Security Vulnerabilities
Memory corruption when decoding corrupted satellite data files with invalid signature offsets.
CVSS Score: 8.8 | EPSS Score: 0.0 | Published: 2026-04-06
Cryptographic issue while copying data to a destination buffer without validating its size.
CVSS Score: 7.1 | EPSS Score: 0.0 | Published: 2026-04-06
Memory corruption when accessing freed memory due to concurrent fence deregistration and signal handling.
CVSS Score: 6.5 | EPSS Score: 0.0 | Published: 2026-04-06
Memory corruption when a buffer copy operation fails due to integer overflow during attestation report generation.
CVSS Score: 7.8 | EPSS Score: 0.0 | Published: 2026-04-06
Memory corruption while preprocessing an IOCTL request in the JPEG driver.
CVSS Score: 7.8 | EPSS Score: 0.0 | Published: 2026-04-06
Memory corruption while processing a frame request from a user.
CVSS Score: 7.8 | EPSS Score: 0.0 | Published: 2026-04-06
Twitch Studio version 0.114.8 and prior contain a privilege escalation vulnerability in its privileged helper tool that allows local attackers to execute arbitrary code as root by exploiting an unprotected XPC service. Attackers can invoke the installFromPath:toPath:withReply: method to overwrite system files and privileged binaries, achieving full system compromise. Twitch Studio was discontinued in May 2024.
CVSS Score: 8.5 | EPSS Score: 0.0 | Published: 2026-04-06
Homarr is an open-source dashboard. Prior to 1.57.0, the user registration endpoint (/api/trpc/user.register) is vulnerable to a race condition that allows an attacker to create multiple user accounts from a single-use invite token. The registration flow performs three sequential database operations without a transaction: CHECK, CREATE, and DELETE. Because these operations are not atomic, concurrent requests can all pass the validation step (1) before any of them reaches the deletion step (3). This allows multiple accounts to be registered using a single invite token that was intended to be single-use. This vulnerability is fixed in 1.57.0.
CVSS Score: 4.2 | EPSS Score: 0.0 | Published: 2026-04-06
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, a reflected DOM-based XSS vulnerability in taillog.js allows an unauthenticated attacker to inject arbitrary HTML into the Pi-hole admin interface by crafting a malicious URL. The file query parameter is interpolated into an innerHTML assignment without escaping. Because the Content-Security-Policy is missing the form-action directive, injected <form> elements can exfiltrate credentials to an external origin. This vulnerability is fixed in 6.5.
CVSS Score: 6.1 | EPSS Score: 0.001 | Published: 2026-04-06
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, client hostnames and IP addresses from the FTL database are rendered into the DOM without escaping in network.js (Network page) and charts.js/index.js (Dashboard chart tooltips). While upstream validation in dnsmasq and FTL blocks HTML characters via normal DHCP/DNS paths, the web UI performs no output escaping, an inconsistency with other fields in the same file that are properly escaped. This vulnerability is fixed in 6.5.
CVSS Score: 3.4 | EPSS Score: 0.0 | Published: 2026-04-06
Shodan ® - All rights reserved