expressions in recursive descent parser
ghsa·2026-04-03
CVE-2026-34211 [MEDIUM] CWE-674 SandboxJS: Stack overflow DoS via deeply nested expressions in recursive descent parser
## Summary
The `@nyariv/sandboxjs` parser contains unbounded recursion in the `restOfExp` function and the `lispify`/`lispifyExpr` call chain. An attacker can crash any Node.js process that parses untrusted input by supplying deeply nested expressions (e.g., ~2000 nested parentheses), causing a `RangeError: Maximum call stack size exceeded` that terminates the process.
## Details
The root cause is in `src/parser.ts`. The `restOfExp` function (line 443) iterates through expression characters, and when it encounters a closing bracket that doesn't match the expected `firstOpening`, it recursively calls itself at line 503:
```typescript
// src/parser.ts:486-505
} else if (closings[char]) {
// ...
if (c
```
GHSA
GHSA-6xm9-322m-9c67: A vulnerability was found in DCN DCME-320 up to 20260121
ghsa_unreviewed·2026-02-06
CVE-2026-2000 [MEDIUM] CWE-74 GHSA-6xm9-322m-9c67: A vulnerability was found in DCN DCME-320 up to 20260121
A vulnerability was found in DCN DCME-320 up to 20260121. Impacted is the function apply_config of the file /function/system/basic/bridge_cfg.php of the component Web Management Backend. Performing a manipulation of the argument ip_list results in command injection. The attack is possible to be carried out remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
GHSA
CometBFT allows a malicious peer to make node stuck in blocksync
ghsa·2025-02-03
CVE-2025-24371 [MEDIUM] CWE-703 CometBFT allows a malicious peer to make node stuck in blocksync
Name: ASA-2025-001: Malicious peer can disrupt node's ability to sync via blocksync
Component: CometBFT
[OUTDATED] Criticality: Medium (Considerable Impact; Possible Likelihood per [ACMv1.2](https://github.com/interchainio/security/blob/main/resources/CLASSIFICATION_MATRIX.md))
**Update of Criticality on 2026-03-06**: We've made a mistake and over-rated the criticality of this bug in our initial triage. We have calibrated our vulnerability rating internally and updated the criticality of this bug to be Informational (Negligible Impact, Possible Likelihood)
Affected versions: Y`. For example:
```
B: {base: 100, latest: 2000}
B: {base: 100, latest: 1001}
B: {base: 100, latest: 1002}
...
```
`A` will be trying to catch up to
Chrome
Stable Channel Update for Desktop: CVE-2026-14024
vendor_chrome·2026-06-30
CVE-2026-14024 [MEDIUM] Stable Channel Update for Desktop: CVE-2026-14024
Stable Channel Update for Desktop
CVE-2026-14024: Use after free in Ozone. Reported by Google on 2026-05-30
[$2000][506482786] Low CVE-2026-14025: Use after free in Views. Reported by asjidkalam on 2026-04-26
[$1000][507263861] Low CVE-2026-14026: Incorrect security UI in SplitView
Severity: medium
Chrome
Stable Channel Update for Desktop: CVE-2026-13794
vendor_chrome·2026-06-30
CVE-2026-13794 [HIGH] Stable Channel Update for Desktop: CVE-2026-13794
Stable Channel Update for Desktop
CVE-2026-13794: Insufficient validation of untrusted input in WebAppInstalls. Reported by Daniel Rodríguez on 2026-05-16
[$2000][476591032] High CVE-2026-13795: Insufficient policy enforcement in Chrome for iOS. Reported by maitai on 2026-01-17
[N/A][491894115] High CVE-2026-13796: Integer overflow in Chromecast
Severity: high
Red Hat
ImageMagick: ImageMagick: Denial of service via heap buffer overwrite in JP2 processing
vendor_redhat·2026-06-10·CVSS 4.0
CVE-2026-46559 [MEDIUM] CWE-787 ImageMagick: ImageMagick: Denial of service via heap buffer overwrite in JP2 processing
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-48 and 7.1.2-23, an incorrect check in the JP2 will result in a heap buffer over-write of a single byte when specifying certain options. This issue has been patched in versions 6.9.13-48 and 7.1.2-23.
A flaw was found in ImageMagick, a free and open-source software used for editing and manipulating digital images. An incorrect check during JPEG 2000 (JP2) image processing, when certain options are specified, can lead to a heap buffer overwrite of a single byte. This vulnerability could allow a local attacker to cause a denial of service (DoS) by crashing the application.
Package: I
Chrome
Stable Channel Update for Desktop: CVE-2026-11217
vendor_chrome·2026-06-02
CVE-2026-11217 [LOW] Stable Channel Update for Desktop: CVE-2026-11217
Stable Channel Update for Desktop
CVE-2026-11217: Insufficient policy enforcement in Fenced Frames. Reported by Tianyi Hu on 2026-02-25
[$2000][476862276] Low CVE-2026-11218: Inappropriate implementation in PlatformIntegration. Reported by Han Liu (Xi’an Jiaotong University, School of Cyber Science and Engineering) on 2026-01-19
[$2000][480074849] Low CVE-2026-11219: Insufficient data validation in Navigation
Severity: low
Chrome
Stable Channel Update for Desktop: CVE-2026-10992
vendor_chrome·2026-06-02
CVE-2026-10992 [MEDIUM] Stable Channel Update for Desktop: CVE-2026-10992
Stable Channel Update for Desktop
CVE-2026-10992: Insufficient data validation in Animation. Reported by heapracer (@heapracer) on 2026-03-17
[$2000][504160794] Medium CVE-2026-10993: Heap buffer overflow in Skia. Reported by M
Severity: medium
Chrome
Stable Channel Update for Desktop: CVE-2026-10905
vendor_chrome·2026-06-02
CVE-2026-10905 [HIGH] Stable Channel Update for Desktop: CVE-2026-10905
Stable Channel Update for Desktop
CVE-2026-10905: Use after free in Network. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-02-25
[$3000][503420438] High CVE-2026-10906: Use after free in WebAuthentication. Reported by Weipeng Jiang (@Krace) of VRI on 2026-04-17
[$2000][489071023] High CVE-2026-10907: Out of bounds write in ANGLE
Severity: high
Chrome
Stable Channel Update for Desktop: CVE-2026-10016
vendor_chrome·2026-05-27
CVE-2026-10016 [HIGH] Stable Channel Update for Desktop: CVE-2026-10016
Stable Channel Update for Desktop
CVE-2026-10016: Use after free in DOM. Reported by pwn2addr on 2026-05-20
[$3000][504156069] Medium CVE-2026-10017: Out of bounds read in Headless. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-04-19
[$2000][504175501] Medium CVE-2026-10018: Integer overflow in ANGLE
Severity: high
Red Hat
OpenEXR: OpenEXR: Signed integer overflow in HTJ2K decompression can lead to denial of service.
vendor_redhat·2026-04-21·CVSS 5.3
CVE-2026-39886 [MEDIUM] CWE-190 OpenEXR: OpenEXR: Signed integer overflow in HTJ2K decompression can lead to denial of service.
A flaw was found in OpenEXR, an image storage format for the motion picture industry. A remote attacker could exploit a signed integer overflow vulnerability in the HTJ2K (High-Throughput JPEG 2000) decompression path by providing a specially crafted EXR file. This flaw causes an internal bytes-per-line value to overflow, leading to undefined behavior. In certain environments, this could result in a heap out-of-bounds write, potentially causing a denial of service.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base,
Red Hat
ImageMagick: Magick.NET: ImageMagick: Denial of service via heap out-of-bounds write in JP2 encoder
vendor_redhat·2026-04-13·CVSS 5.5
CVE-2026-40310 [MEDIUM] CWE-1285 ImageMagick: Magick.NET: ImageMagick: Denial of service via heap out-of-bounds write in JP2 encoder
A flaw was found in ImageMagick. This vulnerability, a heap out-of-bounds write, occurs within the JPEG 2000 (JP2) encoder when processing an image with an invalid sampling index. A remote attacker could exploit this by providing a specially crafted image, which may lead to a denial of service (DoS) by causing the application to crash or become unstable.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Package: ImageMagick (Red Hat Enterprise Linux 6) - Out of support scope
Package: ImageMagick
Red Hat
gimp: GIMP: Remote Code Execution via malicious JP2 file parsing
vendor_redhat·2026-04-11·CVSS 7.8
CVE-2026-4152 [HIGH] CWE-131 gimp: GIMP: Remote Code Execution via malicious JP2 file parsing
A flaw was found in GIMP. A remote attacker could exploit this by tricking a user into opening a specially crafted JP2 (JPEG 2000) file. This flaw is due to a heap-based buffer overflow during JP2 file parsing, which allows for arbitrary code execution. Successful exploitation enables the attacker to execute code in the context of the current process.
Statement: This is an Important vulnerability in GIMP that could lead to arbitrary code execution. The flaw is a heap-based buffer overflow in the JP2 file parsing component. Exploitation requires user interaction, where a victim must open a specially crafted malicious JP2 file.
Mitigation: To mitigate this issue, users should avoid opening JP2 (JPEG 2000) files from untruste
Chrome
Stable Channel Update for Desktop: CVE-2026-3936
vendor_chrome·2026-03-10·CVSS 8.8
CVE-2026-3936 [MEDIUM] Stable Channel Update for Desktop: CVE-2026-3936
Stable Channel Update for Desktop
CVE-2026-3936: Use after free in WebView. Reported by Am4deu$ on 2026-02-05
[$3000][473118648] Low CVE-2026-3937: Incorrect security UI in Downloads. Reported by Abhishek Kumar on 2026-01-03
[$2000][474763968] Low CVE-2026-3938: Insufficient policy enforcement in Clipboard
Severity: medium
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-45696 OpenEXR: OpenEXR: Denial of Service and potential information disclosure via crafted EXR file
bugzilla·2026-06-18
CVE-2026-45696 [HIGH] CVE-2026-45696 OpenEXR: OpenEXR: Denial of Service and potential information disclosure via crafted EXR file
OpenEXR is the reference implementation and specification for the EXR image format, widely used in the motion picture industry. In versions 3.4.0 through 3.4.11, the HTJ2K (High-Throughput JPEG 2000) decoder, ht_undo_impl() in OpenEXRCore is vulnerable to a heap-buffer-overflow READ. The ht_undo_impl function copies decoded pixels out of a per-line OpenJPH buffer using the EXR channel's declared width as the iteration count. The codestream embedded in the EXR chunk can declare different (smaller) tile/line dimensions than the EXR header advertises, but ht_undo_impl() does not validate this — it pulls width 32-bit samples from cur_line->i32[] without checking the OpenJPH line buffer'
Bugzilla
CVE-2026-52720 gstreamer1-plugins-bad-free: GStreamer: Heap buffer overflow via crafted VNC server rectangle in librfb
bugzilla·2026-06-09·CVSS 8.8
CVE-2026-52720 [HIGH] CVE-2026-52720 gstreamer1-plugins-bad-free: GStreamer: Heap buffer overflow via crafted VNC server rectangle in librfb
GStreamer librfb (RFB/VNC client) heap buffer overflow vulnerability. In rfbdecoder.c (gst-plugins-bad), the rectangle bounds check incorrectly validates area rather than individual dimensions: if (((w * h) + (x * y)) > (decoder->width * decoder->height)). A malicious VNC server can send a FramebufferUpdate with crafted x/y/w/h values (e.g., x=0, y=0, w=2000, h=1 on a 1920-wide framebuffer) that pass this check but extend beyond the framebuffer. The raw encoding function then performs memcpy(frame, p, raw_line_size) where raw_line_size = w * bytespp is larger than the framebuffer line, writing past the end of each line into adjacent heap memory. This results in a controll
Bugzilla
CVE-2026-39886 OpenEXR: OpenEXR: Signed integer overflow in HTJ2K decompression can lead to denial of service.
bugzilla·2026-04-21·CVSS 8.4
CVE-2026-39886 [HIGH] CVE-2026-39886 OpenEXR: OpenEXR: Signed integer overflow in HTJ2K decompression can lead to denial of service.
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. Versions 3.4.0 through 3.4.9 have a signed integer overflow vulnerability in OpenEXR's HTJ2K (High-Throughput JPEG 2000) decompression path. The `ht_undo_impl()` function in `src/lib/OpenEXRCore/internal_ht.cpp` accumulates a bytes-per-line value (`bpl`) using a 32-bit signed integer with no overflow guard. A crafted EXR file with 16,385 FLOAT channels at the HTJ2K maximum width of 32,767 causes `bpl` to overflow `INT_MAX`, producing undefined behavior confirmed by UBSan. On an allocator-permissive host where the required ~64 GB allocati
Published: 2026-02-06