Argument injection in TOTOLINK X5000R router v9.1.0cu via setDiagnosisCfg handler allows unauthenticated remote code execution. EPSS 2.0% with PoC available.
Cross-realm token acceptance bypass in Apache Camel Keycloak security policy. The KeycloakSecurityPolicy fails to properly validate token issuers, accepting tokens from different Keycloak realms. PoC available.
Critical vulnerability in ElementsKit Elementor Addons WordPress plugin allows unauthenticated access to critical functions. CVSS 10.0 affecting a widely-used WordPress plugin with 1M+ installations.
SQL injection in Order Up Online Ordering System 1.0 via /api/integrations/getintegrations endpoint allows unauthenticated database compromise.
Out-of-bounds read and write in Chrome Tint shader compiler on Mac before 145.0.7632.116. More severe than CVE-2026-3061 due to additional write capability enabling potential code execution.
Integer overflow in Crypt::NaCl::Sodium Perl module through version 2.001 on 32-bit systems. The Sodium.xs binding casts a size_t to int, causing overflow that could compromise cryptographic operations.
Out-of-bounds read in Google Chrome Media component before 145.0.7632.116 allows remote attackers to perform memory reads via crafted media content.
Improper certificate validation in Ayms node-To master Node.js module. The application does not properly validate TLS certificates, enabling man-in-the-middle attacks.