Skip to main content
CVE-2026-2786 CRITICAL PATCH Act Now

Use-after-free in Firefox JavaScript Engine before 148. Fourth distinct JS engine UAF in this release.

Use After Free Memory Corruption Mozilla Information Disclosure
NVD
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-2785 CRITICAL PATCH Act Now

Invalid pointer in Firefox JavaScript Engine before 148. Incorrect pointer computation leads to memory corruption.

Mozilla Memory Corruption Information Disclosure
NVD
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-2781 CRITICAL PATCH Act Now

Integer overflow in NSS (Network Security Services) cryptographic library enables remote unauthenticated attackers to achieve arbitrary code execution with critical impact on confidentiality, integrity, and availability across Mozilla Firefox (<148, ESR <140.8) and Thunderbird (<148, ESR <140.8). The vulnerability carries a maximum CVSS 9.8 score with no exploitation barriers, though EPSS probability remains low (0.04%, 14th percentile) and no active exploitation is confirmed. Vendor patches available through Mozilla security advisories MFSA2026-13/15/16/17 with corresponding Red Hat updates deployed across enterprise distributions.

Integer Overflow Mozilla Buffer Overflow
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-2767 CRITICAL PATCH Act Now

Use-after-free in Firefox JavaScript WebAssembly component before 148. WebAssembly-specific memory management bug.

Use After Free Memory Corruption Mozilla Information Disclosure Thunderbird
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-2780 CRITICAL PATCH Act Now

Privilege escalation in Firefox Netmonitor component before 148. Developer tools component allows escalation from content to higher privileges.

Privilege Escalation Mozilla
NVD
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-2799 CRITICAL PATCH Act Now

Use-after-free in Firefox DOM Core & HTML before 148. DOM object lifecycle error.

Use After Free Memory Corruption Mozilla Information Disclosure Thunderbird
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-2797 CRITICAL PATCH Act Now

Use-after-free in Firefox JavaScript GC before 148. Second GC UAF, different from CVE-2026-2795.

Use After Free Memory Corruption Mozilla Information Disclosure Thunderbird
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-2795 CRITICAL PATCH Act Now

Use-after-free in Firefox JavaScript GC component before 148. GC-specific UAF affecting only mainline Firefox and Thunderbird.

Use After Free Memory Corruption Mozilla Information Disclosure Thunderbird
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-2790 CRITICAL PATCH Act Now

Same-origin policy bypass in Firefox Networking JAR component before 148. Allows cross-origin data access through JAR protocol handling.

Mozilla Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-1229 CRITICAL PATCH Act Now

Incorrect computation in CIRCL cryptographic library's CombinedMult function for secp384r1 (P-384) curve. Produces wrong elliptic curve multiplication results for specific inputs, potentially breaking ECDSA signature verification.

Github Circl Suse Cloudflare
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-27593 CRITICAL PATCH Act Now

Password reset poisoning in Statamic CMS before 6.3.3/5.73.10 allows attackers to steal password reset tokens by manipulating the Host header in reset requests. Patch available.

Laravel Statamic
NVD GitHub
CVSS 3.1
9.3
EPSS
0.0%
CVE-2026-27208 CRITICAL Act Now

OS command injection in bleon-ethical/api-gateway-deploy npm package version 1.0.0. Attack chain enables remote code execution through crafted API gateway deployment configuration.

Docker Privilege Escalation Command Injection Api Gateway Deploy
NVD GitHub
CVSS 3.1
9.2
EPSS
0.2%
CVE-2025-40540 CRITICAL Act Now

Second type confusion vulnerability in SolarWinds Serv-U. Different attack vector from CVE-2025-40539 but same impact — arbitrary code execution.

Windows Serv U
NVD
CVSS 3.1
9.1
EPSS
0.1%
CVE-2025-40539 CRITICAL Act Now

Type confusion vulnerability in SolarWinds Serv-U enables arbitrary code execution. Second critical Serv-U vulnerability.

Windows Serv U
NVD
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-2806 CRITICAL PATCH Act Now

Uninitialized memory read in Firefox Graphics Text component before 148. Text rendering may expose uninitialized memory contents.

Mozilla Information Disclosure
NVD
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-27515 CRITICAL Act Now

Predictable session identifiers in Binardat 10G08-0800GSM network switch. Numeric session IDs are easily guessable, enabling session hijacking.

Information Disclosure 10g08 0800gsm Firmware
NVD
CVSS 3.1
9.1
EPSS
0.0%
CVE-2024-58041 CRITICAL Act Now

Insecure random number generation in Smolder 1.51 Perl testing framework. Uses rand() for cryptographic operations instead of a CSPRNG, enabling prediction of security tokens.

Information Disclosure Smolder
NVD
CVSS 3.1
9.1
EPSS
0.0%
CVE-2025-40538 CRITICAL Act Now

Broken access control in SolarWinds Serv-U allows unauthorized user creation by exploiting privilege assignment flaws. First of four critical Serv-U vulnerabilities.

Windows Serv U
NVD
CVSS 3.1
9.1
EPSS
0.0%
CVE-2025-40541 CRITICAL Act Now

IDOR vulnerability in SolarWinds Serv-U allows accessing objects belonging to other users. Fourth critical Serv-U vulnerability in this batch.

Windows Serv U
NVD
CVSS 3.1
9.1
EPSS
0.0%
Prev Page 2 of 2

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy