9.8
CVE-2026-0111 - OutβofβBounds Write Causing Remote Privilege Escalation in Android SMS Utility
In ns_GetUserData of ns_SmscbUtilities.c, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
7.6
CVE-2026-30967 - Parse Server OAuth2 authentication adapter account takeover via identity spoofing
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.9. and 8.6.22, the OAuth2 authentication adapter, when configured without the useridField option, only verifies that a token is active via the provider's token introspection β¦
9.8
CVE-2026-0110 - Memory corruption in Android message handler allows privilege escalation with no user interaction
In MM_DATA_IND of cn_NrSmMsgHdlrFromMM.cpp, there is a possible EoP due to memory corruption. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
7.5
CVE-2026-0109 - Android dhd_ip.c Denial of Service via TCP Data Info Retrieval
In dhd_tcpdata_info_get of dhd_ip.c, there is a possible Denial of Service due to a precondition check failure. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.
4
CVE-2026-0108 - Misconfigured PowerVR GPU Register Protection Enables Local Information Disclosure
The register protection of the PowerVR GPU is incorrectly configured. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
8.4
CVE-2026-0107 - Local privilege escalation in Android gmc_ddr module due to confused deputy
In gmc_ddr_handle_mba_mr_req of gmc_mba_ddr.c, there is a possible escalation of privileges due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
8.4
CVE-2025-36920 -
In hyp_alloc of arch/arm64/kvm/hyp/nvhe/alloc.c, there is a possible out of bounds write due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
10
CVE-2026-30966 - Parse Server role escalation and CLP bypass via direct `_Join` table write
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.7 and 8.6.20, Parse Server's internal tables, which store Relation field mappings such as role memberships, can be directly accessed via the REST API or GraphQL API by any clβ¦
9.9
CVE-2026-30965 - Parse Server session token exfiltration via `redirectClassNameForKey` query parameter
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.8 and 8.6.21, a vulnerability in Parse Server's query handling allows an authenticated or unauthenticated attacker to exfiltrate session tokens of other users by exploiting tβ¦
7.1
CVE-2026-30962 - Parse Server has a protected fields bypass via logical query operators
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.6 and 8.6.19, the validation for protected fields only checks top-level query keys. By wrapping a query constraint on a protected field inside a logical operator, the check iβ¦