Skip to main content

Microsoft

17284 CVEs vendor

Monthly

CVE-2026-58522 MEDIUM PATCH This Month

Relative path traversal in Microsoft Edge for Android (Chromium-based) before version 150.0.4078.48 permits a local, unprivileged attacker to read sensitive files outside the application's intended directory scope, achieving high confidentiality impact with minor integrity exposure. The flaw (CWE-23) stems from insufficient sanitization of relative path sequences in Edge's Android file-handling logic. No public exploit code or active exploitation has been identified at time of analysis, though a vendor patch is available and should be prioritized given the high confidentiality impact rating.

Path Traversal Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
5.5
EPSS
0.3%
CVE-2026-58299 HIGH PATCH This Week

Remote code execution in Microsoft Edge for Android (Chromium-based) arises from a time-of-check to time-of-use (TOCTOU) race condition that an unauthenticated network attacker can win to run arbitrary code, though success requires the victim to interact (UI:R) and the timing window makes exploitation high-complexity. Microsoft (self-reported) has shipped an official fix, and the temporal signals (E:U, RC:C) indicate no public exploit identified at time of analysis despite confirmed technical validity. The flaw is credited to Microsoft/Google collaboration and tagged as an authentication-bypass-class issue.

Authentication Bypass Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-58287 HIGH PATCH This Week

Remote code execution in Microsoft Edge (Chromium-based) allows an unauthorized attacker to run arbitrary code when a victim views attacker-controlled web content, stemming from a use-after-free memory-corruption flaw (CWE-416). The scope-changed CVSS vector (S:C) indicates the bug can breach the browser's sandbox boundary. Microsoft has released a fix; there is no public exploit identified at time of analysis (CVSS E:U) and it is not listed in CISA KEV.

Memory Corruption Google Microsoft Denial Of Service Use After Free +1
NVD VulDB
CVSS 3.1
8.3
EPSS
0.4%
CVE-2026-58283 MEDIUM PATCH This Month

Spoofing in Microsoft Edge (Chromium-based) stems from a type-confusion memory-safety defect (CWE-843) that a remote, unauthenticated attacker can leverage over the network to misrepresent content or origin to the victim. Microsoft rates it CVSS 8.1 with a changed scope, driven largely by high integrity impact, though the CVSS vector's high attack complexity (AC:H) signals non-trivial exploitation. There is no public exploit identified at time of analysis (CVSS E:U), and it is not listed in CISA KEV; Microsoft has already shipped an official fix (RL:O).

Memory Corruption Authentication Bypass Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
6.9
EPSS
0.4%
CVE-2026-58282 MEDIUM PATCH This Month

Spoofing in Microsoft Edge (Chromium-based) lets a remote, unauthenticated attacker bypass an origin/security-context access control (CWE-284) to misrepresent trusted content or UI over a network. The flaw carries CVSS 8.1 with a scope-changed vector and high integrity impact, meaning a successful spoof can influence resources beyond the initially vulnerable component. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but Microsoft has shipped an official fix.

Authentication Bypass Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
6.9
EPSS
0.4%
CVE-2026-56646 MEDIUM PATCH This Month

Microsoft Edge (Chromium-based) versions prior to 150.0.4078.48 expose sensitive information to unauthorized network actors, enabling spoofing attacks against users who interact with attacker-controlled content. The vulnerability maps to CWE-200, indicating that browser-internal sensitive data (likely origin, URL, or session context) is improperly disclosed across a network boundary, allowing an attacker to impersonate trusted content or identities. No public exploit code or CISA KEV listing exists at time of analysis; however, the CVSS score of 6.5 with a network attack vector and no privilege requirement underscores meaningful real-world risk for any unpatched Edge deployment.

Google Microsoft Information Disclosure Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
6.5
EPSS
0.7%
CVE-2026-57993 HIGH PATCH This Week

Server-side request forgery in Microsoft Edge (Chromium-based) lets a remote, unauthenticated attacker coax a victim's browser into issuing forged network requests, enabling spoofing and disclosure of sensitive data over the network. Exploitation requires user interaction (visiting or interacting with attacker-controlled content), and the CVSS scope-change flag indicates the browser can be pivoted to reach resources beyond its own security boundary. No public exploit identified at time of analysis (CVSS E:U), but a vendor fix is already available and the finding is vendor-confirmed (RC:C).

SSRF Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
7.4
EPSS
0.6%
CVE-2026-57992 HIGH PATCH This Week

Remote code execution in Microsoft Edge (Chromium-based) lets an unauthenticated attacker run arbitrary code when a victim is lured into loading attacker-controlled web content that triggers a use-after-free memory corruption. The flaw carries a CVSS 3.1 base of 7.5 and requires user interaction, and the CVSS temporal metrics (E:U, RL:O, RC:C) indicate the issue is confirmed and officially patched with no public exploit identified at time of analysis. Because Edge shares Chromium's rendering engine, the underlying defect is likely rooted in an upstream Chromium/Blink component (the intel tags also reference Google).

Memory Corruption Google Microsoft Denial Of Service Use After Free +1
NVD VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-57988 HIGH PATCH This Week

Code execution via relative path traversal in Microsoft Edge (Chromium-based) allows a remote unauthenticated attacker to run arbitrary code when a user is lured into interacting with attacker-controlled content, consistent with the CVSS PR:N/UI:R vector. Rated CVSS 7.1 with high integrity impact (I:H), low availability impact (A:L), and no confidentiality impact (C:N). No public exploit identified at time of analysis (exploit maturity Unproven, E:U) and the CVE is not in CISA KEV, but an official vendor fix is available (RL:O).

Path Traversal Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
7.1
EPSS
0.5%
CVE-2026-57987 MEDIUM PATCH This Month

Server-side request forgery in Microsoft Edge (Chromium-based) prior to version 150.0.4078.48 allows unauthenticated network attackers to perform spoofing by inducing a victim user to visit a malicious page, causing the browser to issue forged requests to internal or external resources. The confidentiality impact is rated High (CVSS C:H), indicating that sensitive data accessible via the browser's network context may be exfiltrated through the SSRF channel. No public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog at time of analysis.

SSRF Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
6.5
EPSS
0.6%
CVE-2026-57985 HIGH PATCH This Week

Remote code execution in Microsoft Edge (Chromium-based) before version 150.0.4078.48 allows an unauthenticated remote attacker to run arbitrary code when a victim is lured into loading attacker-controlled web content. The flaw stems from improper input validation (CWE-20) and carries a high-severity CVSS of 8.8, though it requires user interaction and has no public exploit identified at time of analysis. EPSS risk is low (0.42%, 34th percentile) and CISA SSVC currently rates exploitation status as none.

Authentication Bypass Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-57984 HIGH PATCH This Week

Remote code execution in Microsoft Edge (Chromium-based) stems from a use-after-free (CWE-416) memory-corruption flaw that an unauthenticated attacker can trigger over the network when a victim loads attacker-controlled web content. Microsoft has released an official fix and rates the issue 7.5 (High), tempered by high attack complexity and required user interaction; the CVSS temporal data marks exploit maturity as Unproven (E:U), so there is no public exploit identified at time of analysis and no CISA KEV listing. The vendor tags ('Google', 'Use After Free', 'Denial Of Service') indicate this most likely tracks an upstream Chromium engine defect inherited by Edge.

Memory Corruption Google Microsoft Denial Of Service Use After Free +1
NVD VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-57983 CRITICAL PATCH Act Now

Security-feature bypass in Microsoft Edge (Chromium-based) versions prior to 150.0.4078.48 lets a remote, unauthenticated attacker circumvent a browser security control over the network via improper authorization (CWE-285). Microsoft rates it CVSS 10.0 with a changed scope, meaning a successful bypass can affect resources beyond the browser's original security boundary. There is no public exploit identified at time of analysis, and CISA's SSVC framework records exploitation as 'none', so this is a high-severity but not currently-exploited issue with a vendor patch already available.

Authentication Bypass Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
10.0
EPSS
0.5%
CVE-2026-57975 HIGH PATCH This Week

Remote code execution in Microsoft Edge (Chromium-based) stems from a type-confusion flaw (CWE-843) that an unauthenticated attacker can trigger when a victim visits a malicious web page. Microsoft has released an official fix, and while exploit maturity is currently unproven (no public exploit identified at time of analysis), the high confidentiality, integrity, and availability impact combined with network reach makes it a meaningful browser patch. The CVSS 3.1 base score is 7.5 with high attack complexity and required user interaction, tempering real-world exploitability.

Memory Corruption Authentication Bypass Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-56645 HIGH PATCH Exploit Unlikely This Week

Remote code execution in Microsoft Edge (Chromium-based) stems from a heap-based buffer overflow (CWE-122) that a network attacker can trigger when a victim renders crafted web content. The CVSS 3.1 base score is 8.8 with a network vector requiring user interaction (UI:R), and Microsoft has released an official fix (RL:O). No public exploit identified at time of analysis — the temporal metric E:U marks exploit code as unproven — and it is not listed in CISA KEV.

Heap Overflow Microsoft Buffer Overflow Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
8.8
EPSS
0.6%
CVE-2026-55945 MEDIUM PATCH This Month

Race condition in Microsoft Edge (Chromium-based) permits a locally authenticated, low-privileged attacker to disclose information beyond the intended security boundary, with the CVSS scope change (S:C) indicating impact can extend outside the directly vulnerable component - potentially across process or sandbox boundaries within the browser. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog, placing it in a lower operational priority tier despite the scope change. Microsoft has released a patch via the MSRC advisory.

Information Disclosure Microsoft Race Condition Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
4.2
EPSS
0.1%
CVE-2026-26247 CRITICAL PATCH Act Now

Gitea versions before 1.25.5 do not persist the OAuth2 PKCE S256 challenge method correctly during authorization, allowing token exchange without the expected verifier check.

Authentication Bypass Microsoft Gitea Gitea Open Source Git Server
NVD GitHub
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-26232 CRITICAL PATCH Act Now

Gitea versions before 1.25.5 do not consistently enforce OAuth2 authorization code expiry and single-use behavior during token exchange.

Information Disclosure Microsoft Gitea Gitea Open Source Git Server
NVD GitHub
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-55726 MEDIUM PATCH CISA This Month

Unauthenticated public listing of an Azure Blob Storage container exposes device log files across the entire Gardyn smart garden fleet to any internet-accessible actor. The misconfiguration affects all versions of Gardyn Home Firmware, Gardyn Studio Firmware, and the Gardyn Cloud API, meaning no specific patched version bounds the exposure - it is architectural rather than release-specific. Reported via ICS-CERT advisory ICSA-26-183-03, no confirmed active exploitation (CISA KEV) and no public exploit code have been identified at time of analysis, though exploitation requires zero technical prerequisites beyond internet access and knowledge of the container URL.

Microsoft Information Disclosure Gardyn Home Firmware Gardyn Studio Firmware Gardyn Cloud Api
NVD GitHub
CVSS 4.0
6.9
EPSS
0.4%
CVE-2026-13079 HIGH This Week

Local privilege escalation in WatchGuard Mobile VPN with SSL client for Windows (versions up to and including 2026.2) lets an authenticated local attacker elevate from a low-privileged account to NT AUTHORITY\SYSTEM on any machine where the client is installed. The flaw is rooted in insecure permission assignment (CWE-732), and there is no public exploit identified at time of analysis, though the vendor-reported nature and full high-impact CVSS (7.3, CVSS 4.0) make it a meaningful endpoint-hardening concern.

Privilege Escalation Watchguard Microsoft Fireware Os
NVD VulDB
CVSS 4.0
7.3
EPSS
0.1%
CVE-2026-13084 HIGH This Week

Denial-of-service in WatchGuard Fireware OS lets a remote, unauthenticated attacker crash the IKEv2 VPN service by sending specially crafted IKEv2 messages that trigger a null pointer dereference (CWE-476). The flaw affects appliances running Mobile User VPN with IKEv2 or Branch Office VPN over IKEv2 with a dynamic gateway peer, spanning Fireware OS 11.10.2 through 2026.2. No public exploit identified at time of analysis; the CVSS 4.0 score of 8.7 reflects high availability impact with no confidentiality or integrity loss.

Watchguard Denial Of Service Microsoft Null Pointer Dereference Fireware Os
NVD VulDB
CVSS 4.0
8.7
EPSS
0.5%
CVE-2026-54998 HIGH PATCH NEWS NO ACTION HOSTED Monitor

Privilege escalation in Microsoft Exchange Online allows an already-authenticated attacker to elevate their permissions over the network by exploiting an incorrect authorization check (CWE-863). Because Exchange Online is a cloud-hosted, multi-tenant service, a low-privileged authenticated user could gain elevated access to confidential data, tamper with mail/configuration, and disrupt availability. No public exploit has been identified at time of analysis, and the EPSS/exploit-maturity signal (E:U) indicates exploit code is currently unproven.

Authentication Bypass Microsoft Microsoft Exchange Online
NVD VulDB
CVSS 3.1
8.8
EPSS
0.6%
CVE-2026-26145 CRITICAL PATCH NEWS NO ACTION Monitor

Privilege elevation in Microsoft Azure Synapse Analytics allows a network-based, authorized attacker to bypass improper access controls and gain higher privileges than assigned. The flaw carries a critical 9.8 CVSS with full confidentiality, integrity, and availability impact, though its EPSS probability is modest (0.33%, 24th percentile) and CISA SSVC records no observed exploitation. No public exploit has been identified at time of analysis, and Microsoft has released a fix through its Security Update Guide.

Authentication Bypass Microsoft Azure Synapse
NVD VulDB
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-45499 HIGH PATCH NEWS NO ACTION HOSTED Monitor

Privilege elevation in Microsoft's Azure OpenAI service allows an authorized (low-privileged) attacker to abuse a server-side request forgery flaw (CWE-918) to force the service backend to issue attacker-controlled network requests, resulting in high confidentiality, integrity, and availability impact. The flaw carries CVSS 8.8 and requires only low privileges over the network with no user interaction, but currently shows no public exploit identified at time of analysis and a modest EPSS of 0.62%. Because Azure OpenAI is a Microsoft-hosted cloud service, remediation is delivered server-side by the vendor rather than requiring customer patching.

SSRF Microsoft Azure Open Ai
NVD VulDB
CVSS 3.1
8.8
EPSS
0.6%
CVE-2026-57100 HIGH PATCH NEWS NO ACTION HOSTED Monitor

Privilege escalation via server-side request forgery affects the Microsoft Entra Provisioning Service (SyncFabric), where an authenticated attacker with low privileges can coerce the service into making attacker-controlled network requests to reach internal endpoints and elevate privileges across the identity provisioning fabric. Microsoft has released a fix through MSRC; there is no public exploit identified at time of analysis, and SSVC rates exploitation as none with an EPSS of 0.64%. The high CVSS of 8.8 is driven by total technical impact (C:H/I:H/A:H) against a cloud identity control plane.

SSRF Microsoft Microsoft Entra Provisioning Service
NVD VulDB
CVSS 3.1
8.8
EPSS
0.6%
CVE-2026-52792 Go HIGH PATCH GHSA This Week

Source-code disclosure in the Algernon web/application server (Go, xyproto/algernon, tested at v1.17.8) lets an unauthenticated remote client retrieve the raw source of any public-path server-side script on Windows hosts by appending an NTFS-equivalent suffix (::$DATA, a trailing dot, or a trailing space) to the URL. Because filepath.Ext() does an exact suffix match, these forms are not recognized as .lua/.tl/.po2/.amber/.frm and fall through to the raw-file branch, while NTFS canonicalizes the name back to the real script, exposing embedded database credentials and the SetCookieSecret value used to forge session cookies. Publicly available exploit code exists (full PoC in the GitHub advisory); no public exploit identified as actively exploited and this is not in CISA KEV.

PostgreSQL Apple Microsoft Information Disclosure
NVD GitHub
CVE-2026-52830 PyPI CRITICAL PATCH GHSA Act Now

Authentication bypass via path traversal in the fast-mcp-telegram MCP server (Python, PyPI package fast-mcp-telegram, master through release 0.19.0) lets a remote client hijack the default Telegram account without a valid bearer token. The SessionFileTokenVerifier blocks the exact reserved token 'telegram' but fails to normalize path separators, so a token like '../fast-mcp-telegram/telegram' resolves back to the default ~/.config/fast-mcp-telegram/telegram.session file and is accepted. A validation proof-of-concept is published in the advisory (publicly available exploit code exists), though there is no public exploit identified in the wild and no CISA KEV listing.

Authentication Bypass Python Path Traversal Microsoft
NVD GitHub
CVSS 3.1
9.4
EPSS
0.4%
CVE-2026-49255 npm HIGH PATCH GHSA This Week

Arbitrary command execution in electerm (the open-source cross-platform SSH/SFTP/terminal client) allows a malicious remote server to run OS commands on the connecting user's desktop. The flaw lives in the rmrf(), mv() and cp() helpers in src/app/lib/fs.js, which build shell command strings by interpolating attacker-influenced file paths without escaping shell metacharacters; a hostile SSH/SFTP server that serves files with crafted names can break out of the quoted argument when the victim performs a file operation. Rated CVSS 8.8; no public exploit identified at time of analysis and it is not listed in CISA KEV, so treat this as high-severity but not confirmed exploited.

Command Injection Microsoft
NVD GitHub
CVSS 3.1
8.8
CVE-2026-13379 PATCH Awaiting Data

Pre-NVD disclosure via GitHub release 'v2.7.5' (openvpn/openvpn). ### Security fixes: - openvpnserv (windows): fix DNS SearchList state pollution on (dis)connect. specific combinations of `--dns` config entries plus local DNS config could lead to corruption of pre-openvpn DNS config ([CVE-2026-13379](https://www.cve.org/CVERecord?id=CVE-2026-13379)) Bug found by 章鱼哥 (www.aipyaipy.com). - Fix use-after-free bug in ack_write_buf(), triggerable by a well-timed sequence of control channel + authentication packets ([CVE-2026-12996](https://www

Microsoft Information Disclosure
NVD GitHub
CVE-2026-11771 PATCH Awaiting Data

Pre-NVD disclosure via GitHub release 'v2.7.5' (openvpn/openvpn). ### Security fixes: - openvpnserv (windows): fix DNS SearchList state pollution on (dis)connect. specific combinations of `--dns` config entries plus local DNS config could lead to corruption of pre-openvpn DNS config ([CVE-2026-13379](https://www.cve.org/CVERecord?id=CVE-2026-13379)) Bug found by 章鱼哥 (www.aipyaipy.com). - Fix use-after-free bug in ack_write_buf(), triggerable by a well-timed sequence of control channel + authentication packets ([CVE-2026-12996](https://www

Microsoft Information Disclosure
NVD GitHub
CVE-2026-13122 MEDIUM PATCH This Month

Denial-of-service in OpenVPN via a reachable assertion (CWE-617) allows a remote, low-privileged attacker to crash the OpenVPN daemon under high-complexity, timing-specific conditions. All OpenVPN deployments running versions prior to v2.7.5 are affected; the fix is available in the v2.7.5 release disclosed pre-NVD via GitHub. No public exploit code or CISA KEV listing has been identified at time of analysis; the CVSS 4.0 score of 5.9 (Medium) reflects the constrained exploitation path, though VPN service disruption carries meaningful operational impact for affected operators.

Microsoft Information Disclosure Openvpn Red Hat Suse
NVD GitHub
CVSS 4.0
5.9
EPSS
0.5%
CVE-2026-12996 PATCH Awaiting Data

Pre-NVD disclosure via GitHub release 'v2.7.5' (openvpn/openvpn). ### Security fixes: - openvpnserv (windows): fix DNS SearchList state pollution on (dis)connect. specific combinations of `--dns` config entries plus local DNS config could lead to corruption of pre-openvpn DNS config ([CVE-2026-13379](https://www.cve.org/CVERecord?id=CVE-2026-13379)) Bug found by 章鱼哥 (www.aipyaipy.com). - Fix use-after-free bug in ack_write_buf(), triggerable by a well-timed sequence of control channel + authentication packets ([CVE-2026-12996](https://www

Microsoft Information Disclosure
NVD GitHub
CVE-2026-13698 MEDIUM PATCH This Month

Memory leak in OpenVPN (pre-2.7.5) allows network-accessible unauthenticated attackers to exhaust server memory, resulting in high availability impact and denial of service. The flaw, classified CWE-401, requires specific attack prerequisites (CVSS 4.0 AT:P) and passive client interaction (UI:P), meaning it is not trivially exploitable against all default deployments. No active exploitation has been confirmed in CISA KEV and no public exploit code has been identified at time of analysis; vendor patch v2.7.5 is available.

Microsoft Information Disclosure Openvpn Red Hat Suse
NVD GitHub
CVSS 4.0
6.0
EPSS
0.5%
CVE-2026-12932 PATCH Awaiting Data

Pre-NVD disclosure via GitHub release 'v2.7.5' (openvpn/openvpn). ### Security fixes: - openvpnserv (windows): fix DNS SearchList state pollution on (dis)connect. specific combinations of `--dns` config entries plus local DNS config could lead to corruption of pre-openvpn DNS config ([CVE-2026-13379](https://www.cve.org/CVERecord?id=CVE-2026-13379)) Bug found by 章鱼哥 (www.aipyaipy.com). - Fix use-after-free bug in ack_write_buf(), triggerable by a well-timed sequence of control channel + authentication packets ([CVE-2026-12996](https://www

Microsoft Information Disclosure
NVD GitHub
CVE-2026-13117 PATCH Awaiting Data

Pre-NVD disclosure via GitHub release 'v2.7.5' (openvpn/openvpn). ### Security fixes: - openvpnserv (windows): fix DNS SearchList state pollution on (dis)connect. specific combinations of `--dns` config entries plus local DNS config could lead to corruption of pre-openvpn DNS config ([CVE-2026-13379](https://www.cve.org/CVERecord?id=CVE-2026-13379)) Bug found by 章鱼哥 (www.aipyaipy.com). - Fix use-after-free bug in ack_write_buf(), triggerable by a well-timed sequence of control channel + authentication packets ([CVE-2026-12996](https://www

Microsoft Information Disclosure
NVD GitHub
CVE-2026-14402 MEDIUM PATCH This Month

Uninitialized Use in ANGLE in Google Chrome on Windows prior to 150.0.7871.46 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)

Information Disclosure Microsoft Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-14384 MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome on Windows prior to 150.0.7871.46 stems from an out-of-bounds read in ANGLE, the browser's graphics abstraction layer. Remote attackers can exploit this by serving a crafted HTML page to a Windows user, causing the ANGLE subsystem to read memory beyond its intended buffer boundary and exposing data belonging to a separate web origin. No public exploit code has been identified at time of analysis, and the EPSS score of 0.18% (8th percentile) indicates low exploitation probability in the near term.

Google Microsoft Buffer Overflow Information Disclosure Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-14391 MEDIUM PATCH This Month

Integer overflow in ANGLE in Google Chrome on Windows prior to 150.0.7871.46 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)

Information Disclosure Microsoft Google Suse
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-50138 Go HIGH PATCH GHSA This Week

Access-control bypass in the goshs WebDAV listener (Go package goshs.de/goshs/v2, all releases through v2.0.9) lets an authenticated WebDAV client write, delete, and create files even when the operator started the server with --read-only, --upload-only, or --no-delete. The mode-restriction flags are enforced only on the primary HTTP port, while the WebDAV port (-w/-wp) wires requests straight into golang.org/x/net/webdav.Handler with no guard, so PUT/DELETE/MKCOL/MOVE/COPY succeed regardless of operator intent. A working proof of concept is published in the GitHub Security Advisory (GHSA-3whc-qvhv-xqjp); publicly available exploit code exists, but there is no public exploit identified as being used in active attacks.

Authentication Bypass Microsoft
NVD GitHub
CVSS 3.1
8.1
CVE-2026-48978 Go LOW PATCH GHSA Monitor

Unvalidated bearer realm URL handling in oras-go v2 ≤ 2.6.0 enables two distinct attack primitives against users who run oras operations against a malicious, compromised, or man-in-the-middle'd registry: server-side request forgery (SSRF) to internal network endpoints including cloud instance metadata services, and TLS downgrade that exposes user credentials in plaintext. The OCI distribution spec legitimately allows cross-host realm references for split-auth deployments (e.g., Docker Hub's auth.docker.io pattern), but oras-go failed to block private IP literals, loopback addresses, and scheme downgrades from https to http - patterns that are never legitimate under any valid registry trust model. No active exploitation has been confirmed (not in CISA KEV), and a patch is available in v2.6.1.

SSRF Microsoft Docker
NVD GitHub
CVE-2026-50521 HIGH PATCH Exploit Unlikely This Week

Remote code execution in Microsoft Edge (Chromium-based) stems from a use-after-free (CWE-416) memory-corruption flaw that lets an authorized attacker run arbitrary code over a network within the browser process. Microsoft has shipped an official fix and rates it CVSS 8.3; the exploit-maturity metric is Unproven (E:U), meaning no public exploit identified at time of analysis and it is not listed in CISA KEV. Impact is high to confidentiality and integrity with partial availability loss, making it a meaningful but not emergency patch priority for Edge-based endpoints.

Memory Corruption Google Microsoft Denial Of Service Use After Free +1
NVD
CVSS 3.1
8.3
EPSS
0.8%
CVE-2026-48816 npm MEDIUM POC PATCH GHSA This Month

Timestamp forgery in sigstore-js allows an attacker supplying a crafted bundle v0.2 to manipulate certificate validity window checks by controlling the `integratedTime` field in an inclusionProof-only tlog entry. Because the inclusionProof-only code path in `@sigstore/verify` does not cryptographically bind `integratedTime` (unlike the signed inclusionPromise/set path), a low-privileged attacker who can present an untrusted bundle can cause the verifier to accept expired or not-yet-valid signing certificates as currently valid. A publicly available proof-of-concept exists; this vulnerability is not in CISA KEV.

Canonical Microsoft Information Disclosure
NVD GitHub
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-54161 CRITICAL Act Now

Remote OS command injection in Network UPS Tools upsmon (versions 2.8.3-2.8.5) allows a network-positioned attacker - acting as a man-in-the-middle on the plaintext 3493/tcp NUT protocol connection, operating a compromised upsd server, or controlling a rogue UPS device - to execute arbitrary shell commands as the upsmon service account. The vulnerability exists in the NOTIFYCMD alarm handler, where server-supplied ups.alarm text is interpolated directly into a shell command string and executed via system(), enabling injection of shell metacharacters. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, though the oss-security disclosure contains sufficient implementation detail to construct a working exploit.

Command Injection Microsoft
NVD VulDB
CVE-2026-49856 npm MEDIUM PATCH GHSA This Month

SSRF policy bypass in jshookmcp 0.3.1 allows an authenticated MCP client with network domain access to probe internal RFC 1918 and reserved addresses that are explicitly blocked by all other network tools on the same server. The `network_icmp_probe` and `network_traceroute` handlers call `resolveHostname` directly without invoking the central `resolveAuthorizedTransportTarget` guard, creating an inconsistent enforcement boundary. No CISA KEV listing exists, but proof-of-concept test code demonstrating the bypass via the `handleCallTool` dispatch path is included in the GitHub advisory (GHSA-c5r6-m4mr-8q5j), confirming exploitability without external traffic.

SSRF Microsoft Node.js RCE Oracle
NVD GitHub
CVSS 3.1
4.3
CVE-2026-7830 HIGH This Week

Credential disclosure in UltraVNC through 1.8.2.2 lets a passive network observer break the MS-Logon II authentication handshake and recover plaintext usernames and passwords. The rfbUltraVNC_MsLogonIIAuth scheme relies on a Diffie-Hellman exchange whose prime fits in an unsigned 64-bit integer and a private exponent derived from time(NULL)-seeded libc rand(), both of which are trivially solvable, so an attacker who sniffs or man-in-the-middles the exchange derives the shared key in seconds to a minute. There is no public exploit identified at time of analysis and no EPSS/KEV signal supplied; CVSS is 7.4 (AC:H reflecting the need to observe the handshake), and MS-Logon III (X25519 + AES-256-GCM) is not affected.

Microsoft Information Disclosure Ultravnc
NVD GitHub
CVSS 3.1
7.4
EPSS
0.2%
CVE-2026-44040 MEDIUM This Month

UltraVNC through 1.8.2.2 exposes a cryptographically weak VNC authentication challenge generator that an attacker can predict by observing network traffic and enumerating a roughly 31-bit seed space derived from wall-clock time and process ID. Successful seed reconstruction allows the attacker to forge or brute-force valid VNC authentication responses, effectively bypassing the RFB challenge-response mechanism and gaining unauthorized remote desktop access. No public exploit has been identified at time of analysis, and the vulnerability is not currently listed in the CISA KEV catalog; however, the mathematical basis for exploitation is straightforward given the small seed space.

Microsoft Information Disclosure Ultravnc
NVD GitHub
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-14138 MEDIUM PATCH This Month

UI spoofing in Google Chrome's WebAppInstalls component on Windows (versions prior to 150.0.7871.47) enables a remote attacker to misrepresent the browser interface by luring a user into performing specific UI interaction gestures on a crafted HTML page. The flaw is Windows-platform-specific and rooted in an inappropriate implementation of the Progressive Web App installation UI flow. Google rates this Low severity; no public exploit identified at time of analysis, and EPSS data is not present in the provided intelligence, but the CVSS 4.2 score and required high-complexity user interaction significantly limit real-world risk.

Information Disclosure Microsoft Google Suse
NVD
CVSS 3.1
4.2
EPSS
0.2%
CVE-2026-14124 HIGH PATCH This Week

OS-level privilege escalation in Google Chrome for Windows before 150.0.7871.47 lets a local attacker leverage an inappropriate implementation in the CredentialProvider component to elevate privileges via a malicious file. Exploitation requires local access plus user interaction (UI:R), and though Google rated the Chromium security severity 'Low', the CVSS 3.1 base score is 7.8 (High) due to full confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis, and the EPSS probability is very low at 0.11% (2nd percentile).

Privilege Escalation Microsoft Google Suse
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-14122 HIGH PATCH This Week

Insufficient validation of untrusted input in WebAppInstalls in Google Chrome on Windows prior to 150.0.7871.47 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: Low)

Information Disclosure Microsoft Google Suse
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-14119 MEDIUM PATCH This Month

Type confusion in Chrome's Bluetooth stack on Windows (versions prior to 150.0.7871.47) enables an adjacent-network attacker to exfiltrate sensitive data from Chrome process memory by presenting a malicious Bluetooth peripheral. The CVSS 6.5 score reflects high confidentiality impact but no integrity or availability exposure; notably, Chromium's internal security team rated this Low severity, suggesting the memory regions accessible are constrained. No public exploit code and no CISA KEV listing exist at time of analysis, and exploitation is physically bounded by Bluetooth range.

Memory Corruption Information Disclosure Microsoft Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-14117 MEDIUM PATCH This Month

Memory disclosure via DevTools in Google Chrome on Windows (prior to 150.0.7871.47) enables a remote attacker to read sensitive process memory contents by delivering a crafted HTML page and manipulating the victim into performing specific UI gestures. The vulnerability is Windows-platform-exclusive and carries a Chromium-internal severity of Low, consistent with SSVC's assessment of no current exploitation and non-automatable delivery. No active exploitation or public exploit code has been identified at time of analysis, though the CVSS C:H rating reflects meaningful confidentiality risk if successfully triggered.

Information Disclosure Microsoft Google Suse
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-14113 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome for Windows before 150.0.7871.47 lets an attacker who has already compromised the renderer process abuse a use-after-free in the Updater component via a crafted HTML page to break out of the browser sandbox. It is a second-stage bug that Chromium rated only Low severity despite the CVSS 9.6 score, with no public exploit identified at time of analysis and a low EPSS probability of 0.18% (8th percentile). Google has shipped a fixed Stable-channel build.

Memory Corruption Google Microsoft Denial Of Service Use After Free +1
NVD
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-14094 HIGH PATCH This Week

Use after free in Installer in Google Chrome on Windows prior to 150.0.7871.47 allowed a local attacker to perform OS-level privilege escalation via a malicious file. (Chromium security severity: Low)

Memory Corruption Google Microsoft Denial Of Service Use After Free +2
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-14087 HIGH PATCH This Week

Heap corruption in Google Chrome's WebNN (Web Neural Network API) implementation on Windows, fixed in 150.0.7871.47, lets an attacker who has already compromised the renderer process trigger a heap buffer overflow via a crafted HTML page and potentially escalate beyond the sandbox. Chromium's own security team rated this Low severity, while NVD scores it 8.8; EPSS is low at 0.19% (9th percentile) and there is no public exploit identified at time of analysis. It is not listed in CISA KEV and SSVC records exploitation status as none.

Buffer Overflow Microsoft Google Suse
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-14060 HIGH PATCH This Week

Local privilege escalation in Google Chrome's Chromoting (Chrome Remote Desktop) component on Windows before 150.0.7871.47 allows a local attacker who plants a malicious file to elevate privileges after the victim interacts with it. The flaw stems from insufficient validation of untrusted input (CWE-20) and carries a 7.8 CVSS but was rated Low severity by Chromium's own team. There is no public exploit identified at time of analysis, and the EPSS probability is very low (0.13%, 3rd percentile), consistent with a local, interaction-dependent issue rather than a mass-exploitable one.

Privilege Escalation Microsoft Google Suse
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-14055 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome on Windows prior to 150.0.7871.47 lets a remote attacker who has already compromised the renderer process break out of the browser sandbox by feeding crafted input to the Device Trust component via a malicious HTML page. NVD scores this 9.6 (Critical) while Google rates the Chromium security severity as Low, and there is no public exploit identified at time of analysis. EPSS is very low at 0.17% (7th percentile), and it is not listed in CISA KEV.

Information Disclosure Microsoft Google Suse
NVD
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-14033 MEDIUM PATCH This Month

Site isolation bypass in Google Chrome's Media component on Windows allows remote attackers to circumvent cross-origin security boundaries by delivering a specially crafted HTML page to a victim. All Chrome for Windows releases prior to 150.0.7871.47 are affected. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; EPSS at 0.18% (8th percentile) and SSVC exploitation status of 'none' consistently indicate low current real-world risk despite the potential severity of an isolation bypass.

Authentication Bypass Microsoft Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-14018 HIGH PATCH This Week

Local privilege escalation in Google Chrome's Updater component on Windows (versions prior to 150.0.7871.47) allows a local attacker to escalate to OS-level privileges via a malicious file that triggers a use-after-free condition. Google rates the Chromium security severity as Medium, though the CVSS base score is 7.8 (High) because the Updater runs with elevated (SYSTEM) privileges. There is no public exploit identified at time of analysis and EPSS is very low (0.11%, 1st percentile), indicating negligible observed exploitation activity.

Memory Corruption Google Microsoft Denial Of Service Use After Free +2
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-14015 MEDIUM PATCH This Month

Cross-origin data exfiltration in Google Chrome's WebRTC subsystem on Windows allows remote attackers to leak sensitive data from other origins by directing victims to a specially crafted HTML page. All Chrome on Windows versions prior to 150.0.7871.47 are affected. No public exploit identified at time of analysis, and the EPSS score of 0.17% (7th percentile) signals low near-term exploitation probability despite the CVSS High confidentiality impact - consistent with Chromium's own 'Medium' severity designation and the inherent timing-sensitivity of race condition attacks.

Information Disclosure Microsoft Race Condition Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-14010 MEDIUM PATCH This Month

Uninitialized memory use in Chrome's codec subsystem on Windows leaks process memory contents to remote attackers who can direct a user to a crafted HTML page. All Chrome versions prior to 150.0.7871.47 on Windows are affected; exploitation requires no authentication but does require the victim to visit attacker-controlled content, placing this in the drive-by browsing threat category. No public exploit code has been identified at time of analysis, and Google has released a confirmed fix in stable channel 150.0.7871.47.

Information Disclosure Microsoft Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-13990 MEDIUM PATCH This Month

UI spoofing in Google Chrome for Windows (prior to 150.0.7871.47) is enabled by insufficient input validation in the DataTransfer subsystem when the renderer process has already been compromised. A remote attacker who controls a compromised renderer can deliver a crafted HTML page that manipulates visual UI elements, potentially deceiving users into approving malicious permissions, revealing credentials, or performing unintended actions. No active exploitation has been confirmed (not in CISA KEV), and EPSS of 0.17% at the 7th percentile reflects minimal observed exploitation probability; however, exploitation as a second-stage payload in a renderer RCE chain remains a realistic concern for high-value targets.

Information Disclosure Microsoft Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13961 MEDIUM PATCH This Month

Process memory disclosure in Google Chrome DevTools on Windows (versions prior to 150.0.7871.47) allows a remote attacker to read potentially sensitive data from browser process memory by serving a crafted HTML page and convincing a user to perform specific UI gestures. The flaw stems from insufficient input validation (CWE-20) within the DevTools subsystem and is limited to the Windows platform. No public exploit code or CISA KEV listing has been identified at time of analysis, but the confidentiality impact is rated High by NVD.

Information Disclosure Microsoft Google Suse
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-13958 MEDIUM PATCH This Month

Uninitialized memory use in the codec subsystem of Google Chrome on Windows exposes potentially sensitive process memory contents to remote attackers via a crafted HTML page. All Chrome for Windows releases prior to 150.0.7871.47 are affected; the flaw is platform-specific and does not affect Chrome on Linux, macOS, or mobile. No public exploit code has been identified and this vulnerability is absent from the CISA KEV catalog, though the CVSS C:H rating reflects meaningful confidentiality risk, and the uninitialized read could serve as a precursor step toward ASLR bypass in a chained attack.

Information Disclosure Microsoft Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-13931 MEDIUM PATCH This Month

UI spoofing in Google Chrome on Windows (prior to 150.0.7871.47) allows a remote attacker who has already compromised the renderer process to manipulate the browser interface via a specially crafted HTML page, potentially deceiving users into interacting with falsified content or controls. The vulnerability stems from an inappropriate implementation in the Media component and is classified as medium severity (CVSS 6.5). No public exploit code or active exploitation has been identified - EPSS sits at the 11th percentile (0.21%) and no CISA KEV listing exists - and a vendor patch is confirmed available in Chrome 150.0.7871.47.

Authentication Bypass Microsoft Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13925 HIGH PATCH This Week

Inappropriate implementation in Downloads in Google Chrome on Windows prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: Medium)

RCE Microsoft Google Suse
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-13920 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome on Windows before 150.0.7871.47 lets an attacker who has already compromised the renderer process break out of the browser sandbox by serving a crafted HTML page that abuses insufficient input validation in the Media component. Google rates the Chromium security severity as Medium and a fix is shipped in the stable channel, but no public exploit has been identified and EPSS exploitation probability is low at 0.21%. The high 9.6 CVSS reflects the total system compromise possible once chained, not standalone exploitability.

Information Disclosure Microsoft Google Suse
NVD
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-13875 MEDIUM PATCH This Month

Memory disclosure in Google Chrome's GPU component on Windows enables a remote attacker - who has already established renderer process compromise - to extract sensitive data from process memory via a crafted HTML page. Affected versions are all Chrome for Windows releases prior to 150.0.7871.47. This is a second-stage exploit component: it does not independently achieve remote code execution but can be chained with a renderer exploit to leak process memory contents, potentially exposing credentials, tokens, or other in-memory sensitive data. No public exploit code and no CISA KEV listing have been identified at time of analysis.

Information Disclosure Microsoft Google Suse
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-13869 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome's Device component on Windows (versions prior to 150.0.7871.47) lets an attacker who has already compromised the renderer process break out of the browser sandbox via a crafted HTML page, exploiting a use-after-free (CWE-416). Google rates the Chromium security severity as Medium, reflecting that it is a second-stage bug requiring prior renderer compromise, though the NVD CVSS of 9.6 is inflated by the sandbox scope change. There is no public exploit identified at time of analysis and EPSS is low (0.21%), indicating no current sign of widespread exploitation.

Memory Corruption Google Microsoft Denial Of Service Use After Free +1
NVD
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-13860 MEDIUM PATCH This Month

UI spoofing in Google Chrome's Autofill component on Windows (all versions prior to 150.0.7871.47) allows a remote unauthenticated attacker to mislead users into interacting with forged security UI elements by convincing them to perform specific on-page gestures against a crafted HTML page. Rooted in CWE-451 (UI Misrepresentation of Critical Information), the flaw enables an adversary to obscure or fabricate Autofill security indicators, potentially tricking users into submitting saved credentials or personal data to attacker-controlled destinations. No public exploit or CISA KEV listing has been confirmed; Google has released a fix in stable channel version 150.0.7871.47.

Information Disclosure Microsoft Google Suse
NVD
CVSS 3.1
4.2
EPSS
0.2%
CVE-2026-13849 HIGH PATCH This Week

Insufficient validation of untrusted input in Chromoting in Google Chrome on Windows prior to 150.0.7871.47 allowed a local attacker to potentially perform a sandbox escape via a malicious file. (Chromium security severity: High)

Information Disclosure Microsoft Google Suse
NVD
CVSS 3.1
8.6
EPSS
0.1%
CVE-2026-13844 HIGH PATCH This Week

Local OS-level privilege escalation in Google Chrome on Windows (versions prior to 150.0.7871.47) arises from a use-after-free in the Chrome Updater component, letting a local attacker who can plant a malicious file on the system elevate to higher OS privileges. Google rates the Chromium severity as High and has released a fixed Stable channel build; there is no public exploit identified and it is not listed in CISA KEV. EPSS is low at 0.13% (3rd percentile), consistent with a bug that requires local access and user interaction rather than mass remote exploitation.

Memory Corruption Google Microsoft Denial Of Service Use After Free +2
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-13829 HIGH PATCH This Week

Insufficient validation of untrusted input in Settings in Google Chrome on Windows prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Information Disclosure Microsoft Google Suse
NVD VulDB
CVSS 3.1
8.3
EPSS
0.2%
CVE-2026-13800 HIGH PATCH This Week

Local privilege escalation in the Google Chrome Updater on Windows (versions prior to 150.0.7871.47) allows a local attacker to gain OS-level privileges by planting a malicious file that the Updater component mishandles. Rated High by Chromium and CVSS 7.8, exploitation requires local access plus user interaction; there is no public exploit identified at time of analysis, and EPSS is low at 0.13% (3rd percentile). A vendor patch is available in the June 2026 Stable Channel release.

Authentication Bypass Privilege Escalation Microsoft Google Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-13794 HIGH PATCH This Week

Remote code execution in Google Chrome on Windows before version 150.0.7871.47 allows an attacker to run arbitrary code by luring a victim to a crafted HTML page and getting them to perform specific UI gestures against the WebAppInstalls component. Chromium rates the flaw High severity; no public exploit identified at time of analysis, and the EPSS probability is low (0.26%, 17th percentile), indicating the attack is not yet broadly commoditized despite the serious impact.

RCE Microsoft Google Suse
NVD VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-13787 HIGH PATCH This Week

Remote code execution in Google Chrome's Chromoting (Chrome Remote Desktop) component on Windows affects all desktop builds prior to 150.0.7871.47, where a use-after-free (CWE-416) lets a remote attacker corrupt memory via malicious network traffic. Google rates the Chromium severity Critical, and a vendor patch is available, but there is no public exploit identified at time of analysis and EPSS is low at 0.24%. High attack complexity (AC:H) means the memory-corruption race is non-trivial to win reliably, tempering the CVSS 8.1 score.

Memory Corruption Google Microsoft Denial Of Service Use After Free +2
NVD VulDB
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-11906 MEDIUM This Month

Denial of service in IBM Db2 11.5.0-11.5.9 and 12.1.0-12.1.4 allows an authenticated low-privileged user to crash or hang the database server by submitting a crafted SQL query exploiting improper neutralization of special elements in XMLTable-derived column processing logic. The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) confirms this is remotely triggerable with minimal privileges, posing a realistic insider-threat or compromised-credential availability risk. No public exploit code or active exploitation has been identified at time of analysis.

IBM Denial Of Service Microsoft Db2
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2026-10564 HIGH This Week

Server-Side Request Forgery in IBM Langflow OSS 1.0.0 through 1.9.6 lets an attacker coerce the application into making arbitrary HTTP requests via the legacy RSSReaderComponent (rss.py) and the SearXNG component (searxng.py), which fetch user-controlled URLs without validation. These two components bypass the SSRF protections that were added in version 1.9.3, allowing reach into internal resources such as AWS/Azure/GCP instance metadata (IMDS) to steal IAM credentials and enumerate internal networks. The flaw is reachable directly by an authenticated user and indirectly through prompt injection in agentic workflows because the components are exposed with tool_mode=True; no public exploit identified at time of analysis.

SSRF IBM Microsoft Langflow
NVD
CVSS 3.1
8.2
EPSS
0.2%
CVE-2025-36372 MEDIUM This Month

IBM Db2 versions 11.5.0-11.5.9 and 12.1.0-12.1.4 expose sensitive information through internal monitoring and event tables to authenticated low-privilege local users, a consequence of CWE-538 where sensitive data is inserted into storage locations accessible beyond the intended trust boundary. The CVSS vector confirms local-only attack surface (AV:L) with low-privilege authentication (PR:L) and high confidentiality impact, making this most relevant to insider threat scenarios or post-compromise lateral movement in multi-tenant Db2 environments. No public exploit code exists and the vulnerability is not listed in CISA KEV, indicating no confirmed active exploitation at time of analysis.

IBM Microsoft Information Disclosure Db2
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-48796 NuGet MEDIUM POC PATCH GHSA This Month

Path traversal in CefSharp's `FolderSchemeHandlerFactory` (NuGet: cefsharp.common, assembly version 147.0.100) allows an embedded browser to serve local files from outside the configured `rootFolder` when sibling directories share a common name prefix. The root cause is a raw C# string prefix check (`filePath.StartsWith(rootFolder, StringComparison.OrdinalIgnoreCase)`) that does not enforce directory boundaries, meaning a canonicalized path into a sibling directory such as `www2` passes validation intended to restrict access to `www`. A detailed proof-of-concept with exact request paths is publicly documented in the GitHub Security Advisory GHSA-85jm-cwp2-mvpv; no CISA KEV listing exists at time of analysis, indicating no confirmed active exploitation.

Path Traversal Microsoft
NVD GitHub
CVSS 3.1
5.3
CVE-2026-49451 NuGet HIGH PATCH GHSA This Week

Denial of service in the Microsoft.OpenApi (OpenAPI.NET) .NET library lets a crafted OpenAPI document with circular schema $ref references crash the host process via stack overflow (CWE-674, uncontrolled recursion). Any .NET application, CLI, developer tool, or service that parses untrusted OpenAPI documents in-process through the public reader APIs is affected across both JSON and YAML reader paths, including Microsoft's own kiota tool. A working reproduction payload is published in the GitHub advisory; the impact is availability-only with no code execution, and there is no public exploit identified beyond that payload and no evidence of active exploitation.

Authentication Bypass Microsoft RCE Privilege Escalation Information Disclosure
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.7%
CVE-2026-13316 MEDIUM This Month

Server-Side Request Forgery (SSRF) in Foreman's HTTP proxy controller within Red Hat Satellite 6 allows high-privileged attackers to redirect internal HTTP requests to cloud metadata endpoints on AWS, GCP, and Azure environments. By manipulating HTTP parameters in the http_proxies_controller or http_proxy configuration files, an attacker can cause the Foreman server to issue forged requests to internal metadata services (e.g., AWS IMDS at 169.254.169.254), potentially harvesting IAM role credentials, access tokens, and environment configuration secrets. No public exploit code has been identified at time of analysis, and no CISA KEV listing exists, but the confidentiality impact is high given the value of cloud metadata credentials.

SSRF Microsoft Red Hat Satellite 6 Red Hat
NVD VulDB
CVSS 3.1
4.4
EPSS
0.1%
CVE-2026-48717 Maven MEDIUM PATCH GHSA This Month

PKCE bypass in OpenAM Community Edition through 16.0.6 allows an attacker who intercepts an OAuth2 authorization code to exchange it for tokens without supplying the required code_verifier. The token endpoint only enforces PKCE verification when the realm-wide codeVerifierEnforced setting is explicitly enabled - a setting that ships disabled by default - meaning omitting the code_verifier parameter silently skips the challenge check entirely. No public exploit has been identified at time of analysis, and a patch is available in version 16.1.1.

Authentication Bypass Microsoft
NVD GitHub
CVE-2026-58057 LOW POC PATCH Monitor

Arbitrary code execution in Flowise before 3.1.3 on Windows allows an authenticated user with Custom MCP node configuration access to bypass the NODE_OPTIONS environment variable denylist by supplying the lowercase variant 'node_options', exploiting a case-sensitive string comparison against a case-insensitive OS. The injected NODE_OPTIONS --require directive causes the Flowise server process to load an attacker-controlled module when spawning a Custom MCP stdio child process. A publicly available proof-of-concept exists per VulnCheck; the vulnerability is not listed in CISA KEV, and exploitation is constrained by Windows platform dependency and the requirement for stdio mode to be explicitly enabled.

Microsoft RCE Flowise
NVD GitHub VulDB Exploit-DB
CVSS 4.0
2.3
EPSS
0.2%
CVE-2026-58052 MEDIUM POC This Month

Mark-of-the-Web protection is bypassed in 7-Zip for Windows 26.02 and earlier when extracting crafted RAR5 archives, allowing an attacker to strip the Internet-zone marker (ZoneId=0) and spoof the extracted file's data stream content - directly defeating SmartScreen and Windows attachment warnings. The bypass exploits a gap between 7-Zip's exact-string guard ('Zone.Identifier') and the NTFS-canonical equivalent (':Zone.Identifier:$DATA') that a RAR5 STM record can supply; a second STM record ('::$DATA') additionally overwrites the default file data stream for content spoofing. A publicly available proof-of-concept exists; no vendor-released patched version has been confirmed at the time of analysis.

Microsoft Information Disclosure 7 Zip
NVD GitHub VulDB
CVSS 4.0
4.8
EPSS
0.1%
CVE-2025-59868 MEDIUM PATCH This Month

Sensitive application data exposure in HCL Traveler for Microsoft Outlook (HTMO) allows a local low-privileged attacker to read sensitive information - likely credentials, tokens, or session data written to application log files (CWE-532) - potentially enabling follow-on attacks against connected systems. The CVSS vector confirms local access with low privileges is sufficient to achieve high confidentiality impact, with no integrity or availability consequences. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis.

Microsoft Information Disclosure Traveler For Microsoft Outlook
NVD VulDB
CVSS 3.1
5.5
EPSS
0.1%
CVE-2023-37524 HIGH PATCH This Week

HCL Traveler for Microsoft Outlook (HTMO) is susceptible to vulnerabilities due to .NET Framework 4.5 being out of service. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.

Microsoft Information Disclosure Traveler For Microsoft Outlook
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-49984 HIGH PATCH This Week

Authenticated path traversal in Kestra's local internal-storage backend (versions prior to 1.0.45 and 1.3.23) lets any low-privilege user with execution-view access read arbitrary files on the host. The flaw stems from validation ordering: the guard checks for '..' sequences before backslashes are normalized to forward slashes, so a Windows-style '..\..\..\' payload bypasses the check and is rewritten to a real traversal only after validation. There is no public exploit identified at time of analysis, and EPSS/KEV signals are absent, but the confidentiality impact is severe because it breaks the multi-tenant storage isolation boundary.

Path Traversal Microsoft Kestra
NVD GitHub VulDB
CVSS 3.1
7.7
EPSS
0.4%
CVE-2024-23581 HIGH PATCH This Week

The HCL Traveler for Microsoft Outlook libraries are being flagged as potentially malicious software or an unrecognized application. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.

Microsoft Information Disclosure Traveler For Microsoft Outlook
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-48770 MEDIUM PATCH This Month

Notepad++ versions prior to 8.9.6.1 can be crashed by any local process sharing the same interactive Windows session via a malformed WM_COPYDATA message. The COPYDATA_FULL_CMDLINE handler in NppBigSwitch.cpp dereferences COPYDATASTRUCT.lpData as an unbounded NUL-terminated wchar_t* without validating against the COPYDATASTRUCT.cbData length field, enabling an out-of-bounds read that results in process termination. No active exploitation has been confirmed (no CISA KEV listing, no public POC), and the fix is available in the vendor-released patch 8.9.6.1.

Microsoft Buffer Overflow Information Disclosure Notepad Plus Plus
NVD GitHub VulDB
CVSS 3.1
5.0
EPSS
0.3%
CVE-2026-52783 HIGH PATCH This Week

Cleartext credential disclosure in OpenProject's Storages module (versions prior to 17.3.3 and 17.4.1) writes the userless OneDrive/SharePoint OAuth access_token in plaintext to Rails.cache under the deterministic key storage.<id>.httpx_access_token, refreshed by an hourly cron and every userless-OAuth call. Because none of the supported cache backends (file_store, memcache, redis) encrypts at rest, an attacker who can read the cache backend retrieves the Azure-AD application-tier bearer token via an anonymous memcached/Redis get. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV.

Redis Microsoft Information Disclosure Openproject
NVD GitHub
CVSS 3.1
8.2
EPSS
0.1%
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Relative path traversal in Microsoft Edge for Android (Chromium-based) before version 150.0.4078.48 permits a local, unprivileged attacker to read sensitive files outside the application's intended directory scope, achieving high confidentiality impact with minor integrity exposure. The flaw (CWE-23) stems from insufficient sanitization of relative path sequences in Edge's Android file-handling logic. No public exploit code or active exploitation has been identified at time of analysis, though a vendor patch is available and should be prioritized given the high confidentiality impact rating.

Path Traversal Microsoft Google +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote code execution in Microsoft Edge for Android (Chromium-based) arises from a time-of-check to time-of-use (TOCTOU) race condition that an unauthenticated network attacker can win to run arbitrary code, though success requires the victim to interact (UI:R) and the timing window makes exploitation high-complexity. Microsoft (self-reported) has shipped an official fix, and the temporal signals (E:U, RC:C) indicate no public exploit identified at time of analysis despite confirmed technical validity. The flaw is credited to Microsoft/Google collaboration and tagged as an authentication-bypass-class issue.

Authentication Bypass Microsoft Google +1
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Remote code execution in Microsoft Edge (Chromium-based) allows an unauthorized attacker to run arbitrary code when a victim views attacker-controlled web content, stemming from a use-after-free memory-corruption flaw (CWE-416). The scope-changed CVSS vector (S:C) indicates the bug can breach the browser's sandbox boundary. Microsoft has released a fix; there is no public exploit identified at time of analysis (CVSS E:U) and it is not listed in CISA KEV.

Memory Corruption Google Microsoft +3
NVD VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Spoofing in Microsoft Edge (Chromium-based) stems from a type-confusion memory-safety defect (CWE-843) that a remote, unauthenticated attacker can leverage over the network to misrepresent content or origin to the victim. Microsoft rates it CVSS 8.1 with a changed scope, driven largely by high integrity impact, though the CVSS vector's high attack complexity (AC:H) signals non-trivial exploitation. There is no public exploit identified at time of analysis (CVSS E:U), and it is not listed in CISA KEV; Microsoft has already shipped an official fix (RL:O).

Memory Corruption Authentication Bypass Microsoft +2
NVD VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Spoofing in Microsoft Edge (Chromium-based) lets a remote, unauthenticated attacker bypass an origin/security-context access control (CWE-284) to misrepresent trusted content or UI over a network. The flaw carries CVSS 8.1 with a scope-changed vector and high integrity impact, meaning a successful spoof can influence resources beyond the initially vulnerable component. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but Microsoft has shipped an official fix.

Authentication Bypass Microsoft Google +1
NVD VulDB
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Microsoft Edge (Chromium-based) versions prior to 150.0.4078.48 expose sensitive information to unauthorized network actors, enabling spoofing attacks against users who interact with attacker-controlled content. The vulnerability maps to CWE-200, indicating that browser-internal sensitive data (likely origin, URL, or session context) is improperly disclosed across a network boundary, allowing an attacker to impersonate trusted content or identities. No public exploit code or CISA KEV listing exists at time of analysis; however, the CVSS score of 6.5 with a network attack vector and no privilege requirement underscores meaningful real-world risk for any unpatched Edge deployment.

Google Microsoft Information Disclosure +1
NVD VulDB
EPSS 1% CVSS 7.4
HIGH PATCH This Week

Server-side request forgery in Microsoft Edge (Chromium-based) lets a remote, unauthenticated attacker coax a victim's browser into issuing forged network requests, enabling spoofing and disclosure of sensitive data over the network. Exploitation requires user interaction (visiting or interacting with attacker-controlled content), and the CVSS scope-change flag indicates the browser can be pivoted to reach resources beyond its own security boundary. No public exploit identified at time of analysis (CVSS E:U), but a vendor fix is already available and the finding is vendor-confirmed (RC:C).

SSRF Microsoft Google +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote code execution in Microsoft Edge (Chromium-based) lets an unauthenticated attacker run arbitrary code when a victim is lured into loading attacker-controlled web content that triggers a use-after-free memory corruption. The flaw carries a CVSS 3.1 base of 7.5 and requires user interaction, and the CVSS temporal metrics (E:U, RL:O, RC:C) indicate the issue is confirmed and officially patched with no public exploit identified at time of analysis. Because Edge shares Chromium's rendering engine, the underlying defect is likely rooted in an upstream Chromium/Blink component (the intel tags also reference Google).

Memory Corruption Google Microsoft +3
NVD VulDB
EPSS 1% CVSS 7.1
HIGH PATCH This Week

Code execution via relative path traversal in Microsoft Edge (Chromium-based) allows a remote unauthenticated attacker to run arbitrary code when a user is lured into interacting with attacker-controlled content, consistent with the CVSS PR:N/UI:R vector. Rated CVSS 7.1 with high integrity impact (I:H), low availability impact (A:L), and no confidentiality impact (C:N). No public exploit identified at time of analysis (exploit maturity Unproven, E:U) and the CVE is not in CISA KEV, but an official vendor fix is available (RL:O).

Path Traversal Microsoft Google +1
NVD VulDB
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Server-side request forgery in Microsoft Edge (Chromium-based) prior to version 150.0.4078.48 allows unauthenticated network attackers to perform spoofing by inducing a victim user to visit a malicious page, causing the browser to issue forged requests to internal or external resources. The confidentiality impact is rated High (CVSS C:H), indicating that sensitive data accessible via the browser's network context may be exfiltrated through the SSRF channel. No public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog at time of analysis.

SSRF Microsoft Google +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Microsoft Edge (Chromium-based) before version 150.0.4078.48 allows an unauthenticated remote attacker to run arbitrary code when a victim is lured into loading attacker-controlled web content. The flaw stems from improper input validation (CWE-20) and carries a high-severity CVSS of 8.8, though it requires user interaction and has no public exploit identified at time of analysis. EPSS risk is low (0.42%, 34th percentile) and CISA SSVC currently rates exploitation status as none.

Authentication Bypass Microsoft Google +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote code execution in Microsoft Edge (Chromium-based) stems from a use-after-free (CWE-416) memory-corruption flaw that an unauthenticated attacker can trigger over the network when a victim loads attacker-controlled web content. Microsoft has released an official fix and rates the issue 7.5 (High), tempered by high attack complexity and required user interaction; the CVSS temporal data marks exploit maturity as Unproven (E:U), so there is no public exploit identified at time of analysis and no CISA KEV listing. The vendor tags ('Google', 'Use After Free', 'Denial Of Service') indicate this most likely tracks an upstream Chromium engine defect inherited by Edge.

Memory Corruption Google Microsoft +3
NVD VulDB
EPSS 0% CVSS 10.0
CRITICAL PATCH Act Now

Security-feature bypass in Microsoft Edge (Chromium-based) versions prior to 150.0.4078.48 lets a remote, unauthenticated attacker circumvent a browser security control over the network via improper authorization (CWE-285). Microsoft rates it CVSS 10.0 with a changed scope, meaning a successful bypass can affect resources beyond the browser's original security boundary. There is no public exploit identified at time of analysis, and CISA's SSVC framework records exploitation as 'none', so this is a high-severity but not currently-exploited issue with a vendor patch already available.

Authentication Bypass Microsoft Google +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote code execution in Microsoft Edge (Chromium-based) stems from a type-confusion flaw (CWE-843) that an unauthenticated attacker can trigger when a victim visits a malicious web page. Microsoft has released an official fix, and while exploit maturity is currently unproven (no public exploit identified at time of analysis), the high confidentiality, integrity, and availability impact combined with network reach makes it a meaningful browser patch. The CVSS 3.1 base score is 7.5 with high attack complexity and required user interaction, tempering real-world exploitability.

Memory Corruption Authentication Bypass Microsoft +2
NVD VulDB
EPSS 1% CVSS 8.8
HIGH PATCH Exploit Unlikely This Week

Remote code execution in Microsoft Edge (Chromium-based) stems from a heap-based buffer overflow (CWE-122) that a network attacker can trigger when a victim renders crafted web content. The CVSS 3.1 base score is 8.8 with a network vector requiring user interaction (UI:R), and Microsoft has released an official fix (RL:O). No public exploit identified at time of analysis — the temporal metric E:U marks exploit code as unproven — and it is not listed in CISA KEV.

Heap Overflow Microsoft Buffer Overflow +2
NVD VulDB
EPSS 0% CVSS 4.2
MEDIUM PATCH This Month

Race condition in Microsoft Edge (Chromium-based) permits a locally authenticated, low-privileged attacker to disclose information beyond the intended security boundary, with the CVSS scope change (S:C) indicating impact can extend outside the directly vulnerable component - potentially across process or sandbox boundaries within the browser. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog, placing it in a lower operational priority tier despite the scope change. Microsoft has released a patch via the MSRC advisory.

Information Disclosure Microsoft Race Condition +2
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Gitea versions before 1.25.5 do not persist the OAuth2 PKCE S256 challenge method correctly during authorization, allowing token exchange without the expected verifier check.

Authentication Bypass Microsoft Gitea +1
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Gitea versions before 1.25.5 do not consistently enforce OAuth2 authorization code expiry and single-use behavior during token exchange.

Information Disclosure Microsoft Gitea +1
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Unauthenticated public listing of an Azure Blob Storage container exposes device log files across the entire Gardyn smart garden fleet to any internet-accessible actor. The misconfiguration affects all versions of Gardyn Home Firmware, Gardyn Studio Firmware, and the Gardyn Cloud API, meaning no specific patched version bounds the exposure - it is architectural rather than release-specific. Reported via ICS-CERT advisory ICSA-26-183-03, no confirmed active exploitation (CISA KEV) and no public exploit code have been identified at time of analysis, though exploitation requires zero technical prerequisites beyond internet access and knowledge of the container URL.

Microsoft Information Disclosure Gardyn Home Firmware +2
NVD GitHub
EPSS 0% CVSS 7.3
HIGH This Week

Local privilege escalation in WatchGuard Mobile VPN with SSL client for Windows (versions up to and including 2026.2) lets an authenticated local attacker elevate from a low-privileged account to NT AUTHORITY\SYSTEM on any machine where the client is installed. The flaw is rooted in insecure permission assignment (CWE-732), and there is no public exploit identified at time of analysis, though the vendor-reported nature and full high-impact CVSS (7.3, CVSS 4.0) make it a meaningful endpoint-hardening concern.

Privilege Escalation Watchguard Microsoft +1
NVD VulDB
EPSS 0% CVSS 8.7
HIGH This Week

Denial-of-service in WatchGuard Fireware OS lets a remote, unauthenticated attacker crash the IKEv2 VPN service by sending specially crafted IKEv2 messages that trigger a null pointer dereference (CWE-476). The flaw affects appliances running Mobile User VPN with IKEv2 or Branch Office VPN over IKEv2 with a dynamic gateway peer, spanning Fireware OS 11.10.2 through 2026.2. No public exploit identified at time of analysis; the CVSS 4.0 score of 8.7 reflects high availability impact with no confidentiality or integrity loss.

Watchguard Denial Of Service Microsoft +2
NVD VulDB
EPSS 1% CVSS 8.8
HIGH PATCH NO ACTION HOSTED Monitor

Privilege escalation in Microsoft Exchange Online allows an already-authenticated attacker to elevate their permissions over the network by exploiting an incorrect authorization check (CWE-863). Because Exchange Online is a cloud-hosted, multi-tenant service, a low-privileged authenticated user could gain elevated access to confidential data, tamper with mail/configuration, and disrupt availability. No public exploit has been identified at time of analysis, and the EPSS/exploit-maturity signal (E:U) indicates exploit code is currently unproven.

Authentication Bypass Microsoft Microsoft Exchange Online
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH NO ACTION Monitor

Privilege elevation in Microsoft Azure Synapse Analytics allows a network-based, authorized attacker to bypass improper access controls and gain higher privileges than assigned. The flaw carries a critical 9.8 CVSS with full confidentiality, integrity, and availability impact, though its EPSS probability is modest (0.33%, 24th percentile) and CISA SSVC records no observed exploitation. No public exploit has been identified at time of analysis, and Microsoft has released a fix through its Security Update Guide.

Authentication Bypass Microsoft Azure Synapse
NVD VulDB
EPSS 1% CVSS 8.8
HIGH PATCH NO ACTION HOSTED Monitor

Privilege elevation in Microsoft's Azure OpenAI service allows an authorized (low-privileged) attacker to abuse a server-side request forgery flaw (CWE-918) to force the service backend to issue attacker-controlled network requests, resulting in high confidentiality, integrity, and availability impact. The flaw carries CVSS 8.8 and requires only low privileges over the network with no user interaction, but currently shows no public exploit identified at time of analysis and a modest EPSS of 0.62%. Because Azure OpenAI is a Microsoft-hosted cloud service, remediation is delivered server-side by the vendor rather than requiring customer patching.

SSRF Microsoft Azure Open Ai
NVD VulDB
EPSS 1% CVSS 8.8
HIGH PATCH NO ACTION HOSTED Monitor

Privilege escalation via server-side request forgery affects the Microsoft Entra Provisioning Service (SyncFabric), where an authenticated attacker with low privileges can coerce the service into making attacker-controlled network requests to reach internal endpoints and elevate privileges across the identity provisioning fabric. Microsoft has released a fix through MSRC; there is no public exploit identified at time of analysis, and SSVC rates exploitation as none with an EPSS of 0.64%. The high CVSS of 8.8 is driven by total technical impact (C:H/I:H/A:H) against a cloud identity control plane.

SSRF Microsoft Microsoft Entra Provisioning Service
NVD VulDB
HIGH PATCH This Week

Source-code disclosure in the Algernon web/application server (Go, xyproto/algernon, tested at v1.17.8) lets an unauthenticated remote client retrieve the raw source of any public-path server-side script on Windows hosts by appending an NTFS-equivalent suffix (::$DATA, a trailing dot, or a trailing space) to the URL. Because filepath.Ext() does an exact suffix match, these forms are not recognized as .lua/.tl/.po2/.amber/.frm and fall through to the raw-file branch, while NTFS canonicalizes the name back to the real script, exposing embedded database credentials and the SetCookieSecret value used to forge session cookies. Publicly available exploit code exists (full PoC in the GitHub advisory); no public exploit identified as actively exploited and this is not in CISA KEV.

PostgreSQL Apple Microsoft +1
NVD GitHub
EPSS 0% CVSS 9.4
CRITICAL PATCH Act Now

Authentication bypass via path traversal in the fast-mcp-telegram MCP server (Python, PyPI package fast-mcp-telegram, master through release 0.19.0) lets a remote client hijack the default Telegram account without a valid bearer token. The SessionFileTokenVerifier blocks the exact reserved token 'telegram' but fails to normalize path separators, so a token like '../fast-mcp-telegram/telegram' resolves back to the default ~/.config/fast-mcp-telegram/telegram.session file and is accepted. A validation proof-of-concept is published in the advisory (publicly available exploit code exists), though there is no public exploit identified in the wild and no CISA KEV listing.

Authentication Bypass Python Path Traversal +1
NVD GitHub
CVSS 8.8
HIGH PATCH This Week

Arbitrary command execution in electerm (the open-source cross-platform SSH/SFTP/terminal client) allows a malicious remote server to run OS commands on the connecting user's desktop. The flaw lives in the rmrf(), mv() and cp() helpers in src/app/lib/fs.js, which build shell command strings by interpolating attacker-influenced file paths without escaping shell metacharacters; a hostile SSH/SFTP server that serves files with crafted names can break out of the quoted argument when the victim performs a file operation. Rated CVSS 8.8; no public exploit identified at time of analysis and it is not listed in CISA KEV, so treat this as high-severity but not confirmed exploited.

Command Injection Microsoft
NVD GitHub
PATCH Awaiting Data

Pre-NVD disclosure via GitHub release 'v2.7.5' (openvpn/openvpn). ### Security fixes: - openvpnserv (windows): fix DNS SearchList state pollution on (dis)connect. specific combinations of `--dns` config entries plus local DNS config could lead to corruption of pre-openvpn DNS config ([CVE-2026-13379](https://www.cve.org/CVERecord?id=CVE-2026-13379)) Bug found by 章鱼哥 (www.aipyaipy.com). - Fix use-after-free bug in ack_write_buf(), triggerable by a well-timed sequence of control channel + authentication packets ([CVE-2026-12996](https://www

Microsoft Information Disclosure
NVD GitHub
PATCH Awaiting Data

Pre-NVD disclosure via GitHub release 'v2.7.5' (openvpn/openvpn). ### Security fixes: - openvpnserv (windows): fix DNS SearchList state pollution on (dis)connect. specific combinations of `--dns` config entries plus local DNS config could lead to corruption of pre-openvpn DNS config ([CVE-2026-13379](https://www.cve.org/CVERecord?id=CVE-2026-13379)) Bug found by 章鱼哥 (www.aipyaipy.com). - Fix use-after-free bug in ack_write_buf(), triggerable by a well-timed sequence of control channel + authentication packets ([CVE-2026-12996](https://www

Microsoft Information Disclosure
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Denial-of-service in OpenVPN via a reachable assertion (CWE-617) allows a remote, low-privileged attacker to crash the OpenVPN daemon under high-complexity, timing-specific conditions. All OpenVPN deployments running versions prior to v2.7.5 are affected; the fix is available in the v2.7.5 release disclosed pre-NVD via GitHub. No public exploit code or CISA KEV listing has been identified at time of analysis; the CVSS 4.0 score of 5.9 (Medium) reflects the constrained exploitation path, though VPN service disruption carries meaningful operational impact for affected operators.

Microsoft Information Disclosure Openvpn +2
NVD GitHub
PATCH Awaiting Data

Pre-NVD disclosure via GitHub release 'v2.7.5' (openvpn/openvpn). ### Security fixes: - openvpnserv (windows): fix DNS SearchList state pollution on (dis)connect. specific combinations of `--dns` config entries plus local DNS config could lead to corruption of pre-openvpn DNS config ([CVE-2026-13379](https://www.cve.org/CVERecord?id=CVE-2026-13379)) Bug found by 章鱼哥 (www.aipyaipy.com). - Fix use-after-free bug in ack_write_buf(), triggerable by a well-timed sequence of control channel + authentication packets ([CVE-2026-12996](https://www

Microsoft Information Disclosure
NVD GitHub
EPSS 1% CVSS 6.0
MEDIUM PATCH This Month

Memory leak in OpenVPN (pre-2.7.5) allows network-accessible unauthenticated attackers to exhaust server memory, resulting in high availability impact and denial of service. The flaw, classified CWE-401, requires specific attack prerequisites (CVSS 4.0 AT:P) and passive client interaction (UI:P), meaning it is not trivially exploitable against all default deployments. No active exploitation has been confirmed in CISA KEV and no public exploit code has been identified at time of analysis; vendor patch v2.7.5 is available.

Microsoft Information Disclosure Openvpn +2
NVD GitHub
PATCH Awaiting Data

Pre-NVD disclosure via GitHub release 'v2.7.5' (openvpn/openvpn). ### Security fixes: - openvpnserv (windows): fix DNS SearchList state pollution on (dis)connect. specific combinations of `--dns` config entries plus local DNS config could lead to corruption of pre-openvpn DNS config ([CVE-2026-13379](https://www.cve.org/CVERecord?id=CVE-2026-13379)) Bug found by 章鱼哥 (www.aipyaipy.com). - Fix use-after-free bug in ack_write_buf(), triggerable by a well-timed sequence of control channel + authentication packets ([CVE-2026-12996](https://www

Microsoft Information Disclosure
NVD GitHub
PATCH Awaiting Data

Pre-NVD disclosure via GitHub release 'v2.7.5' (openvpn/openvpn). ### Security fixes: - openvpnserv (windows): fix DNS SearchList state pollution on (dis)connect. specific combinations of `--dns` config entries plus local DNS config could lead to corruption of pre-openvpn DNS config ([CVE-2026-13379](https://www.cve.org/CVERecord?id=CVE-2026-13379)) Bug found by 章鱼哥 (www.aipyaipy.com). - Fix use-after-free bug in ack_write_buf(), triggerable by a well-timed sequence of control channel + authentication packets ([CVE-2026-12996](https://www

Microsoft Information Disclosure
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Uninitialized Use in ANGLE in Google Chrome on Windows prior to 150.0.7871.46 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)

Information Disclosure Microsoft Google +1
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome on Windows prior to 150.0.7871.46 stems from an out-of-bounds read in ANGLE, the browser's graphics abstraction layer. Remote attackers can exploit this by serving a crafted HTML page to a Windows user, causing the ANGLE subsystem to read memory beyond its intended buffer boundary and exposing data belonging to a separate web origin. No public exploit code has been identified at time of analysis, and the EPSS score of 0.18% (8th percentile) indicates low exploitation probability in the near term.

Google Microsoft Buffer Overflow +2
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Integer overflow in ANGLE in Google Chrome on Windows prior to 150.0.7871.46 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)

Information Disclosure Microsoft Google +1
NVD
CVSS 8.1
HIGH PATCH This Week

Access-control bypass in the goshs WebDAV listener (Go package goshs.de/goshs/v2, all releases through v2.0.9) lets an authenticated WebDAV client write, delete, and create files even when the operator started the server with --read-only, --upload-only, or --no-delete. The mode-restriction flags are enforced only on the primary HTTP port, while the WebDAV port (-w/-wp) wires requests straight into golang.org/x/net/webdav.Handler with no guard, so PUT/DELETE/MKCOL/MOVE/COPY succeed regardless of operator intent. A working proof of concept is published in the GitHub Security Advisory (GHSA-3whc-qvhv-xqjp); publicly available exploit code exists, but there is no public exploit identified as being used in active attacks.

Authentication Bypass Microsoft
NVD GitHub
LOW PATCH Monitor

Unvalidated bearer realm URL handling in oras-go v2 ≤ 2.6.0 enables two distinct attack primitives against users who run oras operations against a malicious, compromised, or man-in-the-middle'd registry: server-side request forgery (SSRF) to internal network endpoints including cloud instance metadata services, and TLS downgrade that exposes user credentials in plaintext. The OCI distribution spec legitimately allows cross-host realm references for split-auth deployments (e.g., Docker Hub's auth.docker.io pattern), but oras-go failed to block private IP literals, loopback addresses, and scheme downgrades from https to http - patterns that are never legitimate under any valid registry trust model. No active exploitation has been confirmed (not in CISA KEV), and a patch is available in v2.6.1.

SSRF Microsoft Docker
NVD GitHub
EPSS 1% CVSS 8.3
HIGH PATCH Exploit Unlikely This Week

Remote code execution in Microsoft Edge (Chromium-based) stems from a use-after-free (CWE-416) memory-corruption flaw that lets an authorized attacker run arbitrary code over a network within the browser process. Microsoft has shipped an official fix and rates it CVSS 8.3; the exploit-maturity metric is Unproven (E:U), meaning no public exploit identified at time of analysis and it is not listed in CISA KEV. Impact is high to confidentiality and integrity with partial availability loss, making it a meaningful but not emergency patch priority for Edge-based endpoints.

Memory Corruption Google Microsoft +3
NVD
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

Timestamp forgery in sigstore-js allows an attacker supplying a crafted bundle v0.2 to manipulate certificate validity window checks by controlling the `integratedTime` field in an inclusionProof-only tlog entry. Because the inclusionProof-only code path in `@sigstore/verify` does not cryptographically bind `integratedTime` (unlike the signed inclusionPromise/set path), a low-privileged attacker who can present an untrusted bundle can cause the verifier to accept expired or not-yet-valid signing certificates as currently valid. A publicly available proof-of-concept exists; this vulnerability is not in CISA KEV.

Canonical Microsoft Information Disclosure
NVD GitHub
CRITICAL Act Now

Remote OS command injection in Network UPS Tools upsmon (versions 2.8.3-2.8.5) allows a network-positioned attacker - acting as a man-in-the-middle on the plaintext 3493/tcp NUT protocol connection, operating a compromised upsd server, or controlling a rogue UPS device - to execute arbitrary shell commands as the upsmon service account. The vulnerability exists in the NOTIFYCMD alarm handler, where server-supplied ups.alarm text is interpolated directly into a shell command string and executed via system(), enabling injection of shell metacharacters. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, though the oss-security disclosure contains sufficient implementation detail to construct a working exploit.

Command Injection Microsoft
NVD VulDB
CVSS 4.3
MEDIUM PATCH This Month

SSRF policy bypass in jshookmcp 0.3.1 allows an authenticated MCP client with network domain access to probe internal RFC 1918 and reserved addresses that are explicitly blocked by all other network tools on the same server. The `network_icmp_probe` and `network_traceroute` handlers call `resolveHostname` directly without invoking the central `resolveAuthorizedTransportTarget` guard, creating an inconsistent enforcement boundary. No CISA KEV listing exists, but proof-of-concept test code demonstrating the bypass via the `handleCallTool` dispatch path is included in the GitHub advisory (GHSA-c5r6-m4mr-8q5j), confirming exploitability without external traffic.

SSRF Microsoft Node.js +2
NVD GitHub
EPSS 0% CVSS 7.4
HIGH This Week

Credential disclosure in UltraVNC through 1.8.2.2 lets a passive network observer break the MS-Logon II authentication handshake and recover plaintext usernames and passwords. The rfbUltraVNC_MsLogonIIAuth scheme relies on a Diffie-Hellman exchange whose prime fits in an unsigned 64-bit integer and a private exponent derived from time(NULL)-seeded libc rand(), both of which are trivially solvable, so an attacker who sniffs or man-in-the-middles the exchange derives the shared key in seconds to a minute. There is no public exploit identified at time of analysis and no EPSS/KEV signal supplied; CVSS is 7.4 (AC:H reflecting the need to observe the handshake), and MS-Logon III (X25519 + AES-256-GCM) is not affected.

Microsoft Information Disclosure Ultravnc
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

UltraVNC through 1.8.2.2 exposes a cryptographically weak VNC authentication challenge generator that an attacker can predict by observing network traffic and enumerating a roughly 31-bit seed space derived from wall-clock time and process ID. Successful seed reconstruction allows the attacker to forge or brute-force valid VNC authentication responses, effectively bypassing the RFB challenge-response mechanism and gaining unauthorized remote desktop access. No public exploit has been identified at time of analysis, and the vulnerability is not currently listed in the CISA KEV catalog; however, the mathematical basis for exploitation is straightforward given the small seed space.

Microsoft Information Disclosure Ultravnc
NVD GitHub
EPSS 0% CVSS 4.2
MEDIUM PATCH This Month

UI spoofing in Google Chrome's WebAppInstalls component on Windows (versions prior to 150.0.7871.47) enables a remote attacker to misrepresent the browser interface by luring a user into performing specific UI interaction gestures on a crafted HTML page. The flaw is Windows-platform-specific and rooted in an inappropriate implementation of the Progressive Web App installation UI flow. Google rates this Low severity; no public exploit identified at time of analysis, and EPSS data is not present in the provided intelligence, but the CVSS 4.2 score and required high-complexity user interaction significantly limit real-world risk.

Information Disclosure Microsoft Google +1
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

OS-level privilege escalation in Google Chrome for Windows before 150.0.7871.47 lets a local attacker leverage an inappropriate implementation in the CredentialProvider component to elevate privileges via a malicious file. Exploitation requires local access plus user interaction (UI:R), and though Google rated the Chromium security severity 'Low', the CVSS 3.1 base score is 7.8 (High) due to full confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis, and the EPSS probability is very low at 0.11% (2nd percentile).

Privilege Escalation Microsoft Google +1
NVD
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Insufficient validation of untrusted input in WebAppInstalls in Google Chrome on Windows prior to 150.0.7871.47 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: Low)

Information Disclosure Microsoft Google +1
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Type confusion in Chrome's Bluetooth stack on Windows (versions prior to 150.0.7871.47) enables an adjacent-network attacker to exfiltrate sensitive data from Chrome process memory by presenting a malicious Bluetooth peripheral. The CVSS 6.5 score reflects high confidentiality impact but no integrity or availability exposure; notably, Chromium's internal security team rated this Low severity, suggesting the memory regions accessible are constrained. No public exploit code and no CISA KEV listing exist at time of analysis, and exploitation is physically bounded by Bluetooth range.

Memory Corruption Information Disclosure Microsoft +2
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Memory disclosure via DevTools in Google Chrome on Windows (prior to 150.0.7871.47) enables a remote attacker to read sensitive process memory contents by delivering a crafted HTML page and manipulating the victim into performing specific UI gestures. The vulnerability is Windows-platform-exclusive and carries a Chromium-internal severity of Low, consistent with SSVC's assessment of no current exploitation and non-automatable delivery. No active exploitation or public exploit code has been identified at time of analysis, though the CVSS C:H rating reflects meaningful confidentiality risk if successfully triggered.

Information Disclosure Microsoft Google +1
NVD
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Sandbox escape in Google Chrome for Windows before 150.0.7871.47 lets an attacker who has already compromised the renderer process abuse a use-after-free in the Updater component via a crafted HTML page to break out of the browser sandbox. It is a second-stage bug that Chromium rated only Low severity despite the CVSS 9.6 score, with no public exploit identified at time of analysis and a low EPSS probability of 0.18% (8th percentile). Google has shipped a fixed Stable-channel build.

Memory Corruption Google Microsoft +3
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use after free in Installer in Google Chrome on Windows prior to 150.0.7871.47 allowed a local attacker to perform OS-level privilege escalation via a malicious file. (Chromium security severity: Low)

Memory Corruption Google Microsoft +4
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Heap corruption in Google Chrome's WebNN (Web Neural Network API) implementation on Windows, fixed in 150.0.7871.47, lets an attacker who has already compromised the renderer process trigger a heap buffer overflow via a crafted HTML page and potentially escalate beyond the sandbox. Chromium's own security team rated this Low severity, while NVD scores it 8.8; EPSS is low at 0.19% (9th percentile) and there is no public exploit identified at time of analysis. It is not listed in CISA KEV and SSVC records exploitation status as none.

Buffer Overflow Microsoft Google +1
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation in Google Chrome's Chromoting (Chrome Remote Desktop) component on Windows before 150.0.7871.47 allows a local attacker who plants a malicious file to elevate privileges after the victim interacts with it. The flaw stems from insufficient validation of untrusted input (CWE-20) and carries a 7.8 CVSS but was rated Low severity by Chromium's own team. There is no public exploit identified at time of analysis, and the EPSS probability is very low (0.13%, 3rd percentile), consistent with a local, interaction-dependent issue rather than a mass-exploitable one.

Privilege Escalation Microsoft Google +1
NVD
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Sandbox escape in Google Chrome on Windows prior to 150.0.7871.47 lets a remote attacker who has already compromised the renderer process break out of the browser sandbox by feeding crafted input to the Device Trust component via a malicious HTML page. NVD scores this 9.6 (Critical) while Google rates the Chromium security severity as Low, and there is no public exploit identified at time of analysis. EPSS is very low at 0.17% (7th percentile), and it is not listed in CISA KEV.

Information Disclosure Microsoft Google +1
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Site isolation bypass in Google Chrome's Media component on Windows allows remote attackers to circumvent cross-origin security boundaries by delivering a specially crafted HTML page to a victim. All Chrome for Windows releases prior to 150.0.7871.47 are affected. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; EPSS at 0.18% (8th percentile) and SSVC exploitation status of 'none' consistently indicate low current real-world risk despite the potential severity of an isolation bypass.

Authentication Bypass Microsoft Google +1
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation in Google Chrome's Updater component on Windows (versions prior to 150.0.7871.47) allows a local attacker to escalate to OS-level privileges via a malicious file that triggers a use-after-free condition. Google rates the Chromium security severity as Medium, though the CVSS base score is 7.8 (High) because the Updater runs with elevated (SYSTEM) privileges. There is no public exploit identified at time of analysis and EPSS is very low (0.11%, 1st percentile), indicating negligible observed exploitation activity.

Memory Corruption Google Microsoft +4
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Cross-origin data exfiltration in Google Chrome's WebRTC subsystem on Windows allows remote attackers to leak sensitive data from other origins by directing victims to a specially crafted HTML page. All Chrome on Windows versions prior to 150.0.7871.47 are affected. No public exploit identified at time of analysis, and the EPSS score of 0.17% (7th percentile) signals low near-term exploitation probability despite the CVSS High confidentiality impact - consistent with Chromium's own 'Medium' severity designation and the inherent timing-sensitivity of race condition attacks.

Information Disclosure Microsoft Race Condition +2
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Uninitialized memory use in Chrome's codec subsystem on Windows leaks process memory contents to remote attackers who can direct a user to a crafted HTML page. All Chrome versions prior to 150.0.7871.47 on Windows are affected; exploitation requires no authentication but does require the victim to visit attacker-controlled content, placing this in the drive-by browsing threat category. No public exploit code has been identified at time of analysis, and Google has released a confirmed fix in stable channel 150.0.7871.47.

Information Disclosure Microsoft Google +1
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

UI spoofing in Google Chrome for Windows (prior to 150.0.7871.47) is enabled by insufficient input validation in the DataTransfer subsystem when the renderer process has already been compromised. A remote attacker who controls a compromised renderer can deliver a crafted HTML page that manipulates visual UI elements, potentially deceiving users into approving malicious permissions, revealing credentials, or performing unintended actions. No active exploitation has been confirmed (not in CISA KEV), and EPSS of 0.17% at the 7th percentile reflects minimal observed exploitation probability; however, exploitation as a second-stage payload in a renderer RCE chain remains a realistic concern for high-value targets.

Information Disclosure Microsoft Google +1
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Process memory disclosure in Google Chrome DevTools on Windows (versions prior to 150.0.7871.47) allows a remote attacker to read potentially sensitive data from browser process memory by serving a crafted HTML page and convincing a user to perform specific UI gestures. The flaw stems from insufficient input validation (CWE-20) within the DevTools subsystem and is limited to the Windows platform. No public exploit code or CISA KEV listing has been identified at time of analysis, but the confidentiality impact is rated High by NVD.

Information Disclosure Microsoft Google +1
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Uninitialized memory use in the codec subsystem of Google Chrome on Windows exposes potentially sensitive process memory contents to remote attackers via a crafted HTML page. All Chrome for Windows releases prior to 150.0.7871.47 are affected; the flaw is platform-specific and does not affect Chrome on Linux, macOS, or mobile. No public exploit code has been identified and this vulnerability is absent from the CISA KEV catalog, though the CVSS C:H rating reflects meaningful confidentiality risk, and the uninitialized read could serve as a precursor step toward ASLR bypass in a chained attack.

Information Disclosure Microsoft Google +1
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

UI spoofing in Google Chrome on Windows (prior to 150.0.7871.47) allows a remote attacker who has already compromised the renderer process to manipulate the browser interface via a specially crafted HTML page, potentially deceiving users into interacting with falsified content or controls. The vulnerability stems from an inappropriate implementation in the Media component and is classified as medium severity (CVSS 6.5). No public exploit code or active exploitation has been identified - EPSS sits at the 11th percentile (0.21%) and no CISA KEV listing exists - and a vendor patch is confirmed available in Chrome 150.0.7871.47.

Authentication Bypass Microsoft Google +1
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Inappropriate implementation in Downloads in Google Chrome on Windows prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: Medium)

RCE Microsoft Google +1
NVD
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Sandbox escape in Google Chrome on Windows before 150.0.7871.47 lets an attacker who has already compromised the renderer process break out of the browser sandbox by serving a crafted HTML page that abuses insufficient input validation in the Media component. Google rates the Chromium security severity as Medium and a fix is shipped in the stable channel, but no public exploit has been identified and EPSS exploitation probability is low at 0.21%. The high 9.6 CVSS reflects the total system compromise possible once chained, not standalone exploitability.

Information Disclosure Microsoft Google +1
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Memory disclosure in Google Chrome's GPU component on Windows enables a remote attacker - who has already established renderer process compromise - to extract sensitive data from process memory via a crafted HTML page. Affected versions are all Chrome for Windows releases prior to 150.0.7871.47. This is a second-stage exploit component: it does not independently achieve remote code execution but can be chained with a renderer exploit to leak process memory contents, potentially exposing credentials, tokens, or other in-memory sensitive data. No public exploit code and no CISA KEV listing have been identified at time of analysis.

Information Disclosure Microsoft Google +1
NVD
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Sandbox escape in Google Chrome's Device component on Windows (versions prior to 150.0.7871.47) lets an attacker who has already compromised the renderer process break out of the browser sandbox via a crafted HTML page, exploiting a use-after-free (CWE-416). Google rates the Chromium security severity as Medium, reflecting that it is a second-stage bug requiring prior renderer compromise, though the NVD CVSS of 9.6 is inflated by the sandbox scope change. There is no public exploit identified at time of analysis and EPSS is low (0.21%), indicating no current sign of widespread exploitation.

Memory Corruption Google Microsoft +3
NVD
EPSS 0% CVSS 4.2
MEDIUM PATCH This Month

UI spoofing in Google Chrome's Autofill component on Windows (all versions prior to 150.0.7871.47) allows a remote unauthenticated attacker to mislead users into interacting with forged security UI elements by convincing them to perform specific on-page gestures against a crafted HTML page. Rooted in CWE-451 (UI Misrepresentation of Critical Information), the flaw enables an adversary to obscure or fabricate Autofill security indicators, potentially tricking users into submitting saved credentials or personal data to attacker-controlled destinations. No public exploit or CISA KEV listing has been confirmed; Google has released a fix in stable channel version 150.0.7871.47.

Information Disclosure Microsoft Google +1
NVD
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Insufficient validation of untrusted input in Chromoting in Google Chrome on Windows prior to 150.0.7871.47 allowed a local attacker to potentially perform a sandbox escape via a malicious file. (Chromium security severity: High)

Information Disclosure Microsoft Google +1
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local OS-level privilege escalation in Google Chrome on Windows (versions prior to 150.0.7871.47) arises from a use-after-free in the Chrome Updater component, letting a local attacker who can plant a malicious file on the system elevate to higher OS privileges. Google rates the Chromium severity as High and has released a fixed Stable channel build; there is no public exploit identified and it is not listed in CISA KEV. EPSS is low at 0.13% (3rd percentile), consistent with a bug that requires local access and user interaction rather than mass remote exploitation.

Memory Corruption Google Microsoft +4
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Insufficient validation of untrusted input in Settings in Google Chrome on Windows prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Information Disclosure Microsoft Google +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation in the Google Chrome Updater on Windows (versions prior to 150.0.7871.47) allows a local attacker to gain OS-level privileges by planting a malicious file that the Updater component mishandles. Rated High by Chromium and CVSS 7.8, exploitation requires local access plus user interaction; there is no public exploit identified at time of analysis, and EPSS is low at 0.13% (3rd percentile). A vendor patch is available in the June 2026 Stable Channel release.

Authentication Bypass Privilege Escalation Microsoft +2
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote code execution in Google Chrome on Windows before version 150.0.7871.47 allows an attacker to run arbitrary code by luring a victim to a crafted HTML page and getting them to perform specific UI gestures against the WebAppInstalls component. Chromium rates the flaw High severity; no public exploit identified at time of analysis, and the EPSS probability is low (0.26%, 17th percentile), indicating the attack is not yet broadly commoditized despite the serious impact.

RCE Microsoft Google +1
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Remote code execution in Google Chrome's Chromoting (Chrome Remote Desktop) component on Windows affects all desktop builds prior to 150.0.7871.47, where a use-after-free (CWE-416) lets a remote attacker corrupt memory via malicious network traffic. Google rates the Chromium severity Critical, and a vendor patch is available, but there is no public exploit identified at time of analysis and EPSS is low at 0.24%. High attack complexity (AC:H) means the memory-corruption race is non-trivial to win reliably, tempering the CVSS 8.1 score.

Memory Corruption Google Microsoft +4
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Denial of service in IBM Db2 11.5.0-11.5.9 and 12.1.0-12.1.4 allows an authenticated low-privileged user to crash or hang the database server by submitting a crafted SQL query exploiting improper neutralization of special elements in XMLTable-derived column processing logic. The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) confirms this is remotely triggerable with minimal privileges, posing a realistic insider-threat or compromised-credential availability risk. No public exploit code or active exploitation has been identified at time of analysis.

IBM Denial Of Service Microsoft +1
NVD
EPSS 0% CVSS 8.2
HIGH This Week

Server-Side Request Forgery in IBM Langflow OSS 1.0.0 through 1.9.6 lets an attacker coerce the application into making arbitrary HTTP requests via the legacy RSSReaderComponent (rss.py) and the SearXNG component (searxng.py), which fetch user-controlled URLs without validation. These two components bypass the SSRF protections that were added in version 1.9.3, allowing reach into internal resources such as AWS/Azure/GCP instance metadata (IMDS) to steal IAM credentials and enumerate internal networks. The flaw is reachable directly by an authenticated user and indirectly through prompt injection in agentic workflows because the components are exposed with tool_mode=True; no public exploit identified at time of analysis.

SSRF IBM Microsoft +1
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

IBM Db2 versions 11.5.0-11.5.9 and 12.1.0-12.1.4 expose sensitive information through internal monitoring and event tables to authenticated low-privilege local users, a consequence of CWE-538 where sensitive data is inserted into storage locations accessible beyond the intended trust boundary. The CVSS vector confirms local-only attack surface (AV:L) with low-privilege authentication (PR:L) and high confidentiality impact, making this most relevant to insider threat scenarios or post-compromise lateral movement in multi-tenant Db2 environments. No public exploit code exists and the vulnerability is not listed in CISA KEV, indicating no confirmed active exploitation at time of analysis.

IBM Microsoft Information Disclosure +1
NVD VulDB
CVSS 5.3
MEDIUM POC PATCH This Month

Path traversal in CefSharp's `FolderSchemeHandlerFactory` (NuGet: cefsharp.common, assembly version 147.0.100) allows an embedded browser to serve local files from outside the configured `rootFolder` when sibling directories share a common name prefix. The root cause is a raw C# string prefix check (`filePath.StartsWith(rootFolder, StringComparison.OrdinalIgnoreCase)`) that does not enforce directory boundaries, meaning a canonicalized path into a sibling directory such as `www2` passes validation intended to restrict access to `www`. A detailed proof-of-concept with exact request paths is publicly documented in the GitHub Security Advisory GHSA-85jm-cwp2-mvpv; no CISA KEV listing exists at time of analysis, indicating no confirmed active exploitation.

Path Traversal Microsoft
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Denial of service in the Microsoft.OpenApi (OpenAPI.NET) .NET library lets a crafted OpenAPI document with circular schema $ref references crash the host process via stack overflow (CWE-674, uncontrolled recursion). Any .NET application, CLI, developer tool, or service that parses untrusted OpenAPI documents in-process through the public reader APIs is affected across both JSON and YAML reader paths, including Microsoft's own kiota tool. A working reproduction payload is published in the GitHub advisory; the impact is availability-only with no code execution, and there is no public exploit identified beyond that payload and no evidence of active exploitation.

Authentication Bypass Microsoft RCE +2
NVD GitHub VulDB
EPSS 0% CVSS 4.4
MEDIUM This Month

Server-Side Request Forgery (SSRF) in Foreman's HTTP proxy controller within Red Hat Satellite 6 allows high-privileged attackers to redirect internal HTTP requests to cloud metadata endpoints on AWS, GCP, and Azure environments. By manipulating HTTP parameters in the http_proxies_controller or http_proxy configuration files, an attacker can cause the Foreman server to issue forged requests to internal metadata services (e.g., AWS IMDS at 169.254.169.254), potentially harvesting IAM role credentials, access tokens, and environment configuration secrets. No public exploit code has been identified at time of analysis, and no CISA KEV listing exists, but the confidentiality impact is high given the value of cloud metadata credentials.

SSRF Microsoft Red Hat Satellite 6 +1
NVD VulDB
MEDIUM PATCH This Month

PKCE bypass in OpenAM Community Edition through 16.0.6 allows an attacker who intercepts an OAuth2 authorization code to exchange it for tokens without supplying the required code_verifier. The token endpoint only enforces PKCE verification when the realm-wide codeVerifierEnforced setting is explicitly enabled - a setting that ships disabled by default - meaning omitting the code_verifier parameter silently skips the challenge check entirely. No public exploit has been identified at time of analysis, and a patch is available in version 16.1.1.

Authentication Bypass Microsoft
NVD GitHub
EPSS 0% CVSS 2.3
LOW POC PATCH Monitor

Arbitrary code execution in Flowise before 3.1.3 on Windows allows an authenticated user with Custom MCP node configuration access to bypass the NODE_OPTIONS environment variable denylist by supplying the lowercase variant 'node_options', exploiting a case-sensitive string comparison against a case-insensitive OS. The injected NODE_OPTIONS --require directive causes the Flowise server process to load an attacker-controlled module when spawning a Custom MCP stdio child process. A publicly available proof-of-concept exists per VulnCheck; the vulnerability is not listed in CISA KEV, and exploitation is constrained by Windows platform dependency and the requirement for stdio mode to be explicitly enabled.

Microsoft RCE Flowise
NVD GitHub VulDB Exploit-DB
EPSS 0% CVSS 4.8
MEDIUM POC This Month

Mark-of-the-Web protection is bypassed in 7-Zip for Windows 26.02 and earlier when extracting crafted RAR5 archives, allowing an attacker to strip the Internet-zone marker (ZoneId=0) and spoof the extracted file's data stream content - directly defeating SmartScreen and Windows attachment warnings. The bypass exploits a gap between 7-Zip's exact-string guard ('Zone.Identifier') and the NTFS-canonical equivalent (':Zone.Identifier:$DATA') that a RAR5 STM record can supply; a second STM record ('::$DATA') additionally overwrites the default file data stream for content spoofing. A publicly available proof-of-concept exists; no vendor-released patched version has been confirmed at the time of analysis.

Microsoft Information Disclosure 7 Zip
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Sensitive application data exposure in HCL Traveler for Microsoft Outlook (HTMO) allows a local low-privileged attacker to read sensitive information - likely credentials, tokens, or session data written to application log files (CWE-532) - potentially enabling follow-on attacks against connected systems. The CVSS vector confirms local access with low privileges is sufficient to achieve high confidentiality impact, with no integrity or availability consequences. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis.

Microsoft Information Disclosure Traveler For Microsoft Outlook
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

HCL Traveler for Microsoft Outlook (HTMO) is susceptible to vulnerabilities due to .NET Framework 4.5 being out of service. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.

Microsoft Information Disclosure Traveler For Microsoft Outlook
NVD VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Authenticated path traversal in Kestra's local internal-storage backend (versions prior to 1.0.45 and 1.3.23) lets any low-privilege user with execution-view access read arbitrary files on the host. The flaw stems from validation ordering: the guard checks for '..' sequences before backslashes are normalized to forward slashes, so a Windows-style '..\..\..\' payload bypasses the check and is rewritten to a real traversal only after validation. There is no public exploit identified at time of analysis, and EPSS/KEV signals are absent, but the confidentiality impact is severe because it breaks the multi-tenant storage isolation boundary.

Path Traversal Microsoft Kestra
NVD GitHub VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

The HCL Traveler for Microsoft Outlook libraries are being flagged as potentially malicious software or an unrecognized application. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.

Microsoft Information Disclosure Traveler For Microsoft Outlook
NVD VulDB
EPSS 0% CVSS 5.0
MEDIUM PATCH This Month

Notepad++ versions prior to 8.9.6.1 can be crashed by any local process sharing the same interactive Windows session via a malformed WM_COPYDATA message. The COPYDATA_FULL_CMDLINE handler in NppBigSwitch.cpp dereferences COPYDATASTRUCT.lpData as an unbounded NUL-terminated wchar_t* without validating against the COPYDATASTRUCT.cbData length field, enabling an out-of-bounds read that results in process termination. No active exploitation has been confirmed (no CISA KEV listing, no public POC), and the fix is available in the vendor-released patch 8.9.6.1.

Microsoft Buffer Overflow Information Disclosure +1
NVD GitHub VulDB
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Cleartext credential disclosure in OpenProject's Storages module (versions prior to 17.3.3 and 17.4.1) writes the userless OneDrive/SharePoint OAuth access_token in plaintext to Rails.cache under the deterministic key storage.<id>.httpx_access_token, refreshed by an hourly cron and every userless-OAuth call. Because none of the supported cache backends (file_store, memcache, redis) encrypts at rest, an attacker who can read the cache backend retrieves the Azure-AD application-tier bearer token via an anonymous memcached/Redis get. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV.

Redis Microsoft Information Disclosure +1
NVD GitHub
Prev Page 8 of 193 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy