Security Vulnerabilities
Memory Corruption when accessing an output buffer without validating its size during IOCTL processing.
CVSS Score: 7.8 | EPSS Score: 0.0 | Published: 2026-04-06

Memory corruption when decoding corrupted satellite data files with invalid signature offsets.
CVSS Score: 8.8 | EPSS Score: 0.0 | Published: 2026-04-06

Cryptographic issue while copying data to a destination buffer without validating its size.
CVSS Score: 7.1 | EPSS Score: 0.0 | Published: 2026-04-06

Memory Corruption when accessing freed memory due to concurrent fence deregistration and signal handling.
CVSS Score: 6.5 | EPSS Score: 0.0 | Published: 2026-04-06

Memory corruption when buffer copy operation fails due to integer overflow during attestation report generation.
CVSS Score: 7.8 | EPSS Score: 0.0 | Published: 2026-04-06

Memory corruption while preprocessing IOCTL request in JPEG driver.
CVSS Score: 7.8 | EPSS Score: 0.0 | Published: 2026-04-06

Memory corruption while processing a frame request from user.
CVSS Score: 7.8 | EPSS Score: 0.0 | Published: 2026-04-06

Homarr is an open-source dashboard. Prior to 1.57.0, the user registration endpoint (/api/trpc/user.register) is vulnerable to a race condition that allows an attacker to create multiple user accounts from a single-use invite token. The registration flow performs three sequential database operations without a transaction: (1) CHECK, (2) CREATE, and (3) DELETE. Because these operations are not atomic, concurrent requests can all pass the validation step (1) before any of them reaches the deletion step (3). This allows multiple accounts to be registered using a single invite token that was intended to be single-use. This vulnerability is fixed in 1.57.0.
CVSS Score: 4.2 | EPSS Score: 0.0 | Published: 2026-04-06

Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, a reflected DOM-based XSS vulnerability in taillog.js allows an unauthenticated attacker to inject arbitrary HTML into the Pi-hole admin interface by crafting a malicious URL. The file query parameter is interpolated into an innerHTML assignment without escaping. Because the Content-Security-Policy is missing the form-action directive, injected <form> elements can exfiltrate credentials to an external origin. This vulnerability is fixed in 6.5.
CVSS Score: 6.1 | EPSS Score: 0.001 | Published: 2026-04-06

Homarr is an open-source dashboard. Prior to 1.57.0, a DOM-based Cross-Site Scripting (XSS) vulnerability has been discovered in Homarr's /auth/login page. The application improperly trusts a URL parameter (callbackUrl), which is passed to redirect and router.push. An attacker can craft a malicious link that, when opened by an authenticated user, performs a client-side redirect and executes arbitrary JavaScript in the context of their browser. This could lead to credential theft, internal network pivoting, and unauthorized actions performed on behalf of the victim. This vulnerability is fixed in 1.57.0.
CVSS Score: 8.8 | EPSS Score: 0.0 | Published: 2026-04-06

