Skip to main content
CVE-2026-58452 HIGH POC This Week

Authenticated remote code execution in JAIOTlink C492A-W6 Wi-Fi IP cameras (firmware 4.8.30.57701411) lets a logged-in attacker run arbitrary OS commands via the HTTP PUT NetSDK/Factory SetMAC endpoint. The Wireless parameter is only partially validated by sscanf(), so a value shaped as a valid MAC prefix followed by a semicolon and shell payload survives validation and is passed unsanitized into an echo command run through system(). Publicly available exploit code exists (VulnCheck), and CVSS 4.0 rates it 8.7 (High); no public exploit identified in CISA KEV, so this is not confirmed actively exploited.

Command Injection RCE C492A W6 Wi Fi Ip Camera
NVD GitHub
CVSS 4.0
8.7
EPSS
2.4%
CVE-2026-58592 HIGH POC This Week

Reachable code execution in the Ladybird browser arises from a dangling-reference flaw (CWE-825) in the WebAssembly ESM-integration module loader, where a stack-local Wasm::FunctionType is captured by reference and read after destruction. A malicious web page can chain the resulting stale result-type data into an arbitrary write via the WASM-GC array.set handler and gain code execution in the WebContent process. Reported by VulnCheck with publicly available exploit code exists; it is not listed in CISA KEV, so no confirmed active exploitation, but a working PoC lowers the barrier for weaponization.

RCE Ladybird
NVD GitHub
CVSS 4.0
8.9
EPSS
0.3%
CVE-2026-58593 HIGH POC This Week

Author spoofing in NodeBB's ActivityPub federation allows a remote federated actor to forge posts and private messages attributed to arbitrary local users, including the administrator (uid 1). Because the inbound middleware validates the HTTP-signature actor and the origin of object.id but never binds attributedTo to the authenticated sender, an attacker with a valid remote signature can impersonate any local account. Publicly available exploit code exists (reported by VulnCheck), though there is no public exploit identified in CISA KEV and the flaw only affects instances with federation enabled.

Information Disclosure Nodebb
NVD GitHub
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-10750 HIGH POC PATCH This Week

Broken access control in the Royal MCP WordPress plugin before 1.4.26 lets any authenticated low-privileged user (e.g. Subscriber) invoke privileged MCP tools that skip capability checks after token authentication, exposing private content, full user/role enumeration, and create/modify/delete operations on other users' content. Reported by WPScan with a publicly available exploit and a vendor patch in 1.4.26; the CVSS 8.1 vector (PR:L) confirms authenticated but not administrative access is required. There is no public exploit identified as actively exploited - status is POC only, not CISA KEV.

WordPress Information Disclosure Royal Mcp
NVD WPScan VulDB
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-11794 HIGH POC PATCH This Week

Privilege escalation in the Advanced Form Integration - Connect Forms to 200+ Apps WordPress plugin before 2.1.1 allows unauthenticated visitors to provision a full administrator account through a public form. Because the plugin fails to restrict which WordPress role it assigns during user creation, any site that maps the user-role field to a public form input via an active integration exposes site takeover to anonymous submitters. Publicly available exploit code exists (reported by WPScan), though this is not listed in CISA KEV and requires a specific non-default integration configuration, so real-world exposure is narrower than the 8.1 CVSS suggests.

WordPress Information Disclosure Advanced Form Integration Connect Forms To 200 Apps
NVD WPScan VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-58454 HIGH POC This Week

Authenticated remote code execution in JAIOTlink C492A-W6 Wi-Fi IP cameras (firmware 4.8.30.57701411) lets a logged-in attacker plant a shell script in writable JFFS2 persistent storage and invoke it via popen() through the authenticated Anyka config HTTP endpoint, yielding reboot-surviving persistent RCE. Publicly available exploit code exists (published by VulnCheck), though there is no confirmed active exploitation in CISA KEV. The CVSS 4.0 score of 7.7 reflects high attack complexity offset by full compromise of confidentiality, integrity, and availability.

Code Injection RCE C492A W6 Wi Fi Ip Camera
NVD GitHub
CVSS 4.0
7.7
EPSS
0.5%
CVE-2026-48815 HIGH POC PATCH GHSA This Week

Signature verification policy bypass in the sigstore npm package allows attackers to have unauthorized signing certificates accepted despite explicit OID-based restrictions. The documented `certificateOIDs` verify option - used by `sigstore.verify()` and `createVerifier()` to require specific Fulcio/workload-identity extension OIDs - is silently discarded during policy construction, so those extension constraints are never enforced while callers believe they are. Publicly available exploit code exists (a proof-of-concept in the advisory), but there is no evidence of active exploitation; EPSS/KEV not indicated in the source data.

Authentication Bypass Jwt Attack
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-11568 HIGH POC PATCH This Week

Unauthenticated information disclosure in the Product Configurator for WooCommerce WordPress plugin (versions before 1.7.3) exposes sensitive product data through a public AJAX action that skips authorization and post-status checks. By supplying only a product ID, remote unauthenticated users can read titles, prices, weights, stock status, and configurator option pricing/SKUs of private and draft products, bypassing WordPress post-visibility controls. Publicly available exploit code exists (reported by WPScan), though there is no indication of active exploitation.

WordPress Authentication Bypass Product Configurator For Woocommerce
NVD WPScan VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-49987 HIGH POC PATCH GHSA This Week

Arbitrary command execution in repomix (npm package, versions < 1.14.1) arises from argument injection in the `--remote-branch` CLI option, whose value is passed unsanitized into `git fetch` and `git checkout` subprocesses within `src/core/git/gitCommand.ts`. Because the branch value is not prefixed with a `--` positional delimiter and skips the `dangerousParams` blocklist that `validateGitUrl()` applies only to the URL, an attacker can inject options such as `--upload-pack` and, combined with an SSH or `file://` remote, execute an arbitrary payload binary with the invoking user's privileges. Publicly available exploit code exists, no active exploitation is confirmed (not in CISA KEV), and the flaw is fixed in v1.14.1.

RCE
NVD GitHub VulDB
CVSS 4.0
7.5
CVE-2026-13731 HIGH POC This Week

Stored cross-site scripting in the WPBot AI ChatBot for WordPress (all versions through 8.4.9) lets unauthenticated attackers persist arbitrary JavaScript through the 'conversation' parameter, which later executes when the injected page is viewed - most notably by an administrator opening the chat-session reports in wp-admin. Because the AJAX nonce that guards the save endpoint is publicly emitted on every frontend page via wp_localize_script, any anonymous visitor can obtain it, so there is effectively no barrier to injection. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; risk stems from ease of exploitation rather than confirmed in-the-wild abuse.

WordPress XSS Wpbot Ai Chatbot For Live Support Lead Generation Ai Services
NVD
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-11883 HIGH POC PATCH This Week

Two-factor authentication bypass in the WebAuthn Provider for Two Factor WordPress plugin (all versions before 2.5.6) lets an attacker who already possesses a valid user's password defeat the WebAuthn second factor by submitting a malformed authentication response that the plugin fails to validate. This neutralizes the plugin's core protection, effectively reducing account security back to single-factor (password-only). Publicly available exploit code exists (reported by WPScan); there is no public exploit identified as being used in active attacks and the issue is not listed in CISA KEV.

WordPress Authentication Bypass Webauthn Provider For Two Factor
NVD WPScan VulDB
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-10538 HIGH PATCH This Week

Server-side object injection in BMC Control-M/Server and Control-M/Enterprise Manager 9.0.20.x (and potentially earlier) lets an authenticated attacker abuse the messaging consumer to deserialize untrusted, type-unrestricted objects, triggering unintended server-side behavior that can escalate to full compromise of the automation server. The affected releases are already out of support, and the CVSS 4.0 base score is 8.9 (High) with high privileges and high attack complexity required. There is no public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.

Deserialization Control M Enterprise Manager Control M Server
NVD VulDB
CVSS 4.0
8.9
EPSS
0.2%
CVE-2026-7838 HIGH This Week

Remote code execution in the UltraVNC Viewer (all versions through 1.8.2.2) stems from an integer overflow in the RFB failure-response parser: a malicious or man-in-the-middle VNC server can send a reasonLen of 0xFFFFFFFF that wraps to 0 during buffer sizing, then stream 4 GiB into a 256-byte heap allocation. The flaw is reachable pre-authentication through connection-failure and auth-failure messages, so merely connecting a viewer to an attacker-controlled endpoint can corrupt the heap and potentially execute code as the user running the viewer. No public exploit identified at time of analysis, though the researcher confirmed a reliable heap-buffer-overflow write with AddressSanitizer.

Integer Overflow Buffer Overflow RCE Ultravnc
NVD GitHub
CVSS 4.0
8.7
EPSS
1.2%
CVE-2026-14383 HIGH PATCH This Week

Remote code execution in the V8 JavaScript engine of Google Chrome before 150.0.7871.46 allows a remote attacker who lures a victim to a crafted HTML page to execute arbitrary code — though notably only within the renderer sandbox rather than achieving full host compromise. Rated CVSS 8.8 and stemming from a code-generation flaw (CWE-94) in V8, it affects all Chrome desktop installations on the vulnerable channel; a fix has shipped, but there is no public exploit identified at time of analysis and CISA SSVC records exploitation status as none.

Code Injection Google RCE Suse
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-5136 HIGH This Week

Privilege escalation in Foreman (the engine behind Red Hat Satellite 6) lets an authenticated user holding usergroup-management permissions attach arbitrary roles - including the administrator role - to a user group and then enroll themselves, gaining full admin-level control. The Usergroup model fails to validate that the assigning user actually holds the roles being granted, breaking the RBAC delegation boundary. Rated CVSS 8.8; no public exploit identified at time of analysis and it is not listed in CISA KEV, but the low attack complexity and clear escalation path make it a strong patch priority.

Privilege Escalation Red Hat Satellite 6
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-14407 HIGH PATCH This Week

Inappropriate implementation in V8 in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)

RCE Google Buffer Overflow Suse
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-14430 HIGH PATCH This Week

Remote code execution in Google Chrome's V8 JavaScript engine (versions prior to 150.0.7871.46) allows a remote attacker to run arbitrary code inside the renderer sandbox by luring a victim to a crafted HTML page. The flaw is an integer overflow in V8, rated High by Chromium and scored CVSS 8.8; exploitation requires user interaction (visiting a malicious page) but no authentication. There is no public exploit identified at time of analysis, and CISA SSVC records exploitation status as none, indicating no observed in-the-wild activity yet.

RCE Google Suse
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-14393 HIGH PATCH This Week

Remote code execution in Google Chrome's V8 JavaScript engine (versions prior to 150.0.7871.46) allows an attacker to run arbitrary code inside the renderer sandbox when a victim visits a crafted HTML page. The flaw is a use-after-free (CWE-416) reported by Google's own Chrome team; Chromium rated it Medium severity while NVD assigns CVSS 8.8. No public exploit has been identified at time of analysis, and CISA's SSVC framework records exploitation status as 'none'.

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-12224 HIGH This Week

Privilege escalation in the Dokan Pro WooCommerce multivendor plugin for WordPress (all versions through 5.0.4) allows an authenticated vendor-level attacker to grant themselves or a controlled vendor_staff account the WordPress administrator capability, resulting in full site takeover. The flaw stems from the update_capabilities() REST handler accepting arbitrary capability strings with no allowlist, only checking for the dokandar capability. No public exploit has been identified at time of analysis, and no EPSS or KEV signals were supplied; however, the issue is reported by Wordfence and exploitation is straightforward on sites where the Vendor Staff module is enabled and vendor self-registration is permitted.

Privilege Escalation WordPress Dokan Pro
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-14431 HIGH PATCH This Week

Remote code execution in Google Chrome's V8 JavaScript engine (all channels prior to 150.0.7871.46) allows a remote attacker to run arbitrary code inside the renderer sandbox by luring a victim to a crafted HTML page. The flaw is a CWE-843 type-confusion bug rated High by Chromium and CVSS 8.8; there is no public exploit identified at time of analysis and CISA's SSVC framework marks exploitation status as none. Because CVSS is AV:N/PR:N with UI:R, exploitation is unauthenticated but requires the victim to open a malicious page.

Memory Corruption RCE Google Suse
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-14395 HIGH PATCH This Week

Out of bounds write in V8 in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Low)

Memory Corruption RCE Buffer Overflow Google Suse
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-14432 HIGH PATCH This Week

Use-after-free in Chrome's V8 JavaScript engine (versions before 150.0.7871.46) lets a remote attacker achieve arbitrary code execution inside the renderer sandbox by luring a victim to a crafted HTML page. Chromium rated this Medium severity, but the CVSS 8.8 reflects high confidentiality, integrity, and availability impact requiring only a single user click; there is no public exploit identified at time of analysis and CISA's SSVC framework records no known exploitation. Because scope is unchanged (S:U), code execution is confined to the sandbox and does not by itself constitute a full host compromise.

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-14403 HIGH PATCH This Week

Use after free in V8 in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Low)

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-14385 HIGH PATCH This Week

Heap buffer overflow in ANGLE in Google Chrome on Mac prior to 150.0.7871.46 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)

Heap Overflow Buffer Overflow Google Suse
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-12158 HIGH This Week

Privilege escalation via Cross-Site Request Forgery in the RegistrationMagic WordPress plugin (all versions through 6.0.9.1) lets a remote attacker promote an arbitrary form submitter to administrator by forging a request to the process_request function, which lacks proper nonce validation. The attack plants a malicious Chronos automation task that later runs through WordPress cron, and it succeeds when a logged-in administrator is tricked into clicking an attacker-supplied link. No public exploit identified at time of analysis, and it is not listed in CISA KEV; risk is driven by the plugin's install base and the low technical bar of CSRF.

WordPress CSRF Registrationmagic Custom Registration Forms User Registration Payment And User Login
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-49119 HIGH PATCH This Week

Arbitrary file read in Gradio before 6.16.0 lets remote unauthenticated attackers escape the FileExplorer component's configured root_dir by submitting path segments with traversal sequences ('../') or absolute paths, exploiting how os.path.join discards the root prefix when handed an absolute path. Any Gradio app exposing a FileExplorer is exposed, enabling exposure of sensitive files (source code, secrets, credentials) outside the intended directory. There is no public exploit identified at time of analysis, but the flaw was reported by VulnCheck and a vendor patch is available.

Path Traversal Gradio
NVD GitHub
CVSS 4.0
8.7
EPSS
0.7%
CVE-2026-14422 HIGH PATCH This Week

Out-of-bounds memory access in Google Chrome's Tint component (the WGSL shader translator inside the Dawn/WebGPU stack) affects all desktop builds prior to 150.0.7871.46 and lets a remote attacker corrupt memory when a victim opens a crafted HTML page. Chromium rates the severity High and the CVSS 3.1 score is 8.8, driven by high confidentiality, integrity, and availability impact requiring only that the user visit a malicious page. No public exploit identified at time of analysis, and the low EPSS score (0.19%, 9th percentile) indicates exploitation is not currently widespread.

Google Buffer Overflow Information Disclosure Suse
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-14394 HIGH PATCH This Week

Remote code execution risk in Google Chrome's V8 JavaScript engine (versions prior to 150.0.7871.46) arises from a use-after-free that a remote attacker can trigger by luring a victim to a crafted HTML page, leading to heap corruption and potential arbitrary code execution in the renderer. The CVSS 8.8 rating reflects high impact with only user interaction (visiting a page) required, though Google rated the Chromium security severity as Low and no public exploit is identified at time of analysis. EPSS is low at 0.18% (8th percentile) and CISA SSVC records no known exploitation.

Memory Corruption Denial Of Service Use After Free Google Suse
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-14415 HIGH PATCH This Week

Heap corruption in the V8 JavaScript engine of Google Chrome before 150.0.7871.46 lets a remote attacker who lures a user to a crafted HTML page and coaxes them into specific UI gestures potentially achieve memory corruption and code execution in the renderer. The flaw was reported internally by the Chrome team and is patched in the Stable channel; no public exploit identified at time of analysis, and EPSS is low (0.18%, 8th percentile). Note the tension in the signals: NVD/aggregator CVSS is 8.8 (High) while Google's own Chromium severity rating is Low.

Heap Overflow Buffer Overflow Google Suse
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-50043 HIGH This Week

Authenticated OS command injection in Seiko Solutions SkyBridge MB-A100 and MB-A110 industrial LTE gateways allows an attacker who is already logged in with administrative privileges to execute arbitrary operating-system commands on the device. The CVSS 4.0 base score is 8.6 (High), reflecting full confidentiality, integrity, and availability impact once admin access is obtained, though the PR:H requirement confines exposure to authenticated administrators. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.

Command Injection Skybridge Mb A100 Mb A110
NVD VulDB
CVSS 4.0
8.6
EPSS
1.1%
CVE-2026-58399 HIGH PATCH GHSA This Week

Authentication bypass in @acastellon/auth (npm package, aka antonio-castellon/module-auth) before 2.3.0 lets a remote unauthenticated attacker impersonate a trusted internal service by sending spoofed 'auth-user' and 'Host' request headers. The validateToken() middleware short-circuits its own token check when auth-user equals 'service-brother' and the Host header starts with the configured hostname - both fully client-controllable - so an attacker skips legacy/JWT/OIDC validation entirely. No public exploit identified at time of analysis, but the flaw is trivially reproducible from the advisory and carries CVSS 4.0 8.7 (high).

Authentication Bypass Module Auth
NVD GitHub
CVSS 4.0
8.7
EPSS
0.5%
CVE-2026-44938 HIGH PATCH GHSA This Week

Privilege-escalation via admission-control bypass in Rancher Fleet allows an attacker with git push access to a Fleet-monitored repository to overwrite Pod Security Standards (PSS) enforcement labels on target namespaces. Because Fleet's agent-side deployer failed to filter security-sensitive keys (notably the `pod-security.kubernetes.io/` prefix) from `namespaceLabels` in `fleet.yaml` or `BundleDeployment.spec.options.namespaceLabels`, an attacker can downgrade namespace admission enforcement and deploy privileged or otherwise restricted workloads that PSS would normally block. No public exploit identified at time of analysis; the flaw was privately reported through responsible disclosure by a NATO NCSC researcher and is not listed in CISA KEV.

Kubernetes Information Disclosure
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.5%
CVE-2026-13228 HIGH This Week

Privilege escalation to Administrator in the LatePoint booking plugin for WordPress (versions up to and including 5.6.3) lets an authenticated Agent-level user hijack any WordPress account by abusing an Insecure Direct Object Reference in OsOrdersController::create_or_update(). By supplying an arbitrary order[customer_id], an attacker overwrites the email of any LatePoint customer - including one tied to a WordPress Administrator - and then logs in as that user because OsAuthHelper::authorize_customer() never checks the linked account's role. Reported by Wordfence and rated CVSS 8.8; no public exploit identified at time of analysis and it is not on CISA KEV, though the root-cause code paths are pinpointed in public plugin source.

Privilege Escalation WordPress Latepoint Calendar Booking Plugin For Appointments And Events
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-12577 HIGH This Week

Denial-of-service exposure in the Delta Electronics DVP80ES3 programmable logic controller (part of the DVP-ES3 series) stems from an improperly implemented standard security check (CWE-358) that a remote, unauthenticated attacker can abuse over the network to force a loss of availability. The CVSS 4.0 base score is 8.7 (High), driven entirely by high availability impact with no confidentiality or integrity impact in the scored vector. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; note that the vendor's tags label this 'Information Disclosure,' which conflicts with the availability-only CVSS vector and should be verified against the Delta advisory.

Information Disclosure Dvp80Es3
NVD VulDB
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-13323 HIGH PATCH This Week

Stored cross-site scripting in Eclipse Open VSX Registry (versions 0.1.0 through before 1.0.2) allows an attacker who self-registers a publisher account to upload a VSIX containing malicious HTML that the /vscode/unpkg/ endpoint serves inline as text/html within the open-vsx.org origin, with no Content-Security-Policy or Content-Disposition: attachment header. When a logged-in victim is lured to the resulting URL, the script runs in the registry's origin and can steal session tokens, mint Personal Access Tokens, and publish trojanized extension versions - turning a single XSS into a supply-chain compromise of VS Code, VSCodium, Cursor, and Windsurf users. No public exploit is identified at time of analysis and EPSS risk is low (0.17%), but the downstream blast radius is severe.

XSS Eclipse Open Vsx Red Hat
NVD GitHub VulDB
CVSS 3.1
8.7
EPSS
0.2%
CVE-2026-57516 HIGH PATCH This Week

Remote code execution in Ray (the distributed compute/ML framework) before version 2.56.0 lets attackers run arbitrary code by feeding a malicious tar archive to the WebDataset reader. The read_webdataset() datasource invokes pickle.loads() on .pkl/.pickle entries and torch.load() with weights_only=False on .pt/.pth entries with no validation, so code executes inside every Ray remote worker that processes the archive. No public exploit has been identified at time of analysis, but the fix is available in Ray 2.56.0 and the issue is documented in a GitHub Security Advisory (GHSA-hhrp-gw25-jr43) and a VulnCheck advisory.

Deserialization RCE Ray
NVD GitHub
CVSS 4.0
8.6
EPSS
0.5%
CVE-2026-24260 HIGH This Week

Privilege escalation and container escape in NVIDIA Container Toolkit for Linux (and the GPU Operator that bundles it) stem from a time-of-check to time-of-use (TOCTOU) race condition that can lead to arbitrary code execution, privilege escalation, and data tampering across a scope boundary. A low-privileged attacker who can win the race may break out of the intended isolation boundary of GPU-enabled containers. No public exploit has been identified at time of analysis, and the CVE is not listed in CISA KEV; NVIDIA is the reporting source via its product-security advisory 5850.

Nvidia RCE Container Toolkit Gpu Operator Red Hat +1
NVD GitHub
CVSS 3.1
8.5
EPSS
0.5%
CVE-2026-50521 HIGH PATCH Exploit Unlikely This Week

Remote code execution in Microsoft Edge (Chromium-based) stems from a use-after-free (CWE-416) memory-corruption flaw that lets an authorized attacker run arbitrary code over a network within the browser process. Microsoft has shipped an official fix and rates it CVSS 8.3; the exploit-maturity metric is Unproven (E:U), meaning no public exploit identified at time of analysis and it is not listed in CISA KEV. Impact is high to confidentiality and integrity with partial availability loss, making it a meaningful but not emergency patch priority for Edge-based endpoints.

Memory Corruption Google Microsoft Denial Of Service Use After Free +1
NVD
CVSS 3.1
8.3
EPSS
0.8%
CVE-2026-14428 HIGH PATCH This Week

Sandbox escape in Google Chrome on Android (versions prior to 150.0.7871.46) lets an attacker who has already compromised the renderer process break out of the browser sandbox via a crafted HTML page that abuses insufficient input validation in the Dawn WebGPU component. Google rates the Chromium severity as High, and the flaw carries a CVSS 8.3 with a scope-changing impact. There is no public exploit identified at time of analysis, and CISA SSVC records exploitation status as none.

Information Disclosure Google Suse
NVD
CVSS 3.1
8.3
EPSS
0.2%
CVE-2026-14427 HIGH PATCH This Week

Sandbox escape in Google Chrome desktop before 150.0.7871.46 is possible through a heap buffer overflow in the Skia graphics library, letting an attacker who has already compromised the renderer process break out of the sandbox via a crafted HTML page. Rated Critical by Chromium and CVSS 8.3, it is a second-stage bug: it presumes prior renderer code execution rather than granting initial access on its own. No public exploit identified at time of analysis, and CISA SSVC records exploitation status as none.

Heap Overflow Buffer Overflow Google Suse
NVD VulDB
CVSS 3.1
8.3
EPSS
0.2%
CVE-2026-14389 HIGH PATCH This Week

Sandbox escape in Google Chrome's Skia graphics library (versions before 150.0.7871.46) lets a remote attacker who has already compromised the renderer process break out of the sandbox via a crafted HTML page. Rated Medium by Chromium but scored CVSS 8.3 due to scope change and total impact; there is no public exploit identified at time of analysis and SSVC reports no observed exploitation. Realistically it is a second-stage bug that must be chained with a prior renderer compromise, which raises the practical difficulty.

Buffer Overflow Google Suse
NVD
CVSS 3.1
8.3
EPSS
0.2%
CVE-2026-14429 HIGH PATCH This Week

Sandbox escape in Google Chrome (Skia graphics library) prior to 150.0.7871.46 allows a remote attacker who has already compromised the renderer process to escape the browser sandbox via a crafted HTML page, elevating a contained renderer compromise into a full-privilege breakout on the host. Rated High severity by Chromium, it carries a CVSS 3.1 score of 8.3 (scope-changed) with no public exploit identified at time of analysis and CISA SSVC recording exploitation status as none. It is a second-stage vulnerability that must be chained with a prior renderer exploit, so it is not directly exploitable against a fresh browser.

Information Disclosure Google Suse
NVD
CVSS 3.1
8.3
EPSS
0.2%
CVE-2026-14412 HIGH PATCH This Week

Sandbox escape in Google Chrome's ANGLE graphics layer (versions prior to 150.0.7871.46) lets a remote attacker who has already compromised the renderer process break out of the browser sandbox by luring a victim to a crafted HTML page. This is a second-stage bug that chains with a prior renderer-level exploit rather than a standalone entry point; Chromium rates it High severity. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, with SSVC recording exploitation status as none.

Information Disclosure Google Suse
NVD
CVSS 3.1
8.3
EPSS
0.2%
CVE-2026-14401 HIGH PATCH This Week

Sandbox escape in Google Chrome's ANGLE graphics component on Android (versions prior to 150.0.7871.46) allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page. Rated High by Chromium and CVSS 8.3, the flaw stems from improper validation of untrusted input in ANGLE and requires renderer compromise plus user interaction as prerequisites. There is no public exploit identified at time of analysis, and CISA SSVC lists exploitation status as none.

Information Disclosure Google Suse
NVD
CVSS 3.1
8.3
EPSS
0.2%
CVE-2026-14400 HIGH PATCH This Week

Sandbox escape in Google Chrome's ANGLE graphics layer (versions prior to 150.0.7871.46) lets an attacker who has already compromised the renderer process break out of the browser sandbox via a crafted HTML page. This is an out-of-bounds write (CWE-787) rated High by Chromium and scored CVSS 8.3. There is no public exploit identified at time of analysis and CISA SSVC lists exploitation as 'none', though the technical impact is rated 'total'.

Memory Corruption Buffer Overflow Google Suse
NVD
CVSS 3.1
8.3
EPSS
0.2%
CVE-2026-14413 HIGH PATCH This Week

Sandbox escape in Google Chrome's ANGLE graphics layer (versions prior to 150.0.7871.46) lets a remote attacker who has already compromised the renderer process break out of the browser sandbox via a crafted HTML page. The flaw is an uninitialized-memory use (CWE-457) in ANGLE, reported by Google's own Chrome team and fixed in the June 2026 Stable channel update. No public exploit is identified at time of analysis, and CISA's SSVC framework records exploitation status as none, but the total technical impact and sandbox-escape nature make it a high-priority browser patch.

Information Disclosure Google Suse
NVD
CVSS 3.1
8.3
EPSS
0.2%
CVE-2026-44937 HIGH PATCH GHSA This Week

Unauthenticated webhook request forgery in Rancher Fleet (GitOps controller for Kubernetes) lets remote attackers manipulate GitRepo processing when the webhook endpoint is configured without a shared secret. Because the repository URL and path received from webhooks are used unsanitized as a regex replacement (CWE-345), an attacker who does not know the configured repository can force continuous re-cloning to exhaust management-cluster resources (DoS), and - if they have read access to the target Git repo and know its path - can downgrade running workloads to any historical revision. No public exploit is identified at time of analysis and it is not listed in CISA KEV; SUSE/Rancher has released fixed versions.

Denial Of Service
NVD GitHub VulDB
CVSS 4.0
8.3
EPSS
0.2%
CVE-2026-2891 HIGH PATCH This Week

Denial of service in HP Poly Voice IP endpoints (CCX, Trio C60, and Edge E series) allows an attacker operating or impersonating a SIP server to render affected devices inoperable by returning malformed data during SIP signaling. The flaw is an uncontrolled-resource-consumption / improper-input-handling issue (CWE-400) that crashes or hangs the phone, disrupting voice service. HP has published advisory hpsbpy04096 and is releasing firmware updates; no public exploit is identified at time of analysis and the issue is not listed in CISA KEV.

HP Denial Of Service Ccx Trio C60 Edge E
NVD VulDB
CVSS 4.0
8.2
EPSS
0.3%
CVE-2026-49998 HIGH PATCH GHSA This Week

Cross-tenant JWT authentication bypass in Centrifugo (v3 through v6) lets an attacker holding a valid token for one allowed issuer/tenant authenticate as a different issuer/tenant when the server uses dynamic JWKS endpoint templates. The flaw stems from the JWKS cache and singleflight lookup being keyed only by the JWT header 'kid', so a key fetched for tenant A is reused to verify a token claiming tenant B whenever both JWKS documents share the same 'kid' and tenant A's key is cached first. Publicly available exploit code exists in the form of a reporter-supplied Go unit-test PoC; there is no evidence of active exploitation, and the CVSS base score is 8.2 (AC:H, PR:L, scope-changed).

Authentication Bypass Jwt Attack Canonical
NVD GitHub
CVSS 3.1
8.2
CVE-2026-5120 HIGH This Week

Unauthorized cross-user data access in Dassault Systèmes BIOVIA Workbook (Release 2021 through Release 2026) stems from a race condition that lets one authenticated low-privilege user read data belonging to another user. Vendor 3DS tags the flaw as an authentication bypass, and its CVSS 3.1 score of 8.1 (AV:N/AC:L/PR:L) reflects network-reachable exploitation by any authenticated account with high confidentiality and integrity impact. There is no public exploit identified at time of analysis and no EPSS or KEV signal supplied.

Authentication Bypass Race Condition Biovia Workbook
NVD
CVSS 3.1
8.1
EPSS
0.2%
Page 1 of 3 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy