Skip to main content
CVE-2026-58453 CRITICAL POC Act Now

Default-credential authentication bypass in JAIOTlink C492A-W6 Wi-Fi IP cameras (firmware 4.8.30.57701411) lets attackers log in to the anyka_ipc HTTP service on port 80 using the built-in admin username with an empty password, granting full access to snapshots, live video, network configuration, and factory-level API endpoints. Because the same interface exposes a SetMAC command-injection surface, this trivial access can be pivoted toward device-level code execution. Publicly available exploit code exists (published by VulnCheck), though this CVE is not listed in CISA KEV and no active exploitation is confirmed.

Command Injection Authentication Bypass C492A W6 Wi Fi Ip Camera
NVD GitHub
CVSS 4.0
9.3
EPSS
1.7%
CVE-2026-58457 CRITICAL POC Act Now

Unauthenticated OS command injection in the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02) lets network-adjacent attackers run arbitrary shell commands as root through the smacfilter_conf handler in the commuos web backend. Publicly available exploit code exists (published by VulnCheck/IEATASICS), and successful exploitation grants full device takeover; the flaw carries a CVSS 4.0 base score of 9.3 but is reachable only by attackers adjacent to the device's network. No public exploit is listed in CISA KEV, so this is proof-of-concept exposure rather than confirmed active exploitation.

Command Injection M300 Wi Fi Repeater
NVD GitHub
CVSS 4.0
9.3
EPSS
1.7%
CVE-2026-58127 CRITICAL POC Act Now

Unauthenticated remote code execution as SYSTEM affects Hyland PACSgear MediaWriter 5.2.1, which exposes an unauthenticated .NET Remoting TCP service (PacsgearMediaServerEngine.dll) on port 9000. Remote attackers abuse the MarshalByRefObject unmarshalling technique against the default ObjectURIs (RemoteObj/UIRemoteObj) to gain an arbitrary file read/write primitive, then chain it with DLL hijacking to execute code as NT AUTHORITY\SYSTEM. Publicly available exploit code exists (published by VulnCheck), making this a high-priority issue despite no CISA KEV listing at time of analysis.

Authentication Bypass RCE Pacsgear Mediawriter
NVD GitHub
CVSS 4.0
9.3
EPSS
0.8%
CVE-2026-58126 CRITICAL POC Act Now

Unauthenticated remote code execution in Hyland PACSgear PACS Scan 5.2.1 lets remote attackers gain SYSTEM-level control of medical imaging servers by abusing an exposed .NET Remoting TCP service (PGImageExchQueue.exe) on port 22222. The exposed service grants arbitrary file read/write with no authentication, which is chained with a DLL hijack in the PGImageExchangeQueueSvc.exe service to run code as NT AUTHORITY\SYSTEM. Publicly available exploit code exists (published by VulnCheck); there is no public exploit identified as actively exploited, as it is not listed in CISA KEV.

Authentication Bypass RCE Pacsgear Pacs Scan
NVD GitHub
CVSS 4.0
9.3
EPSS
0.8%
CVE-2026-34107 CRITICAL POC Act Now

OS command injection in Guardian language-system lets unauthenticated remote attackers run arbitrary shell commands by injecting metacharacters into the 'id' GET parameter of translate.php, which is concatenated directly into a PHP exec() call. Publicly available exploit code exists (published as a gist via VulnCheck), and the CVSS 4.0 base score of 9.3 reflects full compromise of confidentiality, integrity, and availability with no authentication or user interaction. There is no public exploit identified as actively exploited in CISA KEV, so the current risk is driven by ease of exploitation and public PoC rather than confirmed in-the-wild abuse.

Command Injection PHP Language System
NVD GitHub
CVSS 4.0
9.3
EPSS
0.7%
CVE-2026-34106 CRITICAL POC Act Now

Remote code execution in Guardian language-system allows unauthenticated attackers to run arbitrary OS commands by injecting shell metacharacters into the 'id' GET parameter of subtitles.php, which is concatenated directly into a PHP exec() call invoking jobs/subtitle_rendering.php. The CVSS 4.0 base score of 9.3 reflects network-reachable, no-privilege, no-interaction exploitation, and publicly available exploit code exists (published via VulnCheck), though there is no public exploit identified as being actively used in the wild at time of analysis.

Command Injection PHP Language System
NVD GitHub
CVSS 4.0
9.3
EPSS
0.7%
CVE-2026-57517 CRITICAL POC PATCH Act Now

Unauthenticated blind SQL injection in Control Web Panel (CWP) before 0.9.8.1225 lets remote attackers inject arbitrary SQL through the userRes POST parameter of the user endpoint, and because CWP's MySQL connection runs with root privileges the flaw escalates to full remote code execution via INTO DUMPFILE. Attackers write a PHP webshell into the web-accessible roundcube logs directory and execute commands as the cwpsvc account. Publicly available exploit code exists and a vendor patch has been released; this is a network, no-authentication, low-complexity issue (CVSS 4.0 9.3).

SQLi RCE PHP Control Web Panel
NVD
CVSS 4.0
9.3
EPSS
0.6%
CVE-2026-34099 CRITICAL POC Act Now

Unauthenticated SQL injection in Guardian Language System lets remote attackers manipulate the backend database by injecting into the `id` GET parameter of job_info.php, which is concatenated directly into a SQL query with no sanitization. Because no authentication is required (CVSS 4.0 PR:N) and publicly available exploit code exists, any attacker who can reach the endpoint can extract database version, current user, schema names, and table contents via error-based injection. Reported by VulnCheck with a CVSS of 9.3; no public exploit identified as actively used in the wild (not in CISA KEV).

SQLi PHP Language System
NVD GitHub
CVSS 4.0
9.3
EPSS
0.5%
CVE-2026-34105 CRITICAL POC Act Now

SQL injection in the Guardian language-system (translate_text.php) lets remote attackers extract arbitrary database contents by injecting into the unsanitized 'id' GET parameter. The CVSS 4.0 vector scores this 9.3 (Critical) with PR:N, and the VulnCheck advisory title labels it unauthenticated, though the CVE description states an authenticated attacker is required - this discrepancy should be verified. Publicly available exploit code exists, but there is no public exploit identified as being actively used in attacks (not in CISA KEV).

SQLi PHP Language System
NVD GitHub
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-34104 CRITICAL POC Act Now

SQL injection in Guardian Language-System's designer.php exposes the entire backend database to attackers who supply a crafted 'name' GET parameter, which is concatenated directly into a SELECT query without sanitization (CWE-89). VulnCheck reports this as remotely reachable and publicly available exploit code exists, though no public exploit is confirmed as actively used in the wild (not in CISA KEV). Note a source conflict: the CVE description labels the attacker 'authenticated' while the VulnCheck advisory and CVSS 4.0 vector (PR:N) describe it as unauthenticated.

SQLi PHP Language System
NVD GitHub
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-34103 CRITICAL POC Act Now

SQL injection in Guardian Language-System's subtitles.php lets attackers extract arbitrary database contents by tampering with the id GET parameter, which is concatenated directly into a SELECT query without sanitization. The flaw is error-based and rated critical (CVSS 4.0 base 9.3, VC:H/VI:H/VA:H), publicly available exploit code exists (VulnCheck advisory plus a public gist PoC), and there is no public exploit identified as being used in active attacks. Note a source conflict: the CVE description labels the attacker 'authenticated,' but the CVSS vector (PR:N) and VulnCheck's advisory title both describe it as unauthenticated.

SQLi PHP Language System
NVD GitHub
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-34102 CRITICAL POC Act Now

SQL injection in Guardian language-system via the 'id' GET parameter in job_info_get.php lets attackers inject arbitrary SQL into a query against the 'jobs' table, enabling error-based extraction of database contents. The CVSS 4.0 vector (AV:N/PR:N) and VulnCheck advisory title indicate unauthenticated network exploitation, though the CVE description text describes an 'authenticated attacker' - a discrepancy defenders should verify. Publicly available exploit code exists (VulnCheck/gist PoC), raising the practical risk despite no confirmed active exploitation.

SQLi PHP Language System
NVD GitHub
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-34101 CRITICAL POC Act Now

SQL injection in Guardian language-system's text_file.php lets remote attackers extract arbitrary database contents by injecting into the unsanitized 'id' GET parameter. The flaw is a classic error-based SQLi (CWE-89) where user input is concatenated directly into a SELECT statement, and publicly available exploit code exists (reported by VulnCheck). No CISA KEV listing exists, so this represents publicly available exploit code rather than confirmed active exploitation.

SQLi PHP Language System
NVD GitHub
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-34100 CRITICAL POC Act Now

Error-based SQL injection in Guardian Language System's media.php allows attackers to extract arbitrary database contents by injecting into the unsanitized 'id' GET parameter (CWE-89). Publicly available exploit code exists (published via a GitHub gist by VulnCheck), and the CVSS 4.0 vector (AV:N/AC:L/PR:N) plus the VulnCheck advisory title indicate unauthenticated network exploitation, though the CVE description conversely refers to an 'authenticated attacker' - a discrepancy defenders should verify. No public evidence of active in-the-wild exploitation (not listed in CISA KEV).

SQLi PHP Language System
NVD GitHub
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-58452 HIGH POC This Week

Authenticated remote code execution in JAIOTlink C492A-W6 Wi-Fi IP cameras (firmware 4.8.30.57701411) lets a logged-in attacker run arbitrary OS commands via the HTTP PUT NetSDK/Factory SetMAC endpoint. The Wireless parameter is only partially validated by sscanf(), so a value shaped as a valid MAC prefix followed by a semicolon and shell payload survives validation and is passed unsanitized into an echo command run through system(). Publicly available exploit code exists (VulnCheck), and CVSS 4.0 rates it 8.7 (High); no public exploit identified in CISA KEV, so this is not confirmed actively exploited.

Command Injection RCE C492A W6 Wi Fi Ip Camera
NVD GitHub
CVSS 4.0
8.7
EPSS
2.4%
CVE-2026-58592 HIGH POC This Week

Reachable code execution in the Ladybird browser arises from a dangling-reference flaw (CWE-825) in the WebAssembly ESM-integration module loader, where a stack-local Wasm::FunctionType is captured by reference and read after destruction. A malicious web page can chain the resulting stale result-type data into an arbitrary write via the WASM-GC array.set handler and gain code execution in the WebContent process. Reported by VulnCheck with publicly available exploit code exists; it is not listed in CISA KEV, so no confirmed active exploitation, but a working PoC lowers the barrier for weaponization.

RCE Ladybird
NVD GitHub
CVSS 4.0
8.9
EPSS
0.3%
CVE-2026-58593 HIGH POC This Week

Author spoofing in NodeBB's ActivityPub federation allows a remote federated actor to forge posts and private messages attributed to arbitrary local users, including the administrator (uid 1). Because the inbound middleware validates the HTTP-signature actor and the origin of object.id but never binds attributedTo to the authenticated sender, an attacker with a valid remote signature can impersonate any local account. Publicly available exploit code exists (reported by VulnCheck), though there is no public exploit identified in CISA KEV and the flaw only affects instances with federation enabled.

Information Disclosure Nodebb
NVD GitHub
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-10750 HIGH POC PATCH This Week

Broken access control in the Royal MCP WordPress plugin before 1.4.26 lets any authenticated low-privileged user (e.g. Subscriber) invoke privileged MCP tools that skip capability checks after token authentication, exposing private content, full user/role enumeration, and create/modify/delete operations on other users' content. Reported by WPScan with a publicly available exploit and a vendor patch in 1.4.26; the CVSS 8.1 vector (PR:L) confirms authenticated but not administrative access is required. There is no public exploit identified as actively exploited - status is POC only, not CISA KEV.

WordPress Information Disclosure Royal Mcp
NVD WPScan VulDB
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-11794 HIGH POC PATCH This Week

Privilege escalation in the Advanced Form Integration - Connect Forms to 200+ Apps WordPress plugin before 2.1.1 allows unauthenticated visitors to provision a full administrator account through a public form. Because the plugin fails to restrict which WordPress role it assigns during user creation, any site that maps the user-role field to a public form input via an active integration exposes site takeover to anonymous submitters. Publicly available exploit code exists (reported by WPScan), though this is not listed in CISA KEV and requires a specific non-default integration configuration, so real-world exposure is narrower than the 8.1 CVSS suggests.

WordPress Information Disclosure Advanced Form Integration Connect Forms To 200 Apps
NVD WPScan VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-58454 HIGH POC This Week

Authenticated remote code execution in JAIOTlink C492A-W6 Wi-Fi IP cameras (firmware 4.8.30.57701411) lets a logged-in attacker plant a shell script in writable JFFS2 persistent storage and invoke it via popen() through the authenticated Anyka config HTTP endpoint, yielding reboot-surviving persistent RCE. Publicly available exploit code exists (published by VulnCheck), though there is no confirmed active exploitation in CISA KEV. The CVSS 4.0 score of 7.7 reflects high attack complexity offset by full compromise of confidentiality, integrity, and availability.

Code Injection RCE C492A W6 Wi Fi Ip Camera
NVD GitHub
CVSS 4.0
7.7
EPSS
0.5%
CVE-2026-48815 HIGH POC PATCH GHSA This Week

Signature verification policy bypass in the sigstore npm package allows attackers to have unauthorized signing certificates accepted despite explicit OID-based restrictions. The documented `certificateOIDs` verify option - used by `sigstore.verify()` and `createVerifier()` to require specific Fulcio/workload-identity extension OIDs - is silently discarded during policy construction, so those extension constraints are never enforced while callers believe they are. Publicly available exploit code exists (a proof-of-concept in the advisory), but there is no evidence of active exploitation; EPSS/KEV not indicated in the source data.

Authentication Bypass Jwt Attack
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-11568 HIGH POC PATCH This Week

Unauthenticated information disclosure in the Product Configurator for WooCommerce WordPress plugin (versions before 1.7.3) exposes sensitive product data through a public AJAX action that skips authorization and post-status checks. By supplying only a product ID, remote unauthenticated users can read titles, prices, weights, stock status, and configurator option pricing/SKUs of private and draft products, bypassing WordPress post-visibility controls. Publicly available exploit code exists (reported by WPScan), though there is no indication of active exploitation.

WordPress Authentication Bypass Product Configurator For Woocommerce
NVD WPScan VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-49987 HIGH POC PATCH GHSA This Week

Arbitrary command execution in repomix (npm package, versions < 1.14.1) arises from argument injection in the `--remote-branch` CLI option, whose value is passed unsanitized into `git fetch` and `git checkout` subprocesses within `src/core/git/gitCommand.ts`. Because the branch value is not prefixed with a `--` positional delimiter and skips the `dangerousParams` blocklist that `validateGitUrl()` applies only to the URL, an attacker can inject options such as `--upload-pack` and, combined with an SSH or `file://` remote, execute an arbitrary payload binary with the invoking user's privileges. Publicly available exploit code exists, no active exploitation is confirmed (not in CISA KEV), and the flaw is fixed in v1.14.1.

RCE
NVD GitHub VulDB
CVSS 4.0
7.5
CVE-2026-13731 HIGH POC This Week

Stored cross-site scripting in the WPBot AI ChatBot for WordPress (all versions through 8.4.9) lets unauthenticated attackers persist arbitrary JavaScript through the 'conversation' parameter, which later executes when the injected page is viewed - most notably by an administrator opening the chat-session reports in wp-admin. Because the AJAX nonce that guards the save endpoint is publicly emitted on every frontend page via wp_localize_script, any anonymous visitor can obtain it, so there is effectively no barrier to injection. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; risk stems from ease of exploitation rather than confirmed in-the-wild abuse.

WordPress XSS Wpbot Ai Chatbot For Live Support Lead Generation Ai Services
NVD
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-11883 HIGH POC PATCH This Week

Two-factor authentication bypass in the WebAuthn Provider for Two Factor WordPress plugin (all versions before 2.5.6) lets an attacker who already possesses a valid user's password defeat the WebAuthn second factor by submitting a malformed authentication response that the plugin fails to validate. This neutralizes the plugin's core protection, effectively reducing account security back to single-factor (password-only). Publicly available exploit code exists (reported by WPScan); there is no public exploit identified as being used in active attacks and the issue is not listed in CISA KEV.

WordPress Authentication Bypass Webauthn Provider For Two Factor
NVD WPScan VulDB
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-48816 MEDIUM POC PATCH GHSA This Month

Timestamp forgery in sigstore-js allows an attacker supplying a crafted bundle v0.2 to manipulate certificate validity window checks by controlling the `integratedTime` field in an inclusionProof-only tlog entry. Because the inclusionProof-only code path in `@sigstore/verify` does not cryptographically bind `integratedTime` (unlike the signed inclusionPromise/set path), a low-privileged attacker who can present an untrusted bundle can cause the verifier to accept expired or not-yet-valid signing certificates as currently valid. A publicly available proof-of-concept exists; this vulnerability is not in CISA KEV.

Canonical Microsoft Information Disclosure
NVD GitHub
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-44935 CRITICAL PATCH GHSA Act Now

Cross-tenant authorization bypass in Rancher Fleet allows a low-privileged tenant in a multi-tenant environment to read any ConfigMap or Secret across all namespaces of a shared downstream cluster and to deploy cluster-wide resources without being bound to a restricted service account. The flaw (CWE-863, CVSS 9.9) is exploitable by authenticated tenants who abuse valuesFrom in fleet.yaml (via GitRepo) or HelmOp/Bundle resources; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
9.9
EPSS
0.6%
CVE-2025-15646 CRITICAL PATCH Act Now

HTML::Gumbo versions before 0.19 for Perl disclose heap memory via type confusion. Support for the <template> element was added to libgumbo 0.10.0 in 2015, but the walk_tree function in lib/HTML/Gumbo.xs was not updated to support it. The element was treated as a text-node, where strlen() over-reads the heap block that the pointer addresses. Any caller that runs parse() with the default format => 'string', or with format => 'tree', on input containing a <template> element serializes the over-read bytes into the returned result, disclosing bounded heap contents. format => 'callback' reaches a croak on the unhandled node type and is unaffected.

Memory Corruption Information Disclosure Html
NVD GitHub
CVSS 3.1
9.8
EPSS
0.7%
CVE-2026-51947 CRITICAL Act Now

Remote code execution in Pivotal CRM 6.6.4.08 (Aurea) arises from insecure deserialization in the Pivotal.Engine.Client.Services.Conversion.dll component, letting remote attackers run arbitrary code on the server. This is a bypass of the incomplete fix for CVE-2026-39253, and it remains exploitable on systems that only applied the earlier patch-ghi-15381-cwe-502-20251225.zip. No public exploit code has been identified, though public advisories exist for both this issue and its predecessor; EPSS is modest at 0.57% (43rd percentile) and it is not in CISA KEV.

Deserialization RCE N A
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2026-11387 CRITICAL Act Now

Account-takeover privilege escalation in the SMS Alert - SMS & OTP for WooCommerce WordPress plugin (versions up to and including 3.9.5) lets unauthenticated remote attackers change any user's email address and trigger a password reset, seizing administrator accounts. The flaw stems from the OTP-based password-reset flow failing to verify the requester's identity before updating account details. No public exploit has been identified at time of analysis, though the issue was disclosed by Wordfence and carries a 9.8 CVSS rating.

Authentication Bypass WordPress Privilege Escalation Sms Alert Sms Otp For Woocommerce Order Notifications Abandoned Cart Recovery
NVD VulDB
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-52186 CRITICAL Act Now

SQL injection in the UTT nv518G security gateway (firmware nv518GV3v3.2.7-210919-161313) lets remote attackers inject arbitrary SQL through the gohead/sub_463bbc component, which per the advisory escalates to arbitrary code execution on the device. The flaw is unauthenticated (CVSS 9.8, PR:N) and publicly available exploit code exists via a GitHub write-up, though it is not listed in CISA KEV; EPSS is low at 0.27% (18th percentile), indicating no evidence of widespread automated exploitation yet.

SQLi RCE
NVD GitHub
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-24270 CRITICAL Act Now

Authentication bypass in NVIDIA AIStore, a scalable distributed object-storage framework for AI/ML data pipelines, lets a remote attacker circumvent access controls (CWE-290) and reach protected functionality without valid credentials. Because the flaw yields full confidentiality, integrity, and availability impact (CVSS 9.8), successful exploitation can enable information disclosure of stored datasets, tampering with training data, privilege escalation, and denial of service. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

Authentication Bypass Nvidia Denial Of Service Information Disclosure Aistore Framework
NVD GitHub
CVSS 3.1
9.8
EPSS
0.8%
CVE-2026-57692 CRITICAL Act Now

Privilege escalation in the LCweb PrivateContent WordPress plugin (all versions up to and including 9.9.2) lets attackers obtain permissions beyond those intended, driven by an incorrect privilege assignment flaw (CWE-266). The Patchstack-assigned CVSS of 9.8 (network, no privileges, no user interaction) implies an attacker could gain administrator-level control over a WordPress site's protected content and settings. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Privilege Escalation Privatecontent
NVD VulDB
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-14405 CRITICAL PATCH Act Now

Arbitrary code execution within the renderer sandbox in Google Chrome's V8 JavaScript engine (versions prior to 150.0.7871.46) can be triggered when a victim loads a crafted HTML page. The flaw stems from use of uninitialized memory in V8 and, while carrying a high CVSS base score of 9.6, was rated only Low severity by Chromium because code execution is confined inside the renderer sandbox and still requires a separate sandbox escape for full host compromise. No public exploit identified at time of analysis, and CISA's SSVC framework marks exploitation status as none.

RCE Google Suse
NVD
CVSS 3.1
9.6
EPSS
0.3%
CVE-2026-14392 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome's Tint WebGPU shader compiler affects all Desktop builds prior to 150.0.7871.46, where a crafted HTML page triggers an out-of-bounds write (CWE-787) that a remote attacker can leverage to break out of the renderer sandbox. Reported internally by the Chrome team and rated High by Chromium, the flaw carries a CVSS 9.6 due to its scope-changing memory-corruption impact, but there is no public exploit identified at time of analysis and CISA's SSVC records exploitation status as none. A vendor patch is already available, so the practical priority is rapid browser updating rather than emergency mitigation.

Memory Corruption Buffer Overflow Google Suse
NVD VulDB
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-14387 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome's Skia graphics library affects all desktop builds prior to 150.0.7871.46, where an integer overflow triggered by a crafted HTML page can break out of the renderer sandbox into the more-privileged browser process. A remote attacker who lures a victim to a malicious page could potentially compromise the host beyond the rendering sandbox. There is no public exploit identified at time of analysis, and CISA SSVC scores exploitation as 'none'.

Buffer Overflow Google Suse
NVD
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-14382 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome's ANGLE graphics layer (versions prior to 150.0.7871.46) lets a remote attacker break out of the renderer sandbox when a victim visits a crafted HTML page. The flaw stems from insufficient validation of untrusted input (CWE-20) in ANGLE and carries a critical 9.6 CVSS score due to the scope-changing sandbox escape. Google has shipped a fix and rates the Chromium severity as High; there is no public exploit identified at time of analysis and CISA SSVC records exploitation status as none.

Information Disclosure Google Suse
NVD VulDB
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-14397 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome for macOS (versions prior to 150.0.7871.46) stems from an out-of-bounds write in ANGLE, the graphics abstraction layer that translates WebGL/OpenGL ES calls to native backends (Metal on Mac). A remote attacker who lures a victim to a crafted HTML page can corrupt memory in the GPU/graphics process to potentially break out of the renderer sandbox. There is no public exploit identified at time of analysis; Google rated the Chromium severity as Medium, and CISA's SSVC framework marks exploitation as none, though the CVSS base score is 9.6 due to the scope-changing sandbox-escape impact.

Memory Corruption Buffer Overflow Google Suse
NVD
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-14416 CRITICAL PATCH Act Now

Out-of-bounds read in the Dawn WebGPU implementation of Google Chrome before 150.0.7871.46 lets a remote attacker who lures a victim to a crafted HTML page potentially escape the renderer sandbox and disclose out-of-bounds memory. The upstream Chromium team rated the security severity as Low, yet the associated CVSS 3.1 base score is 9.6 due to a scope change and high triad impact. There is no public exploit identified at time of analysis, and the CISA SSVC decision framework records exploitation as none and automatable as no.

Google Buffer Overflow Information Disclosure Suse
NVD VulDB
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-14420 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome's Dawn WebGPU implementation prior to 150.0.7871.46 lets a remote attacker use a crafted HTML page to trigger an out-of-bounds read and write, potentially breaking out of the renderer sandbox. Rated Critical by Chromium with a CVSS of 9.6 (scope-changed), it requires the victim to visit a malicious page but no authentication. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Google Buffer Overflow Information Disclosure Suse
NVD VulDB
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-14411 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome's ANGLE graphics component before 150.0.7871.46 lets a remote attacker break out of the renderer sandbox when a victim loads a malicious web page. The flaw stems from insufficient validation of untrusted input (CWE-20) in ANGLE and carries a CVSS 9.6 due to scope change and full CIA impact, though exploitation requires the user to visit attacker-controlled content. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, with SSVC exploitation status assessed as none.

Information Disclosure Google Suse
NVD
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-14390 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome's ANGLE graphics layer lets a remote attacker who lures a victim to a crafted HTML page break out of the renderer sandbox and gain code execution in a higher-privilege context. All Chrome desktop builds prior to 150.0.7871.46 are affected. Chromium rated the underlying use-after-free High severity; no public exploit has been identified at time of analysis and SSVC records exploitation status as none.

Memory Corruption Denial Of Service Use After Free Google Suse
NVD
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-14423 CRITICAL PATCH Act Now

Sandbox escape via type confusion in Tint, the WGSL shader compiler within Chrome's Dawn/WebGPU stack, affects Google Chrome desktop versions prior to 150.0.7871.46. A remote attacker who lures a victim to a crafted HTML page can trigger the flaw (CWE-843) to potentially break out of the renderer/GPU sandbox and gain broader access on the host. Rated High by Chromium with a CVSS 9.6 (scope-changed), though there is no public exploit identified at time of analysis and CISA SSVC currently records exploitation status as 'none'.

Memory Corruption Information Disclosure Google Suse
NVD
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-14425 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome's ANGLE graphics component affects all desktop builds prior to 150.0.7871.46, where a use-after-free condition lets a remote attacker who lures a victim to a crafted HTML page potentially break out of the renderer sandbox. Chromium rates the severity High and a fixed stable-channel build is available, but SSVC records no observed exploitation and no public exploit identified at time of analysis. The high CVSS (9.6) is driven by the scope change inherent to sandbox escape rather than confirmed real-world abuse.

Memory Corruption Denial Of Service Use After Free Google Suse
NVD
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-14419 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome's Skia graphics library affects all desktop Chrome builds prior to 150.0.7871.46, where a use-after-free (CWE-416) triggered by a crafted HTML page can let a remote attacker break out of the renderer sandbox. Google rates the Chromium severity Critical and CVSS is 9.6, but there is no public exploit identified at time of analysis and CISA's SSVC records exploitation status as none. A vendor patch is available in the June 2026 Stable channel release.

Memory Corruption Denial Of Service Use After Free Google Suse
NVD VulDB
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-14417 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome's Dawn (WebGPU) component affects all desktop builds prior to 150.0.7871.46, where a use-after-free lets a remote attacker who lures a victim to a crafted HTML page potentially break out of the renderer sandbox. Google rates the Chromium severity Critical, and the CVSS 3.1 score of 9.6 reflects a scope-changing memory-corruption bug. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, though a vendor patch is already shipping in the Stable channel.

Memory Corruption Denial Of Service Use After Free Google Suse
NVD VulDB
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-14424 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome on macOS (versions prior to 150.0.7871.46) stems from a use-after-free in Dawn, Chrome's WebGPU/graphics abstraction layer, and allows a remote attacker who lures a victim to a crafted HTML page to potentially break out of the renderer sandbox and gain higher-privileged code execution on the host. The flaw is rated High by Chromium and carries a CVSS 9.6 due to its network attack vector, low complexity, and scope change. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, and CISA's SSVC framework currently marks exploitation as 'none' though technical impact as 'total'.

Memory Corruption Denial Of Service Use After Free Google Suse
NVD
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-14398 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome's ANGLE graphics layer prior to version 150.0.7871.46 lets a remote attacker break out of the renderer sandbox when a victim opens a crafted HTML page. Rated Critical by Chromium with a 9.6 CVSS score, the flaw is a use-after-free (CWE-416) requiring only that the target visit a malicious site. No public exploit or active exploitation is identified at time of analysis, and CISA's SSVC assessment lists exploitation as none.

Memory Corruption Denial Of Service Use After Free Google Suse
NVD VulDB
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-10539 CRITICAL Act Now

Unauthenticated command execution in BMC Control-M/Server (versions 9.0.20.x through 9.0.21.200) arises because a Control-M/Server communication command fails to sufficiently filter or sanitize user-supplied input, allowing an attacker to run unauthorized commands and potentially fully compromise the affected server. The flaw carries a critical CVSS 4.0 base score of 9.5 and is classified as an authentication bypass by Airbus, who reported it. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Control M Server
NVD VulDB
CVSS 4.0
9.5
EPSS
0.2%
CVE-2026-7840 CRITICAL Act Now

Remote code execution in the UltraVNC repeater (through version 1.8.2.2) allows an unauthenticated attacker who can reach the built-in HTTP administration port (default TCP 80) to overflow a fixed 1000-byte global buffer and corrupt adjacent .bss globals, leading to arbitrary code execution on the host. The flaw lives in wi_senderr() and wi_replyhdr() in repeater/webgui/webutils.c, where the request URI is copied via unchecked sprintf before any authentication check runs. No public exploit identified at time of analysis, but the CVSS 4.0 base score of 9.3 combined with pre-auth network reachability makes this a high-priority issue.

Memory Corruption Buffer Overflow RCE Ultravnc
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
1.2%
Page 1 of 8 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy