
Google

Vendor security scorecard – 342 CVEs in the selected period

Summary metrics for the selected period:

Risk score: 870
CVEs: 342
Critical: 17
High: 169
KEV: 0
PoC: 3
Unpatched Critical/High: 6
Patch rate: 93.6%
Avg EPSS: 0.0%

Severity Breakdown

Critical: 17
High: 169
Medium: 126
Low: 27

Monthly CVE Trend

Top Risky CVEs

Each entry lists CVE, severity, CVSS score, EPSS, priority score and any signals (No patch / PoC), followed by the summary.

CVE-2026-2031 | CRITICAL | CVSS 10.0 | EPSS 0.3% | Priority 50
Remote code execution in Google Cloud Application Integration allows unauthenticated attackers to access exposed internal API endpoints and execute arbitrary code. The vulnerability stems from improper access controls on internal APIs that were inadvertently exposed to external networks. With a CVSS 4.0 score of 10.0, this represents a critical risk allowing both information disclosure and full system compromise without authentication.

CVE-2026-40281 | CRITICAL | CVSS 10.0 | EPSS 0.1% | Priority 50
Argument injection in Gotenberg v8.30.1 and earlier allows unauthenticated remote attackers to manipulate filesystem operations by embedding newline characters in PDF metadata values. The vulnerability bypasses an incomplete fix from v8.30.1 that sanitized only metadata keys while leaving values unvalidated, enabling injection of ExifTool pseudo-tags like -FileName, -Directory, -SymLink, and -HardLink through the /forms/pdfengines/metadata/write endpoint. Attackers can move files to arbitrary paths (including overwriting /etc/passwd), create symlinks for read/write primitives, and persist data via hard links - all without authentication against default configurations. Vendor-released patch: version 8.31.0. CVSS 10.0 severity reflects the network attack vector (AV:N), no authentication requirement (PR:N), low complexity (AC:L), and scope change (S:C) enabling container escape scenarios. No public exploit identified at time of analysis, though complete PoC reproduction steps are documented in GitHub advisory GHSA-q7r4-hc83-hf2q.

CVE-2026-42589 | CRITICAL | CVSS 9.8 | EPSS 0.1% | Priority 49
Unauthenticated remote code execution in Gotenberg 8.29.1 allows network attackers to execute arbitrary OS commands via newline injection in PDF metadata keys. The `/forms/pdfengines/metadata/write` endpoint passes user-controlled JSON metadata keys directly to ExifTool without control-character validation. Embedding `\n` in a key splits ExifTool's stdin stream, injecting arbitrary flags including `-if` which evaluates Perl expressions. The attack returns HTTP 200 with valid PDF output, evading basic monitoring. CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) reflects critical network-accessible RCE. No vendor-released patch identified at time of analysis — GitHub advisory GHSA-rqgh-gxv4-6657 confirms the issue but CPE data shows no fixed version. Publicly available exploit code exists in Python and bash with OOB exfiltration. Default Docker image `gotenberg/gotenberg:8` runs the vulnerable process as uid 1001 with root group membership, amplifying post-exploitation impact.

CVE-2026-30496 | CRITICAL | CVSS 9.8 | EPSS 0.0% | Priority 49 | Signals: No patch
The Optoma CinemaX P2 projector (firmware TVOS-04.24.010.04.01, Android 8.0.0) exposes an HTTP API on TCP port 2345 that allows full unauthenticated r

CVE-2026-42090 | CRITICAL | CVSS 9.6 | EPSS 0.2% | Priority 48
Remote code execution in Notesnook Desktop (Electron-based) via stored XSS in the note export-to-PDF flow allows unauthenticated remote attackers to execute arbitrary code when a user opens a maliciously crafted note. The vulnerability stems from unescaped HTML in exported note fields (title, headline, content) that execute in an Electron iframe with nodeIntegration enabled and contextIsolation disabled, escalating browser-based XSS to full RCE. Affects Notesnook Web/Desktop <3.3.15 and iOS/Android <3.3.20. CVSS 9.6 with changed scope (S:C) reflects privilege escalation from browser context to system-level code execution. EPSS and KEV data not provided, but requires user interaction (UI:R) to export/view the malicious note, limiting automated exploitation.

CVE-2026-8511 | CRITICAL | CVSS 9.6 | EPSS 0.1% | Priority 48
Use after free in UI in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML pag

CVE-2026-8580 | CRITICAL | CVSS 9.6 | EPSS 0.1% | Priority 48
Use after free in Mojo in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML p

CVE-2026-7333 | CRITICAL | CVSS 9.6 | EPSS 0.0% | Priority 48
Use after free in GPU in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML pa

CVE-2026-7910 | CRITICAL | CVSS 9.6 | EPSS 0.0% | Priority 48
Use-after-free in the Views component of Google Chrome versions prior to 148.0.7778.96 enables site isolation bypass after renderer compromise. A remote attacker who has already compromised the renderer process can escape sandbox protections via a malicious HTML page, potentially accessing cross-origin data or executing code outside the renderer sandbox. Patch released by Google in version 148.0.7778.96. EPSS score of 0.02% (3rd percentile) indicates very low probability of exploitation in the wild currently, with no evidence of active exploitation or public proof-of-concept at time of analysis.

CVE-2026-7908 | CRITICAL | CVSS 9.6 | EPSS 0.1% | Priority 48
Sandbox escape in Google Chrome versions prior to 148.0.7778.96 allows remote attackers to break out of the browser's security sandbox through a use-after-free vulnerability in the Fullscreen API component. Attackers can deliver exploitation via a specially crafted HTML page requiring only a user visit to the page (no additional interaction). With CVSS 9.6 (Critical) and scope change indicating containment breach, this represents a serious risk to browser security model integrity. No evidence of active exploitation (not in CISA KEV) and EPSS data not available at time of analysis.

CVE-2026-44211 | CRITICAL | CVSS 9.6 | EPSS – | Priority 48 | Signals: No patch
The `kanban` npm package (used by the `cline` CLI) starts a WebSocket server on `127.0.0.1:3484` with no Origin header validation. Any web

CVE-2026-7686 | MEDIUM | CVSS 5.5 | EPSS 0.0% | Priority 48 | Signals: PoC
Improper access controls in Adblock Plus up to version 4.36.2 on Chrome allow unauthenticated remote attackers to bypass Premium activation controls via manipulation of the postMessage function in premium.preload.js, granting temporary trial access to Premium features. The vulnerability affects a deprecated legacy activation flow and has publicly available exploit code; however, vendor analysis indicates the practical impact is limited because the licensing server issues only short-lived trial licenses (approximately 24 hours) that expire on next validation against real subscriptions, and the exploit has not been weaponized at scale.

CVE-2026-44670 | CRITICAL | CVSS 9.4 | EPSS 0.1% | Priority 47
Remote code execution in SiYuan's Electron desktop application allows authenticated attackers (or browser extensions on localhost) to inject malicious JavaScript through unescaped Attribute View names, escalating from stored XSS to arbitrary system command execution. The Go kernel backend stores AV names without HTML escaping, then embeds them via string replacement into HTML templates pushed over WebSocket. Three TypeScript renderer paths (render.ts, Title.ts, transaction.ts) consume this data using innerHTML/outerHTML without sanitization. Because the Electron main window runs with nodeIntegration:true and contextIsolation:false, script injection grants full Node.js API access—enabling attackers to spawn child processes (calc.exe/xcalc demonstrated in PoC), exfiltrate SSH keys, install backdoors, or pivot to cloud credentials. Payloads persist in JSON files under data/storage/av/, replicate across all sync transports (S3/WebDAV/cloud), survive .sy.zip export-import, and trigger for any user role (Administrator/Editor/Reader/Visitor) opening a document bound to the poisoned database view. CVSS 9.4 (Network/Low/None/High Confidentiality-Integrity-Availability + Scope Changed) reflects worst-case remote network vector, though the primary realistic attack path is via installed browser extensions (chrome-extension:// Origin explicitly allowlisted in session.go:277) calling the /api/transactions endpoint as an auto-granted admin on default installations with no Access Authorization Code. GitHub advisory GHSA-2h64-c999-c9r6 confirms patch available in kernel commit 0.0.0-20260512140701-d7b77d945e0d. No public exploit code identified at time of analysis, but detailed reproduction steps with curl payloads and Electron DevTools inspection are published in the advisory.

CVE-2026-44588 | CRITICAL | CVSS 9.4 | EPSS 0.1% | Priority 47
Remote code execution in SiYuan's Electron renderer occurs when users hover over search results, file tree items, or attribute view elements containing URL-encoded XSS payloads in document titles or metadata. The vulnerability chains a URL-decoding step (decodeURIComponent) with unsafe innerHTML assignment in tooltip rendering, bypassing the escapeAriaLabel sanitizer that only handles HTML entities but ignores %XX URL escapes. Because SiYuan's renderer runs with nodeIntegration:true and contextIsolation:false, the XSS escalates to arbitrary code execution via require('child_process'). Exploitation requires user interaction (hovering) but no authentication, and malicious payloads survive .sy.zip export/import and sync replication, enabling supply-chain and shared-workspace attacks. No public exploit code identified at time of analysis, though a detailed proof-of-concept is published in the GitHub advisory.

CVE-2026-42811 | CRITICAL | CVSS 9.4 | EPSS 0.1% | Priority 47
CEL injection in Apache Polaris 1.4.0 allows authenticated users to escape credential access boundaries on Google Cloud Storage. Attackers can craft namespace or table identifiers containing single quotes and CEL fragments to break out of quoted strings in Credential Access Boundary conditions, escalating temporary table-scoped GCS credentials to effectively bucket-wide access. Confirmed in private testing: attackers obtained credentials intended for one table but successfully listed, read, created, and deleted objects across unrelated tables and external prefixes within the entire configured bucket. EPSS data not yet available for this recent CVE; CVSS 9.4 reflects critical confidentiality, integrity, and availability impact across both vulnerable and subsequent systems (scope changed).
