CVE-2026-26422

Publié : 6 juin 2026

Modifié : 6 juin 2026

Lien officiel NVD

Score CVSS

8.4

HIGH

Description détaillée

clash-verge-service-ipc before 2.3.0 has a world-reachable IPC endpoint, leading to local privilege escalation.

Vecteur d'attaque (CVSS)

Vecteur brut :CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Références et Patchs

https://github.com/clash-verge-rev/clash-verge-rev/commit/3bbcdbe5caacc2ffb713af69f2c93e202573f918 https://github.com/clash-verge-rev/clash-verge-service-ipc/releases/tag/v2.3.0 https://kaguranaku.me/posts/CVE-2026-26422/

Dernières Vulnérabilités

CVE-2026-11447

A security flaw has been discovered in GL.iNet GL-MT3000 up to 4.4.5. Impacted is the function iwinfo_backend of the file iwinfo.so of the component MTK Backend. The manipulation of the argument device results in command injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. Upgrading to version 4.7 is recommended to address this issue. Upgrading the affected component is recommended. The vendor confirms: "Starting from version 4.7, SDK has added global protection to intercept malicious injection".

VOIR DÉTAILS

CVE-2026-36229

Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.

VOIR DÉTAILS

CVE-2026-11441

A vulnerability was identified in theonedev onedev up to 15.0.5. This vulnerability affects the function canAccessIssue of the file /issues/ of the component Pull Request Handler. Such manipulation of the argument issue leads to improper authorization. It is possible to launch the attack remotely. Upgrading to version 15.0.6 is able to resolve this issue. It is advisable to upgrade the affected component.

VOIR DÉTAILS