Skip to main content
CVE-2026-32989 HIGH POC This Week

Precurio Intranet Portal 4.4 contains a CSRF vulnerability that allows attackers to trick authenticated users into uploading malicious files to the server, potentially leading to remote code execution with web server privileges. A public exploit is available via PacketStorm (file ID 215644), significantly lowering the barrier for exploitation. The vulnerability carries a CVSS score of 8.8 with network-based attack vector requiring only user interaction.

CSRF RCE Precurio Intranet Portal
NVD VulDB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-33150 HIGH POC PATCH This Week

libfuse versions 3.18.0 through 3.18.1 contain a use-after-free vulnerability in the io_uring subsystem that allows local attackers to crash FUSE filesystem processes or execute arbitrary code when thread creation fails under resource constraints. The flaw occurs when io_uring initialization fails (e.g., due to cgroup limits), leaving a dangling pointer in session state that is dereferenced during shutdown. Public exploit code exists for this vulnerability, and no patch is currently available.

Memory Corruption RCE Denial Of Service Use After Free Libfuse
NVD GitHub VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-33476 HIGH POC PATCH This Week

An unauthenticated directory traversal vulnerability exists in Siyuan kernel's /appearance/ endpoint, allowing remote attackers to read arbitrary files accessible to the server process without authentication. The vulnerability affects the Go-based Siyuan note-taking application (github.com/siyuan-note/siyuan/kernel) and has been assigned a CVSS score of 7.5 (High). A working proof-of-concept exploit is publicly available demonstrating successful file retrieval via crafted URLs containing path traversal sequences, and a patch has been released by the vendor.

Information Disclosure Authentication Bypass Path Traversal Microsoft Docker +2
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.9%
CVE-2026-33484 HIGH POC PATCH GHSA This Week

{flow_id}/{file_name} endpoint, while all other file operation endpoints properly implement these security controls. A proof-of-concept exploit exists demonstrating that any attacker with knowledge of a flow UUID and filename can retrieve sensitive image data without credentials, posing a critical risk in multi-tenant deployments where cross-tenant data leakage can occur.

Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-33497 HIGH POC PATCH GHSA This Week

Path traversal in Langflow's /profile_pictures endpoint allows unauthenticated remote attackers to read the application's secret_key through directory traversal in the folder_name parameter. Since the secret_key is used for JWT authentication, attackers can forge valid tokens to gain unauthorized system access. Public exploit code exists for this vulnerability and no patch is currently available.

Path Traversal
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-4486 HIGH POC This Week

Remote code execution in D-Link DIR-513 1.10 via stack-based buffer overflow in the /goform/formEasySetPassword endpoint allows unauthenticated attackers to achieve full system compromise through a malicious curTime parameter. Public exploit code exists for this vulnerability, and affected devices are no longer receiving security updates from the vendor. An attacker with network access can execute arbitrary code with high privileges without user interaction.

Buffer Overflow D-Link Stack Overflow
NVD VulDB GitHub
CVSS 4.0
7.4
EPSS
0.1%
CVE-2026-4493 HIGH POC This Week

Stack-based buffer overflow in Tenda A18 Pro MAC filtering configuration allows remote authenticated attackers to achieve full system compromise through manipulation of the deviceList parameter. Public exploit code exists for this vulnerability, and no patch is currently available. The flaw impacts the /goform/setMacFilterCfg endpoint with a CVSS score of 8.8.

Tenda Buffer Overflow Stack Overflow
NVD VulDB GitHub
CVSS 4.0
7.4
EPSS
0.0%
CVE-2026-4492 HIGH POC This Week

Remote code execution in Tenda A18 Pro firmware 02.03.02.28 allows authenticated attackers to achieve full system compromise through stack-based buffer overflow in the QoS configuration function. Public exploit code exists for this vulnerability and no patch is currently available, leaving deployed devices at immediate risk.

Tenda Buffer Overflow Stack Overflow
NVD VulDB GitHub
CVSS 4.0
7.4
EPSS
0.0%
CVE-2026-4491 HIGH POC This Week

Stack-based buffer overflow in Tenda A18 Pro firmware version 02.03.02.28 allows remote attackers with low privileges to achieve complete system compromise through manipulation of the SetIpMacBind function arguments. Public exploit code exists for this vulnerability, and no patch is currently available. An authenticated attacker can execute arbitrary code remotely without user interaction, affecting confidentiality, integrity, and availability of affected devices.

Tenda Buffer Overflow Stack Overflow
NVD VulDB GitHub
CVSS 4.0
7.4
EPSS
0.0%
CVE-2026-4490 HIGH POC This Week

Stack-based buffer overflow in Tenda A18 Pro firmware version 02.03.02.28 enables authenticated remote attackers to achieve code execution with high privileges through the setSchedWifi function. Public exploit code is available for this vulnerability, and no patch has been released, leaving affected devices exposed to active exploitation. An attacker with network access and valid credentials can trigger the overflow to compromise system integrity and confidentiality.

Tenda Buffer Overflow Stack Overflow
NVD VulDB GitHub
CVSS 4.0
7.4
EPSS
0.0%
CVE-2026-4489 HIGH POC This Week

Stack-based buffer overflow in Tenda A18 Pro firmware version 02.03.02.28 allows authenticated remote attackers to achieve complete system compromise through the /goform/fast_setting_wifi_set endpoint. Public exploit code is available and actively being weaponized against this unpatched vulnerability. Attackers with network access and valid credentials can execute arbitrary code with full system privileges.

Tenda Buffer Overflow Stack Overflow
NVD VulDB GitHub
CVSS 4.0
7.4
EPSS
0.0%
CVE-2026-4488 HIGH POC This Week

Remote code execution in UTT HiPER 1250GW firmware versions up to 3.2.7 allows authenticated attackers to overflow a buffer in the /goform/setSysAdm function via a malicious GroupName parameter. Public exploit code exists for this vulnerability, and no patch is currently available. An attacker with valid credentials can achieve complete system compromise including code execution, data theft, and denial of service.

Buffer Overflow Hiper 1250Gw
NVD VulDB GitHub
CVSS 4.0
7.4
EPSS
0.0%
CVE-2026-4487 HIGH POC This Week

Unauthenticated attackers can trigger a buffer overflow in UTT HiPER 1200GW firmware versions up to 2.5.3-170306 via the /goform/websHostFilter endpoint, enabling remote code execution with full system compromise. Public exploit code is available and there is currently no patch, leaving affected devices at immediate risk. The vulnerability requires only network access and valid credentials to exploit, making it readily actionable for threat actors.

Buffer Overflow Hiper 1200Gw
NVD VulDB GitHub
CVSS 4.0
7.4
EPSS
0.0%
CVE-2026-31904 HIGH CISA Act Now

Missing rate limiting in CTEK Chargeportal's WebSocket API enables remote attackers to launch denial-of-service attacks against electric vehicle charging infrastructure telemetry or conduct brute-force authentication attacks. All versions of Chargeportal are affected. CISA ICS-CERT has issued an advisory (ICSA-26-078-06), indicating focus on critical infrastructure risk. EPSS exploitation probability is low (0.08%, 23rd percentile), and no active exploitation or public exploit is confirmed. SSVC assessment indicates the vulnerability is automatable but has no confirmed exploitation, suggesting moderate real-world urgency despite the high CVSS 8.7 score.

Authentication Bypass Chargeportal
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-31903 HIGH CISA Act Now

Unlimited authentication attempts against the eParking.fi WebSocket API enable network-based denial-of-service attacks that suppress or mis-route electric vehicle charger telemetry, and enable credential brute-forcing to gain unauthorized system access. Reported by ICS-CERT, affecting all versions of the charging management platform. EPSS score of 0.07% (22nd percentile) suggests low widespread exploitation probability, though SSVC marks it as automatable with partial technical impact. No active exploitation confirmed (not in CISA KEV), but CVSS 8.7 with AV:N/PR:N/AC:L indicates trivial remote exploitation against unauthenticated endpoints.

Authentication Bypass Eparking Fi
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-25086 HIGH CISA Act Now

WebCTRL Premium Server contains a port binding vulnerability that allows an attacker with local access to bind to the same network port used by the WebCTRL service. This enables the attacker to send malicious packets and impersonate the legitimate WebCTRL service without injecting code into the application, potentially compromising confidentiality and integrity of building automation system communications. The vulnerability affects Automated Logic's WebCTRL Premium Server and has been disclosed by ICS-CERT, though no KEV listing or public POC is currently documented.

Code Injection Webctrl Premium Server
NVD GitHub VulDB
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-32666 HIGH CISA Act Now

WebCTRL Premium Server systems contain an authentication bypass vulnerability arising from BACnet protocol's inherent lack of network layer authentication, compounded by WebCTRL's failure to implement additional validation. An attacker with network access can spoof BACnet packets targeting either the WebCTRL server or associated AutomatedLogic controllers, which will process the spoofed packets as legitimate traffic. This vulnerability has a CVSS score of 7.5 with high integrity impact and is disclosed through ICS-CERT advisory ICSA-26-078-08.

Authentication Bypass Webctrl Premium Server
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-32950 HIGH PATCH This Week

SQLBot, an intelligent data query system based on large language models and RAG, contains a critical SQL injection vulnerability in the /api/v1/datasource/uploadExcel endpoint that allows authenticated users with minimal privileges to achieve remote code execution on the backend server. SQLBot versions prior to 1.7.0 are affected, and attackers can exploit unsafe concatenation of Excel sheet names into PostgreSQL table names and COPY statements to inject malicious SQL commands. The vulnerability enables arbitrary command execution as the postgres user, database takeover, and sensitive file exfiltration including /etc/passwd and /etc/shadow.

SQLi RCE PostgreSQL Command Injection
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-33289 HIGH This Week

An LDAP injection vulnerability in SuiteCRM's authentication flow allows attackers to manipulate LDAP queries by injecting control characters into user-supplied input, potentially leading to authentication bypass or information disclosure. The vulnerability affects SuiteCRM versions prior to 7.15.1 and 8.9.3, which are open-source CRM systems widely deployed in enterprise environments. While no active exploitation has been reported (not in CISA KEV), the network-exploitable nature and potential for authentication bypass makes this a serious concern for organizations using affected versions.

Authentication Bypass Information Disclosure LDAP Code Injection
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-33479 HIGH This Week

The Gallery plugin in AVideo contains an unauthenticated remote code execution vulnerability through CSRF-enabled PHP code injection. Attackers can exploit an eval() function that directly executes unsanitized user input by tricking an admin into visiting a malicious page, with the session cookie's SameSite=None configuration enabling cross-site request forgery. A detailed proof-of-concept exploit exists demonstrating command execution through crafted form submissions.

PHP RCE CSRF Code Injection
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-33288 HIGH This Week

SQL injection in SuiteCRM's authentication layer when directory support is enabled allows authenticated attackers with low-privilege directory credentials to execute arbitrary SQL commands and escalate privileges to administrator level. The vulnerability stems from insufficient input sanitization of usernames in local database queries. SuiteCRM versions prior to 7.15.1 and 8.9.3 are affected, with no patch currently available.

Privilege Escalation SQLi Suitecrm
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-33507 HIGH This Week

A Cross-Site Request Forgery (CSRF) vulnerability in the AVideo platform's plugin upload endpoint allows unauthenticated attackers to achieve Remote Code Execution by tricking authenticated administrators into visiting a malicious webpage. The vulnerability combines missing CSRF token validation on the pluginImport.json.php endpoint with explicitly configured SameSite=None session cookies over HTTPS, enabling cross-origin session hijacking. A proof-of-concept exploit has been published demonstrating full compromise by uploading a malicious plugin containing a PHP webshell.

PHP RCE CSRF Command Injection Path Traversal +1
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-4451 HIGH PATCH This Week

A renderer process sandbox escape vulnerability exists in Google Chrome prior to version 146.0.7680.153 due to insufficient input validation in the Navigation component. An attacker who has already compromised the renderer process can exploit this via a crafted HTML page to escape the sandbox and gain elevated privileges on the host system. A patch is available from Google, and the vulnerability is tracked in the EUVD database with High severity classification.

Google Information Disclosure Ubuntu Debian Chrome +2
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-33124 HIGH PATCH This Week

{username}/password endpoint, combined with a failure to invalidate existing JWT tokens upon password change and absence of password strength validation. An attacker who obtains a valid session token through XSS, accidental exposure, cookie theft, compromised device, or unencrypted HTTP sniffing can permanently hijack victim accounts by changing their password while maintaining session access through non-invalidated tokens. This vulnerability has not been reported as actively exploited in the wild (KEV status unknown), but the straightforward nature of the attack and the common exposure vectors for JWT tokens make this a practical threat requiring immediate patching.

XSS Authentication Bypass Frigate
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-4447 HIGH PATCH This Week

A sandbox escape vulnerability exists in Google Chrome's V8 JavaScript engine prior to version 146.0.7680.153, allowing remote attackers to execute arbitrary code within the Chrome sandbox through a crafted HTML page. This is a High severity issue affecting millions of Chrome users across Windows, macOS, and Linux platforms. The vulnerability is triggered via web-based attack vector (HTML page delivery) and does not require user interaction beyond visiting a malicious website.

RCE Google
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-4464 HIGH PATCH This Week

Heap corruption in Google Chrome's ANGLE graphics library prior to version 146.0.7680.153 can be triggered remotely through a malicious HTML page, potentially enabling arbitrary code execution on affected systems. The vulnerability stems from an integer overflow condition that requires only user interaction with a crafted webpage, affecting Chrome users across Windows, macOS, and Linux platforms. A patch is available and security professionals should prioritize updating to the latest Chrome version to mitigate this high-severity risk.

Google Buffer Overflow Ubuntu Debian Chrome +2
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-4462 HIGH PATCH This Week

An out of bounds read vulnerability exists in the Blink rendering engine of Google Chrome prior to version 146.0.7680.153, allowing remote attackers to read memory outside intended buffer boundaries via a specially crafted HTML page. This vulnerability (CWE-125) has been classified as High severity by the Chromium security team and enables information disclosure attacks without requiring user interaction beyond visiting a malicious webpage. A vendor patch is available, and the vulnerability affects 9 Debian releases, indicating widespread downstream impact across Linux distributions.

Google Buffer Overflow Information Disclosure Ubuntu Debian +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-4461 HIGH PATCH This Week

Heap corruption in Google Chrome's V8 engine prior to version 146.0.7680.153 enables remote code execution when users visit malicious websites, affecting Chrome, Ubuntu, and Debian systems. An unauthenticated attacker can craft a specially designed HTML page to trigger memory corruption and achieve complete system compromise without user interaction beyond visiting the page. A patch is available for immediate deployment.

Google Information Disclosure Ubuntu Debian Chrome +2
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-4460 HIGH PATCH This Week

Memory disclosure in Google Chrome's Skia rendering engine prior to version 146.0.7680.153 enables unauthenticated attackers to read out-of-bounds memory contents by tricking users into visiting malicious web pages. Affected users across Chrome, Ubuntu, and Debian distributions face potential information leakage including sensitive data from process memory. A patch is available for immediate deployment.

Google Buffer Overflow Information Disclosure Ubuntu Debian +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-4457 HIGH PATCH This Week

Heap memory corruption in Google Chrome's V8 engine (versions prior to 146.0.7680.153) stems from type confusion vulnerabilities that can be triggered through malicious HTML pages without user privileges. An unauthenticated remote attacker can exploit this to achieve arbitrary code execution or crash the browser. The vulnerability affects Chrome, Ubuntu, and Debian systems, with patches now available.

Google Memory Corruption Information Disclosure Ubuntu Debian +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-4456 HIGH PATCH This Week

A use-after-free vulnerability in Google Chrome's Digital Credentials API prior to version 146.0.7680.153 enables attackers with a compromised renderer process to escape the sandbox and potentially achieve code execution through a specially crafted HTML page. The vulnerability affects Chrome on multiple platforms including Ubuntu and Debian systems, requiring user interaction to trigger but presenting high impact across confidentiality, integrity, and availability. A patch is available in Chrome 146.0.7680.153 and later versions.

Denial Of Service Google Memory Corruption Use After Free Ubuntu +4
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-4454 HIGH PATCH This Week

Heap memory corruption in Google Chrome versions prior to 146.0.7680.153 can be triggered through a use-after-free vulnerability in the Network component when a user visits a malicious HTML page. An unauthenticated remote attacker can exploit this to achieve arbitrary code execution with high integrity and confidentiality impact. A patch is available for Chrome, Ubuntu, and Debian users.

Google Use After Free Memory Corruption Denial Of Service Ubuntu +4
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-4452 HIGH PATCH This Week

Heap corruption in Google Chrome's ANGLE graphics library on Windows versions prior to 146.0.7680.153 can be triggered through integer overflow when processing maliciously crafted HTML pages. An unauthenticated remote attacker can exploit this vulnerability by deceiving users into visiting a malicious website, potentially achieving arbitrary code execution. A patch is available across affected platforms including Google Chrome, Microsoft Edge, and various Linux distributions.

Google Microsoft Buffer Overflow Ubuntu Debian +4
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-4450 HIGH PATCH This Week

Heap corruption in Google Chrome's V8 engine prior to version 146.0.7680.153 can be triggered through out-of-bounds memory writes when a user visits a malicious webpage. An unauthenticated remote attacker can exploit this vulnerability to achieve arbitrary code execution with high integrity and confidentiality impact. A security patch is available for affected users on Chrome, Ubuntu, and Debian systems.

Google Memory Corruption Buffer Overflow Ubuntu Debian +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-4449 HIGH PATCH This Week

Heap memory corruption in Google Chrome's Blink rendering engine prior to version 146.0.7680.153 can be triggered through a malicious HTML page, potentially enabling remote code execution. An unauthenticated attacker requires only user interaction to exploit this use-after-free vulnerability across network boundaries. A patch is available for affected Chrome, Ubuntu, and Debian users.

Google Use After Free Memory Corruption Denial Of Service Ubuntu +4
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-4441 HIGH PATCH This Week

Heap corruption in Google Chrome versions before 146.0.7680.153 results from a use-after-free vulnerability in the Base component, enabling remote attackers to execute arbitrary code through malicious HTML pages. The attack requires user interaction but no authentication, affecting Chrome on multiple platforms including Linux distributions. A patch is available to remediate this critical-severity vulnerability.

Google Use After Free Memory Corruption Denial Of Service Ubuntu +4
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-4459 HIGH PATCH This Week

Heap corruption in Google Chrome's WebAudio component (versions prior to 146.0.7680.153) can be triggered through out-of-bounds memory access when processing malicious HTML pages, enabling remote attackers to achieve arbitrary code execution without user interaction beyond viewing the page. The vulnerability affects Chrome, Ubuntu, and Debian systems, with patches now available across all platforms.

Google Information Disclosure Buffer Overflow Ubuntu Debian +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-4455 HIGH PATCH This Week

Heap buffer overflow in PDFium within Google Chrome versions prior to 146.0.7680.153 enables remote attackers to corrupt heap memory and potentially achieve code execution by delivering a malicious PDF file. The vulnerability requires user interaction to open the crafted PDF but no authentication or special privileges. Patches are available for affected Google Chrome, Ubuntu, and Debian systems.

Google Buffer Overflow Heap Overflow Ubuntu Debian +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-4448 HIGH PATCH This Week

Heap buffer overflow in Google Chrome's ANGLE graphics library (versions prior to 146.0.7680.153) enables remote attackers to corrupt heap memory and potentially achieve arbitrary code execution through malicious HTML pages requiring only user interaction. The vulnerability affects Chrome on multiple platforms including Ubuntu and Debian systems. A patch is available and should be applied immediately given the high severity and attack accessibility.

Google Heap Overflow Buffer Overflow Ubuntu Debian +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-4446 HIGH PATCH This Week

Heap corruption via use-after-free in Google Chrome's WebRTC implementation (versions prior to 146.0.7680.153) enables remote attackers to achieve arbitrary code execution through malicious HTML pages, requiring only user interaction. The vulnerability affects Chrome, Ubuntu, and Debian systems with a CVSS score of 8.8, though a patch is available.

Google Use After Free Memory Corruption Denial Of Service Ubuntu +4
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-4445 HIGH PATCH This Week

Heap memory corruption in Google Chrome's WebRTC implementation prior to version 146.0.7680.153 enables remote attackers to execute arbitrary code by tricking users into visiting malicious websites. The use-after-free vulnerability requires only user interaction and affects Chrome on multiple platforms including Ubuntu and Debian systems. A patch is available to address this high-severity flaw.

Google Use After Free Memory Corruption Denial Of Service Ubuntu +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-4442 HIGH PATCH This Week

Google Chrome versions prior to 146.0.7680.153 contain a heap buffer overflow in CSS parsing that enables remote code execution when users visit malicious HTML pages. An unauthenticated attacker can trigger heap memory corruption through a crafted webpage, potentially achieving arbitrary code execution with user privileges. A patch is available and should be applied immediately to all affected systems.

Google Heap Overflow Buffer Overflow Ubuntu Debian +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-4440 HIGH PATCH This Week

This is a critical out-of-bounds read and write vulnerability in the WebGL implementation of Google Chrome prior to version 146.0.7680.153. The vulnerability allows a remote attacker to perform arbitrary memory read and write operations by crafting a malicious HTML page, potentially leading to information disclosure, code execution, or complete system compromise. The vulnerability affects multiple Debian releases and has been assigned ENISA EUVD ID EUVD-2026-13447; a vendor patch is available.

Google Buffer Overflow Memory Corruption Ubuntu Debian +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-4439 HIGH PATCH This Week

Out-of-bounds memory corruption in Google Chrome's WebGL implementation on Android prior to version 146.0.7680.153 enables remote attackers to escape the browser sandbox by delivering a malicious HTML page, requiring only user interaction. This critical vulnerability affects Chrome users on Android devices and could lead to complete system compromise if successfully exploited. A patch is available in Chrome 146.0.7680.153 and later versions.

Google Buffer Overflow Memory Corruption Ubuntu Debian +4
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-4443 HIGH PATCH This Week

Sandboxed arbitrary code execution in Google Chrome's WebAudio component (versions prior to 146.0.7680.153) can be triggered remotely through malicious HTML, requiring only user interaction. An attacker can craft a weaponized webpage to break out of the Chrome sandbox and execute arbitrary code on affected systems. This high-severity vulnerability impacts Chrome, Ubuntu, and Debian users, with patches now available.

Google Heap Overflow RCE Buffer Overflow Ubuntu +4
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-33025 HIGH PATCH This Week

Unauthenticated SQL injection in AVideo versions before 8.0 allows authenticated attackers to manipulate database queries through unsanitized sort parameters in POST requests, potentially leading to unauthorized data access or modification. The vulnerability stems from improper use of real_escape_string() on SQL identifiers rather than string literals, rendering the escaping mechanism ineffective. Affected organizations should upgrade to version 8.0 or implement WAF rules restricting sort parameter characters to alphanumeric and underscore values.

PHP SQLi
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-4463 HIGH PATCH This Week

Heap buffer overflow in Google Chrome's WebRTC component (versions prior to 146.0.7680.153) enables remote code execution when users visit a malicious webpage, requiring only user interaction to trigger the vulnerability. An attacker can exploit this heap corruption to execute arbitrary code with the privileges of the affected browser process. A patch is available for Chrome and affected Linux distributions including Ubuntu and Debian.

Google Heap Overflow Buffer Overflow Ubuntu Debian +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-4444 HIGH PATCH This Week

Stack buffer overflow in Google Chrome's WebRTC implementation prior to version 146.0.7680.153 enables remote attackers to corrupt stack memory and achieve code execution through maliciously crafted HTML pages. The vulnerability affects Chrome, and potentially downstream products including Chromium-based browsers, requiring only user interaction and no authentication. A patch is available across affected platforms including Ubuntu and Debian.

Google Buffer Overflow Stack Overflow Ubuntu Debian +3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-33075 HIGH This Week

FastGPT versions 4.14.8.3 and below contain a critical arbitrary code execution vulnerability in the fastgpt-preview-image.yml GitHub Actions workflow that allows external contributors to execute malicious code and exfiltrate repository secrets. The vulnerability stems from unsafe use of pull_request_target with attacker-controlled Dockerfile builds that are pushed to the production container registry, enabling both direct compromise and supply chain attacks. No patch was available at the time of public disclosure, making this an unpatched remote code execution affecting the AI Agent building platform across affected versions.

RCE Docker
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-32888 HIGH This Week

Open Source Point of Sale (opensourcepos) contains a critical SQL Injection vulnerability in the Items search functionality when custom attribute search is enabled. An authenticated attacker with basic item search permissions can execute arbitrary SQL queries by manipulating the search GET parameter, which is directly interpolated into a HAVING clause without sanitization. The vulnerability affects all versions up to and including 3.4.1, carries a CVSS score of 8.8 (High), and had no patch available at the time of publication.

SQLi PHP
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
Page 1 of 3 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy