Skip to main content
CVE-2026-4689 CRITICAL POC PATCH Act Now

A sandbox escape vulnerability exists in Firefox's XPCOM component due to incorrect boundary conditions and integer overflow, allowing attackers to bypass security sandboxing mechanisms. This affects Firefox versions below 149, Firefox ESR below 115.34, and Firefox ESR below 140.9. An attacker can exploit this flaw to escape the browser sandbox and potentially execute arbitrary code with elevated privileges on the affected system.

Mozilla Buffer Overflow Firefox Esr
NVD VulDB GitHub
CVSS 3.1
10.0
EPSS
0.0%
CVE-2019-25628 CRITICAL POC Act Now

Download Accelerator Plus DAP 10.0.6.0 contains a structured exception handler buffer overflow vulnerability that allows remote attackers to execute arbitrary code by crafting malicious URLs. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Memory Corruption RCE Download Accelerator Plus Dap
NVD Exploit-DB VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2025-71275 CRITICAL POC Act Now

A critical unauthenticated remote code execution vulnerability exists in Zimbra Collaboration Suite PostJournal service version 8.8.15, allowing attackers to execute arbitrary system commands via SMTP injection through improper sanitization of the RCPT TO parameter using shell expansion syntax. A publicly available proof-of-concept exploit exists (PacketStorm), significantly increasing exploitation risk. With a CVSS score of 9.8 and network-accessible attack vector requiring no authentication or user interaction, this represents an immediate threat to exposed Zimbra installations.

RCE Command Injection Zimbra Collaboration Suite
NVD VulDB
CVSS 4.0
9.3
EPSS
0.5%
CVE-2019-25646 CRITICAL POC Act Now

Tabs Mail Carrier 2.5.1 contains a buffer overflow vulnerability in the MAIL FROM SMTP command that allows remote attackers to execute arbitrary code by sending a crafted MAIL FROM parameter. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Memory Corruption RCE Mail Carrier
NVD Exploit-DB VulDB
CVSS 4.0
9.3
EPSS
0.2%
CVE-2026-33475 CRITICAL POC PATCH Act Now

An unauthenticated shell injection vulnerability exists in Langflow's GitHub Actions CI/CD workflows, allowing attackers to execute arbitrary commands by crafting malicious branch names or pull request titles. Langflow versions prior to 1.9.0 are affected, specifically the langflow-ai:langflow product. A proof-of-concept exploit exists demonstrating secret exfiltration via crafted branch names, enabling attackers to steal GITHUB_TOKEN credentials and potentially compromise the supply chain without any authentication required.

RCE Command Injection Docker
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-33340 CRITICAL POC Act Now

A critical Server-Side Request Forgery (SSRF) vulnerability exists in the LoLLMs WEBUI application, allowing unauthenticated remote attackers to force the server to make arbitrary GET requests through the `/api/proxy` endpoint. All known existing versions of lollms-webui are affected, and as of publication, no patched version is available. Attackers can exploit this to access internal services, scan local networks, or exfiltrate sensitive cloud metadata such as AWS or GCP IAM tokens.

SSRF Authentication Bypass Lollms Webui
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-2417 CRITICAL CISA Emergency

Unauthenticated remote code execution in Pharos Controls Mosaic Show Controller firmware 2.15.3 enables attackers to bypass authentication and execute arbitrary commands with root privileges without user interaction. This critical vulnerability affects all instances exposed to network access with no available patch. The extremely low EPSS score suggests limited real-world exploitation despite the severe technical impact.

Authentication Bypass Mosaic Show Controller
NVD VulDB
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-4745 CRITICAL PATCH Act Now

A code injection vulnerability exists in dendibakh perf-ninja's Lua modules (specifically in ldo.C within labs/misc/pgo), allowing improper control of code generation that can lead to remote code execution. The vulnerability affects all versions of perf-ninja as indicated by the CPE specification. An attacker can exploit this flaw to inject and execute arbitrary code, with a vendor patch now available to remediate the issue.

Code Injection RCE Perf Ninja
NVD GitHub VulDB
CVSS 4.0
10.0
EPSS
0.0%
CVE-2026-4746 CRITICAL PATCH Act Now

Out-of-bounds write vulnerability in Proton versions before 1.6.16 allows remote attackers to execute arbitrary code with high impact on confidentiality, integrity, and availability. The vulnerability resides in the inflate.C module within the base/poco/Foundation components and can be exploited over the network without authentication or user interaction. A patch is available to remediate this critical flaw.

Buffer Overflow Proton
NVD GitHub VulDB
CVSS 4.0
10.0
EPSS
0.0%
CVE-2026-4688 CRITICAL PATCH Act Now

Sandbox escape in Mozilla Firefox's Disability Access APIs component due to a use-after-free memory vulnerability allows unauthenticated remote attackers to execute arbitrary code with full system compromise. Firefox versions below 149 and Firefox ESR below 140.9 are affected, with no patch currently available. The vulnerability is exploitable over the network without user interaction, presenting critical risk to all affected users.

Information Disclosure Memory Corruption Mozilla Use After Free Firefox Esr
NVD VulDB
CVSS 3.1
10.0
EPSS
0.0%
CVE-2026-4725 CRITICAL PATCH Act Now

Unauthenticated remote attackers can escape the Firefox sandbox through a use-after-free vulnerability in the Canvas2D graphics component, allowing arbitrary code execution on affected systems running Firefox versions prior to 149. The vulnerability requires no user interaction and impacts the entire system due to its critical severity and CVSS score of 10.0. No patch is currently available for this actively exploitable flaw.

Information Disclosure Memory Corruption Mozilla Use After Free Red Hat +1
NVD VulDB
CVSS 3.1
10.0
EPSS
0.0%
CVE-2026-4692 CRITICAL PATCH Act Now

A sandbox escape vulnerability exists in Firefox's Responsive Design Mode component that allows attackers to break out of the browser's security sandbox and access sensitive information. This affects Firefox versions prior to 149, Firefox ESR prior to 115.34, and Firefox ESR prior to 140.9. An attacker can exploit this vulnerability to disclose information by circumventing the sandbox restrictions that normally isolate web content from the browser's privileged context.

Mozilla Information Disclosure Firefox Esr
NVD VulDB
CVSS 3.1
10.0
EPSS
0.0%
CVE-2026-4755 CRITICAL PATCH Act Now

A critical input validation vulnerability (CWE-20) exists in MolotovCherry Android-ImageMagick7 before version 7.1.2-11 that allows unauthenticated remote attackers to achieve complete system compromise with high impact to confidentiality, integrity, and availability. The vulnerability was reported by GovTech CSG and has a CVSS score of 9.8, indicating network-accessible exploitation with no privileges or user interaction required. A patch is available from the vendor via GitHub pull request #193.

Google Information Disclosure Android
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-4691 CRITICAL PATCH Act Now

Critical use-after-free in Mozilla Firefox's CSS parsing engine enables unauthenticated remote code execution with no user interaction required, affecting Firefox versions below 149, ESR 115.34, and ESR 140.9. An attacker can exploit this memory corruption vulnerability by crafting a malicious web page that triggers the vulnerability when rendered, achieving full system compromise. No patch is currently available.

Information Disclosure Memory Corruption Mozilla Use After Free Firefox Esr
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-4717 CRITICAL PATCH Act Now

Firefox's Netmonitor component contains a privilege escalation vulnerability that affects versions prior to 149 (ESR < 140.9), allowing unauthenticated attackers to gain elevated privileges through network-accessible attack vectors with no user interaction required. This critical flaw (CVSS 9.8) enables complete system compromise including confidentiality, integrity, and availability violations, with no patch currently available.

Mozilla Privilege Escalation Red Hat Suse
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-4698 CRITICAL PATCH Act Now

A JIT miscompilation vulnerability exists in Firefox's JavaScript engine that can lead to information disclosure. This affects Firefox versions below 149, Firefox ESR below 115.34, and Firefox ESR below 140.9. An attacker can exploit this flaw through malicious JavaScript to extract sensitive information from the browser's memory, potentially compromising user data and system security.

Mozilla Memory Corruption Information Disclosure Firefox Esr
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-4696 CRITICAL PATCH Act Now

Unauthenticated remote attackers can achieve arbitrary code execution through a use-after-free memory corruption vulnerability in Firefox's text and font rendering engine, affecting Firefox versions below 149, ESR below 115.34, and ESR below 140.9. The vulnerability requires no user interaction or special privileges and allows complete compromise of confidentiality, integrity, and availability. No patch is currently available.

Information Disclosure Memory Corruption Mozilla Use After Free Firefox Esr
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-4711 CRITICAL PATCH Act Now

A use-after-free vulnerability in Firefox's Cocoa widget component allows remote code execution without user interaction or special privileges, affecting Firefox versions below 149 and ESR below 140.9. An attacker can exploit this memory corruption flaw over the network to achieve complete system compromise with high confidentiality, integrity, and availability impact. No patch is currently available.

Information Disclosure Memory Corruption Mozilla Use After Free Red Hat +1
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-4702 CRITICAL PATCH Act Now

A JIT (Just-In-Time) compilation miscompilation vulnerability exists in Firefox's JavaScript Engine that can lead to information disclosure. This affects Firefox versions below 149 and Firefox ESR versions below 140.9. An attacker can exploit this vulnerability through malicious JavaScript code to potentially disclose sensitive information from the browser's memory or process space.

Mozilla Memory Corruption Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-4701 CRITICAL PATCH Act Now

Mozilla Firefox versions below 149 (and ESR versions below 140.9) contain a use-after-free vulnerability in the JavaScript Engine that enables unauthenticated remote attackers to achieve arbitrary code execution without user interaction. The memory corruption flaw allows complete compromise of affected systems through network-based attacks. No patch is currently available for this critical vulnerability.

Mozilla Use After Free Memory Corruption Information Disclosure Red Hat +1
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-4700 CRITICAL PATCH Act Now

This vulnerability is a mitigation bypass in Firefox's HTTP networking component that allows attackers to circumvent existing security controls. Firefox versions below 149 and Firefox ESR versions below 140.9 are affected, enabling attackers to bypass authentication or other HTTP-level protections. While specific CVSS and EPSS scores are not provided, the mitigation bypass classification and Mozilla's issuance of security advisories indicate this requires prompt patching.

Mozilla Authentication Bypass Firefox Esr
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-4705 CRITICAL PATCH Act Now

An undefined behavior vulnerability exists in the WebRTC Signaling component of Mozilla Firefox and Firefox ESR, potentially enabling information disclosure attacks. Firefox versions prior to 149 and Firefox ESR versions prior to 140.9 are affected. While specific exploitation mechanics are not fully detailed in available public sources, the vulnerability is classified as an information disclosure issue that could allow attackers to extract sensitive data through malformed WebRTC signaling messages.

Information Disclosure Mozilla Red Hat Suse
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-4723 CRITICAL PATCH Act Now

Firefox versions prior to 149 contain a use-after-free vulnerability in the JavaScript engine that allows unauthenticated remote attackers to achieve arbitrary code execution with no user interaction required. The vulnerability affects all Firefox users and can be exploited over the network to gain complete control over an affected system. No patch is currently available.

Information Disclosure Memory Corruption Mozilla Use After Free Red Hat +1
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-4721 CRITICAL PATCH Act Now

Multiple memory safety bugs affecting Firefox, Firefox ESR, and Thunderbird browsers present a critical remote code execution risk through memory corruption vulnerabilities. The affected versions include Firefox below 149, Firefox ESR below 115.34 and 140.9, Thunderbird ESR 140.8, Firefox 148, and Thunderbird 148. These memory safety issues demonstrate evidence of exploitable memory corruption that could allow attackers to execute arbitrary code on affected systems, though no public exploit or active KEV confirmation is currently documented.

Mozilla RCE Buffer Overflow Firefox Esr
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-4720 CRITICAL PATCH Act Now

Multiple memory safety bugs affecting Firefox, Firefox ESR, Thunderbird, and Thunderbird ESR allow remote attackers to achieve arbitrary code execution through memory corruption vulnerabilities. Firefox versions prior to 149 and Firefox ESR versions prior to 140.9 are confirmed affected, with evidence suggesting these memory corruption issues could be exploited under sufficient effort. The vulnerability class encompasses buffer overflow and memory safety defects that demonstrate exploitation potential, though no active public exploitation has been documented at this time.

Mozilla RCE Buffer Overflow Firefox Esr
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-4710 CRITICAL PATCH Act Now

An incorrect boundary conditions vulnerability exists in Firefox and Firefox ESR's Audio/Video component that enables information disclosure attacks. Firefox versions below 149 and Firefox ESR versions below 140.9 are affected. Attackers can exploit improper boundary validation in audio/video processing to leak sensitive information from the browser process.

Mozilla Buffer Overflow Red Hat Suse
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-4729 CRITICAL PATCH Act Now

Multiple memory safety bugs in Firefox 148 and Thunderbird 148 allow attackers to trigger memory corruption with potential for arbitrary code execution. Firefox versions prior to 149 are vulnerable, as confirmed by Mozilla security advisories. The vulnerability requires no user interaction beyond normal browsing and represents a critical elevation risk due to the presume-exploitable nature of the underlying memory corruption issues.

Mozilla RCE Buffer Overflow
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-4739 CRITICAL PATCH Act Now

Integer overflow in the Expat XML parser module within InsightSoftwareConsortium ITK before version 2.7.1 allows remote attackers to cause denial of service or potentially execute arbitrary code through specially crafted XML input. The vulnerability affects all users of vulnerable ITK versions and requires only network access and user interaction to exploit. A patch is available in ITK 2.7.1 and later.

Buffer Overflow Integer Overflow Itk
NVD GitHub VulDB
CVSS 4.0
9.4
EPSS
0.0%
CVE-2026-4738 CRITICAL PATCH Act Now

A buffer overflow vulnerability in GDAL versions before 3.11.0 within the zlib infback9 module allows remote attackers to achieve arbitrary code execution or cause denial of service through specially crafted compressed data. The vulnerability requires user interaction to trigger but has a network attack vector with no authentication needed. A patch is available and should be applied immediately to affected GDAL installations.

Buffer Overflow Gdal Suse
NVD GitHub VulDB
CVSS 4.0
9.4
EPSS
0.0%
CVE-2026-4734 CRITICAL PATCH Act Now

A buffer overflow vulnerability in Modizer before v4.3 allows remote attackers to execute arbitrary code with high privileges by sending specially crafted input that bypasses memory boundary restrictions in the IMAP module. The network-accessible flaw requires minimal user interaction and affects the integrated libopenmpt curl library. A patch is available and should be applied immediately given the critical severity and confirmed attack vector.

Buffer Overflow Modizer
NVD GitHub VulDB
CVSS 4.0
9.4
EPSS
0.0%
CVE-2026-4744 CRITICAL PATCH Act Now

Out-of-bounds read vulnerability in Notepad3's Oniguruma regex engine (regcomp.C) allows local attackers with user interaction to trigger memory disclosure or potential code execution with high impact on confidentiality, integrity, and availability. The vulnerability affects all versions before 6.25.714.1 and has a critical CVSS score of 9.3. A patch is available and users should update immediately.

Buffer Overflow Information Disclosure Notepad3
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-4283 CRITICAL Act Now

The WP DSGVO Tools (GDPR) plugin for WordPress contains an authentication bypass vulnerability that allows unauthenticated attackers to permanently destroy any non-administrator user account. Attackers can trigger immediate and irreversible account anonymization (randomizing passwords, overwriting usernames/emails, stripping roles, anonymizing comments, and wiping sensitive metadata) by submitting a victim's email address with a publicly available nonce. All versions up to and including 3.1.38 are affected, with a CVSS score of 9.1 indicating critical severity.

WordPress Authentication Bypass
NVD VulDB
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-4753 CRITICAL PATCH Act Now

RetroDebugger versions before 0.64.72 contain an out-of-bounds read vulnerability that allows remote attackers to cause denial of service and potentially disclose sensitive information without authentication or user interaction. The network-accessible vulnerability has a CVSS score of 9.1 and a patch is available.

Buffer Overflow Information Disclosure Retrodebugger
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-4750 CRITICAL PATCH Act Now

Out-of-bounds read in woof before version 15.3.0 allows remote attackers to trigger information disclosure and denial of service without authentication or user interaction. This critical vulnerability affects Debian systems and can be exploited over the network to leak sensitive data or crash the application. A patch is available and should be applied immediately.

Buffer Overflow Information Disclosure Woof
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-4716 CRITICAL PATCH Act Now

Mozilla Firefox versions below 149 and Firefox ESR below 140.9 contain memory safety flaws in the JavaScript Engine that enable remote code execution and denial of service attacks without user interaction or special privileges. An unauthenticated attacker can exploit improper boundary condition handling and uninitialized memory to achieve high-impact confidentiality violations and system availability disruption. No patch is currently available.

Mozilla Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-4715 CRITICAL PATCH Act Now

An uninitialized memory vulnerability exists in Firefox and Firefox ESR's Graphics Canvas2D component that can lead to information disclosure. Firefox versions prior to 149 and Firefox ESR versions prior to 140.9 are affected. An attacker can exploit this by crafting malicious Canvas2D operations to read uninitialized memory contents from the graphics rendering pipeline, potentially exposing sensitive data from the browser process.

Mozilla Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-4724 CRITICAL PATCH Act Now

An undefined behavior vulnerability exists in the Firefox Audio/Video component that could lead to information disclosure. This affects all Firefox versions prior to 149. While specific exploitation details are limited due to missing CVSS and CWE data, the vulnerability's classification as information disclosure suggests an attacker could potentially access sensitive audio or video processing data or bypass security boundaries within the multimedia subsystem.

Mozilla Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2025-33244 CRITICAL Act Now

NVIDIA APEX for Linux contains a deserialization of untrusted data vulnerability that affects environments using PyTorch versions earlier than 2.6. An attacker with low privileges on an adjacent network can exploit this flaw to achieve code execution, denial of service, privilege escalation, data tampering, and information disclosure with scope change (CVSS 9.0 Critical). No KEV listing or public POC availability has been reported at this time.

Information Disclosure RCE Deserialization Denial Of Service Nvidia +2
NVD VulDB
CVSS 3.1
9.0
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy