210 CVEs tracked today. 16 Critical, 58 High, 70 Medium, 21 Low.
-
CVE-2026-49777
CRITICAL
CVSS 10.0
Backdoor/malicious code implant in the ShapedPlugin Product Slider Pro for WooCommerce WordPress plugin (versions before 3.5.3) allows remote unauthenticated attackers full compromise of the hosting site with CVSS 10.0 and a scope-changing vector. The Patchstack reference characterizes this as a backdoor vulnerability, and no public exploit has been identified at the time of analysis, though the trivial nature of supply-chain implants means abuse is plausible. Notably, the vendor patched the existing release without bumping the version number, so administrators cannot reliably tell whether their installation is fixed.
WordPress
Information Disclosure
-
CVE-2026-48907
CRITICAL
CVSS 10.0
Unauthenticated remote code execution in the JCE (Joomla Content Editor) extension for Joomla allows attackers to create editor profiles without authentication, then leverage that capability to upload and execute arbitrary PHP code on the server. With a CVSS 4.0 score of 10.0 and the CVSS:4.0 'U:Red' urgency flag set by the vendor, this represents a critical broken-access-control flaw, though no public exploit has been identified at time of analysis.
PHP
Authentication Bypass
-
CVE-2026-47731
CRITICAL
CVSS 9.1
Path traversal in NASA AMMOS AIT-Core's Binary Stream Capture (BSC) component allows unauthenticated remote attackers to direct the ait-bsc process to append attacker-controlled binary data to arbitrary files on the host filesystem, limited only by the OS permissions of the running process. Affected are AIT-Core 3.1.0 and all 2.x versions before 2.6.1, exploitable via a direct HTTP request if the BSC port is network-accessible or via a browser-based CSRF attack that works even against localhost-bound deployments. Publicly available exploit code exists (python_poc.py, attacker_tcp.py, and test1.html), though no CISA KEV listing was identified at time of analysis.
RCE
Denial Of Service
Python
Path Traversal
Canonical
-
CVE-2026-47670
CRITICAL
Authenticated remote code execution in DbGate (all versions through 7.1.8) allows any user with valid credentials to execute arbitrary OS commands as the process owner - root in Docker - by injecting newline-delimited JavaScript into the unsanitized `functionName` parameter of the `/runners/load-reader` API endpoint. A prior partial mitigation (`require = null`) introduced in commit cf3f95c (June 2025) is trivially bypassed using the dynamic `import()` language keyword, which cannot be nullified at runtime. Publicly available exploit code exists demonstrating full root-level command execution; this vulnerability is not listed in CISA KEV at time of analysis.
Privilege Escalation
RCE
Python
Docker
Command Injection
-
CVE-2026-47669
CRITICAL
Remote code execution in DbGate versions 7.1.8 and earlier allows network-adjacent attackers to achieve full container compromise via a Zip Slip flaw in the archive unzip endpoint. Because the default Docker deployment runs as root and the bundled 'none' authentication provider issues JWT tokens without credentials, any attacker reachable on the network can upload a malicious ZIP that writes files anywhere on the filesystem, including cron entries for code execution. Publicly available exploit code exists in the GHSA advisory itself, and an upstream patched release (7.1.9) is available.
Python
Docker
Path Traversal
-
CVE-2026-47668
CRITICAL
CVSS 10.0
Unauthenticated remote code execution in DbGate (npm package dbgate-serve, versions <= 7.1.8) lets remote attackers execute arbitrary Node.js code by injecting JavaScript through the functionName parameter of the POST /runners/start JSON script runner. Default Docker deployments ship with Anonymous authentication enabled, making this exploitable without credentials (CVSS 10.0), and a public Nuclei template plus detailed PoC mean publicly available exploit code exists even though no CISA KEV listing was identified at time of analysis.
RCE
Docker
Node.js
-
CVE-2026-45750
CRITICAL
CVSS 9.0
Command injection in Termix server management platform before version 2.3.2 allows authenticated users to execute arbitrary shell commands on remote SSH-managed hosts via the File Manager's resolvePath endpoint. The flaw stems from incomplete shell escaping that only handles double quotes while leaving command substitution syntax interpretable. No public exploit identified at time of analysis, but the GitHub Security Advisory (GHSA-v26q-rpv5-9m72) and CVSS 9.0 rating signal high impact across confidentiality, integrity, and availability of downstream SSH targets.
Command Injection
Termix
-
CVE-2026-45748
CRITICAL
CVSS 9.8
OS command injection in Termix web-based server management platform prior to version 2.3.2 allows remote unauthenticated attackers to execute arbitrary commands on the source SSH host via the POST /ssh/tunnel/connect endpoint. The flaw stems from user-controlled host record fields being interpolated directly into shell commands without escaping, yielding persistent code execution. No public exploit identified at time of analysis, but a vendor-released patch is available in version 2.3.2.
Command Injection
Termix
-
CVE-2026-45746
CRITICAL
CVSS 9.0
Cross-tenant remote code execution in Termix (web-based SSH/file management platform) prior to version 2.3.2 allows an authenticated low-privileged user to hijack another user's active File Manager session by tampering with a client-supplied sessionId, gaining full read/write/execute access to that victim's remote VPS over their established SSH connection. The CVSS 9.0 score reflects scope change (the compromised session crosses the trust boundary into the victim's separate VPS) and high impact across CIA. No public exploit is identified at time of analysis and the issue is not listed in CISA KEV, but the trivial nature of incrementing/guessing an unvalidated identifier makes exploitation straightforward once a foothold account exists.
Authentication Bypass
Termix
-
CVE-2026-45744
CRITICAL
CVSS 9.9
Remote command execution in Termix web-based server management platform (versions prior to 2.3.2) allows any authenticated user with an active File Manager SSH session to execute arbitrary OS commands on the connected remote host via the GET /ssh/file_manager/ssh/resolvePath endpoint. The vulnerability stems from improper shell escaping that fails to neutralize $(...) and backtick command substitution, yielding a CVSS 9.9 critical rating with scope change. No public exploit identified at time of analysis, but the vendor advisory (GHSA-37f4-wq95-pg33) provides sufficient technical detail to develop one trivially.
Command Injection
Termix
-
CVE-2026-11250
CRITICAL
CVSS 9.6
Information disclosure in Google Chrome DevTools prior to version 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to read potentially sensitive data from process memory by serving a crafted HTML page. The flaw stems from a use-after-free condition (CWE-416) in DevTools, and while Google rates the underlying Chromium severity as Low, the NVD CVSS of 9.6 reflects the cross-origin scope change possible when chained with a prior renderer compromise. No public exploit identified at time of analysis.
Information Disclosure
Google
Use After Free
Memory Corruption
-
CVE-2026-6274
CRITICAL
CVSS 9.8
Authentication bypass in DTS Electronics Redline WR3200 firmware versions 7.1.3 through 7.1.7 allows remote unauthenticated attackers to access functionality not properly constrained by ACLs, leading to full compromise of the device. The CVSS 9.8 rating reflects network-reachable exploitation with no privileges or user interaction required, though no public exploit has been identified at time of analysis. The flaw maps to CWE-287 (Improper Authentication) and was reported through Turkey's national CERT (USOM).
Authentication Bypass
-
CVE-2026-6209
CRITICAL
CVSS 9.1
Authorization bypass in HAVELSAN Geographic Tracking System versions prior to v0.0.2 allows remote unauthenticated attackers to access restricted functionality and sensitive geospatial tracking data due to missing ACL enforcement. The CVSS 9.1 (AV:N/AC:L/PR:N/UI:N) vector and CWE-284 classification indicate trivially exploitable broken access control affecting confidentiality and integrity of tracked entities. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Authentication Bypass
-
CVE-2026-6208
CRITICAL
CVSS 9.1
Authorization bypass in HAVELSAN Inc. Geographic Tracking System versions prior to v0.0.2 allows remote unauthenticated attackers to access or modify other users' data by manipulating user-controlled identifiers. The CVSS 9.1 score reflects high confidentiality and integrity impact achievable over the network without authentication, though no public exploit has been identified at time of analysis. The flaw was reported by TR-CERT (Turkey's national CERT), suggesting coordinated disclosure for a regionally deployed product.
Authentication Bypass
-
CVE-2025-71318
CRITICAL
CVSS 9.3
Unauthenticated administrative access in Riello UPS NetMan 204 network management cards allows remote attackers to read sensitive configuration and invoke privileged power-control commands by requesting administrative pages directly. With CVSS 4.0 score 9.3, publicly available exploit code exists (Exploit-DB 52183), enabling attackers to trigger UPS shutdown, reboot, bypass-switching, and battery tests against the protected infrastructure without any credentials.
Authentication Bypass
Netman 204
-
CVE-2025-71317
CRITICAL
CVSS 9.3
Remote unauthenticated administrative access to Riello UPS NetMan 204 devices is possible via a hard-coded backdoor account ('eurek'/'eurek') exposed through the cgi-bin/login.cgi endpoint. The flaw (CWE-798) carries a CVSS 4.0 base of 9.3 and publicly available exploit code exists (Exploit-DB 52183, VulnCheck advisory), enabling full takeover of UPS management functions including configuration changes and enabling telnet/SSH. The issue is not listed in CISA KEV as actively exploited at time of analysis, but the trivially abusable static credential makes opportunistic exploitation highly likely.
Authentication Bypass
Netman 204
-
CVE-2026-50733
HIGH
CVSS 8.6
Remote code execution in the Markdown Preview Enhanced extension (versions before 0.8.28) allows attackers to run arbitrary JavaScript when a victim previews or exports a crafted markdown document containing a WaveDrom diagram. The flaw stems from the renderer evaluating untrusted markdown content with eval() across every render path - live preview, presentation mode, and HTML export - and can also be triggered via raw HTML <script type="WaveDrom"> injection. No public exploit identified at time of analysis; EPSS data was not provided, but the high CVSS 4.0 score (8.6) and trivial trigger via a shared markdown file make this a meaningful risk for developer workstations.
RCE
Code Injection
Markdown Preview Enhanced
-
CVE-2026-50593
HIGH
CVSS 7.3
Out-of-bounds write in the SIL Graphite smart-font rendering engine before 1.3.15 allows attackers to corrupt memory by supplying a malicious font file that triggers an integer underflow in the slotat macro. Exploitation requires a victim to render attacker-controlled font content in an application that embeds Graphite (such as Firefox, LibreOffice, or Pango-based renderers), and no public exploit has been identified at time of analysis.
Buffer Overflow
Integer Overflow
-
CVE-2026-50265
HIGH
CVSS 7.0
Local privilege escalation in libinput affects Red Hat Enterprise Linux 7, 8, 9, and 10 by allowing a local attacker with access to /dev/uinput to inject arbitrary udev properties via the libinput-device-group helper. Exploitation can result in root code execution through abuse of udev REMOVE_CMD properties that are run when a device is removed, mapping to CWE-78 (OS Command Injection). No public exploit identified at time of analysis, but the issue is vendor-confirmed by Red Hat.
RCE
Command Injection
-
CVE-2026-50264
HIGH
CVSS 7.8
Out-of-bounds heap write in X.Org X server and Xwayland DRI2 buffer handling allows a local authenticated client to corrupt server memory by requesting multiple DRI2BufferBackLeft attachments alongside one DRI2BufferFrontLeft. Successful exploitation crashes the display server or, when the X server runs setuid root (a still-common legacy deployment), enables local privilege escalation to root. No public exploit is identified at time of analysis and the issue is not listed in CISA KEV.
Privilege Escalation
Buffer Overflow
Memory Corruption
-
CVE-2026-50261
HIGH
CVSS 7.8
Local privilege escalation in the X.Org X server and Xwayland arises from a use-after-free in SyncChangeCounter() that a local authenticated attacker can trigger by orchestrating two client connections - one creating multiple SyncCounters, the other destroying them while they are being changed. On systems where the X server still runs as root (common on legacy Linux setups), successful exploitation yields root code execution; at minimum it crashes the display server. No public exploit identified at time of analysis, but the bug is confirmed by Red Hat and a fix has landed upstream in xserver.
Privilege Escalation
Use After Free
Memory Corruption
-
CVE-2026-50260
HIGH
CVSS 7.8
Local privilege escalation in the X.Org X server and Xwayland arises from a use-after-free in FreeCounter() when SyncCounter objects are destroyed across multiple client connections. Authenticated local attackers on affected Red Hat Enterprise Linux 6 through 10 systems can crash the server or escalate to root when the X server runs with elevated privileges. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Privilege Escalation
Use After Free
Memory Corruption
-
CVE-2026-50259
HIGH
CVSS 7.8
Stack-based buffer overflow in X.Org X server and Xwayland's _XkbSetMapChecks() function allows local authenticated attackers to crash the server or potentially escalate privileges to root when the X server runs with elevated privileges. The flaw resides in CheckKeyTypes() writing to a fixed mapWidths[256] stack buffer at a client-controlled offset, affecting Red Hat Enterprise Linux versions 6 through 10. No public exploit identified at time of analysis, but an upstream fix has been merged into the xserver repository.
Privilege Escalation
Buffer Overflow
Stack Overflow
-
CVE-2026-50258
HIGH
CVSS 7.8
Local privilege escalation in X.Org X server and Xwayland stems from an incomplete fix for CVE-2025-26597, where CheckKeyTypes() fails to clamp non-canonical key types to XkbMaxShiftLevel, enabling stack-based buffer overflows. Authenticated local users on Red Hat Enterprise Linux 6 through 10 can crash the display server or, when X runs as root, escalate to root privileges. No public exploit has been identified at time of analysis, though the upstream commit reveals the vulnerable code path and the prior CVE-2025-26597 has known exploitation history.
Privilege Escalation
Buffer Overflow
Stack Overflow
Canonical
-
CVE-2026-50257
HIGH
CVSS 7.8
Local privilege escalation in X.Org X server and Xwayland enables authenticated local users to trigger a use-after-free in miSyncDestroyFence() by racing two client connections against a shared fence object. Successful exploitation can crash the display server or escalate privileges to root when the X server runs as root, which remains common on legacy and embedded Linux deployments. No public exploit identified at time of analysis, but an upstream fix has been committed by the X.Org maintainers.
Privilege Escalation
Use After Free
Memory Corruption
-
CVE-2026-50256
HIGH
CVSS 7.8
Local privilege escalation in the X.Org X server and Xwayland stems from a stack-based buffer overflow during font alias resolution, where a 256-byte server-side stack buffer is overrun by libXfont2 alias target names of up to 1023 bytes. An authenticated local attacker who can influence font alias files can crash the server or, when the X server runs as root, escalate to root privileges. No public exploit is identified at time of analysis and CVSS is 7.8 (Local/Low complexity/Low privileges).
Privilege Escalation
Buffer Overflow
Stack Overflow
-
CVE-2026-50234
HIGH
CVSS 8.7
Unauthenticated arbitrary file read in Lyrion Music Server 9.2.0 allows remote attackers to retrieve sensitive files from the host by manipulating directory traversal sequences in file path parameters handled by the embedded web server. The flaw is network-reachable with no authentication or user interaction required, and publicly available exploit code exists via the Zero Science Lab advisory ZSL-2026-5992. No CISA KEV listing or EPSS score was provided, so widespread exploitation has not been confirmed, but the low barrier to abuse makes opportunistic scanning likely.
Path Traversal
-
CVE-2026-49493
HIGH
CVSS 8.6
Arbitrary code execution in Markdown Preview Enhanced (shd101wyy) before 0.8.28 lets a crafted markdown document run attacker-controlled JavaScript when rendered or exported, because Bitfield fenced code blocks were evaluated through interpretJS() / vm.runInNewContext() instead of being parsed as data. CVSS 4.0 scores this 8.6 with network vector and active user interaction; no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
RCE
Code Injection
Markdown Preview Enhanced
-
CVE-2026-49492
HIGH
CVSS 8.6
Remote code execution in Markdown Preview Enhanced before 0.8.28 on Windows allows attackers to inject OS commands through crafted markdown documents that abuse the diagram filename attribute, imported file paths, or the latex_engine code-chunk attribute, all of which were passed through a shell without validation. Exploitation requires the victim to preview the malicious document (UI:A), and no public exploit has been identified at time of analysis, though VulnCheck-published advisory details and a tagged fix release make weaponization straightforward.
Command Injection
Microsoft
Markdown Preview Enhanced
-
CVE-2026-48095
HIGH
CVSS 8.8
Remote code execution in 7-Zip versions 26.00 and earlier is achievable via a crafted NTFS image that triggers a heap buffer overflow in the archive handler, overwriting an adjacent C++ object's vtable pointer to hijack control flow. The flaw stems from an undefined-behavior shift in CInStream::GetCuSize() that under-allocates a buffer to just one byte, into which up to 256 MB of attacker-controlled data is then written. Exploitation requires the victim to open or extract a malicious archive (UI:R), but the NTFS handler is enabled by default and is selected via signature matching regardless of file extension; no public exploit has been identified at time of analysis.
RCE
Buffer Overflow
Denial Of Service
Memory Corruption
-
CVE-2026-48017
HIGH
CVSS 8.8
Remote code execution in DbGate (npm package dbgate-api) versions 7.1.8 and earlier allows any authenticated user with basic access to execute arbitrary OS commands by injecting JavaScript into the `functionName` parameter of the `POST /runners/load-reader` endpoint. The flaw stems from unsanitized string interpolation into a server-side script template, and the `require=null` sandbox is bypassed via `process.binding("spawn_sync")`. Publicly available exploit code exists (vendor-published PoC in the GHSA advisory), and the issue carries a CVSS 8.8 rating with low-complexity, low-privilege exploitation.
Privilege Escalation
RCE
Docker
Node.js
Code Injection
-
CVE-2026-47684
HIGH
CVSS 7.7
Server-Side Request Forgery in Sync-in Server versions 2.2.1 and earlier allows authenticated low-privileged users to bypass the private-IP blocklist by supplying URLs that resolve to IPv4-mapped IPv6 addresses (::ffff:127.0.0.1, ::ffff:10.x.x.x). The URL download feature's regExpPrivateIP regex fails to recognize the dual-stack representation, letting the server fetch internal resources it should refuse. No public exploit identified at time of analysis beyond the reporter's PoC; the issue is not listed in CISA KEV.
SSRF
Node.js
-
CVE-2026-47419
HIGH
CVSS 8.3
Cross-workspace Insecure Direct Object Reference in praisonai-platform before 0.1.4 allows any authenticated workspace member to read, modify, or delete AI agents belonging to entirely different workspaces by supplying a foreign agent UUID to the CRUD endpoints. The membership authorization gate checks only whether the caller belongs to the workspace in the URL path - it never verifies that the target agent actually resides in that workspace - so an attacker with any valid JWT can pivot across tenant boundaries. In multi-tenant deployments where agents store LLM API keys in runtime_config (BYOK), this also becomes a credential theft vector. No public exploit is identified at time of analysis, though GHSA-7p8g-6c6g-h9w7 publishes a complete step-by-step exploit chain.
Authentication Bypass
Python
-
CVE-2026-47387
HIGH
Stored cross-site scripting in NocoDB versions up to and including 2026.05.0 allows any user with editor role on a base to inject a javascript: URL into a shared form's redirect_url field, which executes in the NocoDB origin when an authenticated viewer submits the public share-link form. The payload can exfiltrate the session token from localStorage['nocodb-gui-v2'] and impersonate the viewer against authenticated APIs. No public exploit identified at time of analysis, but the vulnerability is documented in detail by the reporter and a vendor-released patch (2026.05.1) is available.
XSS
-
CVE-2026-47383
HIGH
Stored Cross-Site Scripting in NocoDB versions up to and including 2026.05.0 allows an authenticated user with comment permissions to inject HTML payloads into row comments that execute as JavaScript when other users hover over the comment in the expanded form view. The injected script runs in the NocoDB origin under the victim's session and can exfiltrate the auth JWT from localStorage, enabling account takeover. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
XSS
-
CVE-2026-47261
HIGH
CVSS 7.5
File truncation bypass in wasmtime-wasi allows guest WebAssembly modules to truncate (destroy contents of) host files that should be read-only, by invoking the wasip2 `descriptor.open-at` or wasip1 `path_open` interfaces with only the `OpenFlags::TRUNCATE` flag set. The bug affects embeddings that combine `DirPerms::MUTATE` with `FilePerms::READ` (read-only file permissions plus directory mutation), defeating the host's enforced `FilePerms::WRITE` access control. No public exploit identified at time of analysis; CVSS 7.5 reflects the integrity-only impact (C:N/I:H/A:N).
Authentication Bypass
-
CVE-2026-47249
HIGH
CVSS 7.5
Remote denial of service in klever-go v1.7.17 allows any connected P2P peer to send a 442-byte compressed RequestDataType_HashArrayType message that expands into 200,000 decoded hash entries, driving roughly 156 MiB of heap pressure and synchronous CPU work per request inside TxResolver and TrieNodeResolver. The flaw stems from antiflood logic that only counts compressed wire size, leaving validator nodes exposed to resource exhaustion from repeated or concurrent malicious requests. Publicly available exploit code exists (vendor-published PoC) but the issue is not in CISA KEV; EPSS data was not provided.
Denial Of Service
-
CVE-2026-45749
HIGH
CVSS 8.1
Authentication bypass of MFA in Termix versions prior to 2.3.2 allows an attacker who already holds a victim's account password to disable TOTP or regenerate backup codes via the POST /users/totp/disable and POST /users/totp/backup-codes endpoints, completely neutralizing the second factor. The flaw stems from these MFA-critical endpoints accepting the account password as the sole authentication factor, meaning credential stuffing, phishing, or a leaked password hash (referenced as GHSA-xxxx) is sufficient to defeat 2FA. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Information Disclosure
Termix
-
CVE-2026-45745
HIGH
CVSS 8.0
Machine-in-the-middle interception of HTTPS traffic in Termix Desktop (Electron) starting at version 1.7.0 allows attackers positioned on the network path to steal login credentials and JWT/session tokens because the Electron client disables TLS certificate validation entirely. No public exploit identified at time of analysis and the issue is not in CISA KEV, but the CVSS 8.0 rating with scope-change and the absence of any vendor-released patch make this a meaningful concern for any user running Termix Desktop on untrusted networks.
Information Disclosure
Termix
-
CVE-2026-45743
HIGH
CVSS 8.1
Cross-tenant SSH session hijacking in Termix versions prior to 2.3.2 allows any authenticated user to fully control another user's connected SSH host via predictable session identifiers. Sixteen file-manager endpoints fail to verify ownership of the `sessionId` parameter, enabling read, write, delete, download, and execute operations on victim hosts. No public exploit identified at time of analysis, but the multi-tenant deployment model and low attack complexity make this a high-priority issue for shared installations.
Authentication Bypass
Termix
-
CVE-2026-45726
HIGH
CVSS 7.6
Sensitive credential disclosure in Sidero Labs Omni (versions 1.3.0–1.6.5 and 1.7.0–1.7.2) allows authenticated users with the low-privileged Reader role to read the ImportedClusterSecrets resource and exfiltrate the full CA private key bundle (Kubernetes, etcd, Talos, and service-account keys) of imported Talos clusters whose secrets have not been rotated. With those keys, attackers can mint cluster-admin certificates and seize complete control of the downstream cluster outside Omni's control plane. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Information Disclosure
Kubernetes
-
CVE-2026-45720
HIGH
CVSS 7.0
Authentication bypass via SAML session replay in Siderolabs Omni stems from a TOCTOU race condition in the SAML interceptor (internal/pkg/auth/interceptor/saml.go), where the SAMLAssertion 'Used' flag is checked and updated non-atomically. Concurrent requests bearing the same saml-session token can each observe Used==false, allowing an attacker who has intercepted a victim's token to authenticate multiple times as the victim and persist access by registering attacker-controlled public keys. No public exploit identified at time of analysis; the issue was reported by bugbunny.ai and fixed in Omni v1.6.6 and v1.7.3.
Denial Of Service
-
CVE-2026-45291
HIGH
CVSS 7.5
Denial of service in CloudburstMC Network versions prior to 1.0.0.CR3-20260418.124334-32 allows remote unauthenticated attackers to close the parent Netty channel, rendering the network layer inoperable. Any publicly accessible application depending on the affected library is exposed, and no public exploit has been identified at time of analysis. The CVSS 7.5 score reflects a high impact on availability with no confidentiality or integrity loss.
Information Disclosure
-
CVE-2026-45290
HIGH
CVSS 7.5
Denial of service in Cloudburst Network (cloudburstmc/network) versions prior to 1.0.0.CR3-20260417.085727-30 allows remote attackers to stall the underlying Netty event loop, rendering network processing inoperable for any publicly accessible application that depends on the library. The flaw scores CVSS 7.5 with a fully remote, low-complexity, unauthenticated availability impact, and no public exploit has been identified at time of analysis.
Denial Of Service
-
CVE-2026-25659
HIGH
CVSS 7.1
Denial of service in Ericsson Packet Core Gateway (PCG) versions prior to 1.30 allows an adjacent-network attacker to degrade telecom packet core service by continuously sending a specially crafted message that triggers improper handling of missing values (CWE-230). The condition persists only while the attack is sustained - the system self-recovers once traffic stops - and no public exploit has been identified at time of analysis, but the CVSS 4.0 score of 7.1 reflects high availability impact on a carrier-grade network function.
Denial Of Service
Ericsson
-
CVE-2026-25658
HIGH
CVSS 7.1
Denial of service in Ericsson Packet Core Gateway (PCG) versions prior to 1.30 allows adjacent network attackers to degrade service availability by continuously transmitting specially crafted messages that trigger improper handling of missing values (CWE-230). The affected PCG nodes crash repeatedly under sustained attack but self-recover once traffic stops, so impact is transient yet operationally significant for mobile core networks. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Denial Of Service
Ericsson
-
CVE-2026-25657
HIGH
CVSS 7.1
Denial of service in Ericsson Packet Core Gateway (PCG) versions prior to 1.30 allows an adjacent-network attacker to degrade service by continuously transmitting malformed messages that the gateway fails to parse safely. The condition causes recurring crashes that persist only while the attack is active, with automatic recovery once it stops, and no public exploit has been identified at time of analysis.
Denial Of Service
Ericsson
-
CVE-2026-21837
HIGH
CVSS 8.7
OS command injection in HCL Digital Experience 9.5 allows authenticated remote attackers to execute arbitrary operating system commands through the Digital Asset Management API, inheriting the privileges of the application service account and potentially achieving full host takeover and data compromise. The CVSS 4.0 base score of 8.7 reflects high confidentiality, integrity, and availability impact over a network vector with low attack complexity and only low privileges required, though no public exploit has been identified at time of analysis. The vulnerability was disclosed by the vendor (HCL) and is tracked in ENISA's EUVD as EUVD-2026-34786.
Command Injection
-
CVE-2026-11369
HIGH
CVSS 7.1
Cross-tenant comment access in linqi BPM platform versions through 1.4.8.5 allows any authenticated user to read and write comments on arbitrary process objects across all business units by supplying a chosen GUID to the /api/Comment endpoints. The flaw stems from missing authorization checks on the relatedObjectId parameter and carries a CVSS 4.0 score of 7.1 with no public exploit identified at time of analysis. Because exploitation requires only low-privilege credentials and no user interaction, it is well-suited to insider abuse or post-compromise lateral movement within multi-tenant deployments.
Authentication Bypass
-
CVE-2026-11332
HIGH
CVSS 7.8
Arbitrary code execution in ansible-core's ansible-galaxy role install command allows malicious role authors to execute code on a victim's machine when the victim installs the role. The flaw stems from improper neutralization of argument delimiters (CWE-88) in the src field of meta/requirements.yml, allowing injection of arbitrary git configuration flags. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
RCE
-
CVE-2026-11307
HIGH
CVSS 8.8
Remote code execution in Google Chrome's PDFium component prior to version 149.0.7827.53 allows a remote attacker to execute arbitrary code within the renderer sandbox by enticing a user to open a crafted PDF file. The flaw is a use-after-free memory corruption issue (CWE-416) carrying a CVSS 8.8 rating, though Chromium rated its security severity as Low and no public exploit has been identified at time of analysis. User interaction is required, and code execution is constrained to the Chrome sandbox absent a chained sandbox escape.
RCE
Denial Of Service
Google
Use After Free
Memory Corruption
-
CVE-2026-11306
HIGH
CVSS 8.8
Remote code execution in Google Chrome versions prior to 149.0.7827.53 stems from a use-after-free flaw in the PDFium component, allowing a remote attacker to execute arbitrary code within the renderer sandbox by serving a crafted PDF file. While exploitation is constrained to the sandbox and requires user interaction (visiting a page or opening a PDF), the CVSS score of 8.8 reflects the high impact on confidentiality, integrity, and availability if combined with a sandbox escape. No public exploit identified at time of analysis, and CISA SSVC indicates exploitation status of 'none'.
RCE
Denial Of Service
Google
Use After Free
Memory Corruption
-
CVE-2026-11305
HIGH
CVSS 8.8
Remote code execution in Google Chrome's PDFium component prior to version 149.0.7827.53 allows a remote attacker to execute arbitrary code within the renderer sandbox via a crafted PDF file. The flaw is a use-after-free memory corruption issue (CWE-416) requiring user interaction to open or render the malicious PDF, and no public exploit has been identified at time of analysis. Chromium rates the security severity as Low despite the CVSS 8.8 score, reflecting the sandbox containment of the resulting code execution.
RCE
Denial Of Service
Google
Use After Free
Memory Corruption
-
CVE-2026-11304
HIGH
CVSS 8.8
Heap corruption in Google Chrome's PDFium component before version 149.0.7827.53 allows remote attackers to potentially execute arbitrary code by tricking a user into opening a crafted PDF file. The flaw is a use-after-free (CWE-416) carrying a CVSS 8.8 rating, though no public exploit has been identified at time of analysis and the EPSS exploitation probability is negligible at 0.03% (11th percentile). Google rates the Chromium severity as Low despite the high CVSS, reflecting the requirement for user interaction and absence of observed exploitation.
Denial Of Service
Google
Use After Free
Memory Corruption
-
CVE-2026-11303
HIGH
CVSS 8.8
Remote code execution in Google Chrome versions prior to 149.0.7827.53 stems from a use-after-free flaw in the PDFium component that parses PDF documents. A remote attacker who lures a user into opening a crafted PDF can execute arbitrary code, though execution is contained within Chrome's renderer sandbox. No public exploit is identified at time of analysis, and SSVC indicates no observed exploitation.
RCE
Denial Of Service
Google
Use After Free
Memory Corruption
-
CVE-2026-11301
HIGH
CVSS 8.8
Out-of-bounds memory access in Google Chrome's LiveCaption component prior to version 149.0.7827.53 allows a remote attacker to read beyond allocated buffers by delivering crafted network traffic to a user with the feature in use. EPSS is very low (0.03%, 11th percentile) and there is no public exploit identified at time of analysis, though Google's Chromium tracker rated severity Low while NVD's CVSS scored it 8.8 High - a notable disparity worth weighing when prioritizing.
Buffer Overflow
Information Disclosure
Google
-
CVE-2026-11297
HIGH
CVSS 7.7
Navigation restriction bypass in Google Chrome on Android prior to 149.0.7827.53 allows a local attacker to circumvent Reader Mode input validation by supplying a malicious file. No public exploit identified at time of analysis, and EPSS scores exploitation probability at just 0.02% (4th percentile); Google has released a fix in the stable channel. Chromium internally rates this as Low severity despite the elevated NVD CVSS of 7.7.
Authentication Bypass
Google
-
CVE-2026-11296
HIGH
CVSS 7.5
Privilege escalation in Google Chrome's ImageCapture component before 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to escape sandbox boundaries via a crafted HTML page. The flaw was reported by Google's internal security team and is rated medium-low by Chromium itself despite the 7.5 CVSS score, and no public exploit has been identified at time of analysis. SSVC indicates no known exploitation but total technical impact if successfully chained.
Privilege Escalation
Google
-
CVE-2026-11279
HIGH
CVSS 8.8
Remote code execution in Google Chrome's DevTools component prior to version 149.0.7827.53 allows a remote attacker to execute arbitrary code within the browser sandbox by luring a user to a crafted HTML page. The flaw stems from an out-of-bounds read (CWE-125) and carries a CVSS 8.8 rating, though no public exploit has been identified at time of analysis and CISA SSVC marks exploitation status as 'none'. Code execution is confined to the renderer sandbox, requiring chaining with a sandbox escape for full system compromise.
RCE
Buffer Overflow
Information Disclosure
Google
-
CVE-2026-11262
HIGH
CVSS 8.8
Remote code execution in Google Chrome versions prior to 149.0.7827.53 stems from a use-after-free flaw in the TabStrip component, enabling a remote attacker who lures a victim to a crafted HTML page to corrupt memory and execute arbitrary code within the renderer context. Google rates the underlying Chromium severity as Low, but the CVSS base score of 8.8 reflects the potential impact when chained with a sandbox escape. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
RCE
Denial Of Service
Google
Use After Free
Memory Corruption
-
CVE-2026-11256
HIGH
CVSS 8.3
Sandbox escape in Google Chrome's GPU process prior to version 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to break out of the sandbox via a crafted HTML page that triggers an integer overflow. The flaw, tagged as a buffer overflow with information disclosure potential, requires user interaction and a chained renderer compromise, and no public exploit has been identified at time of analysis despite Chromium rating the underlying severity as Low.
Buffer Overflow
Information Disclosure
Google
-
CVE-2026-11255
HIGH
CVSS 7.5
Cross-origin data leakage in Google Chrome's Storage Access API affects desktop versions prior to 149.0.7827.53, enabling a remote attacker who has already compromised the renderer process to exfiltrate sensitive cross-origin information via a specially crafted HTML page. Google rates the underlying Chromium severity as Low, though NVD assigns CVSS 7.5 due to the unauthenticated network vector, and no public exploit has been identified at time of analysis.
Information Disclosure
Google
-
CVE-2026-11248
HIGH
CVSS 8.8
Navigation restriction bypass in Google Chrome's Lens component prior to version 149.0.7827.53 allows a remote attacker to circumvent browser security boundaries via a crafted HTML page. The flaw requires user interaction (UI:R) to trigger, but no authentication, and Google classifies the Chromium security severity as Low despite the NVD CVSS of 8.8. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Authentication Bypass
Google
-
CVE-2026-11242
HIGH
CVSS 7.5
Cross-origin data disclosure in Google Chrome versions prior to 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to leak data across origin boundaries by serving a crafted HTML page through the Plugins component. No public exploit has been identified at time of analysis, and Chromium rates the underlying issue as Low severity despite the NVD CVSS of 7.5. The flaw stems from insufficient validation of untrusted input (CWE-20) within Chrome's plugin handling path.
Information Disclosure
Google
-
CVE-2026-11241
HIGH
CVSS 8.0
Privilege escalation in Google Chrome's Cast component (versions prior to 149.0.7827.53) allows an adjacent network attacker to elevate privileges by delivering a crafted HTML page that exploits insufficient input validation. Exploitation requires the victim to interact with the malicious content, and no public exploit has been identified at time of analysis despite a CVSS score of 8.0. Google has classified the Chromium security severity as Low, suggesting the practical impact is more constrained than the numeric score implies.
Privilege Escalation
Google
-
CVE-2026-11239
HIGH
CVSS 7.5
Privilege escalation in Google Chrome prior to 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to escape sandbox-style restrictions via the Extensions subsystem using a crafted HTML page. The flaw requires user interaction and high attack complexity, and is rated Low severity by the Chromium team despite the 7.5 CVSS score; no public exploit identified at time of analysis.
Privilege Escalation
Google
-
CVE-2026-10586
HIGH
CVSS 7.2
Server-Side Request Forgery in the Essential Blocks WordPress plugin (versions through 6.1.3) allows authenticated users with Author-level access or higher to coerce the WordPress server into making arbitrary outbound HTTP requests via the save_ai_generated_image() function. The flaw enables attackers to probe internal network services, read responses from internal endpoints, and potentially modify state on services that trust requests from the WordPress host. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
WordPress
SSRF
-
CVE-2026-8914
HIGH
CVSS 8.4
Privilege escalation via eval-based command injection in Teltonika Networks RUTOS (7.22-7.23.2) and TSWOS (1.09-1.09.1) allows an authenticated lower-privileged operator to execute arbitrary commands as root through the rpc-profile component. The flaw stems from unsafe evaluation of user-controllable input in a Lua/UCI RPC handler and is constrained to local/management-plane access, with no public exploit identified at time of analysis. The CVSS 4.0 score of 8.4 reflects total host compromise once a low-tier admin account is obtained on the device.
Command Injection
Code Injection
-
CVE-2026-8714
HIGH
CVSS 7.1
Denial of service in the RTSP server of TP-Link Tapo C520WS v2 IP cameras allows adjacent network attackers to render the camera's video streaming service non-responsive by sending syntactically invalid RTSP input. The flaw is reachable without authentication or user interaction from the local network segment (CVSS 4.0 vector AV:A/PR:N/UI:N), and no public exploit has been identified at time of analysis. While confidentiality and integrity are unaffected, availability of the surveillance stream is fully impacted, which is operationally significant for a security camera.
Information Disclosure
TP-Link
Tapo C520Ws V2
-
CVE-2026-2379
HIGH
CVSS 8.2
Information disclosure in Arista EOS on platforms with hardware IPsec support can occur when physical interface flaps or specific agent restarts cause IPsec tunnels to re-establish while reusing existing Security Associations, leading to sequence number mismatches between endpoints. The CVSS 4.0 base score of 8.2 reflects high confidentiality impact reachable over the network, though attack requirements (AT:P) indicate specific preconditions must be met. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Information Disclosure
Eos
-
CVE-2025-59174
HIGH
CVSS 7.1
Denial-of-service in Ericsson Packet Core Controller (PCC) versions prior to 1.39 allows an adjacent-network attacker without credentials to degrade service by flooding the controller with specially crafted messages. The CVSS 4.0 score of 7.1 reflects high availability impact with no confidentiality or integrity loss; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Information Disclosure
Ericsson
-
CVE-2025-5090
HIGH
CVSS 7.1
Denial of service in Arista CloudVision Exchange (CVX) allows an attacker with high-privilege access to a connected switch to crash CVX agents by sending malformed TCP packets, causing instability across the CVX cluster. The flaw stems from improper input validation (CWE-20) of messages received from connected switches, and no public exploit has been identified at time of analysis.
Denial Of Service
-
CVE-2025-5089
HIGH
CVSS 7.1
Denial of service in Arista EOS switches and CloudVision Exchange (CVX) servers arises from improper input validation in the TCP messaging protocol that governs EOS-CVX cluster communication. Sending malformed messages in either direction - from a CVX server to an EOS switch, or vice versa - triggers a Sysdb agent crash on the EOS device (causing a soft reset) or agent crashes on the CVX server (causing cluster-wide instability). Exploitation requires the attacker to already hold high-privilege access on a device within the cluster, and no public exploit code or CISA KEV listing exists at time of analysis, making this a targeted insider or post-compromise threat rather than an opportunistic one.
Denial Of Service
Eos Cloudvision Exchange Cvx
-
CVE-2025-5088
HIGH
CVSS 8.7
Privilege escalation in Arista CloudVision Exchange (CVX) allows an authenticated attacker with network reach to the Redis service to obtain full root access across every server in the CVX cluster. The flaw stems from CVX's reliance on Redis for inter-node coordination combined with the fact that Redis traffic - including authentication - is transmitted in plaintext, meaning anyone who can sniff a single session can replay credentials to compromise the entire cluster. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Privilege Escalation
Redis
-
CVE-2026-50592
MEDIUM
CVSS 6.4
Reflected cross-site scripting in Znuny's AdminCommunicationLog (communication log administration view) allows a low-privileged authenticated attacker to inject arbitrary JavaScript that executes in the context of other users' browsers, with changed scope indicating impact beyond the vulnerable component itself. Affected releases are Znuny LTS before 6.5.21 and Znuny before 7.3.3. No public exploit identified at time of analysis and this CVE does not appear in CISA KEV, though the low-complexity, network-accessible attack vector and changed scope elevate practical concern for deployments with untrusted low-privilege users.
XSS
-
CVE-2026-50591
MEDIUM
CVSS 5.4
Stored cross-site scripting in Znuny's user preferences mechanism allows an authenticated low-privileged attacker to inject persistent malicious scripts that execute in other users' browsers, crossing security boundaries (S:C) to potentially compromise administrator sessions or perform unauthorized actions on their behalf. Both the LTS branch (before 6.5.21) and the main release branch (before 7.3.3) are affected. Vendor-released patches exist for both branches; no public exploit identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog.
XSS
-
CVE-2026-50590
MEDIUM
CVSS 4.5
Arbitrary file access in Mimecast Incydr versions before 2.6.0 exposes endpoints to unauthorized read and write operations against files outside the application's intended scope, rooted in incorrect permission assignments (CWE-732). The CVSS 3.1 Changed Scope indicator (S:C) confirms that exploitation can reach resources beyond the Incydr agent boundary - meaningful given that Incydr is itself an insider risk monitoring platform that may store sensitive activity logs and configuration on the endpoint. Mimecast has released version 2.6.0 as the fix; no public exploit identified at time of analysis.
Information Disclosure
-
CVE-2026-50263
MEDIUM
CVSS 5.5
Use-after-free read in X.Org X server and Xwayland's CreateSaverWindow() function exposes heap memory to local authenticated users, resulting in information disclosure. A low-privileged local X client can manipulate window attributes and force screen saver activation to trigger a read from freed memory, leaking potentially sensitive heap contents (C:H/I:N/A:N). No public exploit identified at time of analysis, and this vulnerability is not listed in CISA KEV; however, an upstream fix commit has been published and a Red Hat advisory is available.
Information Disclosure
Use After Free
Memory Corruption
-
CVE-2026-50262
MEDIUM
CVSS 5.5
Out-of-bounds read in X.Org X server and Xwayland's GLX extension handler `__glXDisp_ChangeDrawableAttributes()` allows a local low-privileged user to disclose sensitive memory contents from the X server process. Faulty size validation permits reading a client-controlled number of bytes beyond the request buffer boundary, resulting in high confidentiality impact per CVSS. A secondary write path exists in the same function but is gated behind byte-swapped client support, which is disabled by default, substantially limiting its practical exposure. No public exploit code and no CISA KEV listing have been identified at time of analysis.
Buffer Overflow
Information Disclosure
-
CVE-2026-50235
MEDIUM
CVSS 5.1
Reflected cross-site scripting in Lyrion Music Server 9.2.0 allows unauthenticated remote attackers to inject arbitrary JavaScript into victims' browsers via unsanitized advanced search parameters, enabling session token theft and account hijacking with a single user-click interaction. The changed scope (S:C) in the CVSS vector confirms the injected script executes outside the origin of the vulnerable application, amplifying cross-domain impact. No public exploit identified at time of analysis and no CISA KEV listing, but the ZeroScience Lab advisory reference is a known PoC-publishing outlet - PoC availability should be treated as likely pending confirmation.
XSS
-
CVE-2026-50233
MEDIUM
CVSS 6.9
Arbitrary filesystem directory listing in Lyrion Music Server 9.2.0 exposes any host directory to remote unauthenticated attackers via the readdirectory query, which accepts an unsandboxed folder parameter with no path restriction. Both the CLI service on TCP port 9090 and the HTTP JSON-RPC endpoint at /jsonrpc.js are affected, presenting a dual-protocol attack surface that requires no credentials in the default configuration. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, though the trivial attack complexity - a single unauthenticated network request - significantly lowers the real-world barrier to abuse.
Information Disclosure
-
CVE-2026-50232
MEDIUM
CVSS 5.1
Stored cross-site scripting in Lyrion Music Server 9.2.0 allows remote attackers to inject JavaScript payloads via media file metadata fields (GENRE, ARTIST, ALBUM) that execute when other users browse the web interface. With CVSS 7.2 and a changed scope, successful exploitation can reach management functions and disclose settings. No public exploit identified at time of analysis, and no CISA KEV listing.
XSS
-
CVE-2026-50231
MEDIUM
CVSS 5.1
Stored cross-site scripting in Lyrion Music Server 9.2.0's log viewer allows unauthenticated remote attackers to inject persistent JavaScript via unescaped template variables, executing arbitrary scripts in the browsers of administrators or other users who view the logs. Injection vectors include the search, lines, and path query parameters as well as indirect channels such as URLs, User-Agent headers, stream titles, and player names that get written to the server log. No public exploit identified at time of analysis, but the CVSS 7.2 score reflects a scope-changed impact (S:C) due to the cross-origin nature of XSS.
XSS
-
CVE-2026-50230
MEDIUM
CVSS 5.1
Reflected cross-site scripting in Lyrion Music Server 9.2.0 allows a remote unauthenticated attacker to inject and execute arbitrary JavaScript in a victim's browser by tricking them into visiting a crafted URL targeting the server.log endpoint's search parameter. The vulnerability carries a changed scope (S:C in CVSS), meaning malicious script executes in the context of the affected application's origin, enabling session theft, credential harvesting, or UI redressing against users of the media server interface. No public exploit is confirmed at time of analysis, and no KEV listing exists, but the advisory was published to zeroscience.mk - a research outlet that routinely accompanies disclosures with proof-of-concept code.
XSS
-
CVE-2026-49343
MEDIUM
CVSS 5.9
Throttler slot exhaustion in klever-go's account-data trie syncer enables unauthenticated remote attackers to permanently consume all `NumGoRoutinesThrottler` slots by causing repeated trie-node sync failures or timeouts during epoch bootstrap, halting node participation in consensus. Both `userAccountsSyncer.syncDataTrie()` and `kappAccountsSyncer.syncDataTrie()` call `StartProcessing()` but omit `EndProcessing()` on three distinct error paths, meaning each failed sync permanently leaks one slot for the lifetime of that throttler instance. A runtime proof-of-concept is publicly confirmed in GHSA-fw38-pc54-jvx9 showing that exactly N timeout failures exhaust a capacity-N throttler; no CISA KEV listing exists at time of analysis, but the operational impact on bootstrapping validators is severe.
Denial Of Service
-
CVE-2026-48112
MEDIUM
CVSS 6.5
Heap out-of-bounds read in 7-Zip's Unix ar archive parser (versions 9.18 through 26.00) allows a remote unauthenticated attacker to leak uninitialized heap memory contents by convincing a user to open a specially crafted archive. The ParseLibSymbols function mishandles the BSD-style __.SYMDEF symbol table by reading 4 bytes past the end of a heap allocation when the namesSize field position equals the buffer boundary, exposing heap data with high confidentiality impact. No public exploit has been identified at time of analysis, and no KEV listing exists; version 26.01 patches the issue.
Buffer Overflow
Integer Overflow
7 Zip
-
CVE-2026-48111
MEDIUM
CVSS 4.3
Off-by-one out-of-bounds read in 7-Zip's UEFI firmware image parser (versions 9.21-26.00) allows a network-adjacent attacker to trigger either a denial of service (application crash) or minor information disclosure of an adjacent static .rdata string literal into archive metadata, simply by convincing a user to open a crafted UEFI-containing archive. The vulnerability is reached automatically upon archive open with no special user action beyond opening the file, and affects default 7-Zip installations because the UEFI handler is enabled out-of-the-box. No public exploit code has been identified at time of analysis, no KEV listing exists, and the impact is bounded: there is no write primitive and no disclosure of heap data, secrets, or ASLR base addresses.
Buffer Overflow
Denial Of Service
Information Disclosure
7 Zip
-
CVE-2026-48104
MEDIUM
CVSS 4.2
Uninitialized heap read in 7-Zip's SquashFS archive handler (versions 9.18 through 26.00) can crash the application and leak raw heap memory contents when a user opens a specially crafted archive. The flaw originates in the `_blockToNode` array, which is allocated but never zero-initialized; an attacker-controlled `blockIndex` derived from the RootInode superblock field drives a binary search over uninitialized slots, producing a chained out-of-bounds read with no write primitive. No public exploit has been identified at time of analysis, and the description explicitly characterizes exploitation as heap-layout-dependent and not reliably triggerable, which is consistent with the CVSS AC:H rating and limits practical risk despite the network-deliverable attack surface.
Denial Of Service
Information Disclosure
-
CVE-2026-48103
MEDIUM
CVSS 4.3
Off-by-one heap out-of-bounds read in 7-Zip's WIM archive handler (versions 9.34-26.00) allows a remote unauthenticated attacker to trigger denial of service - and potentially minor information disclosure - by delivering a crafted WIM file. The vulnerability is zero-click exploitable in the GUI: 7zFM.exe automatically calls GetRawProp(kpidNtSecure) for every listed item, triggering the OOB read without any additional user interaction beyond opening or navigating to the malicious archive. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Buffer Overflow
Denial Of Service
Information Disclosure
Microsoft
-
CVE-2026-48101
MEDIUM
CVSS 6.5
Uninitialized heap memory disclosure in 7-Zip's UEFI capsule (.scap) parser exposes potentially sensitive heap contents when an unauthenticated remote attacker delivers a crafted capsule file that a user opens. The OpenCapsule function allocates a heap buffer sized by the attacker-controlled CapsuleImageSize field without zero-initialization, then silently ignores read failures on truncated files, causing the unread tail - containing raw heap data - to be surfaced as extracted file content. Affecting versions 9.21 through 26.00, a fix is available in 26.0.1; no public exploit code has been identified at time of analysis.
Information Disclosure
-
CVE-2026-48092
MEDIUM
CVSS 4.3
Heap memory disclosure in 7-Zip 9.34 through 26.00 (32-bit builds only) allows a remote unauthenticated attacker to leak arbitrary heap contents into attacker-controlled extracted files by supplying a crafted SquashFS archive. The root cause is a 32-bit integer overflow in the SquashFS ReadBlock function: because size_t is 32 bits on 32-bit builds, the addition of offsetInBlock and blockSize wraps modulo 2³², bypassing the fragment bounds check and directing memcpy to read heap memory preceding the intended cache buffer. No public exploit has been identified at time of analysis, and no CISA KEV listing exists. Version 26.01 patches the issue.
Buffer Overflow
Information Disclosure
-
CVE-2026-47680
MEDIUM
Path traversal vulnerabilities in Flux source-controller (CWE-23) expose two distinct attack surfaces on the controller pod. In the Bucket reconciler, an actor who can influence object keys in a referenced bucket can cause source-controller to write fetched data to arbitrary paths on the pod filesystem, escaping the per-reconciliation working directory sandbox. Separately, authenticated Kubernetes users with GitRepository create/update RBAC permissions can exploit the sparse-checkout feature (v1.6.0+) to enumerate file paths on the controller pod via the resource's status field. Both issues are patched in source-controller v1.8.5; no public exploit has been identified at time of analysis and this CVE is not listed in CISA KEV.
Path Traversal
-
CVE-2026-47386
MEDIUM
OAuth authorization code exchange in NocoDB versions up to 2026.05.0 is vulnerable to a race condition that breaks the single-use guarantee enforced by PKCE. By submitting two or more concurrent token-exchange requests before the server atomically marks the authorization code as consumed, an attacker who controls a malicious OAuth client can obtain multiple valid (access_token, refresh_token) pairs from a single authorization code, resulting in unauthorized long-lived session access alongside the legitimate token. Fixed in 2026.05.1 via an atomic compare-and-swap database operation; no public exploit has been identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog.
Information Disclosure
Race Condition
Microsoft
-
CVE-2026-47385
MEDIUM
Path traversal in NocoDB allows authenticated users with base-create permission to point a SQLite data source at any file readable or writable by the NocoDB server process, including its own internal state databases. The flaw exists in the SQLite client and base/integration create services, which accept a caller-supplied filename and pass it directly to filesystem calls without any path restriction or canonicalization. An attacker exploiting this can read or overwrite `noco.db`, tenant databases under `nc_minimal_dbs/`, or any other file accessible to the NocoDB process - enabling full internal state disclosure, cross-tenant data access, and destructive modification. No public exploit has been identified at time of analysis, and a vendor-released patch exists in version 2026.05.1.
Path Traversal
-
CVE-2026-47384
MEDIUM
SQL injection in NocoDB's bulk groupBy endpoint allows authenticated users holding column-create or column-rename permissions to read arbitrary data from the connected database by crafting a malicious column title. Affected versions are all NocoDB npm releases up to and including 2026.05.0; a vendor-released patch is available in 2026.05.1. No public exploit code has been identified and the vulnerability is not listed in CISA KEV, but the low complexity of exploitation once authenticated and the direct database read impact make prompt patching a priority for any internet-exposed NocoDB deployment.
SQLi
-
CVE-2026-47382
MEDIUM
Server-Side Request Forgery in NocoDB (npm/nocodb, versions up to and including 2026.05.0) allows authenticated users with connection-test permission to direct the NocoDB server process to open raw TCP sockets to attacker-specified internal destinations, including Redis instances, cloud metadata endpoints (e.g., AWS IMDSv1 at 169.254.169.254), and internal databases. The vulnerable connection-test endpoint accepted user-supplied database hostnames without DNS resolution or address-range validation, effectively making NocoDB an unauthenticated SSRF proxy to the internal network from the server's vantage point. No public exploit has been identified at time of analysis; a vendor-released patch exists in version 2026.05.1.
SSRF
Redis
-
CVE-2026-47381
MEDIUM
Cross-workspace tenant isolation bypass in NocoDB exposes database integration credentials across organizational boundaries via the testConnection endpoint. Any authenticated user holding a creator or owner role on any base in any workspace can supply a foreign workspace's integration ID to invoke its connection test, gaining access to that workspace's stored database credentials and the ability to drive its underlying database. No public exploit code is identified at time of analysis, but vendor-released patch 2026.05.1 is available and resolves the issue.
Authentication Bypass
-
CVE-2026-47379
MEDIUM
Timing oracle in NocoDB's shared-view password authentication allows a network-positioned attacker to recover legacy plaintext passwords character-by-character through response time measurement. Affected installations are those where shared-view passwords were set before the bcrypt migration - passwords stored as bcrypt hashes (prefixed $2a$/$2b$) were never vulnerable. The strict-equality (===) JavaScript comparison leaked both password length and per-character prefix timing, enabling incremental brute-force without any prior authentication. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Information Disclosure
Oracle
-
CVE-2026-47378
MEDIUM
Hidden column exposure in NocoDB public shared-view endpoints allows unauthenticated attackers holding only a shared-view UUID to read data that view owners explicitly marked as hidden. Three independent bypass paths exist: groupBy parameters accept arbitrary column names and return raw cell values, filter and sort arrays accept hidden column IDs enabling boolean-blind row-count extraction, and the related-data list endpoint accepts link-column IDs from unrelated tables in the same base - leaking records beyond the intended view scope. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV, but the attack requires no credentials and targets a commonly shared URL, making any NocoDB deployment with public shared views and hidden sensitive columns an immediately addressable risk.
Authentication Bypass
-
CVE-2026-47377
MEDIUM
Open redirect in NocoDB's client-side hashRedirect plugin allows any attacker to silently send visitors from a legitimate NocoDB origin to an attacker-controlled domain by embedding a protocol-relative path in the URL hash fragment. All NocoDB npm releases prior to 2026.04.1 are affected; the flaw exists in `packages/nc-gui/plugins/hashRedirect.client.ts` where a single `startsWith('/')` check fails to exclude `//attacker.com/...` paths, which browsers resolve as absolute URLs. No public exploit has been identified at time of analysis, but the technique requires zero tooling and no authentication, making phishing campaigns against NocoDB users trivially constructable.
Open Redirect
-
CVE-2026-47376
MEDIUM
Reflected XSS in NocoDB's password-reset flow allows an unauthenticated attacker to execute arbitrary JavaScript in the victim's browser within the NocoDB origin by sending a crafted password-reset link. The vulnerability stems from the EJS server-side template rendering the reset token directly into a JavaScript string literal without escaping single quotes or backslashes, enabling string-context escape. Any NocoDB instance running versions prior to 2026.04.1 is affected; no public exploit identified at time of analysis, though the advisory includes a functional proof-of-concept payload.
XSS
-
CVE-2026-47375
MEDIUM
CVSS 6.0
SQL injection in NocoDB's Postgres formula engine exposes authenticated creators to arbitrary SQL execution via the unvalidated `direction` argument of the `ARRAYSORT(...)` formula function. All NocoDB instances on npm/nocodb versions prior to 2026.04.1 using Postgres-backed bases are affected; MySQL and SQLite backends are not. An attacker holding creator/owner-level `columnAdd` permission can inject persistent SQL that executes during column creation and re-executes on every subsequent read of the formula column, enabling confirmed denial-of-service and potentially broader data access depending on database-level permissions. No public exploit identified at time of analysis; this vulnerability is not listed in CISA KEV.
SQLi
PostgreSQL
-
CVE-2026-47279
MEDIUM
Hidden LTAR column exposure in NocoDB's public shared-view API allows anyone holding a valid share UUID to read linked records from columns the view owner explicitly hid. The handlers `publicMmList`, `publicHmList`, and `relDataList` enforced column-to-view-model membership but omitted a check on the per-column `show` flag, creating a gap between the public `/rows` response (which correctly omits hidden columns) and the relation sub-endpoints (which did not). All nocodb npm package versions up to and including 2026.05.0 are affected; a vendor-released patch is available in 2026.05.1. No public exploit code or CISA KEV listing is identified at time of analysis.
Authentication Bypass
-
CVE-2026-47250
MEDIUM
CVSS 6.1
Argument injection in the kubectl_generic tool of mcp-server-kubernetes (npm, ≤ 3.6.2) enables Kubernetes bearer token exfiltration through indirect prompt injection, allowing privilege escalation to the operator's full RBAC permissions. An attacker with limited cluster access plants a crafted JSON payload in pod log output; when an AI agent using the MCP server reads those logs and follows the injected instruction, kubectl_generic calls kubectl with attacker-controlled --server and --insecure-skip-tls-verify flags, forwarding the operator's kubeconfig bearer token to an attacker-controlled HTTPS endpoint. A fully working public PoC exists confirmed end-to-end on a live kind cluster using Claude Haiku; the fix is available in version 3.7.0. No active exploitation per CISA KEV is confirmed at time of analysis.
Privilege Escalation
Python
Kubernetes
Node.js
OpenSSL
-
CVE-2026-21826
MEDIUM
CVSS 6.1
Host header injection in HCL Digital Experience and HCL Digital Experience Compose enables unauthenticated remote attackers to manipulate HTTP Host headers, causing the application to generate attacker-controlled redirect URLs targeting victims - a classic open redirect primitive (CWE-601) confirmed by the Open Redirect tag. The CVSS 6.1 score reflects Changed scope (S:C), meaning impact crosses beyond the vulnerable component, with low confidentiality and integrity impact consistent with phishing and session-hijacking abuse. No public exploit code or CISA KEV listing has been identified at time of analysis.
Open Redirect
-
CVE-2026-21825
MEDIUM
CVSS 6.1
Reflected cross-site scripting in HCL Digital Experience Compose's search center allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser session. The CVSS Scope:Changed rating reflects that the injected script executes outside the originating application's security domain, enabling session hijacking, credential harvesting, or malicious UI redirection against authenticated portal users. No public exploit code and no active exploitation have been identified at time of analysis, though the low attack complexity and absence of privilege requirements make it trivially deliverable via phishing.
XSS
-
CVE-2026-21038
MEDIUM
CVSS 5.9
Out-of-bounds memory access in Samsung Android USB Driver for Windows (all versions prior to 1.9.5.0) allows a local attacker without elevated privileges to corrupt or read memory beyond allocated bounds, resulting in high availability impact and low integrity impact on the affected Windows host. Samsung has released version 1.9.5.0 as the corrective patch, documented under EUVD-2026-34810. No public exploit code exists and the vulnerability is not listed in CISA KEV at time of analysis, though the CVSS 4.0 AT:P modifier signals a required target-specific condition that narrows exploitability.
Buffer Overflow
Google
Samsung
Microsoft
-
CVE-2026-21037
MEDIUM
CVSS 6.9
Improper input validation in Samsung Members prior to version 5.8.01.5 allows local authenticated attackers to access arbitrary URLs and launch arbitrary Android activities using Samsung Members' application privileges. The CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:L/UI:N) confirms local access with low privileges and no additional preconditions, with the score of 6.9 reflecting a high availability impact on the vulnerable component alongside low integrity impact. No public exploit identified at time of analysis and this vulnerability is not listed in CISA KEV, but the ability to hijack privileged activity launches on Samsung devices makes it a meaningful local privilege-chaining vector.
Information Disclosure
Samsung
-
CVE-2026-21036
MEDIUM
CVSS 6.3
Improper authorization in Samsung Internet (Android browser) prior to version 30.0.0.39 allows a local attacker with low-level privileges to access sensitive information stored or processed by the browser, with downstream high-severity impact on subsequent systems as reflected in the CVSS 4.0 SC:H/SI:H/SA:H scores. The vulnerability requires only local access and no user interaction, making it exploitable by any co-resident low-privileged app or user account on the device. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, and Samsung Mobile has released a patched version.
Information Disclosure
Samsung
-
CVE-2026-21035
MEDIUM
CVSS 6.5
Improper input validation in Samsung Plus TV prior to version 1.0.28.6 exposes sensitive information to unauthenticated remote attackers, requiring only passive user interaction. The CVSS 4.0 vector reveals a notable scope discrepancy: while the vulnerable component itself suffers only low confidentiality impact (VC:L), the subsequent system scope carries high confidentiality, integrity, and availability ratings (SC:H/SI:H/SA:H), suggesting that exploiting the Samsung Plus TV app can cascade into broader system-level compromise on the affected device. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Information Disclosure
Samsung
-
CVE-2026-21034
MEDIUM
CVSS 4.8
Samsung Auto for Android exposes audio configuration functionality through improperly exported application components, allowing a local attacker with low privileges to arbitrarily modify audio settings without authorization. Affected versions are Samsung Auto prior to 3.1.2.61 on Android 15 and prior to 3.2.0.38 on Android 16, as confirmed by the Samsung Mobile vendor advisory and EUVD-2026-34806. No public exploit is identified at time of analysis and this vulnerability has not been added to the CISA KEV catalog, placing it at low real-world priority despite the straightforward local attack path.
Information Disclosure
Google
Samsung
-
CVE-2026-21033
MEDIUM
CVSS 6.9
Improper export of the ExpressHomeWidgetReceiver Android component in Samsung Assistant (prior to version 9.3.14) enables a local attacker without special privileges to send crafted intents to the exposed receiver and execute arbitrary scripts on the device. The CVSS 4.0 score of 6.9 reflects high confidentiality impact (VC:H) with a local attack vector - an on-device malicious application is a realistic threat model. No public exploit has been identified and this CVE does not appear in CISA KEV at time of analysis.
Information Disclosure
Google
Samsung
-
CVE-2026-21032
MEDIUM
CVSS 6.9
Improper export of the SmartHomeWidgetReceiver Android component in Samsung Assistant prior to version 9.3.14 allows a local attacker without any privileges to send crafted intents directly to the exposed receiver and execute arbitrary scripts. The CVSS 4.0 score of 6.9 reflects high confidentiality impact (VC:H) constrained to the local attack surface (AV:L), aligning with the 'Information Disclosure' tag. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis.
Information Disclosure
Google
Samsung
-
CVE-2026-21031
MEDIUM
CVSS 5.2
Improper authorization in Samsung's AppBlock application on Android 15 and 16 devices allows a local, low-privileged attacker to launch arbitrary Android Activities without proper permission checks. Exploitation requires passive user interaction (CVSS 4.0 UI:P) and local device access, but the confidentiality impact on the vulnerable system is rated High (VC:H), consistent with the reported Information Disclosure tag. No public exploit code exists and the vulnerability is not listed in CISA's KEV catalog at time of analysis; Samsung has released a patch in SMR Jun-2026 Release 1.
Information Disclosure
-
CVE-2026-21030
MEDIUM
CVSS 6.4
Improper access control in the MediaTek Audio HAL on Samsung Mobile Devices running Android 14, 15, and 16 permits local unprivileged attackers to invoke restricted privileged functions within the audio subsystem. The CVSS 4.0 subsequent system impact is rated High across confidentiality, integrity, and availability (SC:H/SI:H/SA:H), indicating that successful exploitation can cascade well beyond the Audio HAL itself to compromise broader device system components. No public exploit identified at time of analysis; Samsung has released a fix in SMR Jun-2026 Release 1.
Information Disclosure
Mediatek
-
CVE-2026-21029
MEDIUM
CVSS 6.8
Improper Android component export in Samsung's Galaxy Editing Service exposes privileged operations to local, low-privileged attackers on Android 14, 15, and 16 devices prior to SMR Jun-2026 Release 1. A malicious app installed on the device can directly invoke these exported components - bypassing intended permission controls - to execute operations with elevated privileges, resulting in high integrity impact on the vulnerable system. No public exploit identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog.
Information Disclosure
Google
-
CVE-2026-21028
MEDIUM
CVSS 5.1
Improper access control in the AuditLogService component of Samsung Mobile Devices running Android 16 exposes sensitive audit log information to local attackers. The flaw, disclosed and patched by Samsung Mobile as part of their June 2026 Security Maintenance Release (SMR Jun-2026 Release 1), enables a local attacker without special privileges to both read and potentially modify sensitive data surfaced by the audit logging subsystem. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Information Disclosure
-
CVE-2026-21027
MEDIUM
CVSS 4.8
ImsSettings on Samsung Mobile Devices (Android 14, 15, 16) exposes an improperly exported Android application component, enabling locally authenticated low-privilege attackers to invoke the component and trigger its logging function, resulting in limited information disclosure. The vulnerability is patched in Samsung's SMR Jun-2026 Release 1 and is reported exclusively by Samsung Mobile. No public exploit code and no CISA KEV listing have been identified at time of analysis, and the CVSS 4.0 score of 4.8 (Medium) reflects the narrow, local-only impact.
Information Disclosure
Google
-
CVE-2026-21026
MEDIUM
CVSS 6.4
Improper export of Android application components in Samsung's SpriteWallpaper app enables local attackers without privileges to access sensitive information and achieve disproportionately high impact on subsequent system components. Devices running Android 16 prior to the SMR Jun-2026 Release 1 security update are affected. No public exploit has been identified at time of analysis, but the zero-privilege local requirement and high subsequent system impact (SC:H/SI:H/SA:H) elevate practical risk on shared or managed Android devices.
Information Disclosure
Google
-
CVE-2026-21025
MEDIUM
CVSS 6.9
Incorrect privilege assignment in the Telephony component of Samsung Mobile devices prior to SMR Jun-2026 Release 1 permits local attackers to access sensitive information without requiring prior privileges or user interaction. Affecting devices running Android 14, 15, and 16, the flaw stems from improper access controls within the telephony subsystem. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog, but the low attack complexity and absence of privilege prerequisites lower the bar for local exploitation.
Information Disclosure
-
CVE-2026-21017
MEDIUM
CVSS 4.6
Improper privilege handling in Samsung's SecTelephonyProvider component allows local attackers on Samsung Mobile Devices to access files that should be restricted to privileged processes. Affected devices run Android 14, 15, and 16 prior to the SMR Jun-2026 Release 1 patch, spanning the full current Samsung Android support matrix. No public exploit code exists and no KEV listing has been issued; the CVSS 4.0 score of 4.6 reflects constrained real-world impact due to required local access and active user interaction.
Information Disclosure
-
CVE-2026-11346
MEDIUM
CVSS 5.3
Server-side request forgery in linqi's custom process creation feature allows authenticated attackers to conduct internal network reconnaissance by forcing the server to issue arbitrary outbound HTTP requests. The affected product is linqi by linqi GmbH (all versions per CPE cpe:2.3:a:linqi_gmbh:linqi:*). By embedding a crafted HTTP Request component inside a custom workflow process, the attacker can enumerate internal hosts and open ports through differential response analysis (Success, Failed, or 504 Gateway Time-out). No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
SSRF
-
CVE-2026-11345
MEDIUM
CVSS 6.9
Authentication bypass in linqi's /api/Cdn/GetFile endpoint allows unauthenticated remote attackers to circumvent the ValidateAnonFileAccess authorization check by supplying an 'AnonFile' query parameter of exactly 256 characters. Despite the CVSS 4.0 score of 6.9 and a PR:N/AC:L attack vector suggesting easy, unauthenticated exploitation, the vendor's own advisory explicitly confirms the security impact is negligible: the only resources accessible via this bypass are minified JavaScript and CSS files already served publicly through a CDN. No public exploit code has been identified at time of analysis, and there is no CISA KEV listing.
Authentication Bypass
Information Disclosure
-
CVE-2026-11344
MEDIUM
CVSS 5.5
Unrestricted file upload in code-projects Vehicle Management System 1.0 allows remote unauthenticated attackers to upload arbitrary files via the photo parameter of the New Driver Registration Form (newdriver.php), enabling remote code execution. Publicly available exploit code exists on GitHub, increasing the likelihood of opportunistic abuse against exposed instances despite no CISA KEV listing.
PHP
File Upload
-
CVE-2026-11342
MEDIUM
CVSS 5.5
SQL injection in code-projects Hotel and Tourism Reservation System 1.0 allows remote unauthenticated attackers to manipulate the 'room' parameter of /details.php to inject arbitrary SQL queries. Publicly available exploit code exists (published via GitHub by the researcher and indexed by VulDB), increasing the likelihood of opportunistic exploitation against exposed instances. The flaw is reachable over the network with no privileges or user interaction, making any internet-facing deployment of this PHP application a viable target.
PHP
SQLi
-
CVE-2026-11334
MEDIUM
CVSS 5.5
SQL injection in tittuvarghese CollegeManagementSystem (rolling-release PHP project) allows remote unauthenticated attackers to manipulate the department_code parameter in dashboard_page/forms/fetch.php to inject arbitrary SQL. Publicly available exploit code exists (disclosed via VulDB and a GitHub issue), and because the project uses continuous delivery with no tagged versions, defenders cannot pin a fixed release. The maintainer has been notified but has not responded, increasing operational risk for any deployment.
PHP
SQLi
-
CVE-2026-11326
MEDIUM
CVSS 6.0
OpenAI Atlas before 1.2025.288.15 improperly exposed privileged browser APIs - including browser history access and tab open/close controls - to any web content loaded from *.openai.com origins, including the publicly accessible forum.openai.com. Because forum.openai.com harbored an independent cross-site scripting vulnerability, an attacker could chain the two weaknesses: inject a script via the forum XSS, which then silently invokes Atlas's privileged APIs against a visiting victim. No public exploit or CISA KEV listing has been confirmed at time of analysis, though a public security research blog (hacktron.ai) describes the attack surface; the EPSS score of 0.02% (4th percentile) reflects low observed exploitation probability.
XSS
Authentication Bypass
Openai Atlas
-
CVE-2026-11309
MEDIUM
CVSS 4.3
UI spoofing via Chrome's History component (versions prior to 149.0.7827.53) lets an unauthenticated remote attacker deceive users through a crafted HTML page, exploiting insufficient policy enforcement in History navigation handling. The attacker can manipulate browser UI elements perceived by the victim, creating phishing-class deception without any confidentiality or availability impact - consistent with Chromium's own 'Low' severity rating. No public exploit code exists and EPSS sits at 0.03% (11th percentile), indicating very low probability of in-the-wild exploitation at time of analysis.
Information Disclosure
Google
-
CVE-2026-11308
MEDIUM
CVSS 6.3
Privilege escalation in Google Chrome's Extensions subsystem, affecting all versions prior to 149.0.7827.53, allows a remote attacker who socially engineers a user into installing a crafted malicious extension to gain elevated privileges within the browser context, impacting confidentiality, integrity, and availability at a low-to-moderate level. The CVSS score of 6.3 (Medium) reflects the network-reachable attack vector offset by mandatory user interaction (UI:R), and Chromium's own security team rated this as Low severity - a notable downgrade from the NVD-calculated score. No public exploit code and no KEV listing have been identified at time of analysis, and the EPSS score of 0.01% (1st percentile) corroborates minimal observed exploitation activity.
Privilege Escalation
Google
-
CVE-2026-11302
MEDIUM
CVSS 4.3
Insufficient policy enforcement in Google Chrome for iOS (prior to 149.0.7827.53) allows remote unauthenticated attackers to bypass discretionary access controls via a crafted HTML page, resulting in limited integrity impact. User interaction is required, and exploitation probability is extremely low - EPSS sits at 0.02% (4th percentile). No public exploit identified at time of analysis, and Chromium's own security team rated this as 'Low' severity, consistent with the CVSS 4.3 score and SSVC's 'partial' technical impact assessment.
Authentication Bypass
Google
Apple
-
CVE-2026-11300
MEDIUM
CVSS 4.3
UI spoofing in Google Chrome's Permissions subsystem prior to version 149.0.7827.53 enables remote unauthenticated attackers to misrepresent the browser's permission interface by delivering a crafted HTML page to a victim. The flaw (CWE-451) results in low-integrity impact - the attacker can deceive a user into perceiving a false permissions state, potentially manipulating consent decisions. No public exploit code exists, EPSS is 0.03% (8th percentile), CISA SSVC rates exploitation as none, and Chromium's own severity assessment is Low, placing this firmly in the routine-patching tier rather than an urgent response priority.
Information Disclosure
Google
-
CVE-2026-11299
MEDIUM
CVSS 6.5
Integer overflow in Google Chrome's Fonts component (versions prior to 149.0.7827.53) enables remote attackers to read out-of-bounds process memory, potentially leaking sensitive in-memory data such as credentials or tokens. Exploitation is constrained by a mandatory user-interaction requirement - a victim must visit a specially crafted HTML page - and Chromium's own severity rating of Low tempers urgency relative to the NVD CVSS Medium score. No public exploit identified at time of analysis, and EPSS stands at 0.03% (11th percentile), indicating very low near-term exploitation probability.
Buffer Overflow
Information Disclosure
Google
-
CVE-2026-11298
MEDIUM
CVSS 4.3
Same-origin policy bypass in Google Chrome on iOS prior to 149.0.7827.53 allows a remote, unauthenticated attacker to violate cross-origin isolation by delivering a crafted HTML page to a victim. The flaw stems from an inappropriate implementation (CWE-346) in the iOS-specific Chrome codebase, meaning the iOS browser incorrectly validates origin boundaries in a way the desktop build does not. No active exploitation is confirmed (no CISA KEV listing), EPSS is 0.02% (4th percentile), and SSVC rates exploitation as none - placing this firmly in a routine patching priority rather than an emergency response.
Authentication Bypass
Google
Apple
-
CVE-2026-11276
MEDIUM
CVSS 5.1
Discretionary access control bypass in Google Chrome's Cast feature (prior to 149.0.7827.53) allows an attacker positioned on the local network segment to interfere with Cast functionality via crafted malicious network traffic. The vulnerability stems from improper privilege management (CWE-269) within the Cast implementation, resulting in limited confidentiality and integrity impact (CVSS 5.1). No public exploit code has been identified at time of analysis, and CISA KEV listing is absent; however, the no-authentication-required condition and the network-adjacent attack surface make this relevant for environments where Chrome's Cast feature is actively used on shared or untrusted network segments.
Privilege Escalation
Google
-
CVE-2026-11254
MEDIUM
CVSS 4.3
UI spoofing in Google Chrome's Permissions implementation prior to version 149.0.7827.53 allows a remote, unauthenticated attacker to deceive users through manipulated browser permission dialogs via a crafted HTML page. Exploitation requires user interaction - a victim must visit a malicious page - and the real-world impact is limited to low-integrity outcomes such as misleading users into granting or denying permissions under false pretenses. No public exploit code exists and this vulnerability has not been added to the CISA KEV catalog at time of analysis.
Information Disclosure
Google
-
CVE-2026-11253
MEDIUM
CVSS 4.3
Cross-origin data leakage in Google Chrome's Permissions subsystem (prior to 149.0.7827.53) enables remote unauthenticated attackers to read data across origin boundaries via a crafted HTML page. The flaw, classified as a race condition (CWE-362) in the Permissions implementation, undermines the browser's Same-Origin Policy enforcement - a foundational web isolation mechanism. No public exploit identified at time of analysis; a vendor-released patch is available in version 149.0.7827.53, and Google has rated this Low severity in Chromium security terms.
Information Disclosure
Google
Race Condition
-
CVE-2026-11252
MEDIUM
CVSS 4.3
Content Settings policy enforcement bypass in Google Chrome prior to 149.0.7827.53 enables remote attackers to circumvent discretionary access control by delivering a crafted HTML page to a victim who must interact with it. Rooted in CWE-284 (Improper Access Control), the flaw affects Chrome's Content Settings subsystem - which governs site-level permissions such as cookies, notifications, and script access - yielding a limited integrity impact with no confidentiality or availability consequences. No public exploit has been identified and the vulnerability is absent from CISA KEV; the vendor itself rates this as Low severity, consistent with the CVSS 4.3 base score.
Authentication Bypass
Google
-
CVE-2026-11249
MEDIUM
CVSS 4.7
Use-after-free in the Network component of Google Chrome prior to version 149.0.7827.53 enables an attacker who has already compromised the renderer process to read potentially sensitive data from process memory by delivering a crafted HTML page. The Changed scope (S:C) in the CVSS vector confirms the vulnerability crosses security boundaries - specifically from the renderer sandbox into the Network process - making this a secondary exploitation step rather than an initial access vector. No public exploit code exists and the vulnerability is not listed in the CISA KEV catalog; Google has released a patched stable channel build.
Denial Of Service
Google
Use After Free
Memory Corruption
-
CVE-2026-11246
MEDIUM
CVSS 5.3
Same-origin policy bypass in Google Chrome's IndexedDB implementation affects all versions prior to 149.0.7827.53, enabling an attacker who has already compromised the renderer process to cross origin boundaries via a crafted HTML page. The integrity-only impact (C:N/I:H/A:N) means a successful exploitation could allow unauthorized writes or data manipulation across origins, but does not directly expose confidential data. No public exploit code has been identified at time of analysis, and Google's own Chromium security team rated this Low severity; a vendor-released patch is available at version 149.0.7827.53.
Authentication Bypass
Google
-
CVE-2026-11245
MEDIUM
CVSS 4.3
UI spoofing in Google Chrome's Payments component prior to version 149.0.7827.53 enables a remote unauthenticated attacker to mislead users about payment interface elements via a crafted HTML page. The vulnerability stems from inappropriate implementation logic (CWE-451) that allows visual misrepresentation of critical payment-related UI, potentially facilitating phishing or payment fraud against end users who interact with a malicious page. No public exploit code has been identified at time of analysis, and Chromium's internal severity rating is Low, consistent with its limited integrity-only, user-interaction-dependent impact.
Information Disclosure
Google
-
CVE-2026-11243
MEDIUM
CVSS 5.4
Navigation restriction bypass in Google Chrome's Downloads subsystem prior to version 149.0.7827.53 enables a remote unauthenticated attacker to circumvent browser navigation controls by luring a user to a crafted HTML page. The flaw is rooted in an inappropriate implementation classified as CWE-346 (Origin Validation Error), meaning Chrome fails to properly validate the origin of requests or data within the Downloads flow. The issue is rated Medium by CVSS (5.4) and Low on Chromium's own severity scale; no public exploit code or CISA KEV listing has been identified at time of analysis.
Authentication Bypass
Google
-
CVE-2026-11238
MEDIUM
CVSS 5.9
Inappropriate implementation in Google Chrome's DevTools component prior to version 149.0.7827.53 allows a crafted Chrome Extension to access and read sensitive data from process memory. Exploitation requires social engineering a target user into installing a malicious extension, after which the extension can invoke under-guarded DevTools APIs to extract potentially sensitive in-memory content such as credentials, tokens, or session data. No public exploit has been identified at time of analysis, and the EPSS score of 0.01% indicates very low observed exploitation probability; however, the confidentiality impact is rated High by CVSS.
Authentication Bypass
Google
-
CVE-2026-10732
MEDIUM
CVSS 5.6
Arbitrary file write in the npm decompress package (all versions) exploits a second-generation Zip Slip bypass that circumvents protections introduced in the CVE-2020-12265 fix. By crafting a ZIP archive where a symlink entry and a same-named regular file share an identical path, an attacker leverages microtask scheduling order to write file contents through the unresolved symlink to arbitrary locations outside the extraction output directory, creating a realistic path to remote code execution. Publicly available exploit code exists per the E:P temporal modifier and a published PoC Gist, elevating real-world concern especially for applications processing untrusted archives in automated pipelines.
RCE
Path Traversal
-
CVE-2026-7473
MEDIUM
CVSS 6.9
Tunnel decapsulation logic in Arista EOS fails to verify the encapsulation protocol type, allowing any tunneled packet destined for a configured decapsulation IP to be silently unwrapped and forwarded into the network. Unauthenticated remote attackers (PR:N, AV:N per CVSS 4.0) can inject traffic into network segments by exploiting this check bypass on switches with VXLAN, decap-groups, or GRE configurations. The CVE description explicitly states this issue has been reported as exploited in the wild; however, a CISA KEV entry was not confirmed in the provided data. The integrity impact is assessed as low on both the vulnerable and subsequent systems per CVSS 4.0 (VI:L/SI:L), but the network trust boundary violation in a core switching context warrants elevated operational priority.
Information Disclosure
Eos
-
CVE-2026-48102
LOW
CVSS 3.1
Heap out-of-bounds read in 7-Zip versions 9.11 through 26.00 exposes up to 3 bytes of heap memory during UDF disc image parsing, triggering when a user opens or extracts a crafted .iso or .udf file. Impact is constrained to a 1-bit information-disclosure oracle per out-of-bounds byte (inferred from open/fail behavior) and potential denial of service under hardened allocators; no write primitive exists. No public exploit code or CISA KEV listing has been identified at time of analysis, and the CVSS Low score of 3.1 accurately reflects the limited real-world severity.
Buffer Overflow
Denial Of Service
Information Disclosure
Oracle
-
CVE-2026-47388
LOW
Unauthorized cross-tenant file read in NocoDB's MCP readAttachment tool allows any low-privilege MCP token holder to stream arbitrary attachment files from shared storage, including those belonging to unrelated bases and workspaces. Affected versions are all NocoDB releases up to and including 2026.05.0 (npm/nocodb). The root cause is CWE-639: the tool accepted caller-supplied path or URL values and streamed them directly without verifying that the referenced file's base_id matched the caller's MCP context. No public exploit has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Authentication Bypass
-
CVE-2026-47380
LOW
User enumeration via observable timing discrepancy in NocoDB's sign-in endpoint allows network-positioned attackers to determine whether an email address is registered. The authentication service (`auth.service.ts`) returned immediately for unknown users without executing a bcrypt password hash comparison, producing measurably shorter response times than for known users - a classic timing side-channel. No public exploit has been identified at time of analysis, but the technique requires no privileges and is straightforward to execute against any network-accessible NocoDB instance running versions prior to 2026.04.1.
Information Disclosure
-
CVE-2026-45723
LOW
CVSS 2.7
Path traversal in Siderolabs Omni's `CreateSchematic` gRPC endpoint allows an authenticated Operator to force the server to issue HTTP GET requests to arbitrary paths on the configured image-factory host by injecting `../` sequences into the `TalosVersion` field. The CVSS score of 2.7 (PR:H, C:L) reflects that exploitation requires a high-privilege Operator credential and yields only limited confidentiality impact - error body content from unintended image-factory endpoints is reflected back to the caller. No public exploit or CISA KEV listing exists at time of analysis, placing this in a low-priority patch tier for most deployments.
Path Traversal
-
CVE-2026-38579
None
Multiple reflected Cross-Site Scripting (XSS) vulnerabilities in damasac thaipalliative_lte through version 3.0 allow remote attackers to inject arbitrary web script or HTML via the idFormMain parameter (line 24), the id parameter (lines 25, 75), and the ptid_key parameter (lines 26, 42) in /substud...
PHP
XSS
N/A
-
CVE-2026-37737
None
sanic-cors version 2.2.0 and prior contains an improper regular expression in the try_match() function in sanic_cors/core.py that uses re.match without end-anchoring. This allows an attacker to bypass CORS origin allowlists by registering a domain that begins with a trusted origin string, to gain un...
Authentication Bypass
N/A
-
CVE-2026-36501
None
An issue in the Externalizable.readExternal() component of Controller v12.0.5 allows attackers to cause a Denial of Service (DoS) via a crafted input.
Denial Of Service
N/A
-
CVE-2026-36500
None
An issue in the cluster-admin:backup-datastore component of Controller v12.0.5 allows attackers to execute a directory traversal via a crafted request.
Path Traversal
N/A
-
CVE-2026-11362
None
DataDog::DogStatsd versions through 0.07 for Perl allow metric injections from event tags.
DataDog::DogStatsd does not properly sanitise input, allowing metric injections of data from untrusted sources.
The format_event method (used by the event method) does not validate the content of the tags, w...
Code Injection
Datadog
-
CVE-2026-11341
LOW
CVSS 2.1
OS command injection in D-Link DWR-M920 firmware up to version 1.1.50 allows authenticated remote attackers to execute arbitrary shell commands on the device via the IMEI_value parameter of the /boafrm/formIMEISetup endpoint. The vulnerable function sub_412DA0 fails to sanitize attacker-controlled input before passing it to an OS-level command, so low-privilege network access is sufficient to achieve code execution; a partial proof-of-concept lends confidence to the finding. A publicly available exploit has been disclosed on GitHub, elevating practical risk beyond the CVSS 6.3 score alone.
Command Injection
D-Link
-
CVE-2026-11339
LOW
CVSS 2.1
Command injection in D-Link DWR-M920 firmware up to version 1.1.50 allows remote authenticated attackers to execute arbitrary OS commands via the `ussdValue` parameter of the `/boafrm/formUSSDSetup` endpoint, processed by the vulnerable `sub_41CF20` function without input sanitization. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms remote, low-complexity exploitation requiring only low-privilege credentials - a realistic threshold on consumer routers commonly deployed with default or weak passwords. A public proof-of-concept exploit is available on GitHub, materially elevating practical risk above what the moderate CVSS score of 6.3 suggests; however, that public exploit does not correspond to any confirmed active exploitation identified at time of analysis (not in CISA KEV).
Command Injection
D-Link
-
CVE-2026-11338
LOW
CVSS 1.9
Stored cross-site scripting in SourceCodester Ship Ferry Ticket Reservation System 1.0 allows a remote attacker with high-privilege (admin-level) access to inject persistent malicious JavaScript into the Username field of the user management panel at /admin/?page=user/manage_user, which then executes in the browser of any other privileged user who visits that page. The vulnerability carries a CVSS base score of only 2.4 due to the combination of required high privileges, mandatory user interaction, and limited integrity-only impact with no confidentiality or availability consequence. It is not a KEV-confirmed threat at time of analysis, but publicly available exploit code exists via a published Medium article and VulDB report.
XSS
-
CVE-2026-11337
LOW
CVSS 2.1
Cross-site scripting in tittuvarghese's PHP-based CollegeManagementSystem exposes users to script injection via the unvalidated `department_name` parameter in `/dashboard_page/forms/fetch.php`, exploitable remotely without authentication but requiring victim interaction. Publicly available exploit code (GitHub issue #6) lowers the technical barrier for opportunistic attacks, though CVSS scope remains unchanged with only low integrity impact. No patch has been released and the project maintainer has not responded to the coordinated disclosure, leaving all deployed instances permanently exposed under the rolling release model.
PHP
XSS
-
CVE-2026-11336
LOW
CVSS 2.1
Improper authorization in tittuvarghese CollegeManagementSystem exposes the Admin Interface to privilege escalation by low-privileged authenticated users who can manipulate the UserAuthData parameter in dashboard_page/admin_page.php. A publicly available exploit exists (referenced in GitHub issue #5), raising practical risk above what the mid-range CVSS score of 6.3 alone would suggest. The vendor has not responded to the responsible disclosure, and no patch has been released; all deployed instances across the rolling release track remain exposed.
PHP
Authentication Bypass
-
CVE-2026-11335
LOW
CVSS 2.1
Session fixation in tittuvarghese CollegeManagementSystem enables remote attackers to hijack authenticated user sessions by pre-setting a session identifier via the UserAuthData argument passed to session_start() in /login-form.php. Successful exploitation requires a victim to complete login through an attacker-crafted URL, granting the attacker access to the victim's authenticated session with partial confidentiality, integrity, and availability impact (C:L/I:L/A:L). A publicly available exploit exists via a published GitHub issue, but no patch has been released and the maintainer has not responded to responsible disclosure.
PHP
Information Disclosure
Session Fixation
-
CVE-2026-11333
LOW
CVSS 2.1
Unrestricted file upload in tittuvarghese CollegeManagementSystem exposes the Student Data Upload endpoint (`dashboard_page/forms/upload_student_data.php`) to remote exploitation by authenticated low-privilege users, allowing arbitrary file types - including PHP web shells - to be uploaded to the server by manipulating the Student-Data-CSV argument. All deployed instances across all commits are affected given the project's rolling release model, and no vendor-released patch exists as the maintainer has not responded to responsible disclosure. Publicly available exploit code exists, raising real-world risk above what the CVSS 6.3 score alone implies.
PHP
File Upload
-
CVE-2026-11330
LOW
CVSS 2.0
Hash collision via field-boundary ambiguity in thedotmack/claude-mem through 11.0.1 allows a local low-privilege attacker to cause two semantically distinct observation records to produce identical content hashes, corrupting the SQLite-backed deduplication and integrity logic. The root cause is delimiter-free concatenation of three input fields in `computeObservationContentHash`, meaning different distributions of characters across `memorySessionId`, `title`, and `narrative` yield the same hash input and thus the same digest. No public exploit exists and exploitation is not confirmed actively in the wild; vendor-released fix version 12.0.0 is available.
Information Disclosure
-
CVE-2026-11329
LOW
CVSS 2.0
Weak cache key construction in onnx-mlir's torch backend (versions up to 0.5.0.0) omits tensor data type (dtype) from placeholder node hash keys, enabling cache collisions between semantically distinct nodes. A locally authenticated attacker with high-complexity manipulation can cause the compiler to incorrectly reuse cached compilation results across mismatched dtypes, yielding low-integrity and low-availability impacts. No public exploit is identified at time of analysis; the upstream fix is confirmed via commit 72c5187 and PR #3427.
Python
Information Disclosure
-
CVE-2026-11312
LOW
CVSS 1.9
Inefficient algorithmic complexity in bytedance InfiniStore up to version 0.2.33 allows a local, low-privileged attacker to partially degrade availability by triggering worst-case execution in the purge_kv_map function. The CVSS vector (AV:L/AC:L/PR:L/UI:N/A:L) confirms limited blast radius - local-only access with no confidentiality or integrity impact - but a public proof-of-concept exists per the GitHub issue tracker and is reflected in the E:P temporal modifier. No patch has been issued; the vendor has not responded to the coordinated disclosure.
Information Disclosure
-
CVE-2026-11295
None
Inappropriate implementation in WebView in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to perform privilege escalation via a crafted HTML page. (Chromium security severity: Low)
Privilege Escalation
Chrome
Google
Android
-
CVE-2026-11294
None
Inappropriate implementation in Passwords in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
Chrome
Google
Clickjacking
-
CVE-2026-11293
None
Use after free in Input in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low)
RCE
Chrome
Google
Use After Free
-
CVE-2026-11292
None
Insufficient policy enforcement in Blink in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Low)
XSS
Chrome
Google
-
CVE-2026-11291
None
Inappropriate implementation in Android Autofill in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Low)
Authentication Bypass
Chrome
Google
Android
-
CVE-2026-11290
None
Integer overflow in WebView in Google Chrome on Android prior to 149.0.7827.53 allowed a local attacker to cause a denial of service via a malicious file. (Chromium security severity: Low)
Denial Of Service
Chrome
Google
Integer Overflow
Android
-
CVE-2026-11289
None
Side-channel information leakage in Paint in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
Information Disclosure
Chrome
Google
-
CVE-2026-11288
None
Insufficient policy enforcement in CSS in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
Information Disclosure
Chrome
Google
-
CVE-2026-11287
None
Insufficient policy enforcement in Navigation in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low)
Authentication Bypass
Chrome
Google
Android
-
CVE-2026-11286
None
Insufficient validation of untrusted input in Wallet in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
XSS
Chrome
Google
-
CVE-2026-11285
None
Inappropriate implementation in Chrome for iOS in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
XSS
Chrome
Google
Apple
iOS
-
CVE-2026-11284
None
Side-channel information leakage in PerformanceAPIs in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
Information Disclosure
Chrome
Google
-
CVE-2026-11283
None
Insufficient validation of untrusted input in Shortcuts in Google Chrome on Mac prior to 149.0.7827.53 allowed a remote attacker to bypass navigation restrictions via a malicious file. (Chromium security severity: Low)
Authentication Bypass
Chrome
Google
macOS
-
CVE-2026-11282
None
Insufficient policy enforcement in Sandbox in Google Chrome on Linux prior to 149.0.7827.53 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low)
Privilege Escalation
Linux
Chrome
Google
-
CVE-2026-11281
None
Integer overflow in Chromoting in Google Chrome on Windows prior to 149.0.7827.53 allowed a local attacker to obtain potentially sensitive information from process memory via a crafted ETW event. (Chromium security severity: Low)
Windows
Information Disclosure
Chrome
Google
Integer Overflow
-
CVE-2026-11280
None
Inappropriate implementation in Signin in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
Chrome
Google
Apple
iOS
Clickjacking
-
CVE-2026-11278
None
Inappropriate implementation in CustomTabs in Google Chrome on Android prior to 149.0.7827.53 allowed a local attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
Information Disclosure
Chrome
Google
Android
-
CVE-2026-11277
None
Insufficient policy enforcement in Chrome for iOS in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker to bypass discretionary access control via a crafted HTML page. (Chromium security severity: Low)
Authentication Bypass
Chrome
Google
iOS
-
CVE-2026-11275
None
Inappropriate implementation in Page Info in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low)
Authentication Bypass
Chrome
Google
Android
-
CVE-2026-11274
None
Inappropriate implementation in DOM Distiller in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low)
Authentication Bypass
Chrome
Google
Apple
iOS
-
CVE-2026-11273
None
Insufficient validation of untrusted input in Omnibox in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Low)
XSS
Chrome
Google
-
CVE-2026-11272
None
Insufficient validation of untrusted input in Reading List in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform privilege escalation via a crafted HTML page. (Chromium security severity: Low)
Privilege Escalation
Chrome
Google
iOS
-
CVE-2026-11271
None
Inappropriate implementation in Passwords in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
Information Disclosure
Chrome
Google
-
CVE-2026-11270
None
Inappropriate implementation in UI in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
Information Disclosure
Chrome
Google
Android
-
CVE-2026-11269
None
Inappropriate implementation in Extensions in Google Chrome prior to 149.0.7827.53 allowed an attacker in a privileged network position to execute arbitrary code inside a sandbox via a crafted Chrome Extension. (Chromium security severity: Low)
RCE
Chrome
Google
Code Injection
-
CVE-2026-11268
None
Uninitialized Use in ANGLE in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
Windows
Information Disclosure
Chrome
Google
-
CVE-2026-11267
None
Insufficient policy enforcement in Extensions in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to bypass content security policy via a crafted Chrome Extension. (Chromium security severity: Low)
Authentication Bypass
Chrome
Google
-
CVE-2026-11266
None
Inappropriate implementation in SafeBrowsing in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass Safe Browsing via a malicious file. (Chromium security severity: Low)
Authentication Bypass
Chrome
Google
-
CVE-2026-11265
None
Inappropriate implementation in Autofill in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
Information Disclosure
Chrome
Google
-
CVE-2026-11264
None
Policy bypass in Content Security Policy in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Low)
XSS
Chrome
Google
-
CVE-2026-11263
None
Insufficient policy enforcement in WebAuthentication in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
Information Disclosure
Chrome
Google
Android
-
CVE-2026-11261
None
Inappropriate implementation in PDF in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
XSS
Chrome
Google
-
CVE-2026-11260
None
Inappropriate implementation in Permissions in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Low)
XSS
Chrome
Google
-
CVE-2026-11259
None
Insufficient validation of untrusted input in Cast in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Low)
Chrome
Google
Cors Misconfiguration
-
CVE-2026-11258
None
Inappropriate implementation in File System Access in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass discretionary access control via a crafted HTML page. (Chromium security severity: Low)
Authentication Bypass
Chrome
Google
-
CVE-2026-11257
None
Inappropriate implementation in Browser in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low)
Authentication Bypass
Chrome
Google
-
CVE-2026-11251
LOW
CVSS 3.1
Insufficient policy enforcement in Google Chrome's Password Manager (versions prior to 149.0.7827.53) allows a remote attacker who has already compromised the renderer process to bypass discretionary access control via a crafted HTML page, resulting in limited confidentiality exposure. This is a chained vulnerability: exploitation is contingent on a prior renderer process compromise, which substantially elevates attack complexity and limits realistic blast radius. No public exploit code exists and this CVE is not listed in the CISA KEV catalog. Google has rated this Low severity and released a fix in Chrome 149.0.7827.53.
Authentication Bypass
Google
-
CVE-2026-11247
LOW
CVSS 3.1
Cross-origin data leakage in Google Chrome's CustomTabs component on Android exposes sensitive information to remote attackers via a crafted HTML page. Affected versions are all Chrome for Android releases prior to 149.0.7827.53, where insufficient policy enforcement in the CustomTabs API fails to uphold cross-origin isolation guarantees. No public exploit identified at time of analysis and no confirmed active exploitation (CISA KEV not listed); the EPSS score of 0.03% (11th percentile) and a CVSS score of 3.1 (Low) together indicate low real-world exploitation likelihood.
Information Disclosure
Google
-
CVE-2026-11244
LOW
CVSS 3.1
Same-origin policy bypass in Google Chrome's WebAuthentication component affects all Chrome versions prior to 149.0.7827.53, exploitable only by a remote attacker who has already compromised the renderer process. Insufficient input validation in the WebAuthn subsystem allows crafted HTML pages to circumvent same-origin restrictions, resulting in limited confidentiality disclosure (C:L). Chromium's own severity classification is Low, consistent with the CVSS 3.1 score of 3.1, and no public exploit or CISA KEV listing has been identified at time of analysis. The mandatory prerequisite of renderer process compromise significantly constrains the realistic attacker population to sophisticated, multi-stage threat actors.
Authentication Bypass
Google
-
CVE-2026-11240
LOW
CVSS 3.1
Site isolation bypass in Google Chrome's Loader component (versions prior to 149.0.7827.53) allows a remote attacker who has already compromised the renderer process to escape Chrome's cross-site data boundary via a crafted HTML page. The vulnerability stems from insufficient validation of untrusted input in the Loader, enabling a post-exploitation primitive that leaks limited confidentiality data across site boundaries. With a CVSS score of 3.1 (Low), EPSS at 0.02% (6th percentile), no CISA KEV listing, and Chromium's own classification as Low severity, this represents a low-urgency chained-exploit stepping stone rather than a standalone critical threat; no public exploit identified at time of analysis.
Authentication Bypass
Google
-
CVE-2026-10879
None
DBI versions before 1.648 for Perl have a heap overflow when preparsing SQL statements with more than 9 binders.
The preparse method expands SQL placeholder characters to numbered binders of the form :pN, but only allocates three characters per binder in the buffer. Placeholders 10-99 require four...
Buffer Overflow
Memory Corruption
Dbi
-
CVE-2026-10878
LOW
CVSS 2.1
Command injection in D-Link DWR-M920 router firmware versions 1.1.50 and 1.1.70 allows a low-privileged, remote-authenticated attacker to inject OS commands via the action_value parameter in the SMS management endpoint /boafrm/formSmsManage. The vulnerability resides in the C function sub_41C8E8 and stems from unsanitized user input being passed directly to a command interpreter (CWE-77). A public proof-of-concept exploit is available on GitHub, lowering the bar for exploitation despite the absence of CISA KEV listing.
Command Injection
D-Link
-
CVE-2026-10876
LOW
CVSS 2.1
Improper authorization in SourceCodester Ship Ferry Ticket Reservation System 1.0 allows authenticated remote attackers with low privileges to manipulate the `page` argument on the `/admin/` endpoint, bypassing access controls and gaining unauthorized access to administrative functionality. The CVSS 4.0 vector (PR:L) confirms exploitation requires a valid low-privileged account rather than unauthenticated access. Publicly available exploit code exists (E:P in CVSS 4.0 vector, corroborated by a published Medium writeup), though the overall severity is rated Low (2.1) due to limited confidentiality, integrity, and availability impact with no scope change to subsequent systems.
Information Disclosure
-
CVE-2026-9270
None
DataDog::DogStatsd versions through 0.07 for Perl allow metric injections.
DataDog::DogStatsd does not properly sanitise input, allowing metric injections of data from untrusted sources.
The send_stats method does not remove newlines from metric names ($stat variable), allowing attackers to change...
Code Injection
Datadog
-
CVE-2026-9088
LOW
CVSS 2.7
Information disclosure in Red Hat Build of Keycloak's group members endpoint allows a highly privileged but delegated administrator to bypass explicitly configured user profile attribute access controls. An administrator granted only delegated read access to group memberships and user data can invoke the group members API endpoint to retrieve user attributes that have been administratively denied to that role, circumventing the intended granularity of access control. No active exploitation has been confirmed (not in CISA KEV), no public exploit code has been identified, and the CVSS score of 2.7 (Low) reflects the high privilege prerequisite and limited confidentiality impact.
Information Disclosure
-
CVE-2026-7763
None
A heap-based buffer overflow vulnerability in the morse.ko HaLow Wi-Fi kernel driver in Morse Micro HaLowLink 2 software versions prior to 2.11.13 allows an unauthenticated attacker within radio range to cause a Denial of Service (kernel panic) or potentially achieve Remote Code Execution via a craf...
RCE
Buffer Overflow
Denial Of Service
Linux
Heap Overflow
-
CVE-2026-7762
None
A heap-based buffer overflow vulnerability in the dot11ah.ko HaLow Wi-Fi kernel driver in Morse Micro HaLowLink 2 software versions prior to 2.11.13 allows an unauthenticated attacker within radio range to cause a Denial of Service (kernel panic) or potentially achieve Remote Code Execution via a cr...
RCE
Buffer Overflow
Denial Of Service
Linux
Heap Overflow