6.8
CVE-2026-1653 - Local Divide-by-Zero Vulnerability in Lenovo Smart Connect Virtual Bus Driver Causing Blue Screen
A potential divide by zero vulnerability was reported in the Lenovo Virtual Bus driver used in Smart Connect that could allow a local authenticated user to cause a Windows blue screen error.
6.9
CVE-2026-1652 - Buffer Overflow in Lenovo Smart Connect Virtual Bus Driver Causing Windows BSOD
A potential buffer overflow vulnerability was reported in the Lenovo Virtual Bus driver used in Smart Connect that could allow a local authenticated user to corrupt memory and cause a Windows blue screen error.
8.4
CVE-2026-0940 - Improper BIOS Initialization Allowing Local Privilege Escalation on Lenovo ThinkPads
A potential improper initialization vulnerability was reported in the BIOS of some ThinkPads that could allow a local privileged user to modify data and execute arbitrary code.
7.5
CVE-2026-2368 - Improper Certificate Validation in Lenovo FileZ Allows Arbitrary Code Execution
An improper certificate validation vulnerability was reported in the Lenovo Filez application that could allow a user capable of intercepting network traffic to execute arbitrary code.
6
CVE-2026-1068 - Improper Certificate Validation in Lenovo FileZ Allows Sensitive Data Interception
An improper certificate validation vulnerability was reported in the Lenovo Filez application that could allow a user capable of intercepting network traffic to obtain sensitive user data from the application.
2.4
CVE-2026-0520 - Local Authenticated User Can Read Sensitive Data from Log File in Lenovo FileZ Android App
A potential vulnerability was reported in the Lenovo FileZ Android application that, under certain conditions, could allow a local authenticated user to retrieve some sensitive data stored in a log file.
3.7
CVE-2026-32109 - Copyparty has unexpected JavaScript execution via crafted URL to folder with `.prologue.html`
Copyparty is a portable file server. Prior to 1.20.12, if an attacker has been given both read- and write-permissions to the server, they can upload a malicious file with the filename .prologue.html and then craft a link to potentially execute arbitrary JavaScript in the victim's context. Note that…
2.3
CVE-2026-32108 - Copyparty ftp/sftp: Sharing a single file did not fully restrict source-folder access
Copyparty is a portable file server. Prior to 1.20.12, there was a missing permission-check in the shares feature (the shr global-option). This vulnerability only applies when the shares feature is used for the specific purpose of creating a share of just a single file inside a folder or either the…
5.4
CVE-2026-32104 - StudioCMS: IDOR in User Notification Preferences Allows Any Authenticated User to Modify Any User's…
StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.3, the updateUserNotifications endpoint accepts a user ID from the request payload and uses it to update that user's notification preferences. It checks that the caller is logged in but never verifie…
4.7
CVE-2026-32106 - StudioCMS: REST API Missing Rank Check Allows Admin to Create Peer Admin Accounts
StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.3, the REST API createUser endpoint uses string-based rank checks that only block creating owner accounts, while the Dashboard API uses indexOf-based rank comparison that prevents creating users at o…