NVD API queries: kernel CVEs return Analyzed, but SuperAGI CVE-2026-6584 stays Deferred with no CPE. Maps how Snyk, Trivy, Grype, Dependabot, and OSV-Scanner rely on NVD versus GHSA/OSV.
Out-of-bounds read in Ollama's GGUF loader before 0.17.1. If your Ollama API is network-accessible, a crafted model file can exfiltrate env vars, API keys, system prompts, and conversation fragments from process memory.
PA-Series and VM-Series with User-ID Authentication Portal exposed to untrusted traffic. CL-STA-1132 achieved root RCE, wiped crash logs, enumerated AD, and deployed EarthWorm and ReverseSocks5. Patches start May 13; interim mitigations and forensic indicators for exposed portals.
Dirty Frag is a local privilege escalation that writes to the Linux page cache via ESP-in-UDP and RxRPC receive paths. The algif_aead workaround from Copy Fail doesn't help, and the two attack paths complement each other to bypass Ubuntu's AppArmor restrictions on user namespaces.
Android's May 2026 bulletin patches CVE-2026-0073, a Wireless ADB auth bypass from mishandled EVP_PKEY_cmp return values. Adjacent network attackers bypass mutual TLS and get shell-level RCE on Android 14 through 16-qpr2. AOSP diff and impact breakdown included.
CVE-2026-26268, fixed in Cursor 2.5, allowed AI agents to rewrite insufficiently protected .git config and Git hooks, leading to out-of-sandbox RCE on the next Git operation.
CVE-2026-31431 Copy Fail is a Linux kernel local privilege escalation bug that lets an unprivileged user write 4 controlled bytes into the page cache via AF_ALG + algif_aead. On containers and CI runners it turns into host compromise.
A regression in cryptographic signature validation introduced a CVSS 9.1 flaw into .NET 10.0. The Data Protection API implemented HMAC verification incompletely, opening the door to padding oracle attacks and forged authentication tokens.
The WordPress plugin Vertex Addons for Elementor (<= v1.6.4) has a broken authorization check in activate_required_plugins() that lets Subscriber-level users install and activate arbitrary plugins. CWE-862, CVSS 8.8.
CVE-2026-34197 (CVSS 8.8), an RCE in Apache ActiveMQ Classic that lurked for 13 years, was added to the CISA KEV catalog. Authenticated attackers can achieve remote code execution via the Jolokia API. Affects versions below 5.19.4 and 6.0.0–6.2.2.
NIST has changed NVD's operational policy. Full CVE enrichment is over — only CISA KEV, federal software, and EO 14028 critical software will be prioritized.