Rapid responses
runZero’s Rapid Response program provides immediate detection and notification of emerging threats. Older entries are migrated to standalone queries or templates.
Next.js, an open-source React framework developed by Vercel, provides structure, routing, and rendering solutions for building full-stack web applications.
Self-hosted Next.js applications using the built-in Node.js server are vulnerable to server-side request forgery (SSRF) within the WebSocket upgrade handling mechanism. A remote, unauthenticated attacker can exploit this flaw by sending crafted WebSocket upgrade requests. Successful exploitation allows the server to proxy requests to arbitrary internal or external destinations. This can expose sensitive internal services or cloud infrastructure endpoints, such as the Instance Metadata Service (IMDS), a local HTTP endpoint used by virtual machines to retrieve configurations, IP addresses, and IAM roles via a link-local address.
The following versions are affected:
- Next.js 13, 14, and 15: Versions 13.4.13 through 15.5.15
- Next.js 16: Versions 16.0.0 through 16.2.4
vendor:=Vercel AND product:="Next.js"
The Cisco Catalyst SD-WAN Controller serves as the centralized control-plane element, utilizing the Overlay Management Protocol (OMP) to manage routing intelligence, distribute security keys, and enforce network-wide policies. In contrast, the Cisco Catalyst SD-WAN Manager acts as the centralized management system, providing the graphical interface necessary for the configuration, monitoring, and orchestration of all devices within the fabric.
A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system. This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to the affected system. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric.
Note that there is evidence that this vulnerability is being exploited in the wild.
The following versions are affected:
- Catalyst SD-WAN releases prior to 20.9
- Catalyst SD-WAN release 20.9 versions prior to 20.9.9.1
- Catalyst SD-WAN release 20.10 versions prior to 20.12.7.1
- Catalyst SD-WAN release 20.11 versions prior to 20.12.7.1
- Catalyst SD-WAN release 20.12 versions prior to 20.12.5.4
- Catalyst SD-WAN release 20.12 versions prior to 20.12.6.2
- Catalyst SD-WAN release 20.13 versions prior to 20.12.7.1
- Catalyst SD-WAN release 20.13 versions prior to 20.15.5.2
- Catalyst SD-WAN release 20.14 versions prior to 20.15.5.2
- Catalyst SD-WAN release 20.15 versions prior to 20.15.4.4
- Catalyst SD-WAN release 20.15 versions prior to 20.15.5.2
- Catalyst SD-WAN release 20.16 versions prior to 20.18.2.2
- Catalyst SD-WAN release 20.18 versions prior to 20.18.2.2
- Catalyst SD-WAN release 26.1 versions prior to 26.1.1.1
hw:="Cisco vManage" OR os:="Cisco Viptela OS"
Nginx is a high-performance, open-source software used primarily as a web server and reverse proxy to efficiently handle large volumes of simultaneous connections. It is widely favored for its speed and stability, often serving as a load balancer or HTTP cache to optimize the delivery of web content.
A heap-based buffer overflow vulnerability exists in the ngx_http_rewrite_module component of NGINX Plus and NGINX Open Source base products. The flaw is triggered when a rewrite directive is followed by a rewrite, if, or set directive that uses an unnamed PCRE capture group (e.g., $1, $2) whose replacement string contains a question mark (?). An unauthenticated, remote attacker may exploit this by sending specially crafted HTTP requests, causing a heap buffer overflow in the NGINX worker process and resulting in a service restart. On systems where Address Space Layout Randomization (ASLR) is disabled, exploitation may also allow arbitrary code execution.
The following product versions are affected:
- NGINX Plus: Versions R32 through R36
- NGINX Open Source: Versions 1.0.0 through 1.30.0
- NGINX Open Source: Versions 0.6.27 through 0.9.7
- NGINX Instance Manager: Versions 2.16.0 through 2.21.1
- F5 WAF for NGINX: Versions 5.9.0 through 5.12.1
- NGINX App Protect WAF: Versions 5.1.0 through 5.8.0
- NGINX App Protect WAF: Versions 4.9.0 through 4.16.0
- F5 DoS for NGINX: Version 4.8.0
- NGINX App Protect DoS: Versions 4.3.0 through 4.7.0
- NGINX Gateway Fabric: Versions 2.0.0 through 2.5.1
- NGINX Gateway Fabric: Versions 1.3.0 through 1.6.2
- NGINX Ingress Controller: Versions 5.0.0 through 5.4.1
- NGINX Ingress Controller: Versions 4.0.0 through 4.0.1
- NGINX Ingress Controller: Versions 3.5.0 through 3.7.2
((vendor:="F5" OR vendor:="NGINX") AND (product:="nginx plus" OR product:="nginx" OR product:="nginx ingress controller"))
PAN-OS is the proprietary operating system that powers all Palo Alto Networks Next-Generation Firewalls (NGFW) across physical, virtual, and cloud environments. It uses a Single-Pass Parallel Processing (SP3) architecture to provide deep visibility and control over network traffic by identifying applications, users, and content simultaneously.
Several versions of Palo Alto Networks PAN-OS are vulnerable to a high-severity buffer overflow during IKEv2 handling. A remote, unauthenticated attacker can exploit this over the network to either gain elevated code execution or disrupt services entirely.
The following versions are affected:
- PAN-OS versions 12.1.5 through 12.1.6, 12.1.2 through 12.1.4-h*.
- PAN-OS 11.2 versions 11.2.11 or later, 11.2.8 through 11.2.10-h*, 11.2.5 through 11.2.7-h*, or 11.2.0 through 11.2.4-h*.
- PAN-OS 11.1 versions 11.1.14 or later, 11.1.11 through 11.1.13-h*, 11.1.8 through 11.1.10-h*, 11.1.7 through 11.1.7-h*, 11.1.5 through 11.1.6-h*, 11.1.0 through 11.1.4-h*.
Note: This vulnerability only affects PA-Series hardware.
Severity & Risk Assessment
- Severity: High – Successful exploitation could allow an attacker to potentially execute arbitrary code on the vulnerable system.
- Risk: High – This vulnerability can be exploited by an unauthenticated remote attacker, meaning the barrier to entry for an attacker is low. This significantly increases the likelihood of widespread exploitation.
hw:="Palo Alto Networks" AND os:="Palo Alto Networks PAN-OS%" AND os_version:>0 AND ((os_version:>="12.1.5" AND os_version:<"12.1.7") OR (os_version:>="12.1.2" AND os_version:<"12.1.4-h5") OR (os_version:>="11.2.11" AND os_version:<"11.2.12") OR (os_version:>="11.2.8" AND os_version:<"11.2.10-h6") OR (os_version:>="11.2.5" AND os_version:<"11.2.7-h13") OR (os_version:>="11.2.0" AND os_version:<"11.2.4-h17") OR (os_version:>="11.1.14" AND os_version:<"11.1.15") OR (os_version:>="11.1.11" AND os_version:<"11.1.13-h5") OR (os_version:>="11.1.8" AND os_version:<"11.1.10-h25") OR (os_version:>="11.1.7" AND os_version:<"11.1.7-h6") OR (os_version:>="11.1.5" AND os_version:<"11.1.6-h32") OR (os_version:>="11.1.0" AND os_version:<"11.1.4-h33"))
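To check an inventory export against the ranges above outside the runZero console, here is an added example (not runZero's code) that parses PAN-OS version strings, treating a bare release as hotfix 0 so that 11.2.10 < 11.2.10-h6 < 11.2.11, and applies the bounds transcribed from the query above. The upper bounds (the fixed hotfix builds) are taken from the query, since the prose lists them only as -h*; the type and function names are this example's own.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// panVersion is a parsed PAN-OS version: major, minor, patch and the optional
// "-hN" hotfix number. No hotfix suffix compares as hotfix 0.
type panVersion [4]int

var verRe = regexp.MustCompile(`^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$`)

// parsePANVersion turns "11.2.10-h6" into [11 2 10 6] and "11.2.10" into [11 2 10 0].
func parsePANVersion(s string) (panVersion, error) {
	m := verRe.FindStringSubmatch(s)
	if m == nil {
		return panVersion{}, fmt.Errorf("unrecognised PAN-OS version %q", s)
	}
	var v panVersion
	for i := 1; i <= 4; i++ {
		if m[i] == "" { // optional hotfix group did not match
			continue
		}
		n, err := strconv.Atoi(m[i])
		if err != nil {
			return panVersion{}, err
		}
		v[i-1] = n
	}
	return v, nil
}

// less reports whether a sorts before b (lexicographic on the four components).
func less(a, b panVersion) bool {
	for i := range a {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// affectedRange is half-open: from (inclusive) up to the fixed build (exclusive).
type affectedRange struct{ from, to string }

// ikev2Ranges are transcribed from the runZero query for this entry.
var ikev2Ranges = []affectedRange{
	{"12.1.5", "12.1.7"}, {"12.1.2", "12.1.4-h5"},
	{"11.2.11", "11.2.12"}, {"11.2.8", "11.2.10-h6"},
	{"11.2.5", "11.2.7-h13"}, {"11.2.0", "11.2.4-h17"},
	{"11.1.14", "11.1.15"}, {"11.1.11", "11.1.13-h5"},
	{"11.1.8", "11.1.10-h25"}, {"11.1.7", "11.1.7-h6"},
	{"11.1.5", "11.1.6-h32"}, {"11.1.0", "11.1.4-h33"},
}

// isAffected reports whether version falls inside any of the given ranges.
func isAffected(version string, ranges []affectedRange) (bool, error) {
	v, err := parsePANVersion(version)
	if err != nil {
		return false, err
	}
	for _, r := range ranges {
		lo, err := parsePANVersion(r.from)
		if err != nil {
			return false, err
		}
		hi, err := parsePANVersion(r.to)
		if err != nil {
			return false, err
		}
		if !less(v, lo) && less(v, hi) {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Constructed sample of os_version values as they might appear in an export.
	for _, v := range []string{"11.2.10-h5", "11.2.10-h6", "12.1.7", "11.1.7", "10.2.0"} {
		hit, err := isAffected(v, ikev2Ranges)
		if err != nil {
			fmt.Println(v, "->", err)
			continue
		}
		fmt.Printf("%-12s affected=%v\n", v, hit)
	}
}
```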
Exim is an open-source Mail Transfer Agent (MTA) for Unix-like operating systems that manages the routing and delivery of email messages via SMTP using a highly flexible and programmable configuration system.
Certain versions of Exim are susceptible to a critical remote code execution (RCE) vulnerability caused by a use-after-free condition in the BDAT body parsing path. The flaw is specifically triggered when Exim is configured to use GnuTLS, the default TLS library for many Debian-based distributions. The vulnerability occurs when a client sends a TLS close_notify alert mid-body during an SMTP CHUNKING (RFC 3030) transfer, followed by a final cleartext byte on the same TCP connection. This specific sequence leads to heap corruption, which a remote, unauthenticated attacker can leverage to execute arbitrary code on the system.
The following versions are affected:
- Exim: Versions prior to 4.99.3 (when configured with GnuTLS).
product:=exim AND banner:"STARTTLS"
FortiAuthenticator is a centralized Identity and Access Management (IAM) solution that provides secure, identity-based access across a network by managing user authentication, multi-factor authentication (MFA), and single sign-on (SSO). It acts as a gatekeeper that integrates with existing directories to ensure only authorized users and devices can access critical resources across the Fortinet Security Fabric and third-party systems.
An improper access control vulnerability in multiple versions of Fortinet FortiAuthenticator may allow a remote attacker to execute unauthorized code or commands via crafted requests.
The following versions are affected:
- FortiAuthenticator 8.0: 8.0.0, 8.0.2
- FortiAuthenticator 6.6: Versions 6.6.0 through 6.6.8
- FortiAuthenticator 6.5: Versions 6.5.0 through 6.5.6
hw:FortiAuthenticator
Fortinet FortiSandbox is a security appliance that identifies unknown threats by executing suspicious files in isolated virtual environments to monitor their behavior and then automates a response by sharing that intelligence across the network to block the detected threat.
A missing authorization vulnerability in multiple Fortinet FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS versions may allow an unauthenticated attacker to execute unauthorized code or commands via HTTP requests.
The following versions are affected:
- FortiSandbox 5.0: Versions 5.0.0 through 5.0.1
- FortiSandbox 4.4: Versions 4.4.0 through 4.4.8
- FortiSandbox Cloud 24: All versions
- FortiSandbox Cloud 23: All versions
- FortiSandbox Cloud 5.0: 5.0.2 through 5.0.5
- FortiSandbox PaaS 23.4: 23.4 all versions
- FortiSandbox PaaS 23.3: 23.3 all versions
- FortiSandbox PaaS 23.1: 23.1 all versions
- FortiSandbox PaaS 22.2: 22.2 all versions
- FortiSandbox PaaS 22.1: 22.1 all versions
- FortiSandbox PaaS 21.4: 21.4 all versions
- FortiSandbox PaaS 21.3: 21.3 all versions
- FortiSandbox PaaS 5.0: 5.0.0 through 5.0.1
- FortiSandbox PaaS 4.4: 4.4.5 through 4.4.8
os:="Fortinet FortiSandbox%"
Ollama is an open-source framework designed for the local deployment, management, and execution of large language models (LLMs) on personal computing hardware.
Certain versions of Ollama are susceptible to a heap out-of-bounds read vulnerability within the GGUF model loader. A remote, unauthenticated attacker could exploit this by sending a specially crafted GGUF file to the /api/create endpoint. When the server processes a GGUF file where the declared tensor offset and size exceed the file's actual length, the functions in fs/ggml/gguf.go and server/quantization.go (WriteTo()) read past the allocated heap buffer during the quantization process.
The resulting memory disclosure may expose sensitive information, including environment variables, API keys, system prompts, and concurrent user conversation data. This data can then be exfiltrated by uploading the resulting model artifact to an attacker-controlled registry via the /api/push endpoint. In the upstream distribution, the /api/create and /api/push endpoints lack authentication. While default deployments bind to 127.0.0.1, the documented OLLAMA_HOST=0.0.0.0 configuration is common in practice, leading to significant public Internet exposure.
The following versions are affected:
- Ollama: Versions prior to 0.17.1
vendor:=Ollama AND product:=Ollama AND source:runzero
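The bounds check that the description above calls for, as an added example in Go that is not Ollama's code: a tensor descriptor's declared offset and size must fit inside the bytes the file actually contains, and the comparison must not be defeated by uint64 wraparound. The tensorInfo type, checkTensorBounds and readTensor are this example's own names, and the sample file is constructed inline.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrTensorOutOfBounds marks a descriptor whose byte range lies outside the file.
var ErrTensorOutOfBounds = errors.New("tensor extends beyond end of file")

// tensorInfo holds what a GGUF tensor descriptor declares: a byte offset
// relative to the start of the data section and the tensor's byte length.
type tensorInfo struct {
	Name   string
	Offset uint64
	Size   uint64
}

// checkTensorBounds verifies that every range [dataStart+Offset, dataStart+Offset+Size)
// lies within a file of fileLen bytes. Each subtraction is guarded by a comparison
// first, so an absurd Offset or Size cannot wrap around and pass the check.
func checkTensorBounds(fileLen, dataStart uint64, tensors []tensorInfo) error {
	if dataStart > fileLen {
		return fmt.Errorf("data section starts at %d but file is only %d bytes: %w",
			dataStart, fileLen, ErrTensorOutOfBounds)
	}
	avail := fileLen - dataStart // bytes actually present in the data section
	for _, t := range tensors {
		if t.Offset > avail {
			return fmt.Errorf("%s: offset %d beyond %d-byte data section: %w",
				t.Name, t.Offset, avail, ErrTensorOutOfBounds)
		}
		if t.Size > avail-t.Offset { // safe: Offset <= avail was proven above
			return fmt.Errorf("%s: offset %d + size %d exceeds %d available bytes: %w",
				t.Name, t.Offset, t.Size, avail, ErrTensorOutOfBounds)
		}
	}
	return nil
}

// readTensor slices the tensor's bytes out of an in-memory file only after
// the descriptor has been validated against the real file length.
func readTensor(file []byte, dataStart uint64, t tensorInfo) ([]byte, error) {
	if err := checkTensorBounds(uint64(len(file)), dataStart, []tensorInfo{t}); err != nil {
		return nil, err
	}
	start := dataStart + t.Offset
	return file[start : start+t.Size], nil
}

func main() {
	// Constructed stand-in for a tiny model file: 64 bytes, data section at byte 32.
	file := make([]byte, 64)
	for i := range file {
		file[i] = byte(i)
	}
	descriptors := []tensorInfo{
		{"ok", 8, 16},                   // fits: bytes 40..55
		{"overlong", 8, 1 << 62},        // declared size far beyond the file
		{"wraparound", ^uint64(0) - 4, 16}, // offset+size would overflow uint64
	}
	for _, d := range descriptors {
		b, err := readTensor(file, 32, d)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Printf("%s: read %d bytes starting with %d\n", d.Name, len(b), b[0])
	}
}
```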
PAN-OS is the proprietary operating system that powers all Palo Alto Networks Next-Generation Firewalls (NGFW) across physical, virtual, and cloud environments. It uses a Single-Pass Parallel Processing (SP3) architecture to provide deep visibility and control over network traffic by identifying applications, users, and content simultaneously.
Certain versions of PAN-OS across PA-Series and VM-series firewalls are susceptible to the following vulnerability:
- CVE-2026-0300: A critical buffer overflow vulnerability in the User-ID Authentication Portal (Captive Portal) of Palo Alto Networks PAN-OS that allows an unauthenticated remote attacker to execute arbitrary code with root privileges.
This vulnerability is known to be exploited in the wild, as determined by its presence on the CISA.gov Known Exploited Vulnerabilities (KEV) list.
The following versions are affected:
- PAN-OS versions 12.1 through 12.1.4-h5, and 12.1.7.
- PAN-OS 11.2 versions through 11.2.4-h17, 11.2.7-h13, 11.2.10-h6, and 11.2.12.
- PAN-OS 11.1 versions through 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5, and 11.1.15.
- PAN-OS 10.2 versions through 10.2.7-h34, 10.2.10-h36, 10.2.16-h21, 10.2.16-h7, and 10.2.18-h6.
hw:="Palo Alto Networks%" AND os:="Palo Alto Networks PAN-OS%" AND (tcp_port:6080 OR tcp_port:6081 OR tcp_port:6082)
Progress MOVEit Automation is a managed file transfer (MFT) orchestration tool used to automate the scheduled or event-driven movement and processing of data between disparate servers, cloud storage environments, and applications via a centralized management interface.
Certain versions of MOVEit Automation are susceptible to vulnerabilities within the service backend command port interfaces. Successful exploitation could allow an attacker to gain unauthorized access, obtain administrative control, or expose sensitive data.
- CVE-2026-4670: An authentication bypass vulnerability that allows a remote, unauthenticated attacker to gain unauthorized access to the system.
- CVE-2026-5174: An improper input validation vulnerability that allows a remote, low-privileged attacker to elevate their privileges.
The following versions are affected:
- MOVEit Automation: Version 2024.1.7 (16.1.7) and prior
- MOVEit Automation: Version 2025.0.8 (17.0.8) and prior
- MOVEit Automation: Version 2025.1.4 (17.1.4) and prior (Affected by CVE-2026-5174 only)
_asset.protocol:http AND protocol:http AND (html.title:="MOVEit Automation%" OR last.html.title:="MOVEit Automation%")
Apache HTTP Server is an open-source, cross-platform application that serves web content by processing requests via the Hypertext Transfer Protocol (HTTP).
Certain versions of Apache HTTP Server are affected by a double free vulnerability that may lead to remote code execution (RCE). This flaw occurs within the HTTP/2 protocol implementation when a stream undergoes an “early reset.” While further technical details are not publicly available at this time, the vulnerability involves a memory management error triggered during specific HTTP/2 communication sequences.
The following versions are affected:
- Apache HTTP Server: Version 2.4.66
Severity & Risk Assessment
- Severity: High – Successful exploitation could allow an attacker to potentially execute arbitrary code on the vulnerable system.
- Risk: High – This vulnerability can be exploited by a low-privileged remote attacker, meaning the barrier to entry for an attacker is low. This significantly increases the likelihood of widespread exploitation.
vendor:=Apache AND product:=HTTPD AND version:>0 AND version:=2.4.66
SonicWall SonicOS is the proprietary operating system that manages the networking, routing, and deep packet inspection security functions for SonicWall physical and virtual firewall appliances.
Certain versions of SonicOS across Gen 6, Gen 7, and Gen 8 firewall platforms are susceptible to the following vulnerabilities:
- CVE-2026-0204: A flaw in the access control mechanism may expose management interface functions under specific conditions. An unauthenticated attacker with adjacent network access could gain unauthorized access to management functionality, potentially leading to security control bypasses or administrative misuse.
- CVE-2026-0205: A post-authentication path traversal vulnerability allows an authenticated attacker with adjacent network access to interact with restricted services.
- CVE-2026-0206: A post-authentication stack-based buffer overflow allows a remote, high-privileged attacker to cause a denial-of-service (DoS) by crashing the firewall.
While unconfirmed, the initial authentication bypass (CVE-2026-0204) may provide an unauthenticated attacker with the privileges necessary to chain and exploit the subsequent path traversal and buffer overflow vulnerabilities.
The following versions are affected:
- Gen 6 Series (TZ 300/400/500/600, NSA 2650–6650, SOHO 250, SM 9200–9650): SonicOS version 6.5.5.1-6n and prior.
- Gen 7 Series (TZ 270–670, NSa 2700–6700, NSsp 10700–15700, NSv 270-870): SonicOS 7.0.1-5169 and prior, and 7.3.1-7013 and prior.
- Gen 8 Series (TZ 80–680, NSa 2800–5800): SonicOS version 8.1.0-8017 and prior.
hw:="SonicWall%" AND os:="SonicWall SonicOS%" AND os_version:>0 AND ((os_version:<"6.5.5.2-28n") OR (os_version:>="7" AND os_version:<"7.3.2-7010") OR (os_version:>="8" AND os_version:<"8.2.0-8009"))
XCP-ng (Xen Cloud Platform - next generation) is a bare-metal hypervisor based on the open-source Xen project that enables multiple virtual machines to run concurrently on a single physical server.
On April 24, 2026, researchers publicly disclosed an audit identifying 89 exploitable vulnerabilities. These issues primarily involve missing input validation across all writable Map(String,String) fields within eight XAPI object types. Consequently, an attacker with the vm-admin management role could theoretically “achieve full host filesystem read/write [access]” and execute “cross-VM data exfiltration” or “pool-wide compromise.” The report claims these actions are possible through “single API calls with no exploit code,” requiring neither a root shell nor triggering security alerts. These vulnerabilities reportedly persisted since the inception of the XAPI codebase (circa 2006). The researchers assigned a CVSS distribution of 5 critical, 28 high, 46 medium, and 10 low, stating that all versions of Citrix XenServer / Hypervisor, XCP-ng, and XAPI-based distributions were affected.
On April 28, 2026, the Xen Project (upstream) and XCP-ng (downstream) released advisories addressing these claims. The Xen Project issued technical advisories XSA-483 through XSA-489 to address the core source code. Notably, XSA-489 serves as a direct rebuttal to the April 24 audit, concluding that only five of the 89 claims were actionable. The remainder were identified as intended Role-Based Access Control (RBAC) functionality or, in several instances, appeared to be “AI hallucinations” within the researcher’s report. Simultaneously, XCP-ng published a blog providing specific security and maintenance updates focused on the practical impact on XCP-ng environments.
Vulnerability Details:
- CVE-2026-23556 (VSA-2026-007, XSA-483): A flaw where oxenstored keeps quota-related use counts across domain destruction. XCP-ng notes this could allow a privileged user in a guest domain to trigger a denial-of-service (DoS) condition by preventing other domains from starting; the XCP-ng advisory classifies this impact as critical.
- CVE-2026-23557 (XSA-484): A denial-of-service (DoS) vulnerability via the XS_RESET_WATCHES command in xenstored.
- CVE-2026-31786 (XSA-485): A Linux kernel out-of-bounds read via a Xen-related sysfs file, potentially leaking sensitive information.
- CVE-2026-23558 (VSA-2026-008, XSA-486): A race condition in grant table v2 status page mapping. XCP-ng notes this use-after-free (UAF) flaw could allow a privileged user in an HVM or PVH guest domain to escalate their privileges to the hypervisor level; the XCP-ng advisory classifies this impact as critical.
- CVE-2026-31787 (XSA-487): A Linux kernel double-free in the Xen privcmd driver; as it requires root privileges, the Xen Project considers the crash potential not security-relevant.
- CVE-2025-54505 (VSA-2026-010, XSA-488): Addresses “Floating Point Divider State Sampling” on certain AMD CPUs. While not an XCP-ng software vulnerability, this update mitigates a hardware issue to prevent a guest VM from inferring data from another VM; the XCP-ng advisory classifies this impact as moderate.
- XAPI RBAC Escalation (VSA-2026-011, XSA-489): This advisory confirms five actionable vulnerabilities: CVE-2026-23559, CVE-2026-23560, CVE-2026-23561, CVE-2026-23562, and CVE-2026-42486. While the first three may allow vm-admin role users to escalate to root privileges in the control domain, the flaw relies on advanced RBAC features not typically exposed in standard management tools or documentation; the XCP-ng advisory classifies this impact as low. This would only impact users with a specific configuration involving an XCP-ng pool using Active Directory for user management where the managed user has the XAPI role vm-admin.
Note: Current advisories suggest that Xen Project vulnerabilities CVE-2026-23557, CVE-2026-31786, CVE-2026-31787, CVE-2026-23562, and CVE-2026-42486 have not yet been addressed specifically by XCP-ng updates.
The following versions are affected:
- XCP-ng: Version 8.3
Note: XCP-ng 8.3 LTS is currently the only release not marked end-of-life (EOL). Therefore, older versions are likely susceptible to these vulnerabilities but fall outside the scope of current security patching and support.
_asset.protocol:http AND protocol:http AND (html.title:="Welcome to XCP-ng%" OR html.title:="XO Lite")
cPanel & WHM comprises two primary components: WebHost Manager (WHM), the administrative interface for server-level infrastructure, and cPanel, the user-facing control panel for managing individual hosting accounts.
Certain versions of cPanel & WHM are affected by a critical login authentication vulnerability. While public details are currently limited, the changelogs for the affected versions cite a fix for an issue regarding session loading and saving (CPANEL-52908), released on April 28, 2026. This vulnerability does not currently have a CVE ID assigned.
Update (April 29, 2026): New details identify this flaw as an authentication bypass vulnerability, now tracked as CVE-2026-41940. The weakness resides in the login flow, enabling remote, unauthenticated attackers to gain full unauthorized access to the control panel.
There is evidence that this vulnerability is being actively exploited in the wild.
The following versions are affected:
- cPanel & WHM 110.0.x: Versions prior to 110.0.97 (11.110.0.97)
- cPanel & WHM 118.0.x: Versions prior to 118.0.63 (11.118.0.63)
- cPanel & WHM 126.0.x: Versions prior to 126.0.54 (11.126.0.54)
- cPanel & WHM 132.0.x: Versions prior to 132.0.29 (11.132.0.29)
- cPanel & WHM 134.0.x: Versions prior to 134.0.20 (11.134.0.20)
- cPanel & WHM 136.0.x: Versions prior to 136.0.5 (11.136.0.5)
Note: Servers running end-of-life or unsupported versions are also likely affected. It is strongly recommended that you upgrade your server to a supported, patched version immediately.
vendor:=cPanel AND (product:=cPanel OR product:=WHM)
GitHub Enterprise Server (GHES) is a self-hosted version of GitHub that allows organizations to run an isolated instance of the platform on their own physical or virtual infrastructure, independent of external cloud services.
Certain versions of GHES are affected by a remote code execution (RCE) vulnerability due to improper neutralization of special elements. Successful exploitation could allow an authenticated, low-privileged user with push access to any repository, including one they created themselves, to achieve arbitrary command execution on the GitHub server via a single git push using crafted push option values containing an unsanitized delimiter character.
The following versions are affected:
- GHES 3.14.x: Versions prior to 3.14.25
- GHES 3.15.x: Versions prior to 3.15.20
- GHES 3.16.x: Versions prior to 3.16.16
- GHES 3.17.x: Versions prior to 3.17.13
- GHES 3.18.x: Versions prior to 3.18.7
- GHES 3.19.x: Versions prior to 3.19.4
vendor:=GitHub AND product:="Enterprise%"
Citrix XenServer, formerly known as Citrix Hypervisor, is a bare-metal hypervisor based on the open-source Xen project that enables multiple virtual machines to run concurrently on a single physical server.
On April 24, 2026, researchers publicly disclosed an audit identifying 89 exploitable vulnerabilities. These issues primarily involve missing input validation across all writable Map(String,String) fields within eight XAPI object types. Consequently, an attacker with the vm-admin management role “can achieve full host filesystem read/write [access], cross-VM data exfiltration, storage protocol injection, cross-hypervisor lateral movement, and pool-wide compromise through single API calls with no exploit code, no root shell, and no security alerts.” These vulnerabilities have persisted since the inception of the XAPI codebase (circa 2006). The researchers assigned the following CVSS severity distribution: 5 critical, 28 high, 46 medium, and 10 low.
These vulnerabilities do not currently have CVE IDs assigned.
The following products and versions are affected:
- Citrix Hypervisor or XenServer: All versions
- XCP-ng: All versions
- Any XAPI-based hypervisor distribution
Update (April 29, 2026): The Xen Project (upstream) and Citrix (downstream) released separate but related advisories to address these claims. The Xen Project issued technical advisories XSA-483 through XSA-489 to address the core source code. Notably, XSA-489 serves as a direct rebuttal to the April 24 audit, concluding that only five of the 89 claims were actionable. The remainder were identified as intended RBAC functionality or, in several instances, appeared to be “AI hallucinations” within the researcher’s report.
Simultaneously, Citrix released Security Bulletin CTX696527 to provide specific updates and hotfixes for commercial users, focusing on the practical impact to the XenServer environments.
Vulnerability Details:
- CVE-2026-23556 (XSA-483): A flaw where oxenstored keeps quota-related use counts across domain destruction. Citrix notes this could allow a privileged user in a guest VM to cause the host to crash or become unresponsive.
- CVE-2026-23557 (XSA-484): A Denial of Service (DoS) vulnerability via the XS_RESET_WATCHES command in xenstored.
- CVE-2026-31786 (XSA-485): A Linux kernel out-of-bounds read via a Xen-related sysfs file, potentially leaking sensitive information.
- CVE-2026-23558 (XSA-486): A race condition in grant table v2 status page mapping. Citrix notes this could allow a privileged user in a guest VM to compromise the host under specific circumstances.
- CVE-2026-31787 (XSA-487): A Linux kernel double-free in the Xen privcmd driver; as it requires root privileges, the Xen Project considers the crash potential not security-relevant.
- CVE-2025-54505 (XSA-488): Addresses “Floating Point Divider State Sampling” on certain AMD CPUs. While not a XenServer software vulnerability, this update mitigates a hardware issue to prevent a guest VM from inferring data from a different VM.
- XAPI RBAC Escalation (XSA-489): This advisory confirms five actionable vulnerabilities: CVE-2026-23559, CVE-2026-23560, CVE-2026-23561, CVE-2026-23562, and CVE-2026-42486. Citrix warns that the first three in particular may allow host administrators to gain access beyond the limits of their assigned RBAC role.
Note: Current advisories suggest that Xen Project vulnerabilities CVE-2026-23557, CVE-2026-31786, CVE-2026-31787, CVE-2026-23562, and CVE-2026-42486 have not yet been addressed specifically by Citrix updates.
The following versions are affected:
- Citrix XenServer: Version 8.4
Note: Citrix XenServer 9.x is currently in Public Preview and not covered by standard security bulletins; as such, it may be affected by these issues.
os:="Citrix XenServer"
LiteLLM Proxy is an open-source gateway that enables applications to interact with multiple large language model (LLM) providers through a single, standardized API by translating requests into the specific formats required by each service.
Certain versions of LiteLLM Proxy are susceptible to multiple vulnerabilities that can be chained together to achieve remote code execution (RCE). In the official LiteLLM container images, the process runs as root. For deployments outside of these official containers, the code executes with the privileges of the user account running the proxy process. Research regarding the exploit chain involving GHSA-r75f-5x8p-qvmc and GHSA-xqmj-j6mv-4862 indicates that the vulnerable code path only triggers after the server has processed “a minimum amount of legitimate interaction.”
These vulnerabilities do not currently have CVE IDs assigned. Update (April 27, 2026): The advisories now reflect assigned CVE IDs; however, these remain in a “reserved” state, and further details have not yet been provided by the CNA.
Update (May 8, 2026): There is evidence that CVE-2026-42208 is being actively exploited in the wild.
- CVE-2026-42208: A SQL injection vulnerability exists in the API key verification process due to improper error handling. A remote, unauthenticated attacker can exploit this by sending a specially crafted Authorization header to any LLM API endpoint (e.g., /chat/completions). Successful exploitation allows an attacker to read or potentially modify database data, leading to unauthorized access to the proxy and the credentials it manages.
- CVE-2026-42203: A server-side template injection (SSTI) vulnerability in the /prompts/test API endpoint arises from the improper neutralization of user-supplied prompt templates, which are rendered without sandboxing. A crafted template can execute arbitrary code within the LiteLLM Proxy process. Successful exploitation allows a remote, authenticated user to access secrets in the process environment (e.g., provider API keys or database credentials) or execute arbitrary code on the host.
- CVE-2026-42271: An authenticated command execution vulnerability exists in the MCP stdio test endpoints (/mcp-rest/test/connection and /mcp-rest/test/tools/list), which are used to preview an MCP server before saving. A remote, low-privileged attacker can exploit this by providing a crafted server configuration in the request body. The command is spawned as a subprocess on the proxy host with the privileges of the proxy process.
The following versions are affected:
- LiteLLM: Versions 1.81.16 through 1.83.6
_asset.protocol:http AND protocol:http AND (html.title:="LiteLLM%" OR last.html.title:="LiteLLM%")
CrowdStrike Falcon LogScale (formerly Humio) is a log management and observability platform that ingests, stores, and enables real-time search of large-volume streaming data using an index-free architecture.
Certain versions of self-hosted LogScale are susceptible to an unauthenticated path traversal vulnerability. A remote, unauthenticated attacker could exploit a specific, exposed cluster API endpoint to read arbitrary files from the server filesystem. This vulnerability does not affect Next-Gen SIEM customers.
The following versions are affected:
- LogScale Self-Hosted (GA): Versions 1.224.0 through 1.234.0 (inclusive)
- LogScale Self-Hosted (LTS): Version 1.228.0 and 1.228.1
_asset.protocol:http AND protocol:http AND (http.head.server:="Humio-%" OR last.http.head.server:="Humio-%")
Each Rapid Response includes a query to find matching assets, a trigger to analyze all inventories for exposure, and a corresponding blog post with the details of the issue. This program focuses on helping customers mitigate exposures before compromise.