CVE-2026-9642

critical
Published 2026-05-26 · Modified 2026-06-03
CVSS v3
9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4 NEW
not yet in upstream
VIR risk
9.8

Description

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

Predictions

Exploit likelihood
97%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

community-verified Authored 2026-05-29
**Immediate actions:**

1. Block the vulnerable endpoint at your reverse proxy or WAF:

```nginx
location ~ ^/api/db/ {
    deny all;
    return 403;
}
```

2. Restrict the database listener to localhost only. In DIAView config (`config/database.xml`):

```xml
<listener bind="127.0.0.1" port="5432" />
```

3. Restart DIAView service:

```bash
systemctl restart diaview
```

**Rollback:** Remove the nginx block and revert `database.xml` to original bind address.

**Note:** This will break remote DB queries for legitimate integrations—coordinate with ops teams before applying. Test in staging first.

Application impact

| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| deltaww | diaview | {"endIncluding":"4.4.0"} | |

References

CWEs

CWE-321
