Skip to main content
CVE-2026-4689 CRITICAL POC PATCH Act Now

A sandbox escape vulnerability exists in Firefox's XPCOM component due to incorrect boundary conditions and integer overflow, allowing attackers to bypass security sandboxing mechanisms. This affects Firefox versions below 149, Firefox ESR below 115.34, and Firefox ESR below 140.9. An attacker can exploit this flaw to escape the browser sandbox and potentially execute arbitrary code with elevated privileges on the affected system.

Mozilla Buffer Overflow Firefox Esr
NVD VulDB GitHub
CVSS 3.1
10.0
EPSS
0.0%
CVE-2019-25628 CRITICAL POC Act Now

Download Accelerator Plus DAP 10.0.6.0 contains a structured exception handler buffer overflow vulnerability that allows remote attackers to execute arbitrary code by crafting malicious URLs. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Memory Corruption RCE Download Accelerator Plus Dap
NVD Exploit-DB VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2025-71275 CRITICAL POC Act Now

A critical unauthenticated remote code execution vulnerability exists in Zimbra Collaboration Suite PostJournal service version 8.8.15, allowing attackers to execute arbitrary system commands via SMTP injection through improper sanitization of the RCPT TO parameter using shell expansion syntax. A publicly available proof-of-concept exploit exists (PacketStorm), significantly increasing exploitation risk. With a CVSS score of 9.8 and network-accessible attack vector requiring no authentication or user interaction, this represents an immediate threat to exposed Zimbra installations.

RCE Command Injection Zimbra Collaboration Suite
NVD VulDB
CVSS 4.0
9.3
EPSS
0.5%
CVE-2019-25646 CRITICAL POC Act Now

Tabs Mail Carrier 2.5.1 contains a buffer overflow vulnerability in the MAIL FROM SMTP command that allows remote attackers to execute arbitrary code by sending a crafted MAIL FROM parameter. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Memory Corruption RCE Mail Carrier
NVD Exploit-DB VulDB
CVSS 4.0
9.3
EPSS
0.2%
CVE-2026-33475 CRITICAL POC PATCH Act Now

An unauthenticated shell injection vulnerability exists in Langflow's GitHub Actions CI/CD workflows, allowing attackers to execute arbitrary commands by crafting malicious branch names or pull request titles. Langflow versions prior to 1.9.0 are affected, specifically the langflow-ai:langflow product. A proof-of-concept exploit exists demonstrating secret exfiltration via crafted branch names, enabling attackers to steal GITHUB_TOKEN credentials and potentially compromise the supply chain without any authentication required.

RCE Command Injection Docker
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-33340 CRITICAL POC Act Now

A critical Server-Side Request Forgery (SSRF) vulnerability exists in the LoLLMs WEBUI application, allowing unauthenticated remote attackers to force the server to make arbitrary GET requests through the `/api/proxy` endpoint. All known existing versions of lollms-webui are affected, and as of publication, no patched version is available. Attackers can exploit this to access internal services, scan local networks, or exfiltrate sensitive cloud metadata such as AWS or GCP IAM tokens.

SSRF Authentication Bypass Lollms Webui
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2019-25639 HIGH POC This Week

Matrimony Website Script M-Plus contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries by injecting SQL code through various POST. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2019-25643 HIGH POC This Week

eNdonesia Portal v8.7 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the bid parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2019-25641 HIGH POC This Week

Netartmedia Vlog System contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the email parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2019-25635 HIGH POC This Week

Zeeways Matrimony CMS contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries through the profile_list endpoint. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Zeeways Matrimony Cms
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2019-25636 HIGH POC This Week

Zeeways Jobsite CMS contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'id' GET parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2019-25642 HIGH POC This Week

Unauthenticated SQL injection in Bootstrapy CMS allows remote attackers to extract sensitive database information or cause denial of service through multiple POST parameters in forum and contact modules. The vulnerability affects forum-thread.php (thread_id), contact-submit.php (subject), and post-new-submit.php (post-id) endpoints. Public exploit code exists via Exploit-DB #46590, though EPSS probability remains low at 0.06% (19th percentile), suggesting limited real-world exploitation despite ease of attack (AV:N/AC:L/PR:N). SSVC framework confirms proof-of-concept availability and automated exploitation potential with partial technical impact.

PHP SQLi Denial Of Service Bootstrap
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2019-25640 HIGH POC This Week

SQL injection in Inout Article Base CMS allows remote unauthenticated attackers to extract sensitive database information or cause denial of service through malicious XOR-based and time-based SQL payloads injected via 'p' and 'u' parameters in GET requests to portalLogin.php. Public exploit code demonstrates the attack (Exploit-DB 46593), though EPSS scoring indicates low probability of widespread exploitation (0.06%, 19th percentile). No vendor patch has been identified, and the vendor website reference provides no security advisory, leaving deployments at continued risk.

PHP SQLi Denial Of Service
NVD Exploit-DB VulDB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2019-25630 HIGH POC This Week

PhreeBooks ERP 5.2.3 contains an arbitrary file upload vulnerability in the Image Manager component that allows authenticated attackers to upload malicious files by submitting requests to the image. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP RCE File Upload
NVD Exploit-DB VulDB
CVSS 4.0
8.7
EPSS
0.2%
CVE-2019-25647 HIGH POC This Week

PhreeBooks ERP 5.2.3 contains a remote code execution vulnerability in the image manager that allows authenticated attackers to upload and execute arbitrary PHP files by bypassing file extension. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP RCE File Upload
NVD Exploit-DB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2019-25627 HIGH POC This Week

FlexHEX 2.71 contains a local buffer overflow vulnerability in the Stream Name field that allows local attackers to execute arbitrary code by triggering a structured exception handler (SEH) overflow. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow RCE File Upload Flexhex
NVD Exploit-DB VulDB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-22739 HIGH POC PATCH This Week

Spring Cloud Config Server contains a path traversal vulnerability when using the native file system backend, allowing unauthenticated remote attackers to access arbitrary files outside configured search directories by manipulating the profile parameter in requests. This affects Spring Cloud versions 3.1.X before 3.1.13, 4.1.X before 4.1.9, 4.2.X before 4.2.3, 4.3.X before 4.3.2, and 5.0.X before 5.0.2. With a CVSS score of 8.6 indicating high confidentiality impact with some integrity and availability impact, and network-based attack vector requiring no authentication, this represents a significant information disclosure risk for exposed Config Server instances.

Java Path Traversal
NVD HeroDevs VulDB
CVSS 3.1
8.6
EPSS
0.0%
CVE-2019-25634 HIGH POC This Week

Local arbitrary code execution in 4mhz Base64 Decoder 1.1.2 occurs when the application processes a maliciously crafted input file, causing a stack-based buffer overflow that overwrites the Structured Exception Handler (SEH) chain. Publicly available exploit code exists (Exploit-DB 46625) demonstrating an SEH overwrite chained with a POP-POP-RET gadget and an egghunter payload to reach attacker-supplied shellcode. Despite CVSS 8.6 and a working PoC, EPSS is only 0.01% (2nd percentile), reflecting the niche Windows utility and local-only attack vector.

Buffer Overflow Memory Corruption RCE Base64 Decoder
NVD Exploit-DB VulDB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2019-25633 HIGH POC This Week

AIDA64 Extreme 5.99.4900 contains a structured exception handling buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying malicious input through the email. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Memory Corruption RCE Aida64 Extreme
NVD Exploit-DB VulDB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2019-25631 HIGH POC This Week

AIDA64 Business 5.99.4900 contains a structured exception handling buffer overflow vulnerability that allows local attackers to execute arbitrary code by overwriting SEH pointers with malicious. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Memory Corruption RCE Aida64 Business
NVD Exploit-DB VulDB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2019-25629 HIGH POC This Week

AIDA64 Extreme 5.99.4900 contains a structured exception handler buffer overflow vulnerability in the logging functionality that allows local attackers to execute arbitrary code by supplying a. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Memory Corruption RCE Aida64 Extreme
NVD Exploit-DB VulDB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2019-25626 HIGH POC This Week

Local buffer overflow in River Past Cam Do 3.7.6's activation code field enables arbitrary code execution with SYSTEM privileges through specially crafted 608-byte input followed by shellcode and SEH chain overwrite. While exploitation requires local access and a publicly available exploit exists (Exploit-DB 46670), EPSS score of 0.01% indicates minimal real-world exploitation activity. The vulnerability affects a legacy multimedia application with no confirmed vendor patch, making it primarily relevant for environments still running this discontinued software.

Buffer Overflow RCE File Upload River Past Cam Do
NVD Exploit-DB VulDB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2019-25637 HIGH POC This Week

X-NetStat Pro 5.63 contains a local buffer overflow vulnerability that allows local attackers to execute arbitrary code by overwriting the EIP register through a 264-byte buffer overflow. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Memory Corruption RCE Netstat Pro
NVD Exploit-DB VulDB
CVSS 3.1
8.4
EPSS
0.0%
CVE-2026-2417 CRITICAL CISA Emergency

Unauthenticated remote code execution in Pharos Controls Mosaic Show Controller firmware 2.15.3 enables attackers to bypass authentication and execute arbitrary commands with root privileges without user interaction. This critical vulnerability affects all instances exposed to network access with no available patch. The extremely low EPSS score suggests limited real-world exploitation despite the severe technical impact.

Authentication Bypass Mosaic Show Controller
NVD VulDB
CVSS 4.0
9.3
EPSS
0.1%
CVE-2019-25638 HIGH POC This Week

Meeplace Business Review Script contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Denial Of Service
NVD Exploit-DB VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2019-25632 MEDIUM POC This Month

phpFileManager 1.7.8 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the action, fm_current_dir, and filename parameters. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass PHP
NVD Exploit-DB VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2019-25644 MEDIUM POC This Month

WinMPG Video Convert 9.3.5 and older versions contain a buffer overflow vulnerability in the registration dialog that allows local attackers to crash the application by supplying oversized input. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Memory Corruption Denial Of Service Winmpg Video Convert Local Dos Exploit
NVD Exploit-DB VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2019-25645 MEDIUM POC This Month

WinAVI iPod/3GP/MP4/PSP Converter 4.4.2 contains a denial of service vulnerability that allows local attackers to crash the application by processing malformed AVI files. Rated medium severity (CVSS 6.2), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Winavi Ipod 3Gp Mp4 Psp Converter
NVD Exploit-DB VulDB
CVSS 3.1
6.2
EPSS
0.0%
CVE-2026-4745 CRITICAL PATCH Act Now

A code injection vulnerability exists in dendibakh perf-ninja's Lua modules (specifically in ldo.C within labs/misc/pgo), allowing improper control of code generation that can lead to remote code execution. The vulnerability affects all versions of perf-ninja as indicated by the CPE specification. An attacker can exploit this flaw to inject and execute arbitrary code, with a vendor patch now available to remediate the issue.

Code Injection RCE Perf Ninja
NVD GitHub VulDB
CVSS 4.0
10.0
EPSS
0.0%
CVE-2026-4746 CRITICAL PATCH Act Now

Out-of-bounds write vulnerability in Proton versions before 1.6.16 allows remote attackers to execute arbitrary code with high impact on confidentiality, integrity, and availability. The vulnerability resides in the inflate.C module within the base/poco/Foundation components and can be exploited over the network without authentication or user interaction. A patch is available to remediate this critical flaw.

Buffer Overflow Proton
NVD GitHub VulDB
CVSS 4.0
10.0
EPSS
0.0%
CVE-2026-4688 CRITICAL PATCH Act Now

Sandbox escape in Mozilla Firefox's Disability Access APIs component due to a use-after-free memory vulnerability allows unauthenticated remote attackers to execute arbitrary code with full system compromise. Firefox versions below 149 and Firefox ESR below 140.9 are affected, with no patch currently available. The vulnerability is exploitable over the network without user interaction, presenting critical risk to all affected users.

Information Disclosure Memory Corruption Mozilla Use After Free Firefox Esr
NVD VulDB
CVSS 3.1
10.0
EPSS
0.0%
CVE-2026-4725 CRITICAL PATCH Act Now

Unauthenticated remote attackers can escape the Firefox sandbox through a use-after-free vulnerability in the Canvas2D graphics component, allowing arbitrary code execution on affected systems running Firefox versions prior to 149. The vulnerability requires no user interaction and impacts the entire system due to its critical severity and CVSS score of 10.0. No patch is currently available for this actively exploitable flaw.

Information Disclosure Memory Corruption Mozilla Use After Free Red Hat +1
NVD VulDB
CVSS 3.1
10.0
EPSS
0.0%
CVE-2026-4692 CRITICAL PATCH Act Now

A sandbox escape vulnerability exists in Firefox's Responsive Design Mode component that allows attackers to break out of the browser's security sandbox and access sensitive information. This affects Firefox versions prior to 149, Firefox ESR prior to 115.34, and Firefox ESR prior to 140.9. An attacker can exploit this vulnerability to disclose information by circumventing the sandbox restrictions that normally isolate web content from the browser's privileged context.

Mozilla Information Disclosure Firefox Esr
NVD VulDB
CVSS 3.1
10.0
EPSS
0.0%
CVE-2026-4755 CRITICAL PATCH Act Now

A critical input validation vulnerability (CWE-20) exists in MolotovCherry Android-ImageMagick7 before version 7.1.2-11 that allows unauthenticated remote attackers to achieve complete system compromise with high impact to confidentiality, integrity, and availability. The vulnerability was reported by GovTech CSG and has a CVSS score of 9.8, indicating network-accessible exploitation with no privileges or user interaction required. A patch is available from the vendor via GitHub pull request #193.

Google Information Disclosure Android
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-4691 CRITICAL PATCH Act Now

Critical use-after-free in Mozilla Firefox's CSS parsing engine enables unauthenticated remote code execution with no user interaction required, affecting Firefox versions below 149, ESR 115.34, and ESR 140.9. An attacker can exploit this memory corruption vulnerability by crafting a malicious web page that triggers the vulnerability when rendered, achieving full system compromise. No patch is currently available.

Information Disclosure Memory Corruption Mozilla Use After Free Firefox Esr
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-4717 CRITICAL PATCH Act Now

Firefox's Netmonitor component contains a privilege escalation vulnerability that affects versions prior to 149 (ESR < 140.9), allowing unauthenticated attackers to gain elevated privileges through network-accessible attack vectors with no user interaction required. This critical flaw (CVSS 9.8) enables complete system compromise including confidentiality, integrity, and availability violations, with no patch currently available.

Mozilla Privilege Escalation Red Hat Suse
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-4698 CRITICAL PATCH Act Now

A JIT miscompilation vulnerability exists in Firefox's JavaScript engine that can lead to information disclosure. This affects Firefox versions below 149, Firefox ESR below 115.34, and Firefox ESR below 140.9. An attacker can exploit this flaw through malicious JavaScript to extract sensitive information from the browser's memory, potentially compromising user data and system security.

Mozilla Memory Corruption Information Disclosure Firefox Esr
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-4696 CRITICAL PATCH Act Now

Unauthenticated remote attackers can achieve arbitrary code execution through a use-after-free memory corruption vulnerability in Firefox's text and font rendering engine, affecting Firefox versions below 149, ESR below 115.34, and ESR below 140.9. The vulnerability requires no user interaction or special privileges and allows complete compromise of confidentiality, integrity, and availability. No patch is currently available.

Information Disclosure Memory Corruption Mozilla Use After Free Firefox Esr
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-4711 CRITICAL PATCH Act Now

A use-after-free vulnerability in Firefox's Cocoa widget component allows remote code execution without user interaction or special privileges, affecting Firefox versions below 149 and ESR below 140.9. An attacker can exploit this memory corruption flaw over the network to achieve complete system compromise with high confidentiality, integrity, and availability impact. No patch is currently available.

Information Disclosure Memory Corruption Mozilla Use After Free Red Hat +1
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-4702 CRITICAL PATCH Act Now

A JIT (Just-In-Time) compilation miscompilation vulnerability exists in Firefox's JavaScript Engine that can lead to information disclosure. This affects Firefox versions below 149 and Firefox ESR versions below 140.9. An attacker can exploit this vulnerability through malicious JavaScript code to potentially disclose sensitive information from the browser's memory or process space.

Mozilla Memory Corruption Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-4701 CRITICAL PATCH Act Now

Mozilla Firefox versions below 149 (and ESR versions below 140.9) contain a use-after-free vulnerability in the JavaScript Engine that enables unauthenticated remote attackers to achieve arbitrary code execution without user interaction. The memory corruption flaw allows complete compromise of affected systems through network-based attacks. No patch is currently available for this critical vulnerability.

Mozilla Use After Free Memory Corruption Information Disclosure Red Hat +1
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-4700 CRITICAL PATCH Act Now

This vulnerability is a mitigation bypass in Firefox's HTTP networking component that allows attackers to circumvent existing security controls. Firefox versions below 149 and Firefox ESR versions below 140.9 are affected, enabling attackers to bypass authentication or other HTTP-level protections. While specific CVSS and EPSS scores are not provided, the mitigation bypass classification and Mozilla's issuance of security advisories indicate this requires prompt patching.

Mozilla Authentication Bypass Firefox Esr
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-4705 CRITICAL PATCH Act Now

An undefined behavior vulnerability exists in the WebRTC Signaling component of Mozilla Firefox and Firefox ESR, potentially enabling information disclosure attacks. Firefox versions prior to 149 and Firefox ESR versions prior to 140.9 are affected. While specific exploitation mechanics are not fully detailed in available public sources, the vulnerability is classified as an information disclosure issue that could allow attackers to extract sensitive data through malformed WebRTC signaling messages.

Information Disclosure Mozilla Red Hat Suse
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-4723 CRITICAL PATCH Act Now

Firefox versions prior to 149 contain a use-after-free vulnerability in the JavaScript engine that allows unauthenticated remote attackers to achieve arbitrary code execution with no user interaction required. The vulnerability affects all Firefox users and can be exploited over the network to gain complete control over an affected system. No patch is currently available.

Information Disclosure Memory Corruption Mozilla Use After Free Red Hat +1
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-4721 CRITICAL PATCH Act Now

Multiple memory safety bugs affecting Firefox, Firefox ESR, and Thunderbird browsers present a critical remote code execution risk through memory corruption vulnerabilities. The affected versions include Firefox below 149, Firefox ESR below 115.34 and 140.9, Thunderbird ESR 140.8, Firefox 148, and Thunderbird 148. These memory safety issues demonstrate evidence of exploitable memory corruption that could allow attackers to execute arbitrary code on affected systems, though no public exploit or active KEV confirmation is currently documented.

Mozilla RCE Buffer Overflow Firefox Esr
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-4720 CRITICAL PATCH Act Now

Multiple memory safety bugs affecting Firefox, Firefox ESR, Thunderbird, and Thunderbird ESR allow remote attackers to achieve arbitrary code execution through memory corruption vulnerabilities. Firefox versions prior to 149 and Firefox ESR versions prior to 140.9 are confirmed affected, with evidence suggesting these memory corruption issues could be exploited under sufficient effort. The vulnerability class encompasses buffer overflow and memory safety defects that demonstrate exploitation potential, though no active public exploitation has been documented at this time.

Mozilla RCE Buffer Overflow Firefox Esr
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-4710 CRITICAL PATCH Act Now

An incorrect boundary conditions vulnerability exists in Firefox and Firefox ESR's Audio/Video component that enables information disclosure attacks. Firefox versions below 149 and Firefox ESR versions below 140.9 are affected. Attackers can exploit improper boundary validation in audio/video processing to leak sensitive information from the browser process.

Mozilla Buffer Overflow Red Hat Suse
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-4729 CRITICAL PATCH Act Now

Multiple memory safety bugs in Firefox 148 and Thunderbird 148 allow attackers to trigger memory corruption with potential for arbitrary code execution. Firefox versions prior to 149 are vulnerable, as confirmed by Mozilla security advisories. The vulnerability requires no user interaction beyond normal browsing and represents a critical elevation risk due to the presume-exploitable nature of the underlying memory corruption issues.

Mozilla RCE Buffer Overflow
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-4623 MEDIUM POC PATCH This Month

A Server-Side Request Forgery (SSRF) vulnerability exists in DefaultFuction Jeson-Customer-Relationship-Management-System affecting versions up to commit 1b4679c4d06b90d31dd521c2b000bfdec5a36e00. The vulnerability resides in the /api/System.php file where the 'url' parameter can be manipulated to force the server to make arbitrary requests. A publicly disclosed proof-of-concept exploit is available on GitHub, and patches have been released by the vendor.

PHP SSRF
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-4617 MEDIUM POC This Month

SourceCodester Patients Waiting Area Queue Management System 1.0 contains an improper authorization flaw in the ValidateToken function of the Patient Check-In Module that allows unauthenticated remote attackers to bypass access controls. Public exploit code is available for this vulnerability, and no patch has been released. The attack requires no user interaction and could enable unauthorized access to patient check-in functionality.

PHP Authentication Bypass
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
Page 1 of 5 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy