{"cves":[{"cve_id":"CVE-2026-45499","summary":"Server-side request forgery (ssrf) in Azure OpenAI allows an authorized attacker to elevate privileges over a network.","cvss":9.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.9,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45499"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T23:16:51","euvd":null},{"cve_id":"CVE-2026-54998","summary":"Incorrect authorization in Microsoft Exchange Online allows an authorized attacker to elevate privileges over a network.","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-54998"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T23:16:51","euvd":null},{"cve_id":"CVE-2026-57100","summary":"Server-side request forgery (ssrf) in Microsoft Entra Provisioning Service (SyncFabric) allows an authorized attacker to elevate privileges over a network.","cvss":9.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.9,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-57100"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T23:16:51","euvd":null},{"cve_id":"CVE-2026-41106","summary":"Url redirection to untrusted site ('open redirect') in M365 Copilot allows an unauthorized attacker to elevate privileges over a network.","cvss":9.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.3,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41106"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T23:16:50","euvd":null},{"cve_id":"CVE-2026-26145","summary":"Improper access control in Azure Synapse allows an authorized attacker to elevate privileges over a network.","cvss":4.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26145"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T23:16:49","euvd":null},{"cve_id":"CVE-2026-50721","summary":"Libreswan, via the function RSA_authenticate_hash_signature_raw_rsa(), did not correctly verify the length of the authentication hash when the SIG payload of an IKEv1 packet was encoded using PKCS #1 RSA Encryption as per RFC 2313. A remote attacker can use a variation on the Bleichenbacher attack to forge the SIG payload when small public exponents are being used (e.g., e=3), which could lead to impersonation. Additionally, a remote attacker, by encoding a shorter than expected hash in the SIG payload, could trigger an assertion leading to denial-of-service. The daemon aborts and restarts; continued exploitation causes sustained denial of service. Remote code execution is not possible. X.509 certificate verifications of remote IKE peers are not affected.","cvss":8.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://libreswan.org/security/CVE-2026-50721/","https://libreswan.org/security/CVE-2026-50721/CVE-2026-50721.txt","https://libreswan.org/security/CVE-2026-50722/CVE-2026-50722.txt","https://www.rfc-editor.org/rfc/rfc2313"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T22:16:43","euvd":null},{"cve_id":"CVE-2026-50722","summary":"Libreswan, via the function RSA_authenticate_hash_signature_pkcs1_1_5_rsa(), did not correctly verify the DER encoding of the ASN.1 digest when the IKEv2 AUTH payload was encoded using RSASSA-PKCS1-v1_5 (RFC 8017). A remote attacker can use a variation on the Bleichenbacher attack to forge the AUTH payload when small public exponents are used (e.g., e=3), leading to impersonation. Additionally, a remote attacker, by encoding a shorter than expected hash in the AUTH payload, could trigger an assertion leading to denial-of-service. The daemon aborts and restarts; continued exploitation causes sustained denial of service. Remote code execution is not possible. X.509 certificate verifications of the remote IKE peer are not affected.","cvss":8.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://libreswan.org/security/CVE-2026-50721/CVE-2026-50721.txt","https://libreswan.org/security/CVE-2026-50722/","https://libreswan.org/security/CVE-2026-50722/CVE-2026-50722.txt","https://www.rfc-editor.org/rfc/rfc8017"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T22:16:43","euvd":null},{"cve_id":"CVE-2026-12413","summary":"An invalidly formatted IKEv2 fragment causes the Libreswan pluto daemon to crash and restart. Continued exploitation would cause a denial of service. The function reassemble_v2_incoming_fragments() would ignore unknown outer payloads but still store these in a fixed size array msg_digest.digest[PAYLIMIT]. An off-by-one error in the assertion PASSERT(logger, md->digest_roof < elemsof(md->digest)) causes the daemon to abort. No remote code execution is possible. Any configuration that allows IKEv2 connections that do not set fragmentation=no are vulnerable. IKEv1 is not affected.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://libreswan.org/security/CVE-2026-12413/","https://libreswan.org/security/CVE-2026-12413/CVE-2026-12413.txt"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T22:16:42","euvd":null},{"cve_id":"CVE-2026-58460","summary":"react-native-receive-sharing-intent contains a path traversal vulnerability that allows a co-resident malicious application to write files outside the intended cache directory by supplying a crafted _display_name value containing dot-dot path components through a malicious ContentProvider. Attackers can fire an explicit ACTION_SEND intent at the consuming app's exported share-receiver activity to overwrite arbitrary files in the consuming app's private data directory, including databases, shared preferences, and cached configuration, with attacker-controlled content.","cvss":7.0,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.7,"cvss_v4":7.0,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/ajith-ab/react-native-receive-sharing-intent/pull/192","https://www.vulncheck.com/advisories/react-native-receive-sharing-intent-path-traversal-via-display-name"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T21:16:57","euvd":null},{"cve_id":"CVE-2026-38969","summary":"ruby webrick through v1.9.2 WEBrick reparses trailer Content-Length into canonical request state, enabling request smuggling.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/ruby/webrick/issues/198","https://github.com/ruby/webrick/pull/199"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T21:16:56","euvd":null},{"cve_id":"CVE-2026-38970","summary":"pdfcpu through v0.11.1 contains an uncontrolled-recursion denial-of-service issue in pkg/pdfcpu/model/parse.go. The parser descends recursively through nested PDF objects, including arrays, via ParseObjectContext() and parseArray() without enforcing a maximum nesting depth.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/pdfcpu/pdfcpu","https://github.com/pdfcpu/pdfcpu/blob/a181c19acb322d6b93a1bbda9385a864a9ad6efe/pkg/pdfcpu/model/parse.go#L325-L366","https://github.com/pdfcpu/pdfcpu/blob/a181c19acb322d6b93a1bbda9385a864a9ad6efe/pkg/pdfcpu/model/parse.go#L942-L970"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T21:16:56","euvd":null},{"cve_id":"CVE-2026-38971","summary":"ardupilot through Plane-4.6.3 was found to contain an out-of-bounds read issue in libraries/GCS_MAVLink/GCS_serial_control.cpp in GCS_MAVLINK::handle_serial_control().","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/ArduPilot/ardupilot","https://github.com/ArduPilot/ardupilot/issues/32524","https://github.com/ArduPilot/ardupilot/pull/32587"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T21:16:56","euvd":null},{"cve_id":"CVE-2026-38972","summary":"Notepad3 through 6.25.822.1 contains a DLL search-order hijacking vulnerability in the About-dialog code path in src/Notepad3.c. The application calls LoadLibrary(L\"MSFTEDIT.DLL\") with a bare DLL name, which allows a local attacker to place a malicious MSFTEDIT.DLL in the application directory or another preferred DLL search location and achieve arbitrary code execution in the context of the user when the About dialog is opened.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/rizonesoft/Notepad3","https://github.com/rizonesoft/Notepad3/issues/5605","https://github.com/rizonesoft/Notepad3/pull/5606"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T21:16:56","euvd":null},{"cve_id":"CVE-2026-52188","summary":"Buffer Overflow vulnerability in UTT nv518G nv518GV3v3.2.7-210919-161313 allows a remote attacker to cause a denial of service via the gohead//sub_497498 component","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/akuma-QAQ/CVEreport/tree/main/518G/FUN_00497498","https://utt.com.cn/downloadcenter.php?filetypeid=3&model=518G&lang=zhcn"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T21:16:56","euvd":null},{"cve_id":"CVE-2026-52189","summary":"Buffer Overflow vulnerability in UTT nv518G nv518GV3v3.2.7-210919-161313 allows a remote attacker to cause a denial of service via the gohead/sub_487330 component","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/akuma-QAQ/CVEreport/blob/main/518G/FUN_00487330/README.md","https://utt.com.cn/downloadcenter.php?filetypeid=3&model=518G&lang=zhcn"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T21:16:56","euvd":null},{"cve_id":"CVE-2026-52191","summary":"Buffer Overflow vulnerability in UTT nv518G nv518GV3v3.2.7-210919-161313 allows a remote attacker to cause a denial of service via the gohead/sub_444C8C component","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/akuma-QAQ/CVEreport/tree/main/518G/FUN_00444c8c","https://utt.com.cn/downloadcenter.php?filetypeid=3&model=518G&lang=zhcn"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T21:16:56","euvd":null},{"cve_id":"CVE-2026-52192","summary":"An issue in UTT nv518G nv518GV3v3.2.7-210919-161313 allows a remote attacker to cause a denial of service via the gohead/sub_445C5C component","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/akuma-QAQ/CVEreport/tree/main/518G/FUN_00445c5c","https://utt.com.cn/downloadcenter.php?filetypeid=3&model=518G&lang=zhcn"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T21:16:56","euvd":null},{"cve_id":"CVE-2026-52830","summary":"fast-mcp-telegram is a Telegram MCP Server. Prior to 0.19.1, fast-mcp-telegram validates HTTP Bearer tokens by joining the raw token string into a session-file path. The verifier rejects the exact reserved token telegram, but it does not reject path separators or normalize the path before checking whether the session file exists. A remote HTTP client can therefore authenticate as the default legacy session with a token such as ../fast-mcp-telegram/telegram when the documented default session file ~/.config/fast-mcp-telegram/telegram.session exists. This bypasses the reserved session name control that is intended to prevent HTTP multi-user sessions from colliding with the default stdio or legacy account. With account-prefixed MCP tools enabled, the attacker still sees and calls the prefixed tools for the default account, so the prefix middleware does not stop the session selection bypass. This vulnerability is fixed in 0.19.1.","cvss":9.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.4,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/advisories/GHSA-rxw2-pc8j-vxwm","https://web.archive.org/web/20250926152207/https://github.com/leshchenko1979/fast-mcp-telegram"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T21:16:56","euvd":null},{"cve_id":"CVE-2026-38968","summary":"ntopng through 6.6 is vulnerable to Predictable Session Identifier which can lead to Session Hijacking. HTTP session identifiers in src/HTTPserver.cpp use weak time-seeded pseudo-randomness during session creation. As a result, fresh authenticated logins can receive deterministic or colliding session cookies under attacker-controlled timing.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/ntop/ntopng/commit/14e22497233dc7d31d19dccb74b13bb073d16c2c","https://github.com/ntop/ntopng/commit/179a346ceb6239fd36128ccca3efa8f9ea61eeb5"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T21:16:55","euvd":null},{"cve_id":"CVE-2026-59098","summary":"LobeChat through 2.2.9 contains a broken access control vulnerability in the retrieval-augmented-generation semantic search functionality that allows authenticated attackers to access other users' data by exploiting missing user-identifier predicates in the chunk model semanticSearch method. Attackers can supply arbitrary victim file or knowledge-base identifiers through the chunk retrieval and chat knowledge-base paths to retrieve text content, file names, and metadata belonging to other users.","cvss":7.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":7.1,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/lobehub/lobehub/commit/4a7931a4e66832947dba11afdffae2918a56b6a0","https://github.com/lobehub/lobehub/issues/16535","https://github.com/lobehub/lobehub/pull/16594","https://www.vulncheck.com/advisories/lobechat-cross-user-document-disclosure-via-unscoped-rag-semantic-search"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T20:17:08","euvd":null},{"cve_id":"CVE-2026-59099","summary":"Apereo CAS 7.3.0 before 8.0.0-RC6 contains a cryptographic vulnerability that allows remote unauthenticated attackers to recover plaintext conversation state by exploiting AES-GCM initialization vector reuse across the server lifetime. Attackers can collect multiple client-side webflow execution tokens from the unauthenticated login page and perform known-plaintext analysis to decrypt the webflow conversation state due to keystream reuse caused by a fixed all-zero IV paired with the same encryption key.","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":9.1,"cvss_v4":9.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://apereo.github.io/2026/06/18/vuln/","https://github.com/apereo/cas/commit/22c6f4adf738852782309b523b4e80371057f2d0","https://github.com/apereo/cas/releases/tag/v8.0.0-RC6","https://github.com/geo-chen/oss/blob/main/cas.md","https://www.vulncheck.com/advisories/apereo-cas-rc6-aes-gcm-nonce-reuse-information-disclosure"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T20:17:08","euvd":null},{"cve_id":"CVE-2026-59100","summary":"LobeChat through 2.2.9 contains a broken object level authorization vulnerability that allows authenticated attackers to access and modify other users' chat-group agent data by supplying arbitrary group identifiers. Attackers can invoke the getGroupAgents, updateAgentInGroup, and removeAgentsFromGroup operations without user-scoped predicates to read agent listings, modify agent roles and ordering, and remove agents from chat groups belonging to other users.","cvss":2.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":5.0,"cvss_v4":2.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/lobehub/lobehub/commit/9ed5a7e20d8a67c431265f5a252e9559d9920907","https://github.com/lobehub/lobehub/issues/16537","https://github.com/lobehub/lobehub/pull/16586","https://www.vulncheck.com/advisories/lobechat-broken-object-level-authorization-via-chat-group-agent-operations"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T20:17:08","euvd":null},{"cve_id":"CVE-2026-59101","summary":"AutoBangumi before 3.2.8 contains a server-side request forgery (SSRF) vulnerability that allows unauthenticated remote attackers to probe internal network services by supplying arbitrary host values to an unprotected setup endpoint. Attackers can send requests to the POST /api/v1/setup/test-downloader endpoint during the initial setup window, causing the server to issue HTTP GET requests to internal or reserved addresses and leak information through echoed connection-error messages.","cvss":6.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":5.8,"cvss_v4":6.9,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/EstrellaXD/Auto_Bangumi/commit/487bdfec545e805ae416e6ddf28651bd274d6a73","https://github.com/EstrellaXD/Auto_Bangumi/issues/1041","https://github.com/EstrellaXD/Auto_Bangumi/releases/tag/3.2.8","https://www.vulncheck.com/advisories/autobangumi-ssrf-via-api-v1-setup-test-downloader"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T20:17:08","euvd":null},{"cve_id":"CVE-2026-59102","summary":"Forgejo before 15.0.3 contains a stored cross-site scripting vulnerability that allows authenticated attackers to execute arbitrary JavaScript in other users' browsers by setting a full name containing an HTML payload and triggering an Actions run. When the DEFAULT_SHOW_FULL_NAME option is enabled, the run description is assembled server-side with the user's display name interpolated into an HTML string via a translation function that does not escape its arguments, and the frontend renders the result using a Vue v-html binding, causing script execution for any user who views the affected Actions run page.","cvss":2.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":5.4,"cvss_v4":2.1,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://codeberg.org/forgejo/forgejo/pulls/13002","https://codeberg.org/forgejo/forgejo/src/branch/forgejo/release-notes-published/15.0.3.md","https://github.com/geo-chen/oss/blob/main/forgejo.md","https://www.vulncheck.com/advisories/forgejo-stored-xss-via-actions-run-full-name-rendering"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T20:17:08","euvd":null},{"cve_id":"CVE-2026-58579","summary":"RAGFlow before 0.26.3 stores an agent pipeline (DSL) node name without sanitization: the agent update endpoint normalizes the submitted DSL via normalize_dsl, which only performs JSON serialization validation and preserves the node name verbatim. The dataflow-result web UI then renders that name into the \"Rerun from current step\" confirmation modal via dangerouslySetInnerHTML, and the i18next configuration sets escapeValue:false, so the value is inserted into the DOM without HTML encoding. An authenticated workspace user who can create or edit an agent can inject arbitrary JavaScript that executes in the session of another workspace member who opens the dataflow result and clicks rerun, enabling session/token theft and account takeover across the user trust boundary.","cvss":5.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":5.4,"cvss_v4":5.1,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/infiniflow/ragflow/commit/572f1ea9f4eba6a60e64f7437dee60aa1c0913f1","https://github.com/infiniflow/ragflow/issues/16507","https://github.com/infiniflow/ragflow/pull/16516","https://github.com/infiniflow/ragflow/releases/tag/v0.26.3","https://www.vulncheck.com/advisories/ragflow-stored-cross-site-scripting-via-agent-pipeline-node-name"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T20:17:07","euvd":null},{"cve_id":"CVE-2026-58580","summary":"LobeChat through 2.2.9 server-database deployments are vulnerable to broken object-level authorization in MessageModel. The updateMessagePlugin, updatePluginState, updatePluginError, updateTTS and updateTranslate methods filter target rows by message id alone, omitting the userId scope that sibling methods apply, and findMessagePlugin reads back by id alone. Reachable via the corresponding tRPC message procedures, an authenticated user who knows another user's message identifier can overwrite that victim's plugin tool-call metadata, plugin state/error, text-to-speech and translation records on the same instance, and the tampered content is served back to the victim. Exploitation requires knowledge of the victim's non-enumerable message identifier.","cvss":6.0,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":5.9,"cvss_v4":6.0,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/lobehub/lobehub/issues/16534","https://www.vulncheck.com/advisories/lobechat-broken-object-level-authorization-in-message-sub-resource-writes"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T20:17:07","euvd":null},{"cve_id":"CVE-2026-59092","summary":"JuiceFS through 1.3.1, fixed in commit a46979c, contains an authentication bypass vulnerability that allows unauthenticated remote attackers to access sensitive debug and metrics endpoints by exploiting improper handler registration on the shared http.DefaultServeMux. Attackers can request the /debug/pprof/cmdline endpoint to obtain the process command line containing metadata engine connection strings with database credentials, granting full read/write access to filesystem metadata, while other pprof handlers leak internal state and profiling handlers enable denial of service.","cvss":7.0,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.7,"cvss_v4":7.0,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/juicedata/juicefs/commit/a46979cdd4082217081ee99b931ddc53d038e47a","https://github.com/juicedata/juicefs/issues/7213","https://github.com/juicedata/juicefs/pull/7214","https://www.vulncheck.com/advisories/juicefs-authentication-bypass-via-pprof-and-metrics-endpoints"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T20:17:07","euvd":null},{"cve_id":"CVE-2026-59093","summary":"Weaviate before 1.38.0 does not verify that a principal performing an RBAC role assignment holds the permissions granted by the assigned role. The assignRoleToUser and assignRoleToGroup handlers (POST /authz/users/{id}/assign and /authz/groups/{id}/assign) authorize only that the caller may assign roles to the target user or group, not the permissions contained in the assigned roles, unlike role creation which enforces that a user can only create roles with permissions less than or equal to its own. A user holding only the delegated assign_and_revoke_users or assign_and_revoke_groups permission can assign the built-in admin role, or any high-privilege custom role, to itself or others, escalating to full administrative control of the database.","cvss":8.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":8.7,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/weaviate/weaviate/commit/2c75f6fb217631f7751c4b2a7d37a488cef13edb","https://github.com/weaviate/weaviate/pull/11493","https://github.com/weaviate/weaviate/releases/tag/v1.38.0","https://www.vulncheck.com/advisories/weaviate-privilege-escalation-via-unchecked-permissions-in-rbac-role-assignment"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T20:17:07","euvd":null},{"cve_id":"CVE-2026-59094","summary":"Pathway through 0.31.1, fixed in commit d09722e, document store applies a caller-supplied glob pattern to indexed document paths using a hand-written recursive matcher that branches two ways on each ** token without memoization, giving exponential worst-case complexity. The filepath_globpattern value is taken from the body of the unauthenticated HTTP endpoints /v1/retrieve, /v1/inputs and /v2/answer and compiled into a filter evaluated once per indexed document, with no length or **-count limit. A remote unauthenticated attacker can submit a short pattern containing many ** tokens to consume CPU for tens of seconds per request, and a small number of requests denies service.","cvss":8.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":8.7,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/pathwaycom/pathway/commit/d09722eef03fd94bba701836eb4c7fbfa3d3b88e","https://github.com/pathwaycom/pathway/issues/241","https://github.com/pathwaycom/pathway/pull/250","https://www.vulncheck.com/advisories/pathway-unauthenticated-denial-of-service-via-exponential-glob-pattern-matching-in-document-store"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T20:17:07","euvd":null},{"cve_id":"CVE-2026-59095","summary":"LobeChat before 2.2.10-canary.18 contains a server-side request forgery vulnerability that allows authenticated attackers to direct internal HTTP requests to arbitrary URLs by supplying user-controlled input to the skill import service (importFromUrl) and topic cover update (fetchImageFromUrl) endpoints, which use the global fetch without the project's ssrf-safe-fetch wrapper. Attackers can target internal addresses such as cloud instance metadata endpoints through these unprotected code paths to disclose internal service responses and cloud credentials.","cvss":8.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.7,"cvss_v4":8.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/lobehub/lobehub/issues/16536","https://github.com/lobehub/lobehub/pull/16601","https://www.vulncheck.com/advisories/lobechat-canary-18-ssrf-via-importfromurl-and-fetchimagefromurl"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T20:17:07","euvd":null},{"cve_id":"CVE-2026-59096","summary":"Dapr Sentry's OIDC discovery endpoint derives the issuer and jwks_uri of the /.well-known/openid-configuration document from the request Host, honoring an attacker-controlled X-Forwarded-Host header without validation when no allowed-hosts list is configured (the default), and serves the document with a one-hour public cache lifetime. A remote unauthenticated attacker can poison the discovery document so relying parties performing dynamic (unpinned) discovery fetch the JWKS from an attacker-controlled server, causing attacker-signed JWTs to be accepted. Exploitation requires the OIDC server enabled without a configured jwt-issuer or oidc-allowed-hosts.","cvss":8.2,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":8.2,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/dapr/dapr/pull/10027","https://github.com/dapr/dapr/pull/10028","https://github.com/dapr/dapr/pull/10029","https://www.vulncheck.com/advisories/dapr-oidc-discovery-issuer-and-jwks-uri-injection-via-unvalidated-x-forwarded-host"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T20:17:07","euvd":null},{"cve_id":"CVE-2026-59097","summary":"Taiga before 6.10.2 contains a missing authorization vulnerability that allows unauthenticated remote attackers to create default due-date records in any project by exploiting unprotected POST endpoints on the user-story, task, and issue due-date API viewsets. Attackers can supply an arbitrary project identifier to these endpoints, which bypass permission checks and apply the AllowAny default, to pre-empt project administrators from initializing due dates by creating records before they can do so themselves.","cvss":6.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":6.9,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/taigaio/taiga-back/commit/f925af424623350e04d4abc45bf1dc70e70c48a9","https://github.com/taigaio/taiga-back/issues/244","https://github.com/taigaio/taiga-back/pull/245","https://github.com/taigaio/taiga-back/releases/tag/6.10.2","https://www.vulncheck.com/advisories/taiga-unauthorized-due-date-creation-via-api-viewsets"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T20:17:07","euvd":null},{"cve_id":"CVE-2026-58381","summary":"A flaw was found in GIMP's PSP file format parser. A double-free condition occurs in the read_layer_block() function when processing a specially crafted PSP file. This could allow an attacker to cause memory corruption, potentially leading to denial of service or arbitrary code execution.","cvss":6.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://access.redhat.com/security/cve/CVE-2026-58381","https://bugzilla.redhat.com/show_bug.cgi?id=2496166","https://gitlab.gnome.org/GNOME/gimp/-/commit/b22e147b","https://gitlab.gnome.org/GNOME/gimp/-/issues/16207"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T20:17:06","euvd":null},{"cve_id":"CVE-2026-58466","summary":"AutoBangumi before 3.2.8 contains a hard-coded default credentials vulnerability that allows unauthenticated attackers to authenticate as the administrator by using the publicly known default credentials seeded at startup via add_default_user() in the database user module when the users table is empty. Attackers can submit the default credentials to the authentication login endpoint to gain full control of the application, including RSS feed configuration, downloader configuration, and all authenticated API endpoints.","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":9.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/EstrellaXD/Auto_Bangumi/commit/487bdfec545e805ae416e6ddf28651bd274d6a73","https://github.com/EstrellaXD/Auto_Bangumi/issues/1041","https://github.com/EstrellaXD/Auto_Bangumi/releases/tag/3.2.8","https://www.vulncheck.com/advisories/autobangumi-hard-coded-default-credentials-via-add-default-user"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T20:17:06","euvd":null},{"cve_id":"CVE-2026-58467","summary":"Cockpit CMS before release 364 contains a path traversal and local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files or execute PHP files by including unvalidated PATH_INFO derived from REQUEST_URI in filesystem path construction without containment checks. Attackers can inject dot-dot sequences into the URL to traverse outside the designated spaces directory, and when the resolved path ends with a .php extension, the application passes it to include(), enabling local file inclusion on deployments using the PHP built-in server or certain non-default Nginx configurations.","cvss":8.2,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":8.2,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/cockpit-project/cockpit/releases/tag/364","https://github.com/geo-chen/oss/blob/main/cockpit.md","https://www.vulncheck.com/advisories/cockpit-cms-364-path-traversal-local-file-inclusion-via-index-php"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T20:17:06","euvd":null},{"cve_id":"CVE-2026-58578","summary":"LobeChat before version 2.2.10-canary.15 contains a regular expression denial of service (ReDoS) vulnerability that allows authenticated attackers to block the Node.js event loop by supplying a catastrophic-backtracking pattern in a GitHub repository URL path during skill import. Attackers can craft a malicious basePath value containing unescaped regex metacharacters such as catastrophic-backtracking patterns, which are injected into a dynamically constructed regular expression in the findSkillMd function and executed synchronously against archive entries, denying service to all concurrent users for tens of seconds per request.","cvss":7.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":7.1,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/lobehub/lobehub/commit/349bbe326eb8635d6d9c6a96d12702681ae3a84a","https://github.com/lobehub/lobehub/issues/16494","https://github.com/lobehub/lobehub/pull/16548","https://github.com/lobehub/lobehub/releases/tag/v2.2.10-canary.15","https://www.vulncheck.com/advisories/lobechat-canary-15-regular-expression-denial-of-service-in-github-skill-import"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T20:17:06","euvd":null},{"cve_id":"CVE-2026-52187","summary":"Buffer Overflow vulnerability in UTT nv518G nv518GV3v3.2.7-210919-161313 allows a remote attacker to cause a denial of service via the gohead/sub_483ba0 component","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/akuma-QAQ/CVEreport/blob/main/518G/FUN_00483ba0/README.md","https://utt.com.cn/downloadcenter.php?filetypeid=3&model=518G&lang=zhcn"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T20:17:03","euvd":null},{"cve_id":"CVE-2025-71385","summary":"Netdata before 2.3.1 reflects the user-supplied love query parameter of the api/v2/ilove.svg and api/v3/ilove.svg endpoints verbatim into the generated SVG document (into a text element) without HTML or XML escaping, and serves the response with Content-Type image/svg+xml. An attacker can craft a URL such as /api/v2/ilove.svg?love=<script>...</script>; when a victim navigates to it the injected script executes in the victim browser in the origin of the Netdata instance (reflected cross-site scripting). These endpoints are registered with HTTP_ACL_NOCHECK and anonymous access and, because bearer-token protection is disabled by default, are reachable without authentication on a default Netdata agent. The issue was resolved by removing the ilove endpoint.","cvss":5.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":6.1,"cvss_v4":5.1,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/netdata/netdata/commit/f82554fe9b21b5ae51a8663a3f4ddce84cac16af","https://github.com/netdata/netdata/pull/19919","https://github.com/netdata/netdata/releases/tag/v2.3.1","https://www.vulncheck.com/advisories/netdata-reflected-cross-site-scripting-via-love-parameter-in-ilove-svg-endpoint"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T20:17:00","euvd":null},{"cve_id":"CVE-2026-7311","summary":"The TinyPNG – JPEG, PNG & WebP image compression plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_converted_image_size function in all versions up to, and including, 3.6.13. This makes it possible for authenticated attackers, with author-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). An attacker can exploit this by injecting an arbitrary server file path into the 'convert.path' field of the 'tiny_compress_images' post meta on an attachment they own, then triggering attachment deletion to invoke the vulnerable code path.","cvss":8.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/tiny-compress-images/tags/3.6.13/src/class-tiny-image-size.php#L245","https://plugins.trac.wordpress.org/browser/tiny-compress-images/tags/3.6.13/src/class-tiny-image.php#L144","https://plugins.trac.wordpress.org/browser/tiny-compress-images/tags/3.6.13/src/class-tiny-plugin.php#L859","https://plugins.trac.wordpress.org/browser/tiny-compress-images/tags/3.6.13/src/config/class-tiny-config.php#L12","https://plugins.trac.wordpress.org/changeset/3532827/tiny-compress-images","https://www.wordfence.com/threat-intel/vulnerabilities/id/eb8a673e-a192-41d4-b53b-7d786887242d?source=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T19:17:00","euvd":null},{"cve_id":"CVE-2026-13743","summary":"CubeSpace CW0057 Reaction Wheel firmware versions prior to 5.0.20 are vulnerable to an Improper Verification of Cryptographic Signature vulnerability. This could allow an attacker with physical access to the product to upload arbitrary malicious firmware to the device without authentication.","cvss":3.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":3.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.cisa.gov/news-events/ics-advisories/icsa-26-183-02"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T19:16:59","euvd":null},{"cve_id":"CVE-2026-58465","summary":"Eclipse Wakaama before snapshot/2026-05-26 contains an unbounded memory allocation vulnerability in the CoAP Block1 handler within coap/block.c that allows unauthenticated remote attackers to exhaust server memory by sending a sequence of Block1 PUT requests with incrementing block numbers. Attackers can target the registration endpoint over UDP without authentication, causing the server to repeatedly reallocate a growing accumulation buffer by appending each block payload without enforcing any maximum total size limit, resulting in denial of service through memory exhaustion.","cvss":8.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":8.7,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/eclipse-wakaama/wakaama/commit/a83f1ca28fa090fbc03c3669fef40daf4f89cd03","https://github.com/eclipse-wakaama/wakaama/pull/881","https://github.com/eclipse-wakaama/wakaama/releases/tag/snapshots%2F2026-05-26","https://www.vulncheck.com/advisories/eclipse-wakaama-coap-block1-handler-unbounded-memory-allocation-dos"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T19:16:59","euvd":null},{"cve_id":"CVE-2026-55952","summary":"The Erlang/OTP ssl application does not validate that the PSK identity list and binder list carried in a TLS 1.3 ClientHello pre-shared key extension have equal length before passing them to the session ticket handler. In tls_handshake_1_3:handle_pre_shared_key/3, an OfferedPreSharedKeys record with a mismatched number of identities and binders is forwarded directly to tls_server_session_ticket:use/4, which crashes the session ticket handler process.\n\nAn unauthenticated remote attacker can send a single crafted ClientHello to a TLS 1.3 server with session tickets enabled (stateful or stateless mode) and permanently disrupt session ticket handling on that listener. New TLS 1.3 handshakes complete but subsequently crash when the server attempts to issue a session ticket, effectively making TLS 1.3 unusable on the affected listener until the ssl application is restarted. TLS 1.2 connections are not affected.\n\nThis issue affects OTP from 22.2 before 29.0.3, 28.5.0.3 and 27.3.4.14 corresponding to ssl from 9.5 before 11.7.3, 11.6.0.3 and 11.2.12.10.","cvss":8.2,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":8.2,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://cna.erlef.org/cves/CVE-2026-55952.html","https://github.com/erlang/otp/commit/2c3e599797644310e5d4aa39c7193420e59dadff","https://github.com/erlang/otp/commit/9b5437c72fa3403a75c1aba28e5c532bc191c662","https://github.com/erlang/otp/commit/e77823e6d980b2ec0b4fe4ea3f2d098ca239e3ce","https://github.com/erlang/otp/security/advisories/GHSA-8c57-44c9-pc59","https://osv.dev/vulnerability/EEF-CVE-2026-55952","https://www.erlang.org/doc/system/versions.html#order-of-versions"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T17:17:03","euvd":null},{"cve_id":"CVE-2026-8699","summary":"A stored Cross-Site Scripting (XSS) vulnerability has been identified in the web-based management interface of Archer C5 v6.8 routers, due to insufficient server-side validation and lack of proper output encoding of user-controlled input in a certain field.  An attacker with administrative privileges can inject crafted HTML or JS payloads into the affected field. The payload is stored and later executed when the affected page is rendered in an administrator's browser.Successful exploitation allows execution of arbitrary JavaScript in an admin's browser, potentially leading to session hijacking and unauthorized access to router configuration, possibly resulting in exposure of sensitive data and modification of device settings.\n\nThe vulnerability affects ISP-managed firmware variants of the product. Remediation is coordinated through service providers.","cvss":7.0,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":7.0,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.tp-link.com/en/support/faq/5165/"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T17:17:03","euvd":null},{"cve_id":"CVE-2026-54886","summary":"Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Erlang OTP ssh (ssh_sftpd module) allows an authenticated SFTP user to render an SFTP channel permanently unresponsive.\n\nThe handle_data/4 function in ssh_sftpd contains a catch-all clause that accepts channel data of any type. When channel data with a non-zero type code (SSH_MSG_CHANNEL_EXTENDED_DATA) arrives with an empty pending buffer and a payload at or below the SFTP packet size limit, the clause tail-calls itself with identical arguments, creating an infinite loop.\n\nThe SFTP protocol operates exclusively on normal channel data (type 0). Extended data (non-zero type) is meaningless for SFTP and is never sent by conforming clients. However, the SSH protocol permits any channel participant to send extended data on an open channel, so an authenticated SFTP client can trigger the loop by sending SSH_MSG_CHANNEL_EXTENDED_DATA with any data_type_code and any non-empty payload at or below the size limit.\n\nThe targeted ssh_sftpd process enters an infinite tail-recursive loop. It never processes another message, its message queue grows without bound, and it can only be stopped by killing the process. BEAM's reduction-based scheduler preemption continues to function, so other processes on the node are not starved, but each stuck channel process consumes its full CPU time share continuously and accumulates unbounded message queue memory. Opening many channels amplifies the CPU and memory impact.\n\nErlang/OTP SSH configurations using the default max_channels setting (infinity) allow an authenticated user to open unlimited channels per connection, amplifying the attack without requiring multiple TCP connections or authentications.\n\nNo file contents, credentials, or write access are obtainable through this issue. The impact is limited to denial of service on targeted SFTP channels, with secondary CPU degradation and memory growth.\n\nThis vulnerability is associated with program file lib/ssh/src/ssh_sftpd.erl and program routine ssh_sftpd:handle_data/4.\n\nThis issue affects OTP from OTP 17.0 until OTP 29.0.3, 28.5.0.3, and 27.3.4.14 corresponding to ssh from 3.0.1 until 6.0.2, 5.5.2.2, and 5.2.11.9.","cvss":5.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":5.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://cna.erlef.org/cves/CVE-2026-54886.html","https://github.com/erlang/otp/commit/eaf9550b8ad4738b81149d3f617102d980c6dd18","https://github.com/erlang/otp/security/advisories/GHSA-7wp4-pc27-2vj9","https://osv.dev/vulnerability/EEF-CVE-2026-54886","https://www.erlang.org/doc/system/versions.html#order-of-versions"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T17:17:02","euvd":null},{"cve_id":"CVE-2026-54887","summary":"Use of Default Cryptographic Key vulnerability in Erlang/OTP ssl (DTLS server) allows predictable DTLS cookie computation during the startup window, enabling source address verification bypass.\n\nOn DTLS server startup, dtls_server_connection:initial_hello/3 initializes previous_cookie_secret to the empty binary (<<>>) instead of a random value. Because HMAC with an empty key is deterministic, anyone who observes the plaintext ClientHello can compute dtls_handshake:cookie(<<>>, IP, Port, Hello) and forge a valid DTLS cookie before the first rotation of the cookie secret. The DTLS cookie (RFC 6347 §4.2.1) is a denial-of-service mitigation that prevents spoofed source IPs from forcing the server to allocate state and perform expensive cryptographic operations; it is not an authentication mechanism. During the window from server startup until the first secret rotation (0 to 15 seconds), an attacker who can observe the plaintext ClientHello can bypass the source address verification, enabling DTLS handshake amplification with spoofed source addresses.\n\nThis vulnerability is associated with program file lib/ssl/src/dtls_server_connection.erl and program routine dtls_server_connection:initial_hello/3.\n\nThis issue affects OTP from OTP 20.0 before 29.0.3, 28.5.0.3 and 27.3.4.14 corresponding to ssl from 8.2 before 11.7.3, 11.6.0.3 and 11.2.12.10.","cvss":6.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":6.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://cna.erlef.org/cves/CVE-2026-54887.html","https://github.com/erlang/otp/commit/888e3bcd72d5406016b9e0de741026bc2a6f114d","https://github.com/erlang/otp/security/advisories/GHSA-p2m2-3c2w-8jp8","https://osv.dev/vulnerability/EEF-CVE-2026-54887","https://www.erlang.org/doc/system/versions.html#order-of-versions"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T17:17:02","euvd":null},{"cve_id":"CVE-2026-54891","summary":"Improper Enforcement of Message Integrity During Transmission in a Communication Channel vulnerability in Erlang/OTP ssl (tls_gen_connection module) allows a network-positioned attacker to inject unauthenticated plaintext that the TLS client application later treats as authenticated server data.\n\nThe function tls_gen_connection:handle_protocol_record/3 rejects APPLICATION_DATA records that arrive in pre-handshake states when the TLS endpoint acts as a server, but does not apply the same check when the endpoint acts as a client. A network-positioned attacker can send plaintext APPLICATION_DATA records to the client during the handshake. The records are buffered and, once the handshake completes successfully, delivered to the application as if they were authenticated post-handshake data. The attacker cannot observe the client's response or steer the connection, so the impact is limited to blind injection of unauthenticated bytes. The injection window is wider for TLS versions prior to TLS 1.3 than for TLS 1.3.\n\nThis vulnerability is associated with program file lib/ssl/src/tls_gen_connection.erl.\n\nThis issue affects OTP from OTP 17.0 before 29.0.3, 28.5.0.3 and 27.3.4.14 corresponding to ssl from 5.3.4 before 11.7.3, 11.6.0.3 and 11.2.12.10. TLS 1.3 is affected starting with OTP 22.0, when TLS 1.3 support was added.","cvss":6.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":6.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://cna.erlef.org/cves/CVE-2026-54891.html","https://github.com/erlang/otp/commit/07d2d0e93f6aaf7652a81e8df075fc1728da5e96","https://github.com/erlang/otp/security/advisories/GHSA-gf6r-99xw-6qg6","https://osv.dev/vulnerability/EEF-CVE-2026-54891","https://www.erlang.org/doc/system/versions.html#order-of-versions"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T17:17:02","euvd":null},{"cve_id":"CVE-2026-55950","summary":"Time-of-check Time-of-use (TOCTOU) race condition vulnerability in Erlang/OTP ssl (dtls_packet_demux module) allows an unauthenticated remote attacker to crash all active DTLS sessions on a listener.\n\nA DTLS server listener uses a single shared dtls_packet_demux gen_server process to route incoming UDP datagrams to the correct connection handler. When a DTLS client reconnects rapidly from the same source address and port (sending multiple ClientHello messages in quick succession), a race condition in the demux's internal gb_trees key-value store causes a {key_exists, {old, Client}} crash, terminating the demux process. Because the demux is shared across all DTLS associations on that listener, its crash immediately kills every active DTLS session, not just the attacker's.\n\nThe attack is pre-authentication: the attacker only needs to send UDP datagrams containing valid ClientHello messages from the same source IP and port before the intermediate DOWN monitor message is processed by the gen_server. No credentials, no completed handshake, and no special configuration are required, and the crash can be repeated indefinitely to create a persistent denial of service for all clients of that listener.\n\nThis vulnerability is associated with program file lib/ssl/src/dtls_packet_demux.erl.\n\nThis issue affects OTP from OTP 25.3 before 29.0.3, 28.5.0.3, and 27.3.4.14 corresponding to ssl from 10.9 before 11.7.3, 11.6.0.3, and 11.2.12.10.","cvss":8.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":8.7,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://cna.erlef.org/cves/CVE-2026-55950.html","https://github.com/erlang/otp/commit/e44d2bf01c4473ef2ea7f09e3523cf96de6e4a04","https://github.com/erlang/otp/security/advisories/GHSA-hwfc-5hf4-gvr3","https://osv.dev/vulnerability/EEF-CVE-2026-55950","https://www.erlang.org/doc/system/versions.html#order-of-versions"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T17:17:02","euvd":null},{"cve_id":"CVE-2026-50282","summary":"Craft CMS is a content management system (CMS). Versions 5.0.0-RC1 and above, prior to 5.9.21 and versions 4.0.0-RC1 and above prior to 4.17.14 contain an authorization issue where a forced folder move can delete a conflicting destination folder without destination delete permission. Function craft\\\\controllers\\\\AssetsController::actionMoveFolder() supports moving an asset folder into a destination parent folder. If a folder with the same name already exists at the destination, the action can be called with force=true to overwrite the destination. This issue has been resolved in versions 5.9.21 and 4.17.14.","cvss":4.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":4.9,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/craftcms/cms/security/advisories/GHSA-3w32-23wj-rxg3"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T17:17:01","euvd":null},{"cve_id":"CVE-2026-53422","summary":"Observable Response Discrepancy vulnerability in Erlang OTP ssh (ssh_sftpd module) allows an authenticated SFTP user to enumerate the existence of files and directories outside the configured root directory.\n\nThe SSH_FXP_REALPATH handler in ssh_sftpd calls relate_file_name/3 with Canonicalize=false, unlike every other SFTP operation handler. This allows .. components in the requested path to bypass the is_within_root/2 check without being resolved. The un-canonicalized path then enters resolve_symlinks/2, which walks up the directory tree above the configured root and issues read_link() syscalls on arbitrary filesystem paths.\n\nAn authenticated SFTP client can exploit this by sending a REALPATH request with a crafted traversal path. The server response differs depending on whether the target path exists on the host filesystem (SSH_FXP_NAME when the path resolves successfully, SSH_FX_NO_SUCH_FILE when it does not). This creates a path-existence oracle that an attacker can use to enumerate the filesystem structure outside the configured root, including the existence of sensitive files, directories, and mount points.\n\nThe vulnerability leaks only the existence of paths. No file contents, credentials, or write access are obtainable through this issue alone. The information gained may assist further attacks when combined with other vulnerabilities.\n\nThis vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl and program routine ssh_sftpd:handle_op/4.\n\nThis issue affects OTP from OTP 17.0 until OTP 29.0.3, 28.5.0.3, and 27.3.4.14 corresponding to ssh from 3.0.1 until 6.0.2, 5.5.2.2, and 5.2.11.9.","cvss":2.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":2.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://cna.erlef.org/cves/CVE-2026-53422.html","https://github.com/erlang/otp/commit/059e5785ef8c1d423820ca633fb7b37f47645172","https://github.com/erlang/otp/commit/86622cfaacf57a02c7645d1999f946846b504c94","https://github.com/erlang/otp/commit/c5a8f50ae68888ff243c5c741a06d2b3a4b48b7a","https://github.com/erlang/otp/security/advisories/GHSA-h9pw-h5w4-h976","https://osv.dev/vulnerability/EEF-CVE-2026-53422","https://www.erlang.org/doc/system/versions.html#order-of-versions"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T17:17:01","euvd":null},{"cve_id":"CVE-2026-50281","summary":"Craft CMS is a content management system (CMS). Versions 5.7.0 and above, prior to 5.9.21 contain a mass-assignment flaw in the bulk-duplicate element action. An attacker who is only able to duplicate their own entires can submit an arbitrary id through the newAttributes request parameter. The duplication routine overrides its own id = null reset with that value and writes the attacker's attributes into the victim's existing entry row. ElementsController::beforeAction() pulls the request body into $this->_attributes and rejects requests that ship an id or canonicalId key at the top level, actionBulkDuplicate(), reads a separate newAttributes array and passes it straight through to the service layer. Elements::duplicateElement() clones the source element, sets id to null, and then hands the attacker's array to Craft::configure(), which  overwrites the reset id with any numeric value inside $newAttributes. PHP Yii's saveElement() then performs an UPDATE against the row with that primary key instead of an INSERT. The attackers's title, slug, authorId, postDate, and UID land on the victim's entry. safeAttributes() on Entry includes id because the base element model exposes it, so the Collection::only() filter does not strip it. This issue has been fixed in version 5.9.21.","cvss":7.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":7.1,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/craftcms/cms/commit/8f6587c25050bbb6e080d59c71f6bb8932fc8600","https://github.com/craftcms/cms/security/advisories/GHSA-x5m4-g2cq-52pq"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T17:17:00","euvd":null},{"cve_id":"CVE-2026-44935","summary":"Missing validation of \"valuesFrom\" references in Helm Deployer of SUSE Rancher Fleet 0.15 before 0.15.2, 0.14 before 0.14.6, 0.13 before 0.13.11 and 0.12 before 0.12.15 could be used by owners of one tenant to access fleet credentials of other tenants.","cvss":9.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.9,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/rancher/fleet/security/advisories/GHSA-xr65-5cpm-g36x"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T17:16:59","euvd":null},{"cve_id":"CVE-2024-14037","summary":"Redsea Cloud eHR contains an arbitrary file upload vulnerability that allows unauthenticated attackers to achieve remote code execution by uploading malicious files through the PtFjk.mob servlet endpoint. Attackers can submit a multipart POST request with a JSP webshell disguised using a spoofed image/jpeg Content-Type to bypass the absence of extension and MIME type validation, with the uploaded file stored at a predictable path under the uploadfile directory and executed directly by the web server. Exploitation evidence was first observed by the Shadowserver Foundation on 2024-11-03 (UTC).","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":9.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://cn-sec.com/archives/2734791.html","https://cn-sec.com/archives/3003231.html","https://redseacloud.com/","https://www.vulncheck.com/advisories/redsea-cloud-ehr-unauthenticated-file-upload-rce-via-ptfjk-mob"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T17:16:57","euvd":null},{"cve_id":"CVE-2024-58352","summary":"Landray OA contains an unauthenticated HQL injection vulnerability that allows unauthenticated attackers to query arbitrary Hibernate entity classes by injecting malicious HQL syntax into the uid POST parameter of the wechatLoginHelper.do endpoint. Attackers can exploit the lack of input sanitization in the string-concatenated filter expression passed to the Hibernate findList() call to extract sensitive data such as administrator password hashes and, with sufficient database privileges, perform file-write operations enabling remote code execution. Exploitation evidence was first observed by the Shadowserver Foundation on 2024-03-11 (UTC).","cvss":8.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":8.7,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://blog.csdn.net/fushuang333/article/details/136377020","https://blog.csdn.net/qq_39342001/article/details/137354047","https://cn-sec.com/archives/2532828.html","https://www.vulncheck.com/advisories/landray-oa-unauthenticated-hql-injection-via-wechatloginhelper-do"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T17:16:57","euvd":null},{"cve_id":"CVE-2022-50973","summary":"Yonyou KSOA 9.0 contains an unauthenticated arbitrary file upload vulnerability in the com.sksoft.bill.ImageUpload servlet that allows unauthenticated attackers to upload arbitrary files by submitting a POST request with attacker-controlled filepath and filename parameters without any authentication, file type, extension, or content validation. Attackers can upload a JSP webshell by specifying a malicious filename and root filepath, with the uploaded file stored under the pictures directory and directly executed by the web server, resulting in unauthenticated remote code execution. Exploitation evidence was first observed by the Shadowserver Foundation on 2023-11-07 (UTC).","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":9.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://buaq.net/go-167023.html","https://cn-sec.com/archives/1329088.html","https://www.cnblogs.com/yang-miemie/p/17714927.html","https://www.vulncheck.com/advisories/yonyou-ksoa-unauthenticated-file-upload-rce-via-imageupload-servlet","https://www.yonyou.com/"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T17:16:56","euvd":null},{"cve_id":"CVE-2026-58455","summary":"Dockwatch through 0.6.567 contains an unauthenticated OS command injection vulnerability that allows remote attackers to execute arbitrary shell commands by exploiting a missing exit() after an authentication redirect in loader.php combined with unsanitized input passed to shell_exec() in ajax/compose.php. Attackers can seed the required session flag through the incomplete auth check, then inject arbitrary commands via the composePath POST parameter in the composePull action to achieve full host compromise, facilitated by the standard deployment mounting of the Docker socket.","cvss":9.2,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":9.2,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Notifiarr/dockwatch/pull/135","https://www.vulncheck.com/advisories/dockwatch-unauthenticated-os-command-injection-via-ajax-compose-php"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T16:16:35","euvd":null},{"cve_id":"CVE-2026-44941","summary":"A relative path traversal in the \"keyhint\" option in repomd.xml parsing of libzypp before 17.38.12 can be used by attackers able to supply a malicious repository to inject or overwrite files in the target system as root.","cvss":8.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.4,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://bugzilla.suse.com/show_bug.cgi?id=1267426","https://github.com/openSUSE/libzypp/commit/294b1bad442d089ca671c5c03adc8031e3b29e04","https://bugzilla.suse.com/show_bug.cgi?id=1267426"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T16:16:30","euvd":null},{"cve_id":"CVE-2026-8079","summary":"In Progress Flowmon versions prior to 12.5.9 and 13.0.11, a vulnerability exists whereby an authenticated low-privileged user may craft a request during the PDF generation process that results in operations being performed with the privileges of another user, potentially leading to unauthorized access to sensitive data and unintended modifications to system configuration.","cvss":8.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":8.7,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://community.progress.com/s/article/Flowmon-CVE-2026-8079"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T15:17:11","euvd":null},{"cve_id":"CVE-2026-9272","summary":"In Progress Flowmon ADS versions prior to 12.5.6 and 13.0.5, a vulnerability exists whereby an adversary who is authenticated as a low-privileged user in the Anomaly Detection System (ADS) may send specially crafted requests that could result in unauthorized access to application data and its modification.","cvss":8.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":8.7,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://community.progress.com/s/article/Flowmon-CVE-2026-9272"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T15:17:11","euvd":null},{"cve_id":"CVE-2026-56841","summary":"A malicious actor with access to the network and low privileges could exploit an authenticated SQL Injection vulnerability found in UniFi Protect Application to escalate privileges on the host device.","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://community.ui.com/releases/Security-Advisory-Bulletin-066-066/984eceb3-49c8-4227-942d-671c289b3afc"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T15:17:07","euvd":null},{"cve_id":"CVE-2026-56842","summary":"A malicious actor with access to the network and under certain conditions could exploit an Incorrect Authorization vulnerability found in UniFi Network Application to persist privileges within UniFi Network Application after such access had been removed.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://community.ui.com/releases/Security-Advisory-Bulletin-066-066/984eceb3-49c8-4227-942d-671c289b3afc"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T15:17:07","euvd":null},{"cve_id":"CVE-2026-56004","summary":"A shellcode injection in the mercurial handler of the obs tar_scm source service before version 0.12.4 could be used by attackers able to provide a _service file to execute code as the source service or the local user checking out the malicious services","cvss":10.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":10.0,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openSUSE/obs-service-tar_scm/pull/552/changes/bcf29d318c671c45fe87dd9f995a4a0c78ecedd7"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T15:17:06","euvd":null},{"cve_id":"CVE-2026-55112","summary":"A malicious actor with access to the network and low privileges and under certain conditions could exploit an Improper Access Control vulnerability found in UniFi OS with UniFi Protect Application to escalate privileges on the host device.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://community.ui.com/releases/Security-Advisory-Bulletin-066-066/984eceb3-49c8-4227-942d-671c289b3afc"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T15:17:05","euvd":null},{"cve_id":"CVE-2026-55113","summary":"A malicious actor with access to the network could exploit a Server-Side Request Forgery (SSRF) vulnerability found in UniFi Talk Application to execute a Denial of Service (DoS) attack and bypass authentication in certain UniFi Talk API endpoints.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://community.ui.com/releases/Security-Advisory-Bulletin-066-066/984eceb3-49c8-4227-942d-671c289b3afc"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T15:17:05","euvd":null},{"cve_id":"CVE-2026-55114","summary":"A malicious actor with access to the network and low privileges could exploit an Improper Access Control vulnerability found in UniFi Network Application to escalate privileges within the UniFi Network Application.","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://community.ui.com/releases/Security-Advisory-Bulletin-066-066/984eceb3-49c8-4227-942d-671c289b3afc"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T15:17:05","euvd":null},{"cve_id":"CVE-2026-55115","summary":"A malicious actor with access to the network and low privileges could exploit a Server-Side Request Forgery (SSRF) in UniFi Protect Application to escalate privileges on the host device.","cvss":9.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.9,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://community.ui.com/releases/Security-Advisory-Bulletin-066-066/984eceb3-49c8-4227-942d-671c289b3afc"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T15:17:05","euvd":null},{"cve_id":"CVE-2026-55116","summary":"A malicious actor with access to the network and under certain network configurations could exploit an Improper Access Control vulnerability found in certain devices running UniFi OS to make unauthorized changes to such UniFi OS devices.","cvss":9.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.0,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://community.ui.com/releases/Security-Advisory-Bulletin-066-066/984eceb3-49c8-4227-942d-671c289b3afc"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T15:17:05","euvd":null},{"cve_id":"CVE-2026-55117","summary":"A malicious actor with access to the network could exploit a Path Traversal vulnerability found in UniFi Access Application to access files on the host device.","cvss":8.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.6,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://community.ui.com/releases/Security-Advisory-Bulletin-066-066/984eceb3-49c8-4227-942d-671c289b3afc"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T15:17:05","euvd":null},{"cve_id":"CVE-2026-55118","summary":"A malicious actor with access to the network,low privileges and under certain conditions could exploit an Improper Access Control vulnerability found in UniFi Network Application to escalate privileges within the UniFi Network Application.","cvss":8.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.3,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://community.ui.com/releases/Security-Advisory-Bulletin-066-066/984eceb3-49c8-4227-942d-671c289b3afc"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T15:17:05","euvd":null},{"cve_id":"CVE-2026-55119","summary":"A malicious actor with access to the network and low privileges could exploit an Improper Access Control vulnerability found in UniFi Talk Application to escalate privileges within the UniFi Talk Application.","cvss":8.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://community.ui.com/releases/Security-Advisory-Bulletin-066-066/984eceb3-49c8-4227-942d-671c289b3afc"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T15:17:05","euvd":null},{"cve_id":"CVE-2026-54404","summary":"A malicious actor with access to the network and low privileges could exploit a series of authenticated SQL Injection vulnerabilities found in UniFi OS to escalate privileges within such UniFi OS devices or instances.","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://community.ui.com/releases/Security-Advisory-Bulletin-066-066/984eceb3-49c8-4227-942d-671c289b3afc"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T15:17:04","euvd":null},{"cve_id":"CVE-2026-54405","summary":"A malicious actor with access to the network could exploit an Improper Input Validation vulnerability found in UniFi Network Application to execute a Denial of Service (DoS) attack on the application.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://community.ui.com/releases/Security-Advisory-Bulletin-066-066/984eceb3-49c8-4227-942d-671c289b3afc"],"vendor":"ui","product":"unifi_network_application","version":null,"published_time":"2026-07-02T15:17:04","euvd":null},{"cve_id":"CVE-2026-54406","summary":"A malicious actor with access to the network and high privileges could exploit a Path Traversal vulnerability found in self-hosted instances of UniFi Network Application to escalate write permission on the host device.","cvss":8.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.7,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://community.ui.com/releases/Security-Advisory-Bulletin-066-066/984eceb3-49c8-4227-942d-671c289b3afc"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T15:17:04","euvd":null},{"cve_id":"CVE-2026-54407","summary":"A malicious actor with access to the network could exploit an Improper Access Control vulnerability found in UniFi Protect Application to bypass authentication in certain UniFi Protect Application API endpoints.","cvss":8.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.6,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://community.ui.com/releases/Security-Advisory-Bulletin-066-066/984eceb3-49c8-4227-942d-671c289b3afc"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T15:17:04","euvd":null},{"cve_id":"CVE-2026-54408","summary":"A malicious actor with access to the network could exploit an Improper Access Control vulnerability found in UniFi Protect Application to bypass authentication for data streaming.","cvss":8.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.6,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://community.ui.com/releases/Security-Advisory-Bulletin-066-066/984eceb3-49c8-4227-942d-671c289b3afc"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T15:17:04","euvd":null},{"cve_id":"CVE-2026-54409","summary":"A malicious actor with access to the network and under certain conditions could exploit an Improper Initialization vulnerability found in UniFi Protect Application to bypass authentication in UniFi Protect Cameras.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://community.ui.com/releases/Security-Advisory-Bulletin-066-066/984eceb3-49c8-4227-942d-671c289b3afc"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T15:17:04","euvd":null},{"cve_id":"CVE-2026-55110","summary":"A malicious actor who lures an authenticated user to a malicious page could exploit a Cross-Origin Resource Sharing (CORS) misconfiguration found in UniFi OS to trigger actions in UniFi OS using that user's session.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://community.ui.com/releases/Security-Advisory-Bulletin-066-066/984eceb3-49c8-4227-942d-671c289b3afc"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T15:17:04","euvd":null},{"cve_id":"CVE-2026-55111","summary":"A malicious actor with access to the network could exploit a Path Traversal vulnerability found in UniFi Protect Floodlight devices to access files on the UniFi Protect Floodlight.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://community.ui.com/releases/Security-Advisory-Bulletin-066-066/984eceb3-49c8-4227-942d-671c289b3afc"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T15:17:04","euvd":null},{"cve_id":"CVE-2026-53357","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del()\n\nbt_accept_dequeue() unlinks a not-yet-accepted child from the parent\naccept queue and release_sock()s it before returning, so the returned\nsk has no caller reference and is unlocked.\n\nl2cap_sock_cleanup_listen() walks these children on listening-socket\nclose.  A concurrent HCI disconnect drives hci_rx_work ->\nl2cap_conn_del() which runs l2cap_chan_del() + l2cap_sock_kill() and\nfrees the child sk and its l2cap_chan; cleanup_listen() then uses both:\n\n  BUG: KASAN: slab-use-after-free in l2cap_sock_kill\n    l2cap_sock_kill / l2cap_sock_cleanup_listen / __x64_sys_close\n  Freed by: l2cap_conn_del -> l2cap_sock_close_cb -> l2cap_sock_kill\n\nThis is distinct from the two fixes already in this area: commit\ne83f5e24da741 (\"Bluetooth: serialize accept_q access\") serialises the\naccept_q list/poll and takes temporary refs inside bt_accept_dequeue(),\nand CVE-2025-39860 serialises the userspace close()/accept() race by\ncalling cleanup_listen() under lock_sock() in l2cap_sock_release().\nNeither covers l2cap_conn_del() running from hci_rx_work, so this UAF\nstill reproduces on current bluetooth/master.\n\nTake the reference at the source: bt_accept_dequeue() does sock_hold()\nwhile sk is still locked, before release_sock(); callers sock_put().\ncleanup_listen() pins the chan with l2cap_chan_hold_unless_zero() under\na brief child sk lock (serialising vs l2cap_sock_teardown_cb()), drops\nit before l2cap_chan_lock(), and skips a duplicate l2cap_sock_kill() on\nSOCK_DEAD.  conn->lock is not taken here: cleanup_listen() runs under\nthe parent sk lock and that would invert\nconn->lock -> chan->lock -> sk_lock (lockdep).\n\nKASAN/SMP: an unprivileged listen/close vs HCI-disconnect race produced\n12 use-after-free reports per run before this change; 0, and no lockdep\nreport, over 1600+ raced iterations after it on bluetooth/master.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/407217734835d21d4e0105ebf347860dc1806f88","https://git.kernel.org/stable/c/5d86d2f1b4d9a508c441d3e45277ae1a73cfed57","https://git.kernel.org/stable/c/751de6ec671fe75ad9cf65a0638d2a06b6a5984d","https://git.kernel.org/stable/c/7eebd4c2c86f573af87ff165d08a83432eb0b919","https://git.kernel.org/stable/c/87c543e2f78d0871f271df92dab98901bbd5b6f5","https://git.kernel.org/stable/c/a5ca86a6097a8b030ca3226cd300b17ed330f966","https://git.kernel.org/stable/c/ab1513597c6cf17cd1ad2a21e3b045421b48e022","https://git.kernel.org/stable/c/added1213395071470a900cc845a042fb51882a6"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T15:17:03","euvd":null},{"cve_id":"CVE-2026-53358","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: use chan timer to close channels in cleanup_listen()\n\nl2cap_chan_close() removes the channel from conn->chan_l, which\nmust be done under conn->lock.  cleanup_listen() runs under the\nparent sk_lock, so acquiring conn->lock would invert the\nestablished conn->lock -> chan->lock -> sk_lock order.\n\nInstead of calling l2cap_chan_close() directly, schedule\nl2cap_chan_timeout with delay 0 to close the channel\nasynchronously.  The timeout handler already acquires conn->lock\nand chan->lock in the correct order.\n\nThe timer is only armed when chan->conn is still set: if it is\nalready NULL, l2cap_conn_del() has already processed this channel\n(l2cap_chan_del + l2cap_sock_teardown_cb + l2cap_sock_close_cb),\nso there is nothing left to do.  If l2cap_conn_del() races in\nafter the timer is armed, __clear_chan_timer() inside\nl2cap_chan_del() cancels it; if the timer has already fired, the\nhandler returns harmlessly because chan->conn was cleared.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/3634cbdc2eb414b69ffa752ddbe5e0458518e321","https://git.kernel.org/stable/c/50dfec218808b148ab4247b1858031b7a32015c5","https://git.kernel.org/stable/c/7555fd885a0603f50e49a655850a1f2bd8a25398","https://git.kernel.org/stable/c/859d3ace791ed878ae9ba5522c7844d960da8f88","https://git.kernel.org/stable/c/89dec92041717b027216e110599e4f6d6c921b79","https://git.kernel.org/stable/c/8c8e620467a7b51562dbcefbd1f09f288d7d710d","https://git.kernel.org/stable/c/deb8493a8fa599f6c95e2465b12bfdfb7f94a1d9","https://git.kernel.org/stable/c/e1c100e2d61bd8c718b7d91fe3e050780a9bf72d"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T15:17:03","euvd":null},{"cve_id":"CVE-2026-54400","summary":"A malicious actor with access to the network and high privileges could exploit an Improper Access Control vulnerability found in UniFi Access Application to escalate privileges on the host device.","cvss":9.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://community.ui.com/releases/Security-Advisory-Bulletin-066-066/984eceb3-49c8-4227-942d-671c289b3afc"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T15:17:03","euvd":null},{"cve_id":"CVE-2026-54401","summary":"A malicious actor with access to the network and low privileges could exploit a Server-Side Request Forgery (SSRF) to escalate privileges within such UniFi OS devices or instances.","cvss":7.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.7,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://community.ui.com/releases/Security-Advisory-Bulletin-066-066/984eceb3-49c8-4227-942d-671c289b3afc"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T15:17:03","euvd":null},{"cve_id":"CVE-2026-54402","summary":"A malicious actor with access to the network and low privileges could exploit an Improper Input Validation vulnerability found in UniFi OS to execute a Command Injection on the host device.","cvss":9.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.9,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://community.ui.com/releases/Security-Advisory-Bulletin-066-066/984eceb3-49c8-4227-942d-671c289b3afc"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T15:17:03","euvd":null},{"cve_id":"CVE-2026-54403","summary":"A malicious actor with access to the network could exploit a Path Traversal vulnerability found in certain devices running UniFi OS to bypass authentication of such UniFi OS devices or instances.","cvss":8.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.6,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://community.ui.com/releases/Security-Advisory-Bulletin-066-066/984eceb3-49c8-4227-942d-671c289b3afc"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T15:17:03","euvd":null},{"cve_id":"CVE-2026-50746","summary":"A malicious actor with access to the network could exploit an Improper Access Control vulnerability found in UniFi Connect Application to execute a Command Injection on the host device.","cvss":10.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":10.0,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://community.ui.com/releases/Security-Advisory-Bulletin-066-066/984eceb3-49c8-4227-942d-671c289b3afc"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T15:17:02","euvd":null},{"cve_id":"CVE-2026-50747","summary":"A malicious actor with access to the network and low privileges could exploit a series of authenticated SQL Injection vulnerabilities found in UniFi Talk Application to escalate privileges on the host device.","cvss":9.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.9,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://community.ui.com/releases/Security-Advisory-Bulletin-066-066/984eceb3-49c8-4227-942d-671c289b3afc"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T15:17:02","euvd":null},{"cve_id":"CVE-2026-50748","summary":"A malicious actor with access to the network and low privileges could exploit an Improper Input Validation vulnerability found in UniFi Access Application to execute a Command Injection on the host device.","cvss":9.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.9,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://community.ui.com/releases/Security-Advisory-Bulletin-066-066/984eceb3-49c8-4227-942d-671c289b3afc"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T15:17:02","euvd":null},{"cve_id":"CVE-2026-12167","summary":"The Minifilter communication port for driver `GFAC_Sys_x64.sys` in Little Orbit GFAC allows a local attacker to access privileged driver functionality via a communication interface that lacks appropriate access restrictions.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/FzRsLLaSheR/CVE-2026-12166_CVE-2026-12167_CVE-2026-12168","https://kb.cert.org/vuls/id/639124","https://www.littleorbit.com/"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T15:16:57","euvd":null},{"cve_id":"CVE-2026-12168","summary":"An improper validation vulnerability for driver `GFAC_Sys_x64.sys` in Little Orbit GFAC allows a local attacker to escalate privileges to SYSTEM and execute arbitrary code in kernel mode via crafted messages sent through a Minifilter communication port.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/FzRsLLaSheR/CVE-2026-12166_CVE-2026-12167_CVE-2026-12168","https://kb.cert.org/vuls/id/639124","https://www.littleorbit.com/"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T15:16:57","euvd":null},{"cve_id":"CVE-2026-12166","summary":"A NULL pointer dereference vulnerability for driver `GFAC_Sys_x64.sys` in Little Orbit GFAC allows a local attacker to cause a denial of service via crafted requests that trigger a system crash.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/FzRsLLaSheR/CVE-2026-12166_CVE-2026-12167_CVE-2026-12168","https://kb.cert.org/vuls/id/639124","https://www.littleorbit.com/"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T15:16:56","euvd":null},{"cve_id":"CVE-2026-4767","summary":"Missing authentication for critical function vulnerability in TR7 Cyber ​​Defense Inc. WAF-ASP allows Authentication Abuse.\n\nThis issue affects WAF-ASP: from v1.0.324.900 before v1.4.0.117.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0487"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T14:16:25","euvd":null},{"cve_id":"CVE-2026-58652","summary":"luci-app-travelmate (and the travelmate package) contain a privilege-escalation flaw: a LuCI/rpcd session holding the luci-app-travelmate write ACL is granted config-wide UCI write access to the travelmate configuration. While the LuCI UI restricts the auto-login script picker to /etc/travelmate/*.login, this is only a frontend restriction. The backend travelmate service (running as root) reads the raw UCI 'script' and 'script_args' values and executes the configured path when the captive-portal auto-login branch (f_check() in travelmate-functions.sh) is reached. An attacker with delegated write permissions can set script to /bin/sh and script_args to attacker-controlled arguments, resulting in arbitrary command execution as root. Confirmed in luci-app-travelmate/travelmate 2.4.5-r3; the sink is still present in travelmate 2.4.6-1 and no patched version is known.","cvss":7.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":7.7,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openwrt/luci/commit/0627b412ee3a760cc4bca9fc8a5b73de8f33ac10","https://github.com/openwrt/luci/commit/491f1df06645c4e0757fed4a9f0622e9ce0d300c","https://github.com/openwrt/luci/commit/71d92bcc9edbc8f95858ce82a8ff5d52500005a2","https://github.com/openwrt/luci/commit/d6e457a1a70a9010195edeafdc0b8eb6e3b0f7f1","https://github.com/openwrt/luci/commit/f85102548ee8325bfd581a0327b210b5f7670829","https://github.com/openwrt/luci/security/advisories/GHSA-p35r-3323-6g7g","https://www.vulncheck.com/advisories/luci-app-travelmate-arbitrary-command-execution-via-uci-script-parameter","https://github.com/openwrt/luci/security/advisories/GHSA-p35r-3323-6g7g"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T13:17:00","euvd":null},{"cve_id":"CVE-2026-58653","summary":"PraisonAI before 0.1.7 fails to validate that project_id in issue create and update request bodies belongs to the URL workspace. An attacker can create issues referencing projects from other workspaces, causing cross-tenant data pollution in project statistics aggregation without workspace constraints.","cvss":5.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":5.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-2fjj-qqg8-fg7x","https://www.vulncheck.com/advisories/praisonai-authorization-bypass-via-unvalidated-project-id-in-issue-create-update","https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-2fjj-qqg8-fg7x"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T13:17:00","euvd":null},{"cve_id":"CVE-2026-5524","summary":"The Divi Form Builder plugin for WordPress is vulnerable to Arbitrary File Upload leading to Remote Code Execution in all versions up to and including 5.1.8. This is due to insufficient file extension validation in the do_image_upload() function where user-supplied input from the acceptFileTypes POST parameter is directly interpolated into a regular expression used to validate uploaded files. Attackers can specify PHP-executable extensions such as .phtml, .phar, .php5, or .php7 to bypass the plugin's .htaccess protection which only blocks .php files specifically. Additionally, on Nginx-based servers, the .htaccess protection is completely ineffective as Nginx does not process .htaccess files. This makes it possible for unauthenticated attackers (who can obtain a nonce from any public page containing a form) to upload executable PHP files to the publicly accessible /wp-content/uploads/de_fb_uploads/ directory and achieve Remote Code Execution by accessing the uploaded file via HTTP. The vulnerability was partially patched in version 5.1.3.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://diviengine.com/divi-form-builder-changelog/","https://www.wordfence.com/threat-intel/vulnerabilities/id/9692deb2-2526-4983-8a13-93a382e230c8?source=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T13:17:00","euvd":null},{"cve_id":"CVE-2026-4770","summary":"Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in TR7 Cyber ​​Defense Inc. Web Application Firewall allows DOM-Based XSS.\n\nThis issue affects Web Application Firewall: from v1.0.42.239 before v1.4.0.117.","cvss":4.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.6,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0487"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T13:16:55","euvd":null},{"cve_id":"CVE-2026-4772","summary":"Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in TR7 Cyber ​​Defense Inc. WAF-ASP allows Stored XSS.\n\nThis issue affects WAF-ASP: from v1.0.324.900 before v1.4.0.117.","cvss":5.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.4,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0487"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T13:16:55","euvd":null},{"cve_id":"CVE-2026-57760","summary":"Missing Authorization vulnerability in Sendcloud Sendcloud Shipping allows Exploiting Incorrectly Configured Access Control Security Levels.\n\nThis issue affects Sendcloud Shipping: from n/a through 1.0.29.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/sendcloud-connected-shipping/vulnerability/wordpress-sendcloud-shipping-plugin-1-0-28-broken-access-control-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:42","euvd":null},{"cve_id":"CVE-2026-57761","summary":"Unauthenticated Cross Site Request Forgery (CSRF) in SEOWP <= 3.12.2 versions.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/theme/seowp/vulnerability/wordpress-seowp-theme-3-12-2-csrf-to-stored-xss-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:42","euvd":null},{"cve_id":"CVE-2026-57762","summary":"Author Cross Site Scripting (XSS) in Simple URLs <= 151 versions.","cvss":5.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.9,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/simple-urls/vulnerability/wordpress-simple-urls-plugin-151-cross-site-scripting-xss-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:42","euvd":null},{"cve_id":"CVE-2026-57763","summary":"Contributor Cross Site Scripting (XSS) in Structured Content <= 1.7.0 versions.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/structured-content/vulnerability/wordpress-structured-content-plugin-1-7-0-cross-site-scripting-xss-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:42","euvd":null},{"cve_id":"CVE-2026-57764","summary":"Contributor Cross Site Scripting (XSS) in Surbma | Yoast SEO Breadcrumb Shortcode <= 1.2 versions.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/surbma-yoast-breadcrumb-shortcode/vulnerability/wordpress-surbma-yoast-seo-breadcrumb-shortcode-plugin-1-2-cross-site-scripting-xss-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:42","euvd":null},{"cve_id":"CVE-2026-57765","summary":"Contributor SQL Injection in WP EasyCart <= 5.9.0 versions.","cvss":8.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/wp-easycart/vulnerability/wordpress-wp-easycart-plugin-5-9-0-sql-injection-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:42","euvd":null},{"cve_id":"CVE-2026-57766","summary":"Unauthenticated Cross Site Request Forgery (CSRF) in WPIDE – File Manager & Code Editor <= 3.5.6 versions.","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/wpide/vulnerability/wordpress-wpide-file-manager-code-editor-plugin-3-5-6-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:42","euvd":null},{"cve_id":"CVE-2026-57752","summary":"Contributor SQL Injection in iNET Webkit 1.2.4 versions.","cvss":8.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/inet-webkit/vulnerability/wordpress-inet-webkit-plugin-1-2-4-sql-injection-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:41","euvd":null},{"cve_id":"CVE-2026-57753","summary":"Unauthenticated Sensitive Data Exposure in Kit (formerly ConvertKit) for WooCommerce <= 2.1.5 versions.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/convertkit-for-woocommerce/vulnerability/wordpress-kit-formerly-convertkit-for-woocommerce-plugin-2-1-5-sensitive-data-exposure-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:41","euvd":null},{"cve_id":"CVE-2026-57754","summary":"Contributor Cross Site Scripting (XSS) in Livemesh Addons for WPBakery Page Builder <= 3.9.4 versions.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/addons-for-visual-composer/vulnerability/wordpress-livemesh-addons-for-wpbakery-page-builder-plugin-3-9-4-cross-site-scripting-xss-vulnerability-2?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:41","euvd":null},{"cve_id":"CVE-2026-57755","summary":"Contributor Cross Site Scripting (XSS) in Mosaic Gallery &#8211; Advanced Gallery <= 1.2.0 versions.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/mosaic-gallery-advanced-gallery/vulnerability/wordpress-mosaic-gallery-8211-advanced-gallery-plugin-1-2-0-cross-site-scripting-xss-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:41","euvd":null},{"cve_id":"CVE-2026-57756","summary":"Contributor SQL Injection in nicen-localize-image <= 1.4.9 versions.","cvss":8.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/nicen-localize-image/vulnerability/wordpress-nicen-localize-image-plugin-1-4-9-sql-injection-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:41","euvd":null},{"cve_id":"CVE-2026-57757","summary":"Unauthenticated Cross Site Request Forgery (CSRF) in pCloud WP Backup <= 2.0.2 versions.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/pcloud-wp-backup/vulnerability/wordpress-pcloud-wp-backup-plugin-2-0-2-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:41","euvd":null},{"cve_id":"CVE-2026-57758","summary":"Unauthenticated Cross Site Request Forgery (CSRF) in Permalink Manager for WooCommerce <= 1.0.8.2 versions.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/permalink-manager-for-woocommerce/vulnerability/wordpress-permalink-manager-for-woocommerce-plugin-1-0-8-2-csrf-to-stored-xss-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:41","euvd":null},{"cve_id":"CVE-2026-57759","summary":"Unauthenticated Cross Site Request Forgery (CSRF) in ProfileGrid  <= 5.9.9.7 versions.","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/profilegrid-user-profiles-groups-and-communities/vulnerability/wordpress-profilegrid-plugin-5-9-9-7-csrf-to-account-takeover-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:41","euvd":null},{"cve_id":"CVE-2026-57730","summary":"Subscriber Broken Access Control in Flatsome <= 3.20.5 versions.","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/theme/flatsome/vulnerability/wordpress-flatsome-theme-3-20-5-broken-access-control-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:40","euvd":null},{"cve_id":"CVE-2026-57731","summary":"Contributor Broken Access Control in Flatsome <= 3.20.5 versions.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/theme/flatsome/vulnerability/wordpress-flatsome-theme-3-20-5-broken-access-control-vulnerability-2?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:40","euvd":null},{"cve_id":"CVE-2026-57746","summary":"Subscriber Broken Access Control in Booked <= 3.0.0 versions.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/booked/vulnerability/wordpress-booked-plugin-3-0-0-broken-access-control-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:40","euvd":null},{"cve_id":"CVE-2026-57747","summary":"Unauthenticated Cross Site Request Forgery (CSRF) in Booked <= 3.0.0 versions.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/booked/vulnerability/wordpress-booked-plugin-3-0-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:40","euvd":null},{"cve_id":"CVE-2026-57748","summary":"Contributor Local File Inclusion in Shopify <= 1.0.0 versions.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/shopify-plugin/vulnerability/wordpress-shopify-plugin-1-0-0-local-file-inclusion-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:40","euvd":null},{"cve_id":"CVE-2026-57749","summary":"Contributor Local File Inclusion in SportsPress Pro <= 2.7.29 versions.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/sportspress-pro/vulnerability/wordpress-sportspress-pro-plugin-2-7-29-local-file-inclusion-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:40","euvd":null},{"cve_id":"CVE-2026-57750","summary":"Unauthenticated Broken Access Control in ez Form Calculator Premium <= 2.14.1.2 versions.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/ez-form-calculator-premium/vulnerability/wordpress-ez-form-calculator-premium-plugin-2-14-1-2-broken-access-control-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:40","euvd":null},{"cve_id":"CVE-2026-57751","summary":"Unauthenticated Cross Site Request Forgery (CSRF) in Heateor Social Login <= 1.1.39 versions.","cvss":8.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/heateor-social-login/vulnerability/wordpress-heateor-social-login-plugin-1-1-39-cross-site-request-forgery-csrf-vulnerability-2?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:40","euvd":null},{"cve_id":"CVE-2026-57683","summary":"Unauthenticated SQL Injection in WP Fast Total Search <= 1.80.280 versions.","cvss":9.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.3,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/fulltext-search/vulnerability/wordpress-wp-fast-total-search-plugin-1-80-280-sql-injection-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:39","euvd":null},{"cve_id":"CVE-2026-57684","summary":"Contributor Cross Site Scripting (XSS) in TheFox <= 3.9.70 versions.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/theme/thefox/vulnerability/wordpress-thefox-theme-3-9-70-cross-site-scripting-xss-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:39","euvd":null},{"cve_id":"CVE-2026-57685","summary":"Subscriber Broken Access Control in Martfury - WooCommerce Marketplace WordPress Theme <= 3.2.8 versions.","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/theme/martfury/vulnerability/wordpress-martfury-woocommerce-marketplace-wordpress-theme-theme-3-2-8-broken-access-control-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:39","euvd":null},{"cve_id":"CVE-2026-57686","summary":"Unauthenticated Cross Site Scripting (XSS) in WowAddons <= 1.6.14 versions.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/product-addons/vulnerability/wordpress-wowaddons-plugin-1-6-14-cross-site-scripting-xss-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:39","euvd":null},{"cve_id":"CVE-2026-57687","summary":"Contributor SQL Injection in Custom Field Template <= 2.7.8 versions.","cvss":8.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/custom-field-template/vulnerability/wordpress-custom-field-template-plugin-2-7-8-sql-injection-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:39","euvd":null},{"cve_id":"CVE-2026-57688","summary":"Unauthenticated Broken Access Control in POS Entegratör <= 3.7.103 versions.","cvss":8.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.2,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/pos-entegrator/vulnerability/wordpress-pos-entegratoer-plugin-3-7-103-broken-access-control-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:39","euvd":null},{"cve_id":"CVE-2026-57689","summary":"Subscriber Broken Access Control in Werkstatt <= 4.7.2 versions.","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/theme/werkstatt/vulnerability/wordpress-werkstatt-theme-4-7-2-broken-access-control-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:39","euvd":null},{"cve_id":"CVE-2026-57690","summary":"Unauthenticated Cross Site Request Forgery (CSRF) in Werkstatt <= 4.7.2 versions.","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/theme/werkstatt/vulnerability/wordpress-werkstatt-theme-4-7-2-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:39","euvd":null},{"cve_id":"CVE-2026-57674","summary":"Unauthenticated Cross Site Scripting (XSS) in Timetics <= 1.0.58 versions.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/timetics/vulnerability/wordpress-timetics-plugin-1-0-58-cross-site-scripting-xss-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:38","euvd":null},{"cve_id":"CVE-2026-57675","summary":"Unauthenticated Cross Site Scripting (XSS) in WP Photo Album Plus <= 9.2.02.004 versions.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/wp-photo-album-plus/vulnerability/wordpress-wp-photo-album-plus-plugin-9-2-02-004-cross-site-scripting-xss-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:38","euvd":null},{"cve_id":"CVE-2026-57677","summary":"Unauthenticated PHP Object Injection in Novalnet Payment Gateway for WooCommerce <= 12.10.3 versions.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/woocommerce-novalnet-gateway/vulnerability/wordpress-novalnet-payment-gateway-for-woocommerce-plugin-12-10-3-php-object-injection-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:38","euvd":null},{"cve_id":"CVE-2026-57678","summary":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemePunch Slider Revolution allows Reflected XSS.\n\nThis issue affects Slider Revolution: from 7.0.0 through 7.0.16.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/revslider/vulnerability/wordpress-slider-revolution-plugin-7-0-16-cross-site-scripting-xss-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:38","euvd":null},{"cve_id":"CVE-2026-57679","summary":"Unauthenticated SQL Injection in GeekyBot <= 1.2.5 versions.","cvss":9.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.3,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/geeky-bot/vulnerability/wordpress-geekybot-plugin-1-2-5-sql-injection-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:38","euvd":null},{"cve_id":"CVE-2026-57680","summary":"Unauthenticated Insecure Direct Object References (IDOR) in Kirki <= 6.0.11 versions.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/kirki/vulnerability/wordpress-kirki-plugin-6-0-11-insecure-direct-object-references-idor-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:38","euvd":null},{"cve_id":"CVE-2026-57681","summary":"Subscriber Server Side Request Forgery (SSRF) in GeoDirectory <= 2.8.161 versions.","cvss":6.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.4,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/geodirectory/vulnerability/wordpress-geodirectory-plugin-2-8-161-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:38","euvd":null},{"cve_id":"CVE-2026-57682","summary":"Unauthenticated Cross Site Scripting (XSS) in Simple Link Directory <= 15.0.5 versions.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/qc-simple-link-directory/vulnerability/wordpress-simple-link-directory-plugin-15-0-5-cross-site-scripting-xss-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:38","euvd":null},{"cve_id":"CVE-2026-57621","summary":"Unauthenticated PHP Object Injection in Booktics <= 1.0.21 versions.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/booktics/vulnerability/wordpress-booktics-plugin-1-0-21-php-object-injection-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:37","euvd":null},{"cve_id":"CVE-2026-57623","summary":"Unauthenticated Arbitrary Code Execution in W3 Total Cache <= 2.9.4 versions.","cvss":9.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.0,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/w3-total-cache/vulnerability/wordpress-w3-total-cache-plugin-2-9-4-arbitrary-code-execution-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:37","euvd":null},{"cve_id":"CVE-2026-57624","summary":"Unauthenticated Remote Code Execution (RCE) in Blocksy Companion Pro <= 2.1.46 versions.","cvss":10.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":10.0,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/blocksy-companion-pro/vulnerability/wordpress-blocksy-companion-pro-plugin-2-1-46-remote-code-execution-rce-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:37","euvd":null},{"cve_id":"CVE-2026-57625","summary":"Unauthenticated Cross Site Scripting (XSS) in Admin and Site Enhancements (ASE) Pro <= 8.8.5 versions.","cvss":9.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.6,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/admin-site-enhancements-pro/vulnerability/wordpress-admin-and-site-enhancements-ase-pro-plugin-8-8-5-cross-site-scripting-xss-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:37","euvd":null},{"cve_id":"CVE-2026-57669","summary":"Subscriber Broken Access Control in Advanced Contact form 7 DB <= 2.0.9 versions.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/advanced-cf7-db/vulnerability/wordpress-advanced-contact-form-7-db-plugin-2-0-9-broken-access-control-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:37","euvd":null},{"cve_id":"CVE-2026-57670","summary":"Unauthenticated Cross Site Scripting (XSS) in Google Maps CP <= 1.2.5 versions.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/codepeople-post-map/vulnerability/wordpress-google-maps-cp-plugin-1-2-5-cross-site-scripting-xss-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:37","euvd":null},{"cve_id":"CVE-2026-57671","summary":"Unauthenticated Cross Site Scripting (XSS) in perfmatters <= 2.6.4 versions.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/perfmatters/vulnerability/wordpress-perfmatters-plugin-2-6-4-cross-site-scripting-xss-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:37","euvd":null},{"cve_id":"CVE-2026-57672","summary":"Unauthenticated Cross Site Scripting (XSS) in wpDataTables <= 6.5.1.1 versions.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/wpdatatables/vulnerability/wordpress-wpdatatables-plugin-6-5-1-1-cross-site-scripting-xss-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:37","euvd":null},{"cve_id":"CVE-2026-57673","summary":"Unauthenticated Cross Site Scripting (XSS) in Optimole <= 4.2.7 versions.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/optimole-wp/vulnerability/wordpress-optimole-plugin-4-2-7-cross-site-scripting-xss-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:37","euvd":null},{"cve_id":"CVE-2026-57357","summary":"Unauthenticated Cross Site Scripting (XSS) in Search Atlas SEO <= 2.6.6 versions.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/metasync/vulnerability/wordpress-search-atlas-seo-plugin-2-6-6-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:36","euvd":null},{"cve_id":"CVE-2026-57358","summary":"Unauthenticated Cross Site Scripting (XSS) in Customize My Account for WooCommerce <= 4.3.9 versions.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/customize-my-account-for-woocommerce/vulnerability/wordpress-customize-my-account-for-woocommerce-plugin-4-3-9-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:36","euvd":null},{"cve_id":"CVE-2026-57359","summary":"Unauthenticated Cross Site Scripting (XSS) in ReviewX <= 2.3.10 versions.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/reviewx/vulnerability/wordpress-reviewx-plugin-2-3-10-cross-site-scripting-xss-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:36","euvd":null},{"cve_id":"CVE-2026-57360","summary":"Unauthenticated Cross Site Scripting (XSS) in eCommerce Product Catalog <= 3.5.4 versions.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/ecommerce-product-catalog/vulnerability/wordpress-ecommerce-product-catalog-plugin-3-5-4-cross-site-scripting-xss-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:36","euvd":null},{"cve_id":"CVE-2026-57361","summary":"Unauthenticated Cross Site Scripting (XSS) in Survey Maker <= 5.2.2.5 versions.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/survey-maker/vulnerability/wordpress-survey-maker-plugin-5-2-2-5-cross-site-scripting-xss-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:36","euvd":null},{"cve_id":"CVE-2026-57362","summary":"Unauthenticated Cross Site Scripting (XSS) in ChatBot <= 8.3.2 versions.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/chatbot/vulnerability/wordpress-chatbot-plugin-8-3-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:36","euvd":null},{"cve_id":"CVE-2026-57366","summary":"Unauthenticated Cross Site Scripting (XSS) in WPAdverts <= 2.3.1 versions.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/wpadverts/vulnerability/wordpress-wpadverts-plugin-2-3-1-cross-site-scripting-xss-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:36","euvd":null},{"cve_id":"CVE-2026-57426","summary":"Unauthenticated Cross Site Scripting (XSS) in Modula - PRO <= 2.10.8 versions.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/modula/vulnerability/wordpress-modula-pro-plugin-2-10-8-cross-site-scripting-xss-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:36","euvd":null},{"cve_id":"CVE-2026-57349","summary":"Unauthenticated Cross Site Scripting (XSS) in WPeMatico RSS Feed Fetcher <= 2.8.17 versions.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/wpematico/vulnerability/wordpress-wpematico-rss-feed-fetcher-plugin-2-8-17-cross-site-scripting-xss-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:35","euvd":null},{"cve_id":"CVE-2026-57350","summary":"Unauthenticated Cross Site Scripting (XSS) in WP Debugging <= 2.12.2 versions.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/wp-debugging/vulnerability/wordpress-wp-debugging-plugin-2-12-2-cross-site-scripting-xss-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:35","euvd":null},{"cve_id":"CVE-2026-57351","summary":"Unauthenticated Cross Site Scripting (XSS) in HandL UTM Grabber <= 2.9.2 versions.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/handl-utm-grabber/vulnerability/wordpress-handl-utm-grabber-plugin-2-9-2-cross-site-scripting-xss-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:35","euvd":null},{"cve_id":"CVE-2026-57352","summary":"Unauthenticated Broken Authentication in ALD – Dropshipping and Fulfillment for AliExpress and WooCommerce <= 2.2.0 versions.","cvss":4.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/woo-alidropship/vulnerability/wordpress-ald-dropshipping-and-fulfillment-for-aliexpress-and-woocommerce-plugin-2-2-0-broken-authentication-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:35","euvd":null},{"cve_id":"CVE-2026-57353","summary":"Subscriber Broken Access Control in Link Whisper Premium <= 2.9.0 versions.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/link-whisper-premium/vulnerability/wordpress-link-whisper-premium-plugin-2-9-0-broken-access-control-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:35","euvd":null},{"cve_id":"CVE-2026-57354","summary":"Subscriber Cross Site Scripting (XSS) in JetReviews <= 3.0.0.1 versions.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/jet-reviews/vulnerability/wordpress-jetreviews-plugin-3-0-0-1-cross-site-scripting-xss-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:35","euvd":null},{"cve_id":"CVE-2026-57355","summary":"Subscriber Broken Access Control in Classified Listing <= 5.4.2 versions.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/classified-listing/vulnerability/wordpress-classified-listing-plugin-5-4-2-broken-access-control-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:35","euvd":null},{"cve_id":"CVE-2026-57356","summary":"Unauthenticated Cross Site Scripting (XSS) in MC Woocommerce Wishlist <= 1.9.19 versions.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/smart-wishlist-for-more-convert/vulnerability/wordpress-mc-woocommerce-wishlist-plugin-1-9-19-cross-site-scripting-xss-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:35","euvd":null},{"cve_id":"CVE-2026-56037","summary":"Deserialization of Untrusted Data vulnerability in Themify Themify Popup allows Object Injection.\n\nThis issue affects Themify Popup: from n/a through 1.4.3.","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/themify-popup/vulnerability/wordpress-themify-popup-plugin-1-4-3-php-object-injection-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:34","euvd":null},{"cve_id":"CVE-2026-57342","summary":"Subscriber Cross Site Scripting (XSS) in ShortPixel Adaptive Images <= 3.11.3 versions.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/shortpixel-adaptive-images/vulnerability/wordpress-shortpixel-adaptive-images-plugin-3-11-3-cross-site-scripting-xss-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:34","euvd":null},{"cve_id":"CVE-2026-57343","summary":"Unauthenticated Cross Site Scripting (XSS) in Real Estate 7 <= 3.5.9 versions.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/theme/realestate-7/vulnerability/wordpress-real-estate-7-theme-3-5-9-cross-site-scripting-xss-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:34","euvd":null},{"cve_id":"CVE-2026-57344","summary":"Unauthenticated Cross Site Scripting (XSS) in Classified Listing <= 5.4.2 versions.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/classified-listing/vulnerability/wordpress-classified-listing-plugin-5-4-2-cross-site-scripting-xss-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:34","euvd":null},{"cve_id":"CVE-2026-57345","summary":"Unauthenticated Cross Site Scripting (XSS) in Internal Links Manager <= 3.0.3 versions.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/seo-automated-link-building/vulnerability/wordpress-internal-links-manager-plugin-3-0-3-cross-site-scripting-xss-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:34","euvd":null},{"cve_id":"CVE-2026-57347","summary":"Subscriber Sensitive Data Exposure in Hotel Booking Lite <= 6.0.3 versions.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/motopress-hotel-booking-lite/vulnerability/wordpress-hotel-booking-lite-plugin-6-0-3-sensitive-data-exposure-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:34","euvd":null},{"cve_id":"CVE-2026-57348","summary":"Unauthenticated Server Side Request Forgery (SSRF) in Paid Member Subscriptions <= 3.0.4 versions.","cvss":7.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.2,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/paid-member-subscriptions/vulnerability/wordpress-paid-member-subscriptions-plugin-3-0-4-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:34","euvd":null},{"cve_id":"CVE-2026-49779","summary":"Customer Path Traversal in Tax Exempt for WooCommerce <= 1.9.3 versions.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/woocommerce-tax-exempt-plugin/vulnerability/wordpress-tax-exempt-for-woocommerce-plugin-1-9-3-path-traversal-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:29","euvd":null},{"cve_id":"CVE-2026-42382","summary":"Unauthenticated Local File Inclusion in Audrey <= 1.5 versions.","cvss":8.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/theme/audrey/vulnerability/wordpress-audrey-theme-1-5-local-file-inclusion-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:17","euvd":null},{"cve_id":"CVE-2026-39448","summary":"Unauthenticated Broken Access Control in NOWPayments for WooCommerce <= 1.4.0 versions.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/nowpayments-for-woocommerce/vulnerability/wordpress-nowpayments-for-woocommerce-plugin-1-4-0-broken-access-control-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:11","euvd":null},{"cve_id":"CVE-2026-27436","summary":"Editor Arbitrary Code Execution in Five Star Business Profile and Schema <= 2.3.19 versions.","cvss":9.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/business-profile/vulnerability/wordpress-five-star-business-profile-and-schema-plugin-2-3-19-arbitrary-code-execution-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:01","euvd":null},{"cve_id":"CVE-2026-27408","summary":"Unauthenticated Cross Site Scripting (XSS) in NativeChurch <= 4.8.8.2 versions.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/theme/nativechurch/vulnerability/wordpress-nativechurch-theme-4-8-8-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:00","euvd":null},{"cve_id":"CVE-2026-27412","summary":"Unauthenticated Local File Inclusion in Pearl - Corporate Business <= 3.4.10 versions.","cvss":8.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/theme/pearl/vulnerability/wordpress-pearl-corporate-business-theme-3-4-10-local-file-inclusion-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:00","euvd":null},{"cve_id":"CVE-2026-27414","summary":"Contributor PHP Object Injection in Werkstatt <= 4.8.3 versions.","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/theme/werkstatt/vulnerability/wordpress-werkstatt-theme-4-8-3-php-object-injection-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:00","euvd":null},{"cve_id":"CVE-2026-27419","summary":"Subscriber Arbitrary File Upload in Zegen <= 1.1.9 versions.","cvss":9.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.9,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/theme/zegen/vulnerability/wordpress-zegen-theme-1-1-9-arbitrary-file-upload-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:00","euvd":null},{"cve_id":"CVE-2026-27425","summary":"Unauthenticated Cross Site Scripting (XSS) in Automotive Listings <= 18.6 versions.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/automotive/vulnerability/wordpress-automotive-listings-plugin-18-6-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:00","euvd":null},{"cve_id":"CVE-2026-27426","summary":"Unauthenticated Cross Site Scripting (XSS) in Automotive Car Dealership Business <= 13.3.3 versions.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/theme/automotive/vulnerability/wordpress-automotive-car-dealership-business-theme-13-3-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:00","euvd":null},{"cve_id":"CVE-2026-27430","summary":"Unauthenticated Cross Site Scripting (XSS) in TheFox <= 3.9.76 versions.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/theme/thefox/vulnerability/wordpress-thefox-theme-3-9-76-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:00","euvd":null},{"cve_id":"CVE-2026-27433","summary":"Unauthenticated Broken Access Control in Motors <= 5.6.80 versions.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/theme/motors/vulnerability/wordpress-motors-theme-5-6-80-broken-access-control-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:17:00","euvd":null},{"cve_id":"CVE-2026-27402","summary":"Unauthenticated Cross Site Scripting (XSS) in Kids Life | Children School WordPress <= 5.2 versions.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/theme/kidslife/vulnerability/wordpress-kids-life-children-school-wordpress-theme-5-2-cross-site-scripting-xss-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:16:59","euvd":null},{"cve_id":"CVE-2026-27404","summary":"Unauthenticated Cross Site Scripting (XSS) in LMS <= 9.7 versions.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/theme/lms/vulnerability/wordpress-lms-theme-9-7-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:16:59","euvd":null},{"cve_id":"CVE-2026-27060","summary":"Contributor PHP Object Injection in ARMember Premium <= 7.0 versions.","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/armember/vulnerability/wordpress-armember-premium-plugin-7-0-php-object-injection-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:16:58","euvd":null},{"cve_id":"CVE-2026-14449","summary":"u5CMS through v12.8.8 is vulnerable to reflected XSS via the ‘thanks’ parameter in multiple form components","cvss":6.4,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":6.4,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/u5cms/u5cms/releases/tag/v12.8.9"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:16:55","euvd":null},{"cve_id":"CVE-2025-69156","summary":"Unauthenticated Cross Site Scripting (XSS) in Kids Zone - Children WordPress Theme <= 5.4 versions.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/theme/kidszone/vulnerability/wordpress-kids-zone-children-wordpress-theme-theme-5-4-cross-site-scripting-xss-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:16:54","euvd":null},{"cve_id":"CVE-2026-11946","summary":"An unauthenticated remote attacker can exhaust\nserver memory via the GetEndpoints Discovery Service in open62541. The\nendpointUrl field of GetEndpointsRequest is not validated for length. An\nattacker can declare an arbitrarily large string (up to ~4.09 GB via the UInt32\nlength field) delivered across intermediate chunks without ever sending the\nfinal chunk. The server buffers all chunks in RAM indefinitely until the\nSecureChannel times out. The attack is\npre-session and bypasses all encryption configurations.\n\n\n\nThe issue affects open62541: from 1.4.0 through 1.4.16, from 1.5.0 through 1.5.4, master.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/open62541/open62541","https://github.com/open62541/open62541/pull/8142","https://github.com/open62541/open62541/pull/8142/changes/d253818d6c5e870e1db0e360b18138c8bdc809ae"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:16:54","euvd":null},{"cve_id":"CVE-2025-69094","summary":"Subscriber SQL Injection in Unicamp <= 2.2.2 versions.","cvss":8.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/theme/unicamp/vulnerability/wordpress-unicamp-theme-2-2-2-sql-injection-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:16:53","euvd":null},{"cve_id":"CVE-2025-69132","summary":"Subscriber Sensitive Data Exposure in Corpkit <= 1.0.5 versions.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/theme/corpkit/vulnerability/wordpress-corpkit-theme-1-0-5-sensitive-data-exposure-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:16:53","euvd":null},{"cve_id":"CVE-2025-69133","summary":"Subscriber Local File Inclusion in Tourmaster <= 5.4.5 versions.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/tourmaster/vulnerability/wordpress-tourmaster-plugin-5-4-5-local-file-inclusion-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:16:53","euvd":null},{"cve_id":"CVE-2025-69134","summary":"Unauthenticated Arbitrary Content Deletion in OpenAI Chatbot for WordPress – Helper <= 1.1.4 versions.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/helper/vulnerability/wordpress-openai-chatbot-for-wordpress-helper-plugin-1-1-4-arbitrary-content-deletion-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:16:53","euvd":null},{"cve_id":"CVE-2025-69152","summary":"Unauthenticated Cross Site Scripting (XSS) in Artale | Wedding Photography WordPress <= 2.2.2 versions.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/theme/artale/vulnerability/wordpress-artale-wedding-photography-wordpress-theme-2-2-2-cross-site-scripting-xss-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:16:53","euvd":null},{"cve_id":"CVE-2025-69153","summary":"Unauthenticated Cross Site Scripting (XSS) in Trendy Travel <= 6.7 versions.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/theme/trendytravel/vulnerability/wordpress-trendy-travel-theme-6-7-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:16:53","euvd":null},{"cve_id":"CVE-2025-69154","summary":"Unauthenticated Cross Site Scripting (XSS) in SpaLab | Beauty Salon WordPress Theme <= 6.7 versions.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/theme/spalab/vulnerability/wordpress-spalab-beauty-salon-wordpress-theme-theme-6-7-cross-site-scripting-xss-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:16:53","euvd":null},{"cve_id":"CVE-2025-69155","summary":"Unauthenticated Cross Site Scripting (XSS) in Fitness Zone WordPress Theme <= 5.7 versions.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/theme/fitnesszone/vulnerability/wordpress-fitness-zone-wordpress-theme-theme-5-7-cross-site-scripting-xss-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:16:53","euvd":null},{"cve_id":"CVE-2025-66076","summary":"Unauthenticated Broken Access Control in Woostify Sites Library <= 1.6.2 versions.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/woostify-sites-library/vulnerability/wordpress-woostify-sites-library-plugin-1-6-2-broken-access-control-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:16:52","euvd":null},{"cve_id":"CVE-2025-58902","summary":"Unauthenticated Local File Inclusion in Lighthouse <= 1.2.12 versions.","cvss":8.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/theme/lighthouseschool/vulnerability/wordpress-lighthouse-theme-1-2-12-local-file-inclusion-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T12:16:51","euvd":null},{"cve_id":"CVE-2026-54431","summary":"In liboauth2 the Demonstrating Proof-of-Possession (DPoP) verifier accepts a proof whose JSON Web Key (jwk) header contains private key material. RFC 9449 section 4.3 step 7 requires the verifier to reject such a proof but oauth2_token_verify() function returns success for a malformed DPoP proof that embeds the private Elliptic Curve (EC) key in the header.\n\nThis issue was fixed in version 2.3.0","cvss":5.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":5.1,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://cert.pl/en/posts/2026/07/CVE-2026-54430","https://github.com/OpenIDC/liboauth2","https://github.com/OpenIDC/liboauth2/commit/c0b57152ed6a0af33aeb04a60bd7f5bff5ab8800"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T11:16:17","euvd":null},{"cve_id":"CVE-2026-54430","summary":"liboauth2 is vulnerable to Server-Side Request Forgery in oauth2_jose_jwks_aws_alb_resolve() function. The AWS ALB verifier reads both signer and kid from the unverified JWT\nheader. If signer matches the configured ARN, kid is appended to\nalb_base_url without URL encoding or path sanitization, and the HTTP GET\nis issued before signature verification. This allows an attacker to force\nthe server to send a GET request to an attacker-chosen internal path.\n\nThis issue was fixed in version 2.3.0","cvss":5.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":5.1,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://cert.pl/en/posts/2026/07/CVE-2026-54430","https://github.com/OpenIDC/liboauth2","https://github.com/OpenIDC/liboauth2/commit/347507ac5b51f48c2933bbe49b2ee07c2af4712b"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T11:16:16","euvd":null},{"cve_id":"CVE-2026-9834","summary":"The WP Database Backup – Unlimited Database & Files Backup by Backup for WP plugin for WordPress is vulnerable to OS Command Injection in all versions up to and including 7.11 via the `wp_db_exclude_table` parameter. This is due to the direct concatenation of user-supplied `$_POST['wp_db_exclude_table']` values into the `mysqldump` shell command string in the `mysqldump()` function of `includes/admin/class-wpdb-admin.php` without wrapping them in `escapeshellarg()`—every other argument in the same command (DB_USER, DB_PASSWORD, host, filename, DB_NAME) is properly escaped, making the exclude-table values the sole exception—and because the only applied filtering, `sanitize_text_field()` via `recursive_sanitize_text_field()`, strips HTML tags but leaves shell metacharacters such as `;`, `|`, `` ` ``, and `$()` intact. This makes it possible for authenticated attackers, with administrator-level access and above, to execute arbitrary operating system commands on the server, potentially enabling full remote code execution. The injection is stored: malicious values submitted through the plugin settings form are persisted to the WordPress options table via `update_option('wp_db_exclude_table')` and later retrieved with `get_option()` and passed unsanitized to `shell_exec()` whenever a backup operation runs.","cvss":7.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.2,"cvss_v4":null,"epss":0.02651,"ranking_epss":0.83774,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/wp-database-backup/tags/7.10/includes/admin/class-wpdb-admin.php#L216","https://plugins.trac.wordpress.org/browser/wp-database-backup/tags/7.10/includes/admin/class-wpdb-admin.php#L2644","https://plugins.trac.wordpress.org/browser/wp-database-backup/tags/7.10/includes/admin/class-wpdb-admin.php#L2654","https://plugins.trac.wordpress.org/browser/wp-database-backup/tags/7.11/includes/admin/class-wpdb-admin.php#L216","https://plugins.trac.wordpress.org/browser/wp-database-backup/tags/7.11/includes/admin/class-wpdb-admin.php#L2644","https://plugins.trac.wordpress.org/browser/wp-database-backup/tags/7.11/includes/admin/class-wpdb-admin.php#L2654","https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3574273%40wp-database-backup&new=3574273%40wp-database-backup&sfp_email=&sfph_mail=","https://www.wordfence.com/threat-intel/vulnerabilities/id/0a97a217-b00b-4268-a472-8d62ae1d18e3?source=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T10:16:29","euvd":null},{"cve_id":"CVE-2026-13252","summary":"The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'aspectRatio' Attribute in all versions up to, and including, 5.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","cvss":6.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.4,"cvss_v4":null,"epss":0.00274,"ranking_epss":0.19202,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/feedzy-rss-feeds/tags/5.2.0/includes/abstract/feedzy-rss-feeds-admin-abstract.php#L1453","https://plugins.trac.wordpress.org/browser/feedzy-rss-feeds/tags/5.2.0/includes/abstract/feedzy-rss-feeds-admin-abstract.php#L1700","https://plugins.trac.wordpress.org/browser/feedzy-rss-feeds/tags/5.2.0/includes/abstract/feedzy-rss-feeds-admin-abstract.php#L423","https://plugins.trac.wordpress.org/browser/feedzy-rss-feeds/tags/5.2.0/includes/abstract/feedzy-rss-feeds-admin-abstract.php#L624","https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3586919%40feedzy-rss-feeds&new=3586919%40feedzy-rss-feeds&sfp_email=&sfph_mail=","https://www.wordfence.com/threat-intel/vulnerabilities/id/d402b7d1-3c12-4bdd-8ff3-e58d5501f0c0?source=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T10:16:28","euvd":null},{"cve_id":"CVE-2026-13369","summary":"The Ninja Forms - File Uploads plugin for WordPress is vulnerable to Arbitrary File Read via the attach_files() function in versions up to, and including, 3.3.29. This is due to the get_files_for_attachment() function accepting a raw attacker-controlled 'files' array when the process() method returns early due to a client-supplied saveProgress flag, bypassing all upload validation, path normalization, and database record creation steps, and allowing an attacker-supplied file_path value to reach wp_mail() as an email attachment with only a file_exists() check. This makes it possible for unauthenticated attackers to read arbitrary files on the affected site's server.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00522,"ranking_epss":0.40423,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/ninja-forms-uploads/trunk/includes/fields/upload.php#L71","https://plugins.trac.wordpress.org/browser/ninja-forms-uploads/trunk/includes/integrations/ninjaforms/attachments.php#L107","https://plugins.trac.wordpress.org/browser/ninja-forms-uploads/trunk/includes/integrations/ninjaforms/attachments.php#L196","https://www.wordfence.com/threat-intel/vulnerabilities/id/87d4dd4a-b1e2-4d08-aef1-77e58aa7531d?source=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T10:16:28","euvd":null},{"cve_id":"CVE-2026-13459","summary":"The JetFormBuilder — Dynamic Blocks Form Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.6.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to retrieve every distinct value stored under any arbitrary wp_postmeta key on the site — including WooCommerce billing PII such as _billing_email, _billing_phone, and _billing_address fields, order totals, attachment paths, and any third-party plugin credentials or tokens stored in post meta — provided at least one published JetFormBuilder form with a get_from_db generator field exists on the site. Exploitation requires that the target site has at least one published jet-form-builder post containing a field whose generator_function is set to get_from_db; an attacker must supply a matching form ID, field name, and generator ID in the request, but all of these can be discovered by browsing the site's public forms.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00579,"ranking_epss":0.43398,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/jetformbuilder/tags/3.6.0/includes/generators/get-from-db.php#L118","https://plugins.trac.wordpress.org/browser/jetformbuilder/tags/3.6.0/includes/generators/get-from-db.php#L160","https://plugins.trac.wordpress.org/browser/jetformbuilder/tags/3.6.0/modules/option-field/rest-api/generator-update-endpoint.php#L140","https://plugins.trac.wordpress.org/browser/jetformbuilder/tags/3.6.0/modules/option-field/rest-api/generator-update-endpoint.php#L52","https://plugins.trac.wordpress.org/browser/jetformbuilder/tags/3.6.0/modules/option-field/rest-api/generator-update-endpoint.php#L80","https://plugins.trac.wordpress.org/browser/jetformbuilder/tags/3.6.3/includes/generators/get-from-db.php#L118","https://plugins.trac.wordpress.org/browser/jetformbuilder/tags/3.6.3/includes/generators/get-from-db.php#L160","https://plugins.trac.wordpress.org/browser/jetformbuilder/tags/3.6.3/modules/option-field/rest-api/generator-update-endpoint.php#L140","https://plugins.trac.wordpress.org/browser/jetformbuilder/tags/3.6.3/modules/option-field/rest-api/generator-update-endpoint.php#L52","https://plugins.trac.wordpress.org/browser/jetformbuilder/tags/3.6.3/modules/option-field/rest-api/generator-update-endpoint.php#L80","https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3591404%40jetformbuilder&new=3591404%40jetformbuilder&sfp_email=&sfph_mail=","https://www.wordfence.com/threat-intel/vulnerabilities/id/26c19bd3-32ea-4e28-9cde-1a6653acf6f1?source=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T10:16:28","euvd":null},{"cve_id":"CVE-2026-14029","summary":"The Groundhogg — CRM, Newsletters, and Marketing Automation plugin for WordPress is vulnerable to generic SQL Injection via the 'select' parameter in all versions up to, and including, 4.5.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with custom-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Exploitation requires the attacker to hold a Groundhogg custom role with the view_contacts capability, which is granted by default to several built-in Groundhogg roles above the base subscriber level.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00441,"ranking_epss":0.35368,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/groundhogg/tags/4.5.7/api/v4/base-object-api.php#L505","https://plugins.trac.wordpress.org/browser/groundhogg/tags/4.5.7/db/db.php#L1366","https://plugins.trac.wordpress.org/browser/groundhogg/tags/4.5.7/db/query/query.php#L228","https://plugins.trac.wordpress.org/browser/groundhogg/tags/4.5.7/db/query/query.php#L427","https://plugins.trac.wordpress.org/browser/groundhogg/tags/4.5.8/api/v4/base-object-api.php#L505","https://plugins.trac.wordpress.org/browser/groundhogg/tags/4.5.8/db/db.php#L1366","https://plugins.trac.wordpress.org/browser/groundhogg/tags/4.5.8/db/query/query.php#L228","https://plugins.trac.wordpress.org/browser/groundhogg/tags/4.5.8/db/query/query.php#L427","https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3591885%40groundhogg&new=3591885%40groundhogg&sfp_email=&sfph_mail=","https://www.wordfence.com/threat-intel/vulnerabilities/id/fb7fd98d-de1d-4b06-b769-92df40bc1873?source=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T10:16:28","euvd":null},{"cve_id":"CVE-2026-14336","summary":"PIA's OIDC issuer allowlist for Jenkins tokens uses a bare string-prefix check (issuer.startswith(' https://ci.eclipse.org ') in is_issuer_known, pia/models.py:139) instead of validating the issuer as a properly host-bounded URL. An attacker can craft an issuer such as  https://ci.eclipse.org@evil.host  (userinfo trick) or  https://ci.eclipse.org.evil.host  (suffix trick) that satisfies the prefix check while pointing the OIDC discovery and JWKS fetches at a server the attacker controls. An unauthenticated caller of POST /v1/upload/sbom can use this to force PIA to make outbound HTTP(S) requests to an arbitrary attacker-chosen host, and to have oidc.verify_token accept a JWT signed with the attacker's own key.","cvss":8.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.2,"cvss_v4":null,"epss":0.00321,"ranking_epss":0.2396,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gitlab.eclipse.org/security/cve-assignment/-/work_items/154"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T10:16:28","euvd":null},{"cve_id":"CVE-2026-8441","summary":"The WP Review Slider Pro plugin for WordPress is vulnerable to SQL Injection via the 'notinstring' parameter of the wprp_load_more_revs AJAX action in versions up to, and including, 12.7.2. The parameter is read via $_POST['notinstring'] and passed through sanitize_text_field() — which strips HTML and whitespace but does not provide SQL safety. The value is then concatenated directly into a numeric/unquoted `AND id NOT IN (...)` clause and executed via $wpdb->get_results() without $wpdb->prepare() or intval() casting. Because the value sits in an unquoted numeric context, WordPress's wp_magic_quotes protection (which only escapes embedded quotes) is ineffective. The AJAX hook is registered via wp_ajax_nopriv_wprp_load_more_revs, and the required check_ajax_referer nonce is publicly available via wp_localize_script on any frontend page that renders the plugin shortcode, so an unauthenticated attacker who can reach a public page hosting the plugin can extract arbitrary data from the database via blind/time-based injection.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00374,"ranking_epss":0.29428,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://wpreviewslider.userecho.com/knowledge-bases/2/articles/88-change-log","https://www.wordfence.com/threat-intel/vulnerabilities/id/396ba24f-e0f7-4374-a9ce-d9abddb87b39?source=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T10:16:28","euvd":null},{"cve_id":"CVE-2026-8482","summary":"A vulnerability was discovered on StormShield Network Security 4.3.0 to 4.3.41 (included), 4.8.0 to 4.8.15 (included) , 5.0.0 to 5.0.5 (included)\n\nThere is a possible leak of secret information if administration commands have been passed with the CLI command line tool.\n\nSomeone with SSH access to the firewall (if SSH multiuser mode is enabled) could possibly get the proxy CA passphrase or TPM password.","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00212,"ranking_epss":0.11546,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://advisories.stormshield.eu/2025-007/"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T10:16:28","euvd":null},{"cve_id":"CVE-2026-9145","summary":"The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to Arbitrary File Copy via the create_entry_el() function in versions up to, and including, 1.5.1. The function reads raw_value from Elementor Pro's Form_Record object for upload-type fields and passes it directly to PHP's copy() without validating that the value corresponds to a legitimately uploaded file — when no file is present in $_FILES, raw_value reflects the attacker-controlled POST string. copy() accepts both local filesystem paths and URL sources, so the attacker can target any file readable by the PHP process or supply an attacker-controlled remote URL. Elementor Pro is a prerequisite for triggering the code path (it owns the elementor_pro/forms/new_record hook and populates the Form_Record object), but the bug itself is entirely in Contact Form Entries' handler. This could allow unauthenticated attackers to disclose arbitrary files on the affected site's server. The file is copied to a directory unknown to the attacker; the hashed directory name provides defense-in-depth but is generated from non-cryptographic sources (uniqid() + rand()) and should not be relied upon as the primary mitigation.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00372,"ranking_epss":0.29189,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/contact-form-entries/tags/1.5.1/contact-form-entries.php#L1380","https://plugins.trac.wordpress.org/browser/contact-form-entries/tags/1.5.1/contact-form-entries.php#L640","https://plugins.trac.wordpress.org/browser/contact-form-entries/tags/1.5.1/contact-form-entries.php#L641","https://plugins.trac.wordpress.org/browser/contact-form-entries/tags/1.5.1/contact-form-entries.php#L651","https://www.wordfence.com/threat-intel/vulnerabilities/id/2ccadf7c-b628-43b6-a6b0-828ca31ff9cc?source=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T10:16:28","euvd":null},{"cve_id":"CVE-2026-9188","summary":"The Appointment Bookings for Zoom GoogleMeet and more – Wappointment plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to and including 2.7.6 via the `appointmentkey` parameter due to the appointment `edit_key` — the sole authorization token consumed by `tryCancel()` — being generated as a predictable, unsalted MD5 hash of only `client_id` (a sequential integer), `start_at` (a publicly observable appointment timestamp), and `staff_id` (a small enumerable integer), with no secret salt or random component, and the unauthenticated cancellation and rescheduling REST endpoints performing no ownership or identity verification beyond matching this reconstructible key. This makes it possible for unauthenticated attackers to compute valid `edit_key` values for appointments belonging to other users and cancel or reschedule those appointments arbitrarily. Exploitation requires the `allow_cancellation` or `allow_rescheduling` setting to be enabled on the site, both of which are common configurations for active booking deployments; an attacker can obtain the inputs needed to reconstruct a victim's key by booking their own appointment to observe their sequential `client_id` and correlating publicly visible appointment times and enumerable staff identifiers.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00516,"ranking_epss":0.40079,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/wappointment/tags/2.7.5/app/Models/Client.php#L39","https://plugins.trac.wordpress.org/browser/wappointment/tags/2.7.5/app/Services/AppointmentNew.php#L190","https://plugins.trac.wordpress.org/browser/wappointment/tags/2.7.5/app/Services/AppointmentNew.php#L347","https://plugins.trac.wordpress.org/browser/wappointment/tags/2.7.5/app/Services/AppointmentNew.php#L40","https://plugins.trac.wordpress.org/browser/wappointment/tags/2.7.6/app/Models/Client.php#L39","https://plugins.trac.wordpress.org/browser/wappointment/tags/2.7.6/app/Services/AppointmentNew.php#L190","https://plugins.trac.wordpress.org/browser/wappointment/tags/2.7.6/app/Services/AppointmentNew.php#L347","https://plugins.trac.wordpress.org/browser/wappointment/tags/2.7.6/app/Services/AppointmentNew.php#L40","https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3546313%40wappointment&new=3546313%40wappointment&sfp_email=&sfph_mail=","https://www.wordfence.com/threat-intel/vulnerabilities/id/07069f39-f892-4c19-8e0b-e5e17b1ffb21?source=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T10:16:28","euvd":null},{"cve_id":"CVE-2026-11896","summary":"The My Calendar – Accessible Event Manager plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.7.14 via the 'vcal' parameter due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to enumerate occurrence IDs and access the full iCalendar export of non-public, draft, trashed, and personal calendar events, disclosing sensitive event metadata including titles, descriptions, dates, locations, organizer and host details, permalinks, and related calendar metadata.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00544,"ranking_epss":0.41625,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/my-calendar/tags/3.7.14/includes/date-utilities.php#L417","https://plugins.trac.wordpress.org/browser/my-calendar/tags/3.7.14/includes/ical.php#L26","https://plugins.trac.wordpress.org/browser/my-calendar/tags/3.7.14/my-calendar-api.php#L212","https://plugins.trac.wordpress.org/browser/my-calendar/tags/3.7.14/my-calendar-api.php#L246","https://plugins.trac.wordpress.org/browser/my-calendar/tags/3.7.14/my-calendar-events.php#L748","https://plugins.trac.wordpress.org/browser/my-calendar/tags/3.7.14/my-calendar.php#L209","https://plugins.trac.wordpress.org/browser/my-calendar/trunk/includes/date-utilities.php#L417","https://plugins.trac.wordpress.org/browser/my-calendar/trunk/includes/ical.php#L26","https://plugins.trac.wordpress.org/browser/my-calendar/trunk/my-calendar-api.php#L212","https://plugins.trac.wordpress.org/browser/my-calendar/trunk/my-calendar-api.php#L246","https://plugins.trac.wordpress.org/browser/my-calendar/trunk/my-calendar-events.php#L748","https://plugins.trac.wordpress.org/browser/my-calendar/trunk/my-calendar.php#L209","https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3572191%40my-calendar&new=3572191%40my-calendar&sfp_email=&sfph_mail=","https://www.wordfence.com/threat-intel/vulnerabilities/id/a72639df-fa05-414c-b30c-eb285f59d945?source=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T10:16:27","euvd":null},{"cve_id":"CVE-2026-12122","summary":"The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.0.11 via the get_single_symbol. This makes it possible for unauthenticated attackers to extract the full builder metadata and rendered HTML of any kirki_symbol post — including unpublished drafts — by supplying a sequential WordPress post ID.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00495,"ranking_epss":0.3883,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/kirki/tags/6.0.5/includes/Ajax.php#L73","https://plugins.trac.wordpress.org/browser/kirki/tags/6.0.5/includes/Ajax/Symbol.php#L145","https://plugins.trac.wordpress.org/browser/kirki/tags/6.0.5/includes/Ajax/Symbol.php#L245","https://plugins.trac.wordpress.org/browser/kirki/tags/6.0.9/includes/Ajax.php#L73","https://plugins.trac.wordpress.org/browser/kirki/tags/6.0.9/includes/Ajax/Symbol.php#L145","https://plugins.trac.wordpress.org/browser/kirki/tags/6.0.9/includes/Ajax/Symbol.php#L245","https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3584702%40kirki&new=3584702%40kirki&sfp_email=&sfph_mail=","https://www.wordfence.com/threat-intel/vulnerabilities/id/8b5db7fa-2e72-4719-b85e-cc31778c2274?source=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T10:16:27","euvd":null},{"cve_id":"CVE-2026-12134","summary":"The JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.7.8. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to create arbitrary season groups or modify existing group names, participants, and round-type options. Exploitation requires obtaining the joomsportajaxnonce, which is exposed on frontend pages that render a JoomSport shortcode.","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00403,"ranking_epss":0.32289,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/joomsport-sports-league-results-management/tags/5.7.8/includes/joomsport-shortcodes.php#L473","https://plugins.trac.wordpress.org/browser/joomsport-sports-league-results-management/tags/5.7.8/includes/posts/joomsport-post-season.php#L22","https://plugins.trac.wordpress.org/browser/joomsport-sports-league-results-management/tags/5.7.8/includes/posts/joomsport-post-season.php#L230","https://plugins.trac.wordpress.org/browser/joomsport-sports-league-results-management/trunk/includes/joomsport-shortcodes.php#L473","https://plugins.trac.wordpress.org/browser/joomsport-sports-league-results-management/trunk/includes/posts/joomsport-post-season.php#L22","https://plugins.trac.wordpress.org/browser/joomsport-sports-league-results-management/trunk/includes/posts/joomsport-post-season.php#L230","https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3581673%40joomsport-sports-league-results-management&new=3581673%40joomsport-sports-league-results-management&sfp_email=&sfph_mail=","https://www.wordfence.com/threat-intel/vulnerabilities/id/a00997d4-f242-4d49-8542-0738efa66222?source=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T10:16:27","euvd":null},{"cve_id":"CVE-2026-12472","summary":"The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.0.11. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to send arbitrary HTML-injected emails — including phishing messages embedding a real, valid WordPress password-reset URL for the targeted user — to any registered user via the site's own mail server, abusing its SPF/DKIM reputation. The attacker-controlled emailSubject parameter is passed to wp_mail() with only sanitize_text_field() applied, while emailBody 'text' items are concatenated raw into the HTML email body with no escaping, and 'chip' items can include the genuine WordPress password-reset link for the targeted account.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00492,"ranking_epss":0.38666,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/kirki/tags/6.0.9/ComponentLibrary/controller/CompLibFormHandler.php#L342","https://plugins.trac.wordpress.org/browser/kirki/tags/6.0.9/ComponentLibrary/controller/CompLibFormHandler.php#L441","https://plugins.trac.wordpress.org/browser/kirki/tags/6.0.9/ComponentLibrary/controller/CompLibFormHandler.php#L49","https://plugins.trac.wordpress.org/browser/kirki/tags/6.0.9/ComponentLibrary/controller/ElementGenerator.php#L219","https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3584702%40kirki&new=3584702%40kirki&sfp_email=&sfph_mail=","https://www.wordfence.com/threat-intel/vulnerabilities/id/af01964f-018d-4d19-8627-8889877db105?source=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T10:16:27","euvd":null},{"cve_id":"CVE-2026-12657","summary":"The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.6.2 via the 'service_id' parameter due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to create approved bookings against services explicitly restricted to admins and agents, consuming restricted appointment capacity and triggering unauthorized bookings for admin/agent-only services. The bypass works via both the params[booking][service_id] parameter in steps__load_step and the presets[selected_service] parameter in steps__start, both of which are publicly accessible without authentication.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00671,"ranking_epss":0.47485,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/latepoint/tags/5.3.2/lib/controllers/steps_controller.php#L244","https://plugins.trac.wordpress.org/browser/latepoint/tags/5.3.2/lib/controllers/steps_controller.php#L341","https://plugins.trac.wordpress.org/browser/latepoint/tags/5.3.2/lib/helpers/steps_helper.php#L1202","https://plugins.trac.wordpress.org/browser/latepoint/tags/5.3.2/lib/helpers/steps_helper.php#L1618","https://plugins.trac.wordpress.org/browser/latepoint/tags/5.3.2/lib/helpers/steps_helper.php#L1710","https://plugins.trac.wordpress.org/browser/latepoint/tags/5.6.2/lib/controllers/steps_controller.php#L244","https://plugins.trac.wordpress.org/browser/latepoint/tags/5.6.2/lib/controllers/steps_controller.php#L341","https://plugins.trac.wordpress.org/browser/latepoint/tags/5.6.2/lib/helpers/steps_helper.php#L1202","https://plugins.trac.wordpress.org/browser/latepoint/tags/5.6.2/lib/helpers/steps_helper.php#L1618","https://plugins.trac.wordpress.org/browser/latepoint/tags/5.6.2/lib/helpers/steps_helper.php#L1710","https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3584059%40latepoint&new=3584059%40latepoint&sfp_email=&sfph_mail=","https://www.wordfence.com/threat-intel/vulnerabilities/id/09588c2a-1631-4924-8277-d47f096493c5?source=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T10:16:27","euvd":null},{"cve_id":"CVE-2026-13251","summary":"The Perfmatters plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.6.4 via the 's' parameter. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. Exploitation requires the Local Google Fonts feature to be enabled (disabled by default), pretty permalinks to be active, and RSS feed links to remain enabled in the plugin settings.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.0082,"ranking_epss":0.5272,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://perfmatters.io/docs/changelog/","https://plugins.trac.wordpress.org/browser/perfmatters/trunk/inc/classes/Fonts.php#L131","https://www.wordfence.com/threat-intel/vulnerabilities/id/2c0082ff-2a33-44e9-b0d0-8b9a404ab648?source=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T10:16:27","euvd":null},{"cve_id":"CVE-2026-10104","summary":"The Product Video Gallery for Woocommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom_thumbnail Parameter in all versions up to, and including, 1.5.1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with shop manager-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","cvss":4.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.4,"cvss_v4":null,"epss":0.00263,"ranking_epss":0.17664,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/product-video-gallery-slider-for-woocommerce/tags/1.5.1.6/admin/class-video-field.php#L310","https://plugins.trac.wordpress.org/browser/product-video-gallery-slider-for-woocommerce/tags/1.5.1.6/public/class-rendering.php#L365","https://plugins.trac.wordpress.org/browser/product-video-gallery-slider-for-woocommerce/tags/1.5.1.6/public/class-rendering.php#L379","https://plugins.trac.wordpress.org/browser/product-video-gallery-slider-for-woocommerce/tags/1.5.1.7/admin/class-video-field.php#L310","https://plugins.trac.wordpress.org/browser/product-video-gallery-slider-for-woocommerce/tags/1.5.1.7/public/class-rendering.php#L365","https://plugins.trac.wordpress.org/browser/product-video-gallery-slider-for-woocommerce/tags/1.5.1.7/public/class-rendering.php#L379","https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3591727%40product-video-gallery-slider-for-woocommerce&new=3591727%40product-video-gallery-slider-for-woocommerce&sfp_email=&sfph_mail=","https://www.wordfence.com/threat-intel/vulnerabilities/id/f61885bc-b7da-42b8-a0d3-ba5d7d19b536?source=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T10:16:26","euvd":null},{"cve_id":"CVE-2026-8147","summary":"In MLflow versions prior to 3.14.0, when running with authentication enabled, the trace API endpoints lack proper authorization validators. This allows any authenticated user to bypass experiment-level authorization controls on all trace operations, including reading, deleting, and modifying traces on experiments they do not have permission to access. The issue arises from the `_before_request` handler, which does not register authorization validators for trace endpoints, resulting in requests proceeding without validation. This vulnerability can expose sensitive data, destroy audit logs, and allow unauthorized modifications.","cvss":8.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":null,"epss":0.00337,"ranking_epss":0.25593,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/mlflow/mlflow/commit/f9b1eb510478570609ef451984a255775aa4b937","https://huntr.com/bounties/b00c3ddd-373e-492f-9bf0-41a28bb21ed5","https://huntr.com/bounties/b00c3ddd-373e-492f-9bf0-41a28bb21ed5"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T09:16:19","euvd":null},{"cve_id":"CVE-2026-9563","summary":"In Eclipse Parsson published Maven Central artifacts before version 1.1.8, the JSON parser did not enforce a default maximum on the number of characters consumed while parsing a single JSON document. Applications that parse attacker- controlled JSON can be forced to consume excessive CPU and memory by processing very large documents, including large arrays, objects, strings, numbers, whitespace, or nested structures, resulting in a denial of service. Eclipse Parsson 1.1.8 introduces a configurable maximum parsing limit with a default limit of 15 million parser-consumed characters.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00366,"ranking_epss":0.2857,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/eclipse-ee4j/parsson/commit/134e8d101aa74c8b9302d0cb62f6ccb4912a9d0c","https://github.com/eclipse-ee4j/parsson/pull/169","https://github.com/eclipse-ee4j/parsson/tree/1.1.8","https://gitlab.eclipse.org/security/vulnerability-reports/-/work_items/444","https://repo.maven.apache.org/maven2/org/eclipse/parsson/parsson/1.1.8/","https://gitlab.eclipse.org/security/vulnerability-reports/-/work_items/444"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T09:16:19","euvd":null},{"cve_id":"CVE-2026-33592","summary":"An unauthenticated remote attacker can exhaust\nserver memory via the FindServers Discovery Service in open62541. The\nserverUris field of FindServersRequest is not validated for length or array\nsize. An attacker can declare an arbitrarily large string (up to ~3.9 GB)\ndelivered across intermediate chunks without ever sending the final chunk. The\nserver buffers all chunks in RAM indefinitely until the SecureChannel times\nout. The attack is pre-session and bypasses all encryption configuration. The issue affects open62541: from 1.4.0 through 1.4.16, from 1.5.0 through 1.5.4, master.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00388,"ranking_epss":0.30758,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/open62541/open62541","https://github.com/open62541/open62541/pull/8142","https://github.com/open62541/open62541/pull/8142/changes/d253818d6c5e870e1db0e360b18138c8bdc809ae"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T08:16:39","euvd":null},{"cve_id":"CVE-2026-5348","summary":"The Academy LMS – WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.8.1. This is due to the '/topics' REST API endpoint being registered with a permission callback set to '__return_true', allowing unauthenticated access to course curriculum data without verifying the course's post status or user enrollment. This makes it possible for unauthenticated attackers to access detailed curriculum information for private, draft, scheduled, or password-protected courses by enumerating course IDs.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00262,"ranking_epss":0.17556,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/academy/tags/3.5.3/includes/api/course.php#L50","https://plugins.trac.wordpress.org/browser/academy/tags/3.5.3/includes/api/course.php#L77","https://plugins.trac.wordpress.org/browser/academy/tags/3.5.3/includes/traits/courses.php#L1514","https://plugins.trac.wordpress.org/browser/academy/trunk/includes/api/course.php#L50","https://plugins.trac.wordpress.org/browser/academy/trunk/includes/api/course.php#L77","https://plugins.trac.wordpress.org/browser/academy/trunk/includes/traits/courses.php#L1514","https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3592849%40academy&new=3592849%40academy&sfp_email=&sfph_mail=","https://www.wordfence.com/threat-intel/vulnerabilities/id/b84ae3e0-de4f-41d6-8944-fadaf6fdcf79?source=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T06:16:14","euvd":null},{"cve_id":"CVE-2026-5821","summary":"The Image Optimizer plugin for WordPress is vulnerable to arbitrary file deletion in versions up to and including 1.7.4. This is due to insufficient path validation in the Image_Backup::remove() function where backup file paths stored in post meta are used directly in file deletion operations without verifying they are within the uploads directory. The plugin stores backup file paths in the image_optimizer_metadata post meta field and trusts these paths completely when deleting backups on the delete_attachment hook. An authenticated attacker with Author-level access can edit the image_optimizer_metadata post meta on their own attachments via WordPress's Custom Fields interface, injecting arbitrary absolute file paths into the backups array. When the attacker subsequently deletes the attachment, the plugin calls File_System::delete() on each path without validation. This makes it possible for authenticated attackers, with Author-level access and above, to delete arbitrary files on the server within the web server's filesystem permissions, potentially leading to denial of service, data loss, or security degradation.","cvss":8.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":null,"epss":0.00354,"ranking_epss":0.27403,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/image-optimization/tags/1.7.3/classes/image/image-backup.php#L117","https://plugins.trac.wordpress.org/browser/image-optimization/tags/1.7.3/classes/image/image-meta.php#L97","https://plugins.trac.wordpress.org/browser/image-optimization/tags/1.7.3/modules/backups/components/handle-backups-removing.php#L19","https://plugins.trac.wordpress.org/browser/image-optimization/trunk/classes/image/image-backup.php#L117","https://plugins.trac.wordpress.org/browser/image-optimization/trunk/classes/image/image-meta.php#L97","https://plugins.trac.wordpress.org/browser/image-optimization/trunk/modules/backups/components/handle-backups-removing.php#L19","https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3557772%40image-optimization&new=3557772%40image-optimization&sfp_email=&sfph_mail=","https://www.wordfence.com/threat-intel/vulnerabilities/id/a1a00374-e9d6-46f9-a28c-cb7768505787?source=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T06:16:14","euvd":null},{"cve_id":"CVE-2026-11592","summary":"The Email Subscribers & Newsletters – Email Marketing, Post Notifications & Newsletter Plugin for WordPress plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.9.27. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with contributor-level access and above, to overwrite plugin mail settings (from name and from email address), create audience lists, insert arbitrary contacts into those lists, create and overwrite newsletter broadcasts and post notifications, add workflows, and queue and dispatch mass email to arbitrary recipients.","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00272,"ranking_epss":0.18981,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/email-subscribers/tags/5.9.21/lite/admin/class-email-subscribers-admin.php#L216","https://plugins.trac.wordpress.org/browser/email-subscribers/tags/5.9.21/lite/admin/class-ig-es-onboarding.php#L171","https://plugins.trac.wordpress.org/browser/email-subscribers/tags/5.9.21/lite/includes/class-email-subscribers-activator.php#L66","https://plugins.trac.wordpress.org/browser/email-subscribers/tags/5.9.21/lite/includes/classes/class-es-newsletters.php#L717","https://plugins.trac.wordpress.org/browser/email-subscribers/tags/5.9.21/lite/includes/workflows/admin/class-es-workflow-admin-edit.php#L74","https://plugins.trac.wordpress.org/browser/email-subscribers/tags/5.9.24/lite/admin/class-email-subscribers-admin.php#L216","https://plugins.trac.wordpress.org/browser/email-subscribers/tags/5.9.24/lite/admin/class-ig-es-onboarding.php#L171","https://plugins.trac.wordpress.org/browser/email-subscribers/tags/5.9.24/lite/includes/class-email-subscribers-activator.php#L66","https://plugins.trac.wordpress.org/browser/email-subscribers/tags/5.9.24/lite/includes/classes/class-es-newsletters.php#L717","https://plugins.trac.wordpress.org/browser/email-subscribers/tags/5.9.24/lite/includes/workflows/admin/class-es-workflow-admin-edit.php#L74","https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3584584%40email-subscribers&new=3584584%40email-subscribers&sfp_email=&sfph_mail=","https://www.wordfence.com/threat-intel/vulnerabilities/id/a2e70691-4de9-4b12-babf-bebe267a780b?source=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T06:16:13","euvd":null},{"cve_id":"CVE-2026-11600","summary":"The Envo's Templates & Widgets for Elementor and WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing authorization check on the Envo Tabs (and Off Canvas) widget's template rendering in versions up to, and including, 1.4.26. The render() method of the Tabs widget passes a user-controlled template/post ID directly to Elementor's get_builder_content_for_display() without verifying the referenced post's status (published/private/draft) or the visitor's authorization to view it. This makes it possible for authenticated attackers, with Author-level access and above, to disclose the contents of private Elementor-driven pages and templates to anonymous visitors by configuring an Envo Tabs widget on a public post to reference the private content's ID (which can be supplied by editing the underlying Elementor widget JSON via the Elementor editor REST API).","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00223,"ranking_epss":0.12841,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/envo-elementor-for-woocommerce/tags/1.4.25/modules/off-canvas/widgets/off-canvas.php#L631","https://plugins.trac.wordpress.org/browser/envo-elementor-for-woocommerce/tags/1.4.25/modules/tabs/widgets/tabs.php#L103","https://plugins.trac.wordpress.org/browser/envo-elementor-for-woocommerce/tags/1.4.25/modules/tabs/widgets/tabs.php#L1268","https://plugins.trac.wordpress.org/browser/envo-elementor-for-woocommerce/tags/1.4.26/modules/off-canvas/widgets/off-canvas.php#L631","https://plugins.trac.wordpress.org/browser/envo-elementor-for-woocommerce/tags/1.4.26/modules/tabs/widgets/tabs.php#L103","https://plugins.trac.wordpress.org/browser/envo-elementor-for-woocommerce/tags/1.4.26/modules/tabs/widgets/tabs.php#L1268","https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3578489%40envo-elementor-for-woocommerce&new=3578489%40envo-elementor-for-woocommerce&sfp_email=&sfph_mail=","https://www.wordfence.com/threat-intel/vulnerabilities/id/26100f1f-3224-486c-b4f9-7086d405a883?source=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T06:16:13","euvd":null},{"cve_id":"CVE-2026-11781","summary":"The Adminify  WordPress plugin before 4.2.10 does not perform per-user read-capability checks on the results returned by one of its administration search features, allowing users with a low-privilege role (Contributor) to disclose non-public content that WordPress would not otherwise expose to them, such as other authors' unpublished post titles, pending comment content, the site's Adminify  WordPress plugin before 4.2.10 inventory, and user account names.","cvss":2.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":2.7,"cvss_v4":null,"epss":0.00139,"ranking_epss":0.03658,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://wpscan.com/vulnerability/0aa18fe0-2d64-45dc-9eab-9587d63853be/"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T06:16:13","euvd":null},{"cve_id":"CVE-2026-11965","summary":"The User Registration & Membership  WordPress plugin before 5.2.0 does not enforce payment completion before activating a paid membership subscription, allowing unauthenticated users (after self-registering an account through the open registration flow) to obtain an active subscription on any paid plan without paying and access the gated content.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00136,"ranking_epss":0.03424,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://wpscan.com/vulnerability/49f4c59e-5931-405d-8518-244531bbc889/"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T06:16:13","euvd":null},{"cve_id":"CVE-2026-13357","summary":"The Houzez Property Feed plugin for WordPress is vulnerable to SQL Injection via the 'orderby' parameter in all versions up to, and including, 2.5.46 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query in the prepare_items() method of the Houzez_Property_Feed_Admin_Logs_Export_Table (and Houzez_Property_Feed_Admin_Logs_Import_Table) class. The user-controlled $_GET['orderby'] and $_GET['order'] values are filtered only with sanitize_text_field() and then concatenated into the SQL format string before $wpdb->prepare() is called — prepare() only parameterizes the appended LIMIT/OFFSET clause and cannot retroactively secure the already-tainted ORDER BY clause. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","cvss":4.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.9,"cvss_v4":null,"epss":0.00288,"ranking_epss":0.20559,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/houzez-property-feed/tags/2.5.46/includes/class-houzez-property-feed-admin-logs-export-table.php#L205","https://plugins.trac.wordpress.org/browser/houzez-property-feed/tags/2.5.46/includes/class-houzez-property-feed-admin-logs-export-table.php#L219","https://plugins.trac.wordpress.org/browser/houzez-property-feed/tags/2.5.46/includes/class-houzez-property-feed-admin.php#L138","https://plugins.trac.wordpress.org/browser/houzez-property-feed/tags/2.5.46/includes/class-houzez-property-feed-admin.php#L587","https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3592406%40houzez-property-feed&new=3592406%40houzez-property-feed&sfp_email=&sfph_mail=","https://www.wordfence.com/threat-intel/vulnerabilities/id/7669f1d3-450c-4c17-aa1e-44ddda194727?source=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T06:16:13","euvd":null},{"cve_id":"CVE-2026-13704","summary":"The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sequoia[introduction][image]' parameter in all versions up to, and including, 4.16.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Give Worker-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","cvss":6.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.4,"cvss_v4":null,"epss":0.00235,"ranking_epss":0.14308,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/give/tags/4.14.6/includes/admin/forms/class-metabox-form-data.php#L1180","https://plugins.trac.wordpress.org/browser/give/tags/4.14.6/includes/formatting.php#L758","https://plugins.trac.wordpress.org/browser/give/tags/4.14.6/src/Views/Form/Templates/Sequoia/Sequoia.php#L459","https://plugins.trac.wordpress.org/browser/give/tags/4.14.6/src/Views/Form/Templates/Sequoia/sections/introduction.php#L33","https://plugins.trac.wordpress.org/browser/give/tags/4.16.0/includes/admin/forms/class-metabox-form-data.php#L1180","https://plugins.trac.wordpress.org/browser/give/tags/4.16.0/includes/formatting.php#L758","https://plugins.trac.wordpress.org/browser/give/tags/4.16.0/src/Views/Form/Templates/Sequoia/Sequoia.php#L459","https://plugins.trac.wordpress.org/browser/give/tags/4.16.0/src/Views/Form/Templates/Sequoia/sections/introduction.php#L33","https://www.wordfence.com/threat-intel/vulnerabilities/id/ee18552b-2814-4598-9b7b-7c919d6d644e?source=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T06:16:13","euvd":null},{"cve_id":"CVE-2026-14249","summary":"The Request a Quote plugin for WordPress is vulnerable to Code Injection in versions up to, and including, 2.5.5 via the emd_delete_file AJAX action. This is due to the emd_delete_file() handler deriving a PHP function name from the attacker-controlled $_POST['path'] parameter and invoking it dynamically via the variable-function call $sess_name(), and the handler being registered for wp_ajax_nopriv with its only protection being a nonce that the plugin prints into the public quote-form page via wp_localize_script. This makes it possible for unauthenticated attackers to invoke arbitrary zero-argument PHP functions on the server, such as phpinfo(), potentially exposing sensitive server configuration and credentials, or executing other destructive built-in PHP functions.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00333,"ranking_epss":0.25195,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/request-a-quote/tags/2.5.5/includes/class-install-deactivate.php#L60","https://plugins.trac.wordpress.org/browser/request-a-quote/tags/2.5.5/includes/common-functions.php#L1035","https://plugins.trac.wordpress.org/browser/request-a-quote/tags/2.5.5/includes/common-functions.php#L1038","https://plugins.trac.wordpress.org/browser/request-a-quote/tags/2.5.5/includes/emd-form-builder-lite/emd-form-frontend.php#L1187","https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3592676%40request-a-quote&new=3592676%40request-a-quote&sfp_email=&sfph_mail=","https://www.wordfence.com/threat-intel/vulnerabilities/id/5a349c4f-d2e7-47af-9013-3cfa496b3b8c?source=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T06:16:13","euvd":null},{"cve_id":"CVE-2026-10077","summary":"The yootheme WordPress theme before 5.0.35 does not prevent its bundled front-end framework from treating certain HTML attributes, which are permitted by wp_kses_post(), as markup, allowing users with the Author role to perform Stored Cross-Site Scripting attacks that execute in the browser of any user who views the affected post.","cvss":6.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.8,"cvss_v4":null,"epss":0.00152,"ranking_epss":0.04764,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://wpscan.com/vulnerability/89877758-50f1-4a4b-a622-e417571a5b14/"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T06:16:12","euvd":null},{"cve_id":"CVE-2026-10089","summary":"The Insert Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via post custom field keys (meta key names) in all versions up to, and including, 3.11.4. This is due to insufficient output escaping in the the_meta() function: while the custom field VALUE is sanitized with wp_kses_post(), the custom field KEY ($key) is interpolated into the rendered HTML (lines 1786-1791) and echoed (line 1806) without any escaping when an inserted page is rendered with the [insert page='ID' display='all'] shortcode. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","cvss":6.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.4,"cvss_v4":null,"epss":0.00217,"ranking_epss":0.12154,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/insert-pages/tags/3.11.3/insert-pages.php#L1771","https://plugins.trac.wordpress.org/browser/insert-pages/tags/3.11.3/insert-pages.php#L1789","https://plugins.trac.wordpress.org/browser/insert-pages/tags/3.11.3/insert-pages.php#L768","https://plugins.trac.wordpress.org/browser/insert-pages/tags/3.11.4/insert-pages.php#L1771","https://plugins.trac.wordpress.org/browser/insert-pages/tags/3.11.4/insert-pages.php#L1789","https://plugins.trac.wordpress.org/browser/insert-pages/tags/3.11.4/insert-pages.php#L768","https://plugins.trac.wordpress.org/changeset/3579298","https://www.wordfence.com/threat-intel/vulnerabilities/id/a4246181-d331-46b0-ad48-e2ece11b2f5f?source=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T06:16:12","euvd":null},{"cve_id":"CVE-2026-11578","summary":"The Fluent Forms  WordPress plugin before 6.2.5 does not properly restrict the deletion of form submission entries to the forms a restricted Manager is authorized to manage, allowing a Manager limited to specific forms to permanently delete submission entries belonging to other forms. This requires a non-default configuration in which an administrator has created at least one Manager restricted to specific forms.","cvss":2.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":2.7,"cvss_v4":null,"epss":0.00132,"ranking_epss":0.03105,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://wpscan.com/vulnerability/3937e20f-dd46-4c2e-b170-d5e5c254b8d2/"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T06:16:12","euvd":null},{"cve_id":"CVE-2026-57277","summary":"GeoWebPlayer (also called \"Web Plugin\" in the GV-VMS documentation and \"WS Player\" for VMS-Cloud) is an addon that can be installed with various GeoVision software (GV-VMS, GV-Cloud, ...). It creates a websocket server that expands the capabilities of the various web-interfaces provided by the GeoVision software and may be necessary for them to function properly.\n\nThe Websocket server can accept various commands coming from localhost. One of them, `connectionInfo` is meant to provide the necessary details to connect to a camera. The handler associated with this command that we call`handle_connection_info` contains multiple instances of string copy that can overflow. The function `handle_connect_info` copies attacker-controlled JSON strings into fixed-size buffers using manual byte-by-byte loops that do not enforce length limits.\n\n\n\n\n#### Buffer Overflow in key field","cvss":8.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.3,"cvss_v4":null,"epss":0.0028,"ranking_epss":0.19837,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://talosintelligence.com/vulnerability_reports/TALOS-2026-2375","https://www.geovision.com.tw/cyber_security.php"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T04:17:15","euvd":null},{"cve_id":"CVE-2026-57278","summary":"GeoWebPlayer (also called \"Web Plugin\" in the GV-VMS documentation and \"WS Player\" for VMS-Cloud) is an addon that can be installed with various GeoVision software (GV-VMS, GV-Cloud, ...). It creates a websocket server that expands the capabilities of the various web-interfaces provided by the GeoVision software and may be necessary for them to function properly.\n\nThe Websocket server can accept various commands coming from localhost. One of them, `connectionInfo` is meant to provide the necessary details to connect to a camera. The handler associated with this command that we call`handle_connection_info` contains multiple instances of string copy that can overflow. The function `handle_connect_info` copies attacker-controlled JSON strings into fixed-size buffers using manual byte-by-byte loops that do not enforce length limits.\n\n\n\n\n#### Buffer Overflow in ip field","cvss":8.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.3,"cvss_v4":null,"epss":0.0028,"ranking_epss":0.19837,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://talosintelligence.com/vulnerability_reports/TALOS-2026-2375","https://www.geovision.com.tw/cyber_security.php"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T04:17:15","euvd":null},{"cve_id":"CVE-2026-57274","summary":"GeoWebPlayer (also called \"Web Plugin\" in the GV-VMS documentation and \"WS Player\" for VMS-Cloud) is an addon that can be installed with various GeoVision software (GV-VMS, GV-Cloud, ...). It creates a websocket server that expands the capabilities of the various web-interfaces provided by the GeoVision software and may be necessary for them to function properly.\n\nThe Websocket server can accept various commands coming from localhost. One of them, `connectionInfo` is meant to provide the necessary details to connect to a camera. The handler associated with this command that we call`handle_connection_info` contains multiple instances of string copy that can overflow. The function `handle_connect_info` copies attacker-controlled JSON strings into fixed-size buffers using manual byte-by-byte loops that do not enforce length limits.\n\n\n\n\n\n#### Buffer Overflow in password field (no key present)","cvss":8.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.3,"cvss_v4":null,"epss":0.00286,"ranking_epss":0.20414,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://talosintelligence.com/vulnerability_reports/TALOS-2026-2375","https://www.geovision.com.tw/cyber_security.php"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T04:17:14","euvd":null},{"cve_id":"CVE-2026-57275","summary":"GeoWebPlayer (also called \"Web Plugin\" in the GV-VMS documentation and \"WS Player\" for VMS-Cloud) is an addon that can be installed with various GeoVision software (GV-VMS, GV-Cloud, ...). It creates a websocket server that expands the capabilities of the various web-interfaces provided by the GeoVision software and may be necessary for them to function properly.\n\nThe Websocket server can accept various commands coming from localhost. One of them, `connectionInfo` is meant to provide the necessary details to connect to a camera. The handler associated with this command that we call`handle_connection_info` contains multiple instances of string copy that can overflow. The function `handle_connect_info` copies attacker-controlled JSON strings into fixed-size buffers using manual byte-by-byte loops that do not enforce length limits.\n\n\n\n\n#### Buffer Overflow in username field (key present)","cvss":8.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.3,"cvss_v4":null,"epss":0.00286,"ranking_epss":0.20413,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://talosintelligence.com/vulnerability_reports/TALOS-2026-2375","https://www.geovision.com.tw/cyber_security.php"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T04:17:14","euvd":null},{"cve_id":"CVE-2026-57276","summary":"GeoWebPlayer (also called \"Web Plugin\" in the GV-VMS documentation and \"WS Player\" for VMS-Cloud) is an addon that can be installed with various GeoVision software (GV-VMS, GV-Cloud, ...). It creates a websocket server that expands the capabilities of the various web-interfaces provided by the GeoVision software and may be necessary for them to function properly.\n\nThe Websocket server can accept various commands coming from localhost. One of them, `connectionInfo` is meant to provide the necessary details to connect to a camera. The handler associated with this command that we call`handle_connection_info` contains multiple instances of string copy that can overflow. The function `handle_connect_info` copies attacker-controlled JSON strings into fixed-size buffers using manual byte-by-byte loops that do not enforce length limits. \n\n\n\n\n#### Buffer Overflow in password field (key present)","cvss":8.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.3,"cvss_v4":null,"epss":0.00286,"ranking_epss":0.20413,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://talosintelligence.com/vulnerability_reports/TALOS-2026-2375","https://www.geovision.com.tw/cyber_security.php"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T04:17:14","euvd":null},{"cve_id":"CVE-2026-57270","summary":"GeoWebPlayer (also called \"Web Plugin\" in the GV-VMS documentation and \"WS Player\" for VMS-Cloud) is an addon that can be installed with various GeoVision software (GV-VMS, GV-Cloud, ...). It creates a websocket server that expands the capabilities of the various web-interfaces provided by the GeoVision software and may be necessary for them to function properly.\n\nThe Websocket server can accept various commands coming from localhost. Many of the commands will take an `index` value that is then used to access various arrays to enter critical sections, perform various actions via function calls, etc. However the `index` value is usually not checked for valid range, and as such it can be used to access multiple arrays out-of-bound.\n\n\n\n#### play command index-out-of-bound","cvss":8.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.3,"cvss_v4":null,"epss":0.0022,"ranking_epss":0.12408,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://talosintelligence.com/vulnerability_reports/TALOS-2026-2373","https://www.geovision.com.tw/cyber_security.php"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T04:17:13","euvd":null},{"cve_id":"CVE-2026-57271","summary":"GeoWebPlayer (also called \"Web Plugin\" in the GV-VMS documentation and \"WS Player\" for VMS-Cloud) is an addon that can be installed with various GeoVision software (GV-VMS, GV-Cloud, ...). It creates a websocket server that expands the capabilities of the various web-interfaces provided by the GeoVision software and may be necessary for them to function properly.\n\n#### pause command index-out-of-bound","cvss":8.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.3,"cvss_v4":null,"epss":0.00235,"ranking_epss":0.14305,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://talosintelligence.com/vulnerability_reports/TALOS-2026-2373","https://www.geovision.com.tw/cyber_security.php"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T04:17:13","euvd":null},{"cve_id":"CVE-2026-57272","summary":"GeoWebPlayer (also called \"Web Plugin\" in the GV-VMS documentation and \"WS Player\" for VMS-Cloud) is an addon that can be installed with various GeoVision software (GV-VMS, GV-Cloud, ...). It creates a websocket server that expands the capabilities of the various web-interfaces provided by the GeoVision software and may be necessary for them to function properly.\n\nThe Websocket server can accept various commands coming from localhost. Many of the commands will take an `index` value that is then used to access various arrays to enter critical sections, perform various actions via function calls, etc. However the `index` value is usually not checked for valid range, and as such it can be used to access multiple arrays out-of-bound.\n\n\n\n#### byPass command index-out-of-bound","cvss":8.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.3,"cvss_v4":null,"epss":0.00247,"ranking_epss":0.15867,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://talosintelligence.com/vulnerability_reports/TALOS-2026-2373","https://www.geovision.com.tw/cyber_security.php"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T04:17:13","euvd":null},{"cve_id":"CVE-2026-57273","summary":"GeoWebPlayer (also called \"Web Plugin\" in the GV-VMS documentation and \"WS Player\" for VMS-Cloud) is an addon that can be installed with various GeoVision software (GV-VMS, GV-Cloud, ...). It creates a websocket server that expands the capabilities of the various web-interfaces provided by the GeoVision software and may be necessary for them to function properly.\n\nThe Websocket server can accept various commands coming from localhost. One of them, `connectionInfo` is meant to provide the necessary details to connect to a camera. The handler associated with this command that we call`handle_connection_info` contains multiple instances of string copy that can overflow. The function `handle_connect_info` copies attacker-controlled JSON strings into fixed-size buffers using manual byte-by-byte loops that do not enforce length limits.\n\n\n\n\n\n#### Buffer Overflow in username field (no key present)","cvss":8.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.3,"cvss_v4":null,"epss":0.00286,"ranking_epss":0.20413,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://talosintelligence.com/vulnerability_reports/TALOS-2026-2375","https://www.geovision.com.tw/cyber_security.php"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T04:17:13","euvd":null},{"cve_id":"CVE-2026-57266","summary":"GeoWebPlayer (also called \"Web Plugin\" in the GV-VMS documentation and \"WS Player\" for VMS-Cloud) is an addon that can be installed with various GeoVision software (GV-VMS, GV-Cloud, ...). It creates a websocket server that expands the capabilities of the various web-interfaces provided by the GeoVision software and may be necessary for them to function properly.\n\nThe Websocket server can accept various commands coming from localhost. Many of the commands will take an `index` value that is then used to access various arrays to enter critical sections, perform various actions via function calls, etc. However the `index` value is usually not checked for valid range, and as such it can be used to access multiple arrays out-of-bound.\n\n\n\n#### 2wayAudio command index-out-of-bound","cvss":8.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.3,"cvss_v4":null,"epss":0.00215,"ranking_epss":0.11893,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://talosintelligence.com/vulnerability_reports/TALOS-2026-2373","https://www.geovision.com.tw/cyber_security.php"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T04:17:12","euvd":null},{"cve_id":"CVE-2026-57267","summary":"GeoWebPlayer (also called \"Web Plugin\" in the GV-VMS documentation and \"WS Player\" for VMS-Cloud) is an addon that can be installed with various GeoVision software (GV-VMS, GV-Cloud, ...). It creates a websocket server that expands the capabilities of the various web-interfaces provided by the GeoVision software and may be necessary for them to function properly.\n\nThe Websocket server can accept various commands coming from localhost. Many of the commands will take an `index` value that is then used to access various arrays to enter critical sections, perform various actions via function calls, etc. However the `index` value is usually not checked for valid range, and as such it can be used to access multiple arrays out-of-bound.\n\n\n\n#### snapshot command index-out-of-bound","cvss":8.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.3,"cvss_v4":null,"epss":0.0022,"ranking_epss":0.12408,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://talosintelligence.com/vulnerability_reports/TALOS-2026-2373","https://www.geovision.com.tw/cyber_security.php"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T04:17:12","euvd":null},{"cve_id":"CVE-2026-57268","summary":"GeoWebPlayer (also called \"Web Plugin\" in the GV-VMS documentation and \"WS Player\" for VMS-Cloud) is an addon that can be installed with various GeoVision software (GV-VMS, GV-Cloud, ...). It creates a websocket server that expands the capabilities of the various web-interfaces provided by the GeoVision software and may be necessary for them to function properly.\n\nThe Websocket server can accept various commands coming from localhost. Many of the commands will take an `index` value that is then used to access various arrays to enter critical sections, perform various actions via function calls, etc. However the `index` value is usually not checked for valid range, and as such it can be used to access multiple arrays out-of-bound.\n\n\n### saveVideo command index-out-of-bound\n\nWhen sending the `saveVideo` command, the `index` field is extracted from the websocket message [1]. Then without checking the range of the index, it is used to trigger a CriticalSection ([2]) and releases it [3]. The release function call ([3]) is executed using a function pointer which will be read out of bounds potentially leading to code execution:\n\n\n\n\n\n     v6 = get_entry(a2, \"index\");\n\n      result = json_is_value_int(v6);\n\n      if ( (_BYTE)result )\n\n      {\n\n        v8 = get_entry(a2, \"index\");\n\n        index = json_value_to_int(&v8->value);  // [1]\n\n        result = CCriticalSection::EnterCritSection(&this->crit_sections[index]);  //[2]\n\n        if ( result )\n\n        {\n\n          if ( this->array_of_IPCams[index] )\n\n          {\n\n            if ( this->array_of_IPCams[index]->field_20 )\n\n              do_PostMessageA((CViewer *)this->array_of_IPCams[index], 0x111u, 0x139Fu, v11);\n\n          }\n\n          return (*(int (__thiscall **)(CCriticalSection *))(this->crit_sections[index].vtbl + 20))(&this->crit_sections[index]); //[3]\n\n        }\n\n      }","cvss":8.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.3,"cvss_v4":null,"epss":0.00286,"ranking_epss":0.20398,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://talosintelligence.com/vulnerability_reports/TALOS-2026-2373","https://www.geovision.com.tw/cyber_security.php"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T04:17:12","euvd":null},{"cve_id":"CVE-2026-57269","summary":"GeoWebPlayer (also called \"Web Plugin\" in the GV-VMS documentation and \"WS Player\" for VMS-Cloud) is an addon that can be installed with various GeoVision software (GV-VMS, GV-Cloud, ...). It creates a websocket server that expands the capabilities of the various web-interfaces provided by the GeoVision software and may be necessary for them to function properly.\n\nThe Websocket server can accept various commands coming from localhost. Many of the commands will take an `index` value that is then used to access various arrays to enter critical sections, perform various actions via function calls, etc. However the `index` value is usually not checked for valid range, and as such it can be used to access multiple arrays out-of-bound.\n\n\n\n#### disconnect command index-out-of-bound","cvss":8.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.3,"cvss_v4":null,"epss":0.0024,"ranking_epss":0.14972,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://talosintelligence.com/vulnerability_reports/TALOS-2026-2373","https://www.geovision.com.tw/cyber_security.php"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T04:17:12","euvd":null},{"cve_id":"CVE-2026-13131","summary":"GeoWebPlayer (also called \"Web Plugin\" in the GV-VMS documentation and \"WS Player\" for VMS-Cloud) is an addon that can be installed with various GeoVision software (GV-VMS, GV-Cloud, ...). It creates a websocket server that expands the capabilities of the various web-interfaces provided by the GeoVision software and may be necessary for them to function properly.\n\nThe Websocket server can accept various commands coming from localhost. Many of the commands will take an `index` value that is then used to access various arrays to enter critical sections, perform various actions via function calls, etc. However the `index` value is usually not checked for valid range, and as such it can be used to access multiple arrays out-of-bound.\n\n\n#### connectInfo command index-out-of-bound","cvss":8.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.3,"cvss_v4":null,"epss":0.00215,"ranking_epss":0.11894,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://talosintelligence.com/vulnerability_reports/TALOS-2026-2373","https://www.geovision.com.tw/cyber_security.php"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T04:17:11","euvd":null},{"cve_id":"CVE-2026-13132","summary":"GeoWebPlayer (also called \"Web Plugin\" in the GV-VMS documentation and \"WS Player\" for VMS-Cloud) is an addon that can be installed with various GeoVision software (GV-VMS, GV-Cloud, ...). It creates a websocket server that expands the capabilities of the various web-interfaces provided by the GeoVision software and may be necessary for them to function properly.\n\nThe Websocket server can accept various commands coming from localhost. Many of the commands will take an `index` value that is then used to access various arrays to enter critical sections, perform various actions via function calls, etc. However the `index` value is usually not checked for valid range, and as such it can be used to access multiple arrays out-of-bound.\n\n\n\n#### setStream command index-out-of-bound","cvss":8.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.3,"cvss_v4":null,"epss":0.00215,"ranking_epss":0.11894,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://talosintelligence.com/vulnerability_reports/TALOS-2026-2373","https://www.geovision.com.tw/cyber_security.php"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T04:17:11","euvd":null},{"cve_id":"CVE-2026-57264","summary":"GeoWebPlayer (also called \"Web Plugin\" in the GV-VMS documentation and \"WS Player\" for VMS-Cloud) is an addon that can be installed with various GeoVision software (GV-VMS, GV-Cloud, ...). It creates a websocket server that expands the capabilities of the various web-interfaces provided by the GeoVision software and may be necessary for them to function properly.\n\nThe Websocket server can accept various commands coming from localhost. Many of the commands will take an `index` value that is then used to access various arrays to enter critical sections, perform various actions via function calls, etc. However the `index` value is usually not checked for valid range, and as such it can be used to access multiple arrays out-of-bound.\n\n\n\n#### setPIP command index-out-of-bound","cvss":8.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.3,"cvss_v4":null,"epss":0.00215,"ranking_epss":0.11895,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://talosintelligence.com/vulnerability_reports/TALOS-2026-2373","https://www.geovision.com.tw/cyber_security.php"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T04:17:11","euvd":null},{"cve_id":"CVE-2026-57265","summary":"GeoWebPlayer (also called \"Web Plugin\" in the GV-VMS documentation and \"WS Player\" for VMS-Cloud) is an addon that can be installed with various GeoVision software (GV-VMS, GV-Cloud, ...). It creates a websocket server that expands the capabilities of the various web-interfaces provided by the GeoVision software and may be necessary for them to function properly.\n\nThe Websocket server can accept various commands coming from localhost. Many of the commands will take an `index` value that is then used to access various arrays to enter critical sections, perform various actions via function calls, etc. However the `index` value is usually not checked for valid range, and as such it can be used to access multiple arrays out-of-bound.\n\n\n#### audio command index-out-of-bound","cvss":8.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.3,"cvss_v4":null,"epss":0.00215,"ranking_epss":0.11894,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://talosintelligence.com/vulnerability_reports/TALOS-2026-2373","https://www.geovision.com.tw/cyber_security.php"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T04:17:11","euvd":null},{"cve_id":"CVE-2026-13125","summary":"GeoWebPlayer (also called \"Web Plugin\" in the GV-VMS documentation and \"WS Player\" for VMS-Cloud) is an addon that can be installed with various GeoVision software (GV-VMS, GV-Cloud, ...). It creates a websocket server that expands the capabilities of the various web-interfaces provided by the GeoVision software and may be necessary for them to function properly.\n\nIn order to access the websocket server, no authentication is required. As such, any malicious website can attempt to open a connection to the server and potentially access sensitive APIs. In particular, it's possible to call a combination of the `create` method and  `getScreenCapture`  to retrieve the content of the user's screen.","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.00227,"ranking_epss":0.13375,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.geovision.com.tw/cyber_security.php","https://www.talosintelligence.com/vulnerability_reports/TALOS-2026-2370"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T04:17:09","euvd":null},{"cve_id":"CVE-2026-55794","summary":"Craft CMS is a content management system (CMS). In versions 5.9.0 and above prior to 5.10.0, control panel users with the ability to edit entries can execute unsandboxed Twig code via the HTTP Referrer header, potentially leading to authenticated RCE. The issue happens when a user is saving entries. Strings for a signed redirect URL are being compiled as a Twig template via renderObjectTemplate(), and while a sandboxed alternative already exists (renderSandboxedObjectTemplate()), it is not used in this case. This signed URL can be specified by users, as it is reflected in the “Referer” HTTP request header, which is under attacker control. This issue has been fixed in version 5.10.0.","cvss":8.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":8.7,"epss":0.00293,"ranking_epss":0.21076,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/craftcms/cms/pull/18680","https://github.com/craftcms/cms/security/advisories/GHSA-f74w-488g-8x5r"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T00:16:45","euvd":null},{"cve_id":"CVE-2026-50279","summary":"Craft CMS is a content management system (CMS). IN versions 5.0.0-RC1 and above prior to 5.9.21, theEntriesController::actionSaveEntry() performs entry-edit permission checks before request-controlled author changes are applied to the model, allowing for authorship spoofing. The subsequent author mutation path accepts attacker-supplied authors / author parameters and allows the change when the current user is one of the old authors. Because the controller does not re-run authorization after mutating the author list, a low-privileged user can reassign an entry’s authorship to another user without holding the dedicated peer-author-change permission. This issue has been fixed in version 5.9.21.","cvss":7.6,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":7.6,"epss":0.00245,"ranking_epss":0.1566,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/craftcms/cms/commit/9cc493be8b414d7116c7f2bc2a6d0926e73f1248","https://github.com/craftcms/cms/security/advisories/GHSA-qq2c-2q8j-jh27","https://github.com/craftcms/cms/security/advisories/GHSA-qq2c-2q8j-jh27"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T00:16:44","euvd":{"id":"EUVD-2026-41214","description":"Craft CMS: Authorship spoofing in `entries/save-entry` via pre-check/post-mutation authorization gap","published_time":"2026-07-02T18:45:28","cvss":7.6,"cvss_version":"4.0","epss":0.0,"assigner":"GitHub_M","references":["https://github.com/craftcms/cms/security/advisories/GHSA-qq2c-2q8j-jh27","https://github.com/craftcms/cms/commit/9cc493be8b414d7116c7f2bc2a6d0926e73f1248","https://nvd.nist.gov/vuln/detail/CVE-2026-50279"],"products":["CMS"],"vendors":["craftcms"]}},{"cve_id":"CVE-2026-50280","summary":"Craft CMS is a content management system (CMS). In versions 5.0.0-RC1 and above prior to 5.9.21, the EntriesController::actionMoveToSection() endpoint gates the destination section only by viewEntries:$section->uid rather than requiring saveEntries permission (the source entry is separately checked via Entry::canMove()). As a result, a low-privileged authenticated control-panel user who can move an entry out of its current section can call moveEntryToSection() to rewrite the entry's sectionId and save it into a section where they have read access but no write access. This breaks the section-level authorization model, letting a user with limited permissions inject content into a protected section and interfere with editorial boundaries, approval workflows, and section-specific business logic. This issue has been fixed in version 5.9.21.","cvss":6.0,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":6.0,"epss":0.00273,"ranking_epss":0.19022,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/craftcms/cms/commit/0a6b916f6367b0162b2eaf2366add67b45fa98ea","https://github.com/craftcms/cms/security/advisories/GHSA-43cq-c2gq-pfpw"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T00:16:44","euvd":{"id":"EUVD-2026-41215","description":"Craft CMS: Authorization bypass in `entries/move-to-section` via missing target-section save check","published_time":"2026-07-02T18:47:37","cvss":6.0,"cvss_version":"4.0","epss":0.0,"assigner":"GitHub_M","references":["https://github.com/craftcms/cms/security/advisories/GHSA-43cq-c2gq-pfpw","https://github.com/craftcms/cms/commit/0a6b916f6367b0162b2eaf2366add67b45fa98ea","https://nvd.nist.gov/vuln/detail/CVE-2026-50280"],"products":["CMS"],"vendors":["craftcms"]}},{"cve_id":"CVE-2026-55791","summary":"Craft CMS is a content management system (CMS). Versions 4.0.0-RC1 and above, prior to 4.18.0 and 5.0.0-RC1, and above, prior to 5.10.0, are vulnerable to Server-Side Request Forgery (SSRF) and Arbitrary JavaScript Injection through the /actions/app/resource-js endpoint. By exploiting the default permissive trustedHosts configuration, an attacker can poison the Host or X-Forwarded-Host header to manipulate the application’s $baseUrl. This bypasses the endpoint’s internal URL validation, forcing the backend Guzzle client to fetch a malicious payload from an attacker-controlled server and reflect it to the client with a Content-Type: application/javascript header. The vulnerability manifests when assetManager.cacheSourcePaths is set to false. This issue has been fixed in versions 4.18.0 and 5.10.0.","cvss":6.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":6.9,"epss":0.0033,"ranking_epss":0.24914,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/craftcms/cms/pull/18559","https://github.com/craftcms/cms/security/advisories/GHSA-c55v-343g-5xff"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T00:16:44","euvd":null},{"cve_id":"CVE-2026-55792","summary":"Craft CMS is a content management system (CMS). In versions starting from 4.0.0-RC1 and prior to 4.18.0, and 5.0.0-RC1 and above, prior to 5.10.0, the dataUrl() Twig function is included in Craft’s Twig sandbox allowlist, allowing any control panel user granted the utility:system-messages permission to embed a file-reading payload into system email templates. When those emails are sent, the server reads the target file and returns its contents as a base64-encoded data URL embedded in the email body. The .env file, which typically contains the database password, CRAFT_SECURITY_KEY, and third-party API keys, passes all of Craft’s existing dataUrl() protection checks and is fully exfiltrated. Obtaining CRAFT_SECURITY_KEY enables an attacker to forge session tokens and escalate to full admin account takeover. This issue has been fixed in versions 4.18.0 and 5.10.0.","cvss":6.0,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":6.0,"epss":0.00268,"ranking_epss":0.18373,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/craftcms/cms/pull/18559","https://github.com/craftcms/cms/security/advisories/GHSA-287w-mxq6-x2cp","https://github.com/craftcms/cms/pull/18559"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-02T00:16:44","euvd":null},{"cve_id":"CVE-2026-14440","summary":"Description:\n\n\n\n\nTo issue and renew TLS certificates on behalf of customers, Cloudflare's Universal SSL feature automatically manages the CAA RRset for the customer's zone. This auto-managed RRset is permissive by design (e.g. 'issue \"letsencrypt.org\"' without parameters). On Universal SSL zones, Cloudflare's authoritative DNS serves this auto-managed RRset at query time, superseding any customer-configured CAA records on the zone. When a customer publishes a stricter CAA record using the RFC 8657 accounturi or validationmethods parameters, the Certificate Authority does not observe those parameters when evaluating the served RRset under RFC 8659. As a result, the RFC 8657 account-binding and validation-method-binding protections are not enforced end-to-end on Universal SSL zones. Successful exploitation could result in issuance of a browser-trusted TLS certificate to an attacker, enabling MITM against the affected domain.\n\n\n\n\nExploitation is non-trivial in practice: an attacker would need to hold an ACME account at one of the Certificate Authorities in the served CAA RRset and to simultaneously satisfy domain control validation across the multiple geographically distinct Network Perspectives the CA relies on for Multi-Perspective Issuance Corroboration. Cloudflare prefixes are anycast-announced from hundreds of locations globally, raising the bar against single-vantage-point BGP hijacks. Any resulting misissuance of a browser-trusted certificate is subject to Certificate Transparency logging required by major browsers, and would be visible to CT monitoring.\n\n\n\n\n\n\n\n\nMitigation: \n\n\n\nCustomers requiring strict RFC 8657 enforcement need to disable Universal SSL on the affected zone.\n\n\n\nUniversal SSL's automatic CAA management and customer-set RFC 8657 accounturi and validationmethods enforcement are mutually exclusive by the nature of the issue, so there is no in-product workaround that preserves both. \n\n\n\nCertificate Transparency monitoring is recommended for all customers as a general detection control.\n\n\n\n\n\n\n\n\nCredits:\n\n\n\nDavid Osipov (ORCID: https://orcid.org/0009-0005-2713-9242), independent researcher","cvss":7.6,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":7.6,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://developers.cloudflare.com/ssl/edge-certificates/caa-records/","https://developers.cloudflare.com/ssl/edge-certificates/universal-ssl/limitations/","https://www.rfc-editor.org/rfc/rfc8657","https://www.rfc-editor.org/rfc/rfc8659"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T23:16:52","euvd":null},{"cve_id":"CVE-2026-50283","summary":"Craft CMS is a content management system (CMS). Versions 5.0.0-RC1 through 5.9.20, and 4.0.0-RC1 through 4.17.13 contain an authorization issue in the AssetsController::actionReplaceFile that can delete a source asset without source delete permission by supplying both assetId and sourceAssetId. AssetsController::actionReplaceFile() supports replacing a target asset file using another existing asset as the source. The action loads: assetId -> $assetToReplace and sourceAssetId -> $sourceAsset, then enforces replace permissions using ($assetToReplace ?: $sourceAsset). When both IDs are provided, this expression resolves to the target asset so no permission check is performed against the source asset volume. When both assets are present, Craft copies the source file into the target and then deletes the source asset. There is no deletion check for for the source asset. An authenticated user who can replace files in one volume can delete assets in another volume where they do not have delete permission, as long as they can obtain a sourceAssetId, leading to broken content references and data loss. This issue has been fixed in versions 4.17.14 and 5.9.21.","cvss":5.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":5.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/craftcms/cms/commit/2c2579c7f1030872423f268d0c8b48377101961d","https://github.com/craftcms/cms/security/advisories/GHSA-qh45-9g5p-m2v4"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T23:16:52","euvd":{"id":"EUVD-2026-41154","description":"Craft CMS: Unauthorized Deletion of Source Assets During File Replacement","published_time":"2026-07-02T18:48:27","cvss":5.3,"cvss_version":"4.0","epss":0.0,"assigner":"GitHub_M","references":["https://github.com/craftcms/cms/security/advisories/GHSA-qh45-9g5p-m2v4","https://github.com/craftcms/cms/commit/2c2579c7f1030872423f268d0c8b48377101961d","https://nvd.nist.gov/vuln/detail/CVE-2026-50283"],"products":["CMS","CMS"],"vendors":["craftcms"]}},{"cve_id":"CVE-2026-50284","summary":"Craft CMS is a content management system (CMS). In versions 5.0.0-RC1 through 5.9.21 and 4.0.0-RC1 through 4.17.14, theAssetsController::actionDeleteFolder() only requires the deleteAssets:<volume-uid> permission for the target folder. It never enforces deletePeerAssets:<volume-uid>, even though Assets::deleteFoldersByIds() cascades deletion to every descendant folder and every asset inside, regardless of the uploader's assigned privileges. A low-privilege user who has been granted folder-management rights on a shared volume can therefore destroy assets uploaded by other users (peer assets), bypassing the per-asset peer-permission check that the sibling actionDeleteAsset endpoint correctly applies. This issue has been fixed in versions 4.17.15 and 5.9.22.","cvss":7.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":7.1,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/craftcms/cms/commit/b4e08977f0c9bdf002a77f9f6d1346cd55ac0598","https://github.com/craftcms/cms/security/advisories/GHSA-7h62-6v23-v8fm"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T23:16:52","euvd":{"id":"EUVD-2026-41208","description":"Craft CMS: Missing peer-permission check in `AssetsController::actionDeleteFolder` allows deletion of other users' assets","published_time":"2026-07-02T18:49:04","cvss":7.1,"cvss_version":"4.0","epss":0.0,"assigner":"GitHub_M","references":["https://github.com/craftcms/cms/security/advisories/GHSA-7h62-6v23-v8fm","https://github.com/craftcms/cms/commit/b4e08977f0c9bdf002a77f9f6d1346cd55ac0598","https://nvd.nist.gov/vuln/detail/CVE-2026-50284"],"products":["CMS","CMS"],"vendors":["craftcms"]}},{"cve_id":"CVE-2026-55790","summary":"Craft CMS is a content management system (CMS). In versions 5.0.0-RC1 through 5.9.22 and 4.0.0-RC1 through 4.17.15, an attacker with only a GitHub account can plant a JavaScript payload in a craftcms/cms issue title. When a Craft admin uses the CraftSupport widget’s \"Give feedback\" screen and types a search term that returns the poisoned issue, the payload executes in the admin’s control panel session. No control panel account or elevated privileges are required on the attacker’s side. This issue has been fixed in versions 4.17.16 and 5.9.23.","cvss":7.4,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":7.4,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/craftcms/cms/commit/6bbb66038a268552180ca5c8eed9f46ea25a4417","https://github.com/craftcms/cms/security/advisories/GHSA-24x4-j6x9-rfw5"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T23:16:52","euvd":null},{"cve_id":"CVE-2026-14425","summary":"Use after free in ANGLE in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/517935753"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T23:16:51","euvd":{"id":"EUVD-2026-41198","description":"Use after free in ANGLE in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)","published_time":"2026-07-01T22:22:03","cvss":9.6,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/517935753"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14426","summary":"Use after free in V8 in Google Chrome prior to 150.0.7871.46 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/517981277"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T23:16:51","euvd":{"id":"EUVD-2026-41206","description":"Use after free in V8 in Google Chrome prior to 150.0.7871.46 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)","published_time":"2026-07-01T22:22:07","cvss":7.5,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/517981277"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14427","summary":"Heap buffer overflow in Skia in Google Chrome prior to 150.0.7871.46 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/520113415"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T23:16:51","euvd":{"id":"EUVD-2026-41156","description":"Heap buffer overflow in Skia in Google Chrome prior to 150.0.7871.46 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)","published_time":"2026-07-01T22:21:38","cvss":8.3,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/520113415"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14428","summary":"Insufficient validation of untrusted input in Dawn in Google Chrome on Android prior to 150.0.7871.46 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/520180257"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T23:16:51","euvd":{"id":"EUVD-2026-41168","description":"Insufficient validation of untrusted input in Dawn in Google Chrome on Android prior to 150.0.7871.46 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)","published_time":"2026-07-01T22:21:45","cvss":8.3,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/520180257"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14429","summary":"Insufficient validation of untrusted input in Skia in Google Chrome prior to 150.0.7871.46 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/520571816"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T23:16:51","euvd":{"id":"EUVD-2026-41170","description":"Insufficient validation of untrusted input in Skia in Google Chrome prior to 150.0.7871.46 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)","published_time":"2026-07-01T22:21:46","cvss":8.3,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/520571816"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14430","summary":"Integer overflow in V8 in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/522126182"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T23:16:51","euvd":{"id":"EUVD-2026-41174","description":"Integer overflow in V8 in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)","published_time":"2026-07-01T22:21:49","cvss":8.8,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/522126182"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14431","summary":"Type Confusion in V8 in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/523884658"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T23:16:51","euvd":{"id":"EUVD-2026-41188","description":"Type Confusion in V8 in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)","published_time":"2026-07-01T22:21:57","cvss":8.8,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/523884658"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14432","summary":"Use after free in V8 in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/524290062"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T23:16:51","euvd":{"id":"EUVD-2026-41204","description":"Use after free in V8 in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)","published_time":"2026-07-01T22:22:06","cvss":8.8,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/524290062"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14439","summary":"A path traversal vulnerability exists in the Git Service component shared by Altium Enterprise Server and Altium 365. The service accepts a sequence of post-clone file-manipulation operations that use user-supplied paths without validation, allowing an authenticated user with basic git access to move arbitrary files outside the intended repository area.\n\n\n\n\nThis file-move primitive can be used to place attacker-controlled script content into directories where it is later executed by the service, resulting in remote code execution under the Git Service account. On multi-tenant Altium 365 deployments, this could have allowed access to data belonging to other tenants on the same infrastructure node. Altium Enterprise Server is fixed in 8.1.1; the issue has been remediated in Altium 365 (commercial and government cloud) at the service level.","cvss":9.4,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":9.4,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.altium.com/platform/security-compliance/security-advisories"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T23:16:51","euvd":{"id":"EUVD-2026-41210","description":"A path traversal vulnerability exists in the Git Service component shared by Altium Enterprise Server and Altium 365. The service accepts a sequence of post-clone file-manipulation operations that use user-supplied paths without validation, allowing an authenticated user with basic git access to move arbitrary files outside the intended repository area.\n\n\n\n\nThis file-move primitive can be used to place attacker-controlled script content into directories where it is later executed by the service, resulting in remote code execution under the Git Service account. On multi-tenant Altium 365 deployments, this could have allowed access to data belonging to other tenants on the same infrastructure node. Altium Enterprise Server is fixed in 8.1.1. The issue has been remediated across Altium 365 shared multi-tenant deployments at the service level; remediation is in progress on remaining Altium 365 deployments.","published_time":"2026-07-01T23:05:30","cvss":9.4,"cvss_version":"4.0","epss":0.0,"assigner":"Altium","references":["https://www.altium.com/platform/security-compliance/security-advisories"],"products":["Altium Enterprise Server","Altium 365"],"vendors":["Altium"]}},{"cve_id":"CVE-2026-14416","summary":"Out of bounds read in Dawn in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low)","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/515428315"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T23:16:50","euvd":{"id":"EUVD-2026-41181","description":"Out of bounds read in Dawn in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-07-01T22:21:53","cvss":9.6,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/515428315"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14417","summary":"Use after free in Dawn in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/516649133"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T23:16:50","euvd":{"id":"EUVD-2026-41200","description":"Use after free in Dawn in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)","published_time":"2026-07-01T22:22:04","cvss":9.6,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/516649133"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14418","summary":"Uninitialized Use in ANGLE in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/516865345"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T23:16:50","euvd":{"id":"EUVD-2026-41190","description":"Uninitialized Use in ANGLE in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)","published_time":"2026-07-01T22:21:58","cvss":4.3,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/516865345"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14419","summary":"Use after free in Skia in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/516981393"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T23:16:50","euvd":{"id":"EUVD-2026-41201","description":"Use after free in Skia in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)","published_time":"2026-07-01T22:22:04","cvss":9.6,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/516981393"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14420","summary":"Out of bounds read and write in Dawn in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/517031505"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T23:16:50","euvd":null},{"cve_id":"CVE-2026-14421","summary":"Uninitialized Use in Dawn in Google Chrome on ChromeOS prior to 150.0.7871.46 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/517033235"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T23:16:50","euvd":{"id":"EUVD-2026-41192","description":"Uninitialized Use in Dawn in Google Chrome on ChromeOS prior to 150.0.7871.46 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)","published_time":"2026-07-01T22:21:59","cvss":6.5,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/517033235"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14422","summary":"Out of bounds read and write in Tint in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/517225032"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T23:16:50","euvd":null},{"cve_id":"CVE-2026-14423","summary":"Type Confusion in Tint in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/517522769"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T23:16:50","euvd":{"id":"EUVD-2026-41187","description":"Type Confusion in Tint in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)","published_time":"2026-07-01T22:21:56","cvss":9.6,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/517522769"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14424","summary":"Use after free in Dawn in Google Chrome on Mac prior to 150.0.7871.46 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/517692772"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T23:16:50","euvd":{"id":"EUVD-2026-41199","description":"Use after free in Dawn in Google Chrome on Mac prior to 150.0.7871.46 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)","published_time":"2026-07-01T22:22:03","cvss":9.6,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/517692772"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14406","summary":"Out of bounds read in V8 in Google Chrome prior to 150.0.7871.46 allowed an attacker who convinced a user to install a malicious extension to obtain potentially sensitive information from process memory via a crafted Chrome Extension. (Chromium security severity: Medium)","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513435594"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T23:16:49","euvd":{"id":"EUVD-2026-41182","description":"Out of bounds read in V8 in Google Chrome prior to 150.0.7871.46 allowed an attacker who convinced a user to install a malicious extension to obtain potentially sensitive information from process memory via a crafted Chrome Extension. (Chromium security severity: Medium)","published_time":"2026-07-01T22:21:53","cvss":5.9,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513435594"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14407","summary":"Inappropriate implementation in V8 in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513586956"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T23:16:49","euvd":{"id":"EUVD-2026-41160","description":"Inappropriate implementation in V8 in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)","published_time":"2026-07-01T22:21:41","cvss":8.8,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513586956"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14408","summary":"Uninitialized Use in Dawn in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513631768"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T23:16:49","euvd":{"id":"EUVD-2026-41193","description":"Uninitialized Use in Dawn in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)","published_time":"2026-07-01T22:22:00","cvss":6.5,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513631768"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14409","summary":"Inappropriate implementation in V8 in Google Chrome prior to 150.0.7871.46 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Low)","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513810921"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T23:16:49","euvd":{"id":"EUVD-2026-41161","description":"Inappropriate implementation in V8 in Google Chrome prior to 150.0.7871.46 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-07-01T22:21:41","cvss":7.5,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513810921"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14410","summary":"Inappropriate implementation in Skia in Google Chrome prior to 150.0.7871.46 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513836996"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T23:16:49","euvd":null},{"cve_id":"CVE-2026-14411","summary":"Insufficient validation of untrusted input in ANGLE in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513919827"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T23:16:49","euvd":{"id":"EUVD-2026-41166","description":"Insufficient validation of untrusted input in ANGLE in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)","published_time":"2026-07-01T22:21:44","cvss":9.6,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513919827"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14412","summary":"Insufficient validation of untrusted input in ANGLE in Google Chrome prior to 150.0.7871.46 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513920834"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T23:16:49","euvd":{"id":"EUVD-2026-41167","description":"Insufficient validation of untrusted input in ANGLE in Google Chrome prior to 150.0.7871.46 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)","published_time":"2026-07-01T22:21:45","cvss":8.3,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513920834"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14413","summary":"Uninitialized Use in ANGLE in Google Chrome prior to 150.0.7871.46 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513922055"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T23:16:49","euvd":{"id":"EUVD-2026-41191","description":"Uninitialized Use in ANGLE in Google Chrome prior to 150.0.7871.46 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)","published_time":"2026-07-01T22:21:59","cvss":8.3,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513922055"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14414","summary":"Insufficient validation of untrusted input in Skia in Google Chrome prior to 150.0.7871.46 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513948227"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T23:16:49","euvd":{"id":"EUVD-2026-41169","description":"Insufficient validation of untrusted input in Skia in Google Chrome prior to 150.0.7871.46 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)","published_time":"2026-07-01T22:21:46","cvss":5.3,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513948227"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14415","summary":"Inappropriate implementation in V8 in Google Chrome prior to 150.0.7871.46 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Low)","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/515086856"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T23:16:49","euvd":null},{"cve_id":"CVE-2026-14396","summary":"Out of bounds read in ANGLE in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/511737097"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T23:16:48","euvd":null},{"cve_id":"CVE-2026-14397","summary":"Out of bounds write in ANGLE in Google Chrome on Mac prior to 150.0.7871.46 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/511772608"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T23:16:48","euvd":{"id":"EUVD-2026-41183","description":"Out of bounds write in ANGLE in Google Chrome on Mac prior to 150.0.7871.46 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)","published_time":"2026-07-01T22:21:54","cvss":9.6,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/511772608"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14398","summary":"Use after free in ANGLE in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/512995785"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T23:16:48","euvd":null},{"cve_id":"CVE-2026-14399","summary":"Uninitialized Use in Dawn in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513006745"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T23:16:48","euvd":{"id":"EUVD-2026-41194","description":"Uninitialized Use in Dawn in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)","published_time":"2026-07-01T22:22:00","cvss":6.5,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513006745"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14400","summary":"Out of bounds write in ANGLE in Google Chrome prior to 150.0.7871.46 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513010645"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T23:16:48","euvd":{"id":"EUVD-2026-41184","description":"Out of bounds write in ANGLE in Google Chrome prior to 150.0.7871.46 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)","published_time":"2026-07-01T22:21:55","cvss":8.3,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513010645"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14401","summary":"Insufficient validation of untrusted input in ANGLE in Google Chrome on Android prior to 150.0.7871.46 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513048822"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T23:16:48","euvd":{"id":"EUVD-2026-41164","description":"Insufficient validation of untrusted input in ANGLE in Google Chrome on Android prior to 150.0.7871.46 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)","published_time":"2026-07-01T22:21:43","cvss":8.3,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513048822"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14402","summary":"Uninitialized Use in ANGLE in Google Chrome on Windows prior to 150.0.7871.46 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513051340"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T23:16:48","euvd":{"id":"EUVD-2026-41189","description":"Uninitialized Use in ANGLE in Google Chrome on Windows prior to 150.0.7871.46 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)","published_time":"2026-07-01T22:21:57","cvss":6.5,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513051340"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14403","summary":"Use after free in V8 in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Low)","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513298483"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T23:16:48","euvd":{"id":"EUVD-2026-41202","description":"Use after free in V8 in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-07-01T22:22:05","cvss":8.8,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513298483"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14404","summary":"Inappropriate implementation in PDFium in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to perform UI spoofing via a crafted PDF file. (Chromium security severity: Medium)","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513337989"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T23:16:48","euvd":null},{"cve_id":"CVE-2026-14405","summary":"Uninitialized Use in V8 in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Low)","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513376037"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T23:16:48","euvd":{"id":"EUVD-2026-41195","description":"Uninitialized Use in V8 in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-07-01T22:22:01","cvss":9.6,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513376037"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14386","summary":"Out of bounds read in ANGLE in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/499047960"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T23:16:47","euvd":{"id":"EUVD-2026-41179","description":"Out of bounds read in ANGLE in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)","published_time":"2026-07-01T22:21:52","cvss":6.5,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/499047960"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14387","summary":"Integer overflow in Skia in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/500305404"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T23:16:47","euvd":{"id":"EUVD-2026-41172","description":"Integer overflow in Skia in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)","published_time":"2026-07-01T22:21:48","cvss":9.6,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/500305404"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14388","summary":"Out of bounds read in ANGLE in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/500476886"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T23:16:47","euvd":{"id":"EUVD-2026-41180","description":"Out of bounds read in ANGLE in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)","published_time":"2026-07-01T22:21:52","cvss":6.5,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/500476886"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14389","summary":"Integer overflow in Skia in Google Chrome prior to 150.0.7871.46 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/500505046"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T23:16:47","euvd":{"id":"EUVD-2026-41173","description":"Integer overflow in Skia in Google Chrome prior to 150.0.7871.46 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)","published_time":"2026-07-01T22:21:48","cvss":8.3,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/500505046"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14390","summary":"Use after free in ANGLE in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/503054174"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T23:16:47","euvd":{"id":"EUVD-2026-41197","description":"Use after free in ANGLE in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)","published_time":"2026-07-01T22:22:02","cvss":9.6,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/503054174"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14391","summary":"Integer overflow in ANGLE in Google Chrome on Windows prior to 150.0.7871.46 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/506212452"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T23:16:47","euvd":{"id":"EUVD-2026-41171","description":"Integer overflow in ANGLE in Google Chrome on Windows prior to 150.0.7871.46 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)","published_time":"2026-07-01T22:21:47","cvss":5.3,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/506212452"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14392","summary":"Out of bounds write in Tint in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/508265321"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T23:16:47","euvd":{"id":"EUVD-2026-41185","description":"Out of bounds write in Tint in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)","published_time":"2026-07-01T22:21:55","cvss":9.6,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/508265321"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14393","summary":"Use after free in V8 in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/511255112"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T23:16:47","euvd":{"id":"EUVD-2026-41203","description":"Use after free in V8 in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)","published_time":"2026-07-01T22:22:05","cvss":8.8,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/511255112"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14394","summary":"Use after free in V8 in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Low)","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/511263221"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T23:16:47","euvd":null},{"cve_id":"CVE-2026-14395","summary":"Out of bounds write in V8 in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Low)","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/511290389"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T23:16:47","euvd":{"id":"EUVD-2026-41186","description":"Out of bounds write in V8 in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-07-01T22:21:56","cvss":8.8,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/511290389"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14381","summary":"Incorrect security UI in WebAppInstalls in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/407283320"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T23:16:46","euvd":null},{"cve_id":"CVE-2026-14382","summary":"Insufficient validation of untrusted input in ANGLE in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/492218546"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T23:16:46","euvd":{"id":"EUVD-2026-41165","description":"Insufficient validation of untrusted input in ANGLE in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)","published_time":"2026-07-01T22:21:44","cvss":9.6,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/492218546"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14383","summary":"Inappropriate implementation in V8 in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/492410546"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T23:16:46","euvd":{"id":"EUVD-2026-41159","description":"Inappropriate implementation in V8 in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)","published_time":"2026-07-01T22:21:40","cvss":8.8,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/492410546"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14384","summary":"Out of bounds read in ANGLE in Google Chrome on Windows prior to 150.0.7871.46 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/497543485"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T23:16:46","euvd":null},{"cve_id":"CVE-2026-14385","summary":"Heap buffer overflow in ANGLE in Google Chrome on Mac prior to 150.0.7871.46 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/499006005"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T23:16:46","euvd":null},{"cve_id":"CVE-2026-11950","summary":"Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":[],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T23:16:45","euvd":null},{"cve_id":"CVE-2026-54704","summary":"OpenTelemetry Java Instrumentation provides OpenTelemetry auto-instrumentation and instrumentation libraries for Java. In versions prior to 2.28.0, the JDBC auto-instrumentation may fail to sanitize passwords in SQL CONNECT statements when the password is double-quoted. As a result, clear-text database passwords can be added to trace span attributes and exported to observability backends. This issue has been fixed in version 2.28.0.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/open-telemetry/opentelemetry-java-instrumentation/security/advisories/GHSA-rwqx-fvqh-6wm4"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T22:16:50","euvd":null},{"cve_id":"CVE-2026-54712","summary":"OpenTelemetry Java Instrumentation provides OpenTelemetry auto-instrumentation and instrumentation libraries for Java. In versions prior to 2.27.0, the RMI context propagation payload reader limits the number of context entries but does not limit the aggregate size of the strings read from the stream. An attacker who can reach an RMI endpoint on an instrumented JVM can send an oversized context propagation payload. This can cause excessive memory allocation while the JVM reads the payload, potentially leading to denial of service. The issue affects only deployments where RMI instrumentation is enabled and an RMI endpoint is network-reachable. This issue has been fixed in version 2.27.0.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/open-telemetry/opentelemetry-java-instrumentation/security/advisories/GHSA-fq3f-m5qm-99f5"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T22:16:50","euvd":null},{"cve_id":"CVE-2026-55793","summary":"Craft CMS is a content management system (CMS). In versions 5.0.0-RC1 through 5.9.22, an author-level control panel user can store a malicious JavaScript payload in an entry title. When an admin, or any control panel user with saveEntries for the same Structure section, drags another entry under the poisoned entry in table view, the payload executes in the victim’s session. The issue is exploitable because the title is escaped into data-title by the server, decoded again by the browser, read with jQuery .data('title'), and then concatenated into a new HTML string without attribute escaping. To exploit, an attacker must have an existing control panel account (Author role minimum), the victim must perform a drag operation (not just visit the page), and the victim’s session needs to be elevated at trigger time. This issue has been fixed in version 5.9.23.","cvss":5.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":5.9,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/craftcms/cms/commit/162321e899cc97517fb6f5a02b5528f549d0c6cc","https://github.com/craftcms/cms/security/advisories/GHSA-xrqc-p465-2xvg"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T22:16:50","euvd":null},{"cve_id":"CVE-2026-52186","summary":"SQL Injection vulnerability in UTT nv518G nv518GV3v3.2.7-210919-161313 allows a remote attacker to execute arbitrary code via the gohead/sub_463bbc component","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/akuma-QAQ/CVEreport/blob/main/518G/FUN_00463bbc/README.md","https://utt.com.cn/downloadcenter.php?filetypeid=3&model=518G&lang=zhcn"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T22:16:49","euvd":{"id":"EUVD-2026-41224","description":"SQL Injection vulnerability in UTT nv518G nv518GV3v3.2.7-210919-161313 allows a remote attacker to execute arbitrary code via the gohead/sub_463bbc component","published_time":"2026-07-02T00:31:40","cvss":0.0,"cvss_version":null,"epss":0.0,"assigner":"mitre","references":["https://utt.com.cn/downloadcenter.php?filetypeid=3&model=518G&lang=zhcn","https://github.com/akuma-QAQ/CVEreport/blob/main/518G/FUN_00463bbc/README.md","https://nvd.nist.gov/vuln/detail/CVE-2026-52186"],"products":["n/a"],"vendors":["n/a"]}},{"cve_id":"CVE-2026-52190","summary":"Buffer Overflow vulnerability in UTT nv518G nv518GV3v3.2.7-210919-161313 allows a remote attacker to cause a denial of service via the gohead/sub_448384 component","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/akuma-QAQ/CVEreport/tree/main/518G/FUN_00448384","https://utt.com.cn/downloadcenter.php?filetypeid=3&model=518G&lang=zhcn"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T22:16:49","euvd":{"id":"EUVD-2026-41225","description":"Buffer Overflow vulnerability in UTT nv518G nv518GV3v3.2.7-210919-161313 allows a remote attacker to cause a denial of service via the gohead/sub_448384 component","published_time":"2026-07-02T00:31:40","cvss":0.0,"cvss_version":null,"epss":0.0,"assigner":"mitre","references":["https://utt.com.cn/downloadcenter.php?filetypeid=3&model=518G&lang=zhcn","https://github.com/akuma-QAQ/CVEreport/tree/main/518G/FUN_00448384","https://nvd.nist.gov/vuln/detail/CVE-2026-52190"],"products":["n/a"],"vendors":["n/a"]}},{"cve_id":"CVE-2026-54259","summary":"Wagtail is an open source content management system built on Django. In versions prior to 7.0.8, 7.3.3 and 7.4.2, the Documents and Images chooser's chosen endpoint incorrectly listed items for which the user has not been granted choose permission. A user with access to the Wagtail admin could see the filename and name and URLs of documents and images in those collections. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. This issue has been fixed in versions 7.0.8, 7.3.3, and 7.4.2.","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/wagtail/wagtail/security/advisories/GHSA-h54r-xq46-qwqm"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T22:16:49","euvd":null},{"cve_id":"CVE-2026-54260","summary":"Wagtail is an open source content management system built on Django. In versions prior to 7.0.8, 7.3.3 and 7.4.2, an authenticated admin user can trigger expensive rendition processing with purposefully crafted filter specs resulting in potentially service degradation. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. This issue has been fixed in versions 7.0.8, 7.3.3, and 7.4.2.","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/wagtail/wagtail/security/advisories/GHSA-f2p5-j6fg-5cxf"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T22:16:49","euvd":null},{"cve_id":"CVE-2026-54261","summary":"Wagtail is an open source content management system built on Django. In versions prior to 7.0.8, 7.3.3 and 7.4.2, due to a missing permission check on the image preview endpoint, a user with access to the Wagtail admin can preview any image. The existing data of the image object itself is not exposed. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. This issue has been fixed in versions 7.0.8, 7.3.3, and 7.4.2.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/wagtail/wagtail/security/advisories/GHSA-r6p4-grq7-xm4m"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T22:16:49","euvd":null},{"cve_id":"CVE-2026-54262","summary":"Wagtail is an open source content management system built on Django. In versions prior to 7.0.8, 7.3.3 and 7.4.2, a low-level user with the \"Can submit translation\" permission can create translations for any page, including those they do not have permissions for. This issue has been fixed in versions 7.0.8, 7.3.3, and 7.4.2.","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/wagtail/wagtail/security/advisories/GHSA-8634-mr4j-r72c"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T22:16:49","euvd":null},{"cve_id":"CVE-2026-54263","summary":"Wagtail is an open source content management system built on Django. In versions prior to 7.0.8, 7.3.3 and 7.4.2, reflected cross-site scripting (XSS) vulnerability exists on the dynamic image URL generator view within the Wagtail admin interface. A user with a limited-permission editor account for the Wagtail admin could craft a URL that, when viewed by a user with higher privileges, could perform actions with that user's credentials. The vulnerability is present for all sites, even if they do not enable the dynamic image serve view. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. This issue has been fixed in versions 7.0.8, 7.3.3, and 7.4.2.","cvss":7.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.3,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/wagtail/wagtail/security/advisories/GHSA-23m2-mghx-vqmf"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T22:16:49","euvd":null},{"cve_id":"CVE-2026-36909","summary":"A NULL pointer dereference in the AP4_TkhdAtom::GetTrackId() function of Aleksoid1978 MPC-BE before commit 4341cb3 allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Aleksoid1978/MPC-BE/issues/1062","https://github.com/axiomatic-systems/Bento4/issues/965"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T22:16:48","euvd":{"id":"EUVD-2026-41216","description":"A NULL pointer dereference in the AP4_TkhdAtom::GetTrackId() function of Aleksoid1978 MPC-BE before commit 4341cb3 allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.","published_time":"2026-07-02T00:31:40","cvss":0.0,"cvss_version":null,"epss":0.0,"assigner":"mitre","references":["https://github.com/Aleksoid1978/MPC-BE/issues/1062","https://github.com/axiomatic-systems/Bento4/issues/965","https://nvd.nist.gov/vuln/detail/CVE-2026-36909"],"products":["n/a"],"vendors":["n/a"]}},{"cve_id":"CVE-2026-36910","summary":"An access violation in the BaseSplitterFile::Read function of Aleksoid1978 MPC-BE before commit 4341cb3 allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Aleksoid1978/MPC-BE/issues/1062","https://github.com/axiomatic-systems/Bento4/issues/873"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T22:16:48","euvd":{"id":"EUVD-2026-41217","description":"An access violation in the BaseSplitterFile::Read function of Aleksoid1978 MPC-BE before commit 4341cb3 allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.","published_time":"2026-07-02T00:31:40","cvss":0.0,"cvss_version":null,"epss":0.0,"assigner":"mitre","references":["https://github.com/axiomatic-systems/Bento4/issues/873","https://github.com/Aleksoid1978/MPC-BE/issues/1062","https://nvd.nist.gov/vuln/detail/CVE-2026-36910"],"products":["n/a"],"vendors":["n/a"]}},{"cve_id":"CVE-2026-36911","summary":"A division-by-zero vulnerability in the CStreamSwitcherOutputPin::DecideBufferSize function of Aleksoid1978 MPC-BE before commit 4341cb3 allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Aleksoid1978/MPC-BE/issues/1062"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T22:16:48","euvd":{"id":"EUVD-2026-41218","description":"A division-by-zero vulnerability in the CStreamSwitcherOutputPin::DecideBufferSize function of Aleksoid1978 MPC-BE before commit 4341cb3 allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.","published_time":"2026-07-02T00:31:40","cvss":0.0,"cvss_version":null,"epss":0.0,"assigner":"mitre","references":["https://github.com/Aleksoid1978/MPC-BE/issues/1062","https://nvd.nist.gov/vuln/detail/CVE-2026-36911"],"products":["n/a"],"vendors":["n/a"]}},{"cve_id":"CVE-2026-36912","summary":"A NULL pointer dereference in the AP4_AtomSampleTable::GetSample() function of Aleksoid1978 MPC-BE before commit 4341cb3 allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Aleksoid1978/MPC-BE/issues/1062","https://github.com/axiomatic-systems/Bento4/issues/511"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T22:16:48","euvd":{"id":"EUVD-2026-41219","description":"A NULL pointer dereference in the AP4_AtomSampleTable::GetSample() function of Aleksoid1978 MPC-BE before commit 4341cb3 allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.","published_time":"2026-07-02T00:31:40","cvss":0.0,"cvss_version":null,"epss":0.0,"assigner":"mitre","references":["https://github.com/axiomatic-systems/Bento4/issues/511","https://github.com/Aleksoid1978/MPC-BE/issues/1062","https://nvd.nist.gov/vuln/detail/CVE-2026-36912"],"products":["n/a"],"vendors":["n/a"]}},{"cve_id":"CVE-2026-38891","summary":"An improper input validation in the gazebo_ros_diff_drive.cpp component of gazebo_plugins v3.9.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted geometry_msgs::Twist message.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/REYu6/ROS-vul/blob/main/Gazebo%20CVE/260328211736.mp4","https://github.com/REYu6/ROS-vul/blob/main/Gazebo%20CVE/gazebo_ros_diff_drive.md"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T22:16:48","euvd":{"id":"EUVD-2026-41221","description":"An improper input validation in the gazebo_ros_diff_drive.cpp component of gazebo_plugins v3.9.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted geometry_msgs::Twist message.","published_time":"2026-07-02T00:31:40","cvss":0.0,"cvss_version":null,"epss":0.0,"assigner":"mitre","references":["https://github.com/REYu6/ROS-vul/blob/main/Gazebo%20CVE/gazebo_ros_diff_drive.md","https://github.com/REYu6/ROS-vul/blob/main/Gazebo%20CVE/260328211736.mp4","https://nvd.nist.gov/vuln/detail/CVE-2026-38891"],"products":["n/a"],"vendors":["n/a"]}},{"cve_id":"CVE-2026-55661","summary":"Tina is a headless content management system. In versions prior to @tinacms/mdx 2.1.7 and  tinacms 3.9.3,  rich-text parsing and the default link/image renderers did not sanitize the url field on Slate link/image nodes. Content containing javascript: or data:text/html URLs — including case-variant, whitespace-padded, and control-character-obfuscated forms — is rendered into href/src and executes when the content is viewed. Any actor able to author rich-text content (for example a lower-privileged editor, or imported/external content) can achieve stored XSS against editors and site viewers. This issue is fixed in versions @tinacms/mdx 2.1.7 and  tinacms 3.9.3.","cvss":4.8,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":4.8,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/tinacms/tinacms/pull/7056","https://github.com/tinacms/tinacms/security/advisories/GHSA-2vcc-5v34-9jc8"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T21:17:04","euvd":null},{"cve_id":"CVE-2026-55886","summary":"Jodit Editor is a WYSIWYG editor with written in pure TypeScript file and image editing capabilities. Versions prior to 4.12.26 are vulnerable to Prototype Pollution through Jodit.modules.Helpers.set(chain, value, obj), which walks the dot-separated chain, creating and following each path segment without filtering prototype-mutating keys. A chain that begins with (or contains) __proto__, constructor, or prototype lets the final assignment reach and mutate Object.prototype. Applications that pass a user-controlled or partially user-controlled key path into Jodit.modules.Helpers.set() could be vulnerable, causing unexpected property injection, logic bypass, denial of service, or secondary security issues. This issue has been fixed in version 4.12.26.","cvss":6.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":6.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/xdan/jodit/security/advisories/GHSA-vpmm-x3fm-qr5c"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T21:17:04","euvd":null},{"cve_id":"CVE-2026-58263","summary":"Jodit Editor is a WYSIWYG editor with written in pure TypeScript file and image editing capabilities. In versions prior to 4.12.28, the built-in clean-html sanitizer can be bypassed by a MathML/<style> carrier that hides a dangerous element from the sanitizer's element walk, so a no-interaction event handler survives into the editor value, potentially causing Mutation XSS. When an application supplies attacker-influenced HTML to the editor's value-set or insertion paths, the sanitized output still contains a live <img ... onload=...> (or another non-onerror handler such as onfocus). A consumer that renders that output (element.innerHTML = editor.value) executes the handler with no user interaction. This issue has been fixed in version 4.12.28.","cvss":7.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.2,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/xdan/jodit/security/advisories/GHSA-rxcw-mc6f-6hr3"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T21:17:04","euvd":null},{"cve_id":"CVE-2026-50521","summary":"Use after free in Microsoft Edge (Chromium-based) allows an authorized attacker to execute code over a network.","cvss":8.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.3,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50521"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T21:17:03","euvd":null},{"cve_id":"CVE-2026-54074","summary":"Tina is a headless content management system. @tinacms/cli versions prior to 2.4.3 contain a Remote Code Execution vulnerability in the Forestry-to-Tina migration command. The internal helper addVariablesToCode unquotes any value matching the marker \"__TINA_INTERNAL__:::(.*?):::\" inside the stringified collection JSON. User-supplied label and name fields from .forestry/**/*.yml are placed into that JSON without any sanitisation. An attacker who controls a Forestry-style project can therefore inject arbitrary JavaScript into the generated tina/templates.{ts,js} file. The injected code is written at module top level, so it executes the moment the developer runs tinacms dev or tinacms build, with the developer's privileges. This issue has been fixed in version 2.4.3.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/tinacms/tinacms/security/advisories/GHSA-4936-9hrh-qqpw"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T21:17:03","euvd":null},{"cve_id":"CVE-2026-54720","summary":"Silverstripe Framework is a PHP framework which powers the Silverstripe CMS. In versions prior to 6.2.2, the \"Insert media from web\" functionality in the CMS is vulnerable to XSS from a specially crafted embed. This issue was fixed in version 6.2.2/","cvss":5.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.4,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-gvrw-qqp5-jgc5","https://www.silverstripe.org/download/security-releases/cve-2026-54720"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T21:17:03","euvd":null},{"cve_id":"CVE-2026-54756","summary":"Jodit Editor is a WYSIWYG editor with written in pure TypeScript file and image editing capabilities. In versions prior to 4.12.18, Jodit.configure(options) — and the internal ConfigMerge / ConfigProto helpers — merged user-supplied options into the editor configuration without filtering prototype-mutating keys, potentially causing a Prototype Pollution vulnerability. A payload nested under an existing plain-object option such as controls could reach and mutate Object.prototype. Applications that pass user-controlled or partially user-controlled configuration into Jodit.configure() may be vulnerable. This issue was fixed in version 4.12.18.","cvss":6.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":6.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/xdan/jodit/security/advisories/GHSA-5957-5c94-3v7w"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T21:17:03","euvd":null},{"cve_id":"CVE-2026-54786","summary":"Wasmtime is a runtime for WebAssembly. All versions prior to 24.0.10; versions 25.0.0 through those before  36.0.11; versions 37.0.0 through those before 44.0.3; and versions 45.0.0 and 45.0.1 contain a native implementation of WASIp1 which suffers from a leak in the fd_renumber function where the file descriptor being renumbered to is not properly closed. Wasmtime's implementation erroneously only updated the table of descriptors for WASIp1 and didn't update the underlying table of descriptors used by the host. This behavior means that while fd_renumber works correctly from a guest's perspective it ends up leaking resources in the host that aren't cleaned up until the corresponding Store is destroyed. In a loop, guests can use fd_renumber to cause hosts to exhaust both resources and file descriptors. This bug only affects the native implementation of WASIp1, meaning that only runtimes which load core wasm modules and expose fd_renumber are affected. Runtimes are additionally only affected if they expose the ability to acquire a file descriptor, such as opening a file. For runtimes that deny access to files they are unaffected. This issue has been fixed in versions 24.0.10, 36.0.11, 44.0.3, and 45.0.2.","cvss":2.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":2.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-3p27-qvp9-27qf"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T21:17:03","euvd":null},{"cve_id":"CVE-2026-55153","summary":"mchange-commons-java is a Java library of shared utility classes used by mchange projects like the c3p0 connection pool. Prior to version 0.6.0, its JNDI ObjectFactory implementation (com.mchange.v2.naming.JavaBeanObjectFactory) will construct objects of arbitrary classes and initialize \"JavaBean\"-style properties, which for certain classes enables JNDI injection and \"deserialization gadgets.\" Such initialization is unsafe for some classes: for example, setting the contentType property of a Swing JEditorPane to text/html and its text property to HTML containing a stylesheet <link> will provoke an HTTP GET on an arbitrary URL, potentially from within a trusted security domain. The problem is aggravated by the library's ReferenceIndirector, through which malicious JNDI Reference objects can be smuggled in for dereferencing wherever an application reads a Java-serialized object. This has been resolved in version 0.6.0.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/swaldman/mchange-commons-java/security/advisories/GHSA-h84g-69h7-mw6v"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T21:17:03","euvd":null},{"cve_id":"CVE-2026-55660","summary":"Tina is a headless content management system. In versions prior to @tinacms/app 2.5.6 and tinacms 3.9.3, cross-origin postMessage handlers and a rich-text URL-sanitization bypass enable stored XSS and session takeover. The library registers window message listeners — the useTina overlay handler, the OAuth authentication popup handler, and the admin↔preview iframe GraphQL reducer — that act on event.data without verifying event.origin or event.source and post messages using non-specific target origins, while insufficient URL sanitization in rich-text content allows malicious URLs to persist and execute. A page the victim visits (or a window in an opener/iframe relationship with a Tina admin) can forge messages to drive the editor, inject preview content, or observe/forge the OAuth popup channel to take over an authenticated editing session. This issue has been fixed in versions @tinacms/app 2.5.6 and tinacms 3.9.3.","cvss":7.6,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":7.6,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/tinacms/tinacms/pull/7056","https://github.com/tinacms/tinacms/security/advisories/GHSA-g5qx-h5f3-mp2f"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T21:17:03","euvd":null},{"cve_id":"CVE-2026-14340","summary":"An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed a user-to-server token scoped to a GitHub App installation to perform certain write operations on public repositories outside the token's intended scope. This was possible because the authorization check only verified that the installation had read permissions on the target repository rather than verifying that the token's installation was explicitly granted access to that repository. An attacker who obtained a victim's user-to-server token could create issues, issue comments, commit comments, and private vulnerability reports on any public repository, appearing as the victim user with no indication of the app involvement. This vulnerability was fixed by adding a repository scope check for user-to-server tokens issued by global apps. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.22 and was fixed in versions 3.21.2, 3.20.4, 3.19.8, 3.18.11, 3.17.17, 3.16.20. This vulnerability was reported via the GitHub Bug Bounty program.","cvss":5.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":5.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.20","https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.17","https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.11","https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.8","https://docs.github.com/en/enterprise-server@3.20/admin/release-notes#3.20.4","https://docs.github.com/en/enterprise-server@3.21/admin/release-notes#3.21.2"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T21:16:43","euvd":null},{"cve_id":"CVE-2026-55688","summary":"The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. In versions from 2.0.0 prior to 2.16.0 and from 3.0.0.Beta1 prior to 3.0.11, ThreadSafeCookieStore stored a cookie under the value of its Domain attribute without verifying that the responding host is allowed to set a cookie for that domain, leading to a cookie tossing / cookie injection issue. A host the client connects to can therefore plant a cookie scoped to an unrelated domain, and the client will then send that cookie on later requests to that domain. Applications that use a single AsyncHttpClient instance - and thus the default, shared CookieStore - to reach both an attacker-influenced host and a trusted host are impacted. This issue has been fixed in versions 2.16.0 and 3.0.11.","cvss":4.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.0,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/AsyncHttpClient/async-http-client/pull/2196","https://github.com/AsyncHttpClient/async-http-client/security/advisories/GHSA-m452-q8c9-rg2f"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T20:17:11","euvd":null},{"cve_id":"CVE-2026-58457","summary":"Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02) contains an unauthenticated OS command injection vulnerability that allows network-adjacent attackers to execute arbitrary shell commands by injecting unsanitized input through the smacfilter_conf handler in the commuos web backend. Attackers can append semicolon-delimited payloads to the name, enable, or mac GET parameters, which are passed without sanitization into sprintf() to build uci shell commands executed via doSystemCmdComlib(), granting full root-level control of the device.","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":9.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/IEATASICS/m300-repeater-bugs#","https://www.aliexpress.us/item/3256806767641280.html","https://www.vulncheck.com/advisories/shenzhen-aitemi-m300-mt02-unauthenticated-os-command-injection-via-protocol-csp"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T20:17:11","euvd":null},{"cve_id":"CVE-2026-58592","summary":"Ladybird contains a dangling-reference memory-safety flaw in its WebAssembly ESM-integration module loader. When a JavaScript function is imported into a WebAssembly module via the ESM path, WebAssemblyModule.cpp passes a stack-local Wasm::FunctionType by reference to create_host_function, whose host callback captures and later reads that reference; once the ESM link-loop iteration ends the FunctionType is destroyed, leaving the callback with a dangling reference (the normal instantiate path uses a long-lived reference and is not affected). Stale result-type data lets the host callback return an empty result vector for a statically non-empty result, so the destination register retains an attacker-influenced value that is then consumed by the WASM-GC array.set handler, which bit-casts the reference low bits to an ArrayInstance pointer after only a null check, yielding an arbitrary write. A web page can chain this into code execution in the WebContent process. Verified reachable from HTML content without any instrumentation or source modification.","cvss":8.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":8.3,"cvss_v4":8.9,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/LadybirdBrowser/ladybird/blob/master/Libraries/LibWeb/WebAssembly/WebAssemblyModule.cpp","https://github.com/bikini/exploitarium/tree/main/ladybird-wasm-esm-host-function-rce-poc","https://www.vulncheck.com/advisories/ladybird-web-reachable-code-execution-via-dangling-functiontype-reference-in-webassembly-esm-integration"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T20:17:11","euvd":null},{"cve_id":"CVE-2026-58593","summary":"NodeBB does not bind the claimed author of an inbound ActivityPub object to the authenticated remote actor. The inbound middleware verifies the HTTP-signature actor and checks the origin of object.id, but never validates that attributedTo corresponds to the sender. In the object mock, attributedTo is used directly as a uid, and actors.assert silently ignores numeric identifiers (filtering them out without re-deriving the uid), so a federated remote actor can set attributedTo to a bare numeric value such as 1 and have the resulting post or private message created with that local uid as author, including the administrator account. This lets a remote attacker forge posts and direct messages attributed to arbitrary local users. Requires the ActivityPub/federation feature to be enabled.","cvss":8.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":8.7,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/NodeBB/NodeBB/blob/v4.13.2/src/activitypub/mocks.js","https://github.com/bikini/exploitarium/tree/main/nodebb-activitypub-attributedto-local-uid-spoof-poc","https://www.vulncheck.com/advisories/nodebb-activitypub-author-spoofing-via-unvalidated-attributedto-mapped-to-local-user"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T20:17:11","euvd":null},{"cve_id":"CVE-2026-49858","summary":"API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. In versions from 2.6.0 prior to 4.1.29, 4.2.26, and 4.3.12, a missing isCacheKeySafe gate in the JSON:API and HAL item normalizers causes a cross-user attribute leak.  #[ApiProperty(security: ...)] is evaluated per request to decide whether a property is exposed. The componentsCache arrays in ApiPlatform\\JsonApi\\Serializer\\ItemNormalizer and ApiPlatform\\Hal\\Serializer\\ItemNormalizer are keyed on $context['cache_key'], which is set unconditionally before delegating to the parent normalizer. The component structure (attributes, relationships, links) computed for one request can therefore be reused for a subsequent request whose user has a different set of accessible properties. A user with lower privileges may end up seeing the structure of properties that the security predicate would otherwise have hidden for them. This issue has been fixed in versions 4.1.29, 4.2.26, and 4.3.12.","cvss":5.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.9,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/api-platform/core/security/advisories/GHSA-pjhx-3c3w-9v23"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T20:17:10","euvd":null},{"cve_id":"CVE-2026-54164","summary":"API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. In versions prior to 4.1.30, 4.2.26 and 4.3.12, the serializer's AbstractItemNormalizer does not validate the resource type returned when resolving relation IRIs, allowing type confusion where a resource of an unintended type can be silently assigned to a relation property. An attacker who can submit write requests (POST/PUT/PATCH) to an API Platform endpoint with writable relations can supply a relation IRI pointing to a resource of a different type than the relation's declared class. Because getResourceFromIri() does not pass an $operation to IriConverter::getResourceFromIri(), the is_a type guard at IriConverter.php:86 is skipped. For untyped relation properties (legacy @var-only style), the wrong-typed object is silently assigned, corrupting invariants and potentially feeding downstream logic that assumes the declared type (CWE-843). For typed properties (modern PHP 8.x), the substitution is blocked by Symfony's PropertyAccessor with an InvalidTypeException. This issue has been fixed in versions 4.1.30, 4.2.26 and 4.3.12.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/api-platform/core/security/advisories/GHSA-9rjg-x2p2-h68h"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T20:17:10","euvd":null},{"cve_id":"CVE-2026-54908","summary":"Pion DTLS is a Go implementation of Datagram Transport Layer Security. Versions prior to 3.1.4 are vulnerable to Remote Denial of Service via panic while parsing a crafted ECDHE_PSK ServerKeyExchange message. This issue has been fixed in version 3.1.4.","cvss":6.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":6.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/pion/dtls/pull/839","https://github.com/pion/dtls/security/advisories/GHSA-wg4g-wm44-ch5j"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T20:17:10","euvd":null},{"cve_id":"CVE-2026-14265","summary":"Deserialization of untrusted data in the RemoteQueryCachePlugin in Amazon Web Services AWS Advanced JDBC Wrapper 3.3.0 through 4.0.0 might allow an actor with write access to the shared cache infrastructure to execute arbitrary code on application servers that read cached query results via a crafted serialized Java object. The RemoteQueryCachePlugin uses ObjectInputStream without class filtering when deserializing cached query results from Redis or Valkey, enabling gadget chain execution when cache entries are poisoned.\n\n\n\nWe recommend upgrading to AWS Advanced JDBC Wrapper version 4.0.1 or later.","cvss":7.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":7.7,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://aws.amazon.com/security/security-bulletins/2026-051-aws/","https://github.com/aws/aws-advanced-jdbc-wrapper/releases/tag/4.0.1","https://github.com/aws/aws-advanced-jdbc-wrapper/security/advisories/GHSA-c5q4-97jw-jggh"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T20:17:08","euvd":null},{"cve_id":"CVE-2026-14363","summary":"Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in The Wikimedia Foundation Mediawiki - Cargo Extension allows SQL Injection.\n\nThis issue affects Mediawiki - Cargo Extension: from * before 1.43.9,1.44.6,1.45.4.","cvss":6.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":6.9,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/1269701","https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/1279498","https://phabricator.wikimedia.org/T422774"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T20:17:08","euvd":null},{"cve_id":"CVE-2026-58517","summary":"Improper neutralization of input terminators vulnerability in The Wikimedia Foundation Mediawiki - WikiLambda Extension allows Authentication Bypass.\n\nThis issue affects Mediawiki - WikiLambda Extension: from * before 1.43.9,1.44.6,1.45.4.","cvss":6.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":6.9,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gerrit.wikimedia.org/r/c/1305376","https://phabricator.wikimedia.org/T428833"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T19:16:57","euvd":null},{"cve_id":"CVE-2026-58451","summary":"Horde IMP before 7.0.1 contains a path traversal vulnerability in lib/Compose.php that allows authenticated attackers to read arbitrary files from the server filesystem by embedding traversal sequences after a CKEditor path prefix in img src URLs. Attackers can bypass the stripos() prefix validation by appending sequences such as traversal segments after the matching prefix, causing file_get_contents() to read sensitive files whose contents are then exfiltrated as MIME parts in outgoing email; unauthenticated exploitation is also achievable via CSRF against an active authenticated session.","cvss":7.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":7.1,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/horde/imp/commit/fba972fab72ee6871e5d56e6390bee38593085de","https://github.com/horde/imp/pull/85","https://github.com/horde/imp/releases/tag/v7.0.1","https://www.horde.org/apps/imp","https://www.vulncheck.com/advisories/horde-imp-path-traversal-via-compose-php-img-src"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T19:16:56","euvd":null},{"cve_id":"CVE-2026-55594","summary":"ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-51 and 7.1.2-26, a missing depth check in the MVG decoder will result in a stack overflow when a crafted image is provided. This issue has been fixed in versions 6.9.13-51 and 7.1.2-26.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-mx48-2qq3-23hf"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T19:16:55","euvd":null},{"cve_id":"CVE-2026-55595","summary":"ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-51 and 7.1.2-26, when providing invalid arguments to the connected-components option an infinite loop will occur. This issue has been fixed in versions 6.9.13-51 and 7.1.2-26.","cvss":4.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.7,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qhmf-7fc4-8q3h"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T19:16:55","euvd":null},{"cve_id":"CVE-2026-55597","summary":"ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-26, an incorrect handling of arguments can cause a heap buffer over-write in the JP2 encoder. This issue has been fixed in version7.1.2-26.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-c4v7-w88g-m6c4"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T19:16:55","euvd":null},{"cve_id":"CVE-2026-55628","summary":"In versions prior to 7.1.2-26he, the `-concatenate` operation is missing policy checks, potentially resulting in both reading and writing to paths disallowed by the security policy. This issue has been fixed in version 7.1.2-26.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-82mp-vp5c-9pf7"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T19:16:55","euvd":null},{"cve_id":"CVE-2026-53466","summary":"ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-51 and 7.1.2-26, an integer overflow in the XCF decoder can result in an out of bounds read when a crafted image is read, potentially resulting in a crash. This issue has been fixed in versions 6.9.13-51 and 7.1.2-26.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-pjxj-pchx-4c3m"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T19:16:54","euvd":null},{"cve_id":"CVE-2026-53467","summary":"ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-51 and 7.1.2-26, the MNG decoder contains a possible heap information disclosure vulnerability because part of the pixels are left unchanged. This issue has been fixed in versions 6.9.13-51 and 7.1.2-26.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-8g53-9m3c-69xg"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T19:16:54","euvd":null},{"cve_id":"CVE-2026-53489","summary":"containerd is an open-source container runtime. Versions prior to 2.3.2, 2.2.5 and 2.1.9 contain a bug where the CRI plugin restores container.log from a checkpoint image without validating a symlinked path. This could result in reading an arbitrary file on the host via kubectl logs. This issue has been fixed in versions 2.3.2, 2.2.5 and 2.1.9.","cvss":8.2,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":8.2,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/containerd/containerd/security/advisories/GHSA-rgh6-rfwx-v388"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T19:16:54","euvd":null},{"cve_id":"CVE-2026-53492","summary":"containerd is an open-source container runtime. In Versions prior to 2.3.2, 2.2.5 and 2.1.9, the CRI implementation improperly trusts Container Device Interface (CDI) annotations found within untrusted checkpoint image metadata during container restoration. When restoring a container from a checkpoint, containerd preserves CDI-related annotations from the checkpoint archive rather than relying solely on the pod's create-time specification. This allows a user with pod creation permissions to bypass standard Kubernetes resource allocation and device plugin enforcement, injecting arbitrary CDI edits (such as device nodes and host mounts) into the restored container. Successful exploitation requires that the node has CDI enabled and contains a matching host CDI specification for the requested device; environments where CDI is disabled or lacking sensitive device specifications are not affected. This issue has been fixed in versions 2.3.2, 2.2.5 and 2.1.9.","cvss":8.4,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":8.4,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/containerd/containerd/security/advisories/GHSA-33vj-92qq-66hc"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T19:16:54","euvd":null},{"cve_id":"CVE-2026-55510","summary":"ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-51 and 7.1.2-26, when identifying an image with a crafted 8BIM profile with a specific format string a use-after-free will occur. This issue has been fixed in versions 6.9.13-51 and 7.1.2-26.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-ff5c-8x9r-8qcw"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T19:16:54","euvd":null},{"cve_id":"CVE-2026-55577","summary":"ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-51 and 7.1.2-26, a heap buffer overflow occurs in the MVG decoder that could result in an out of bounds write when processing a crafted image. This issue has been fixed in versions 6.9.13-51 and 7.1.2-26.","cvss":5.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.9,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-wx47-rm3x-jx6p"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T19:16:54","euvd":null},{"cve_id":"CVE-2026-50160","summary":"Hoppscotch is an API development ecosystem. In self-hosted deployments of hoppscotch-backend from version 2026.4.1 and earlier, the unauthenticated POST /v1/onboarding/config endpoint is vulnerable to mass assignment. The global NestJS ValidationPipe is configured without whitelist: true, so extra properties on the request body that are not declared in SaveOnboardingConfigRequest are not stripped and are iterated in the service layer as if they were legitimate InfraConfig entries. Because keys such as JWT_SECRET and SESSION_SECRET are valid InfraConfigEnum values and are not explicitly rejected during validation, an unauthenticated attacker who can reach a fresh instance before onboarding completes (or when no users exist) can overwrite these values in the database. Overwriting JWT_SECRET gives the attacker control of the JWT signing key, allowing them to forge tokens for any user, including administrators, and results in full server compromise. The issue is fixed in hoppscotch 2026.5.0.","cvss":10.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":10.0,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/hoppscotch/hoppscotch/pull/6171","https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-j542-4rch-8hwf","http://www.openwall.com/lists/oss-security/2026/06/23/7","https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-j542-4rch-8hwf"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T19:16:53","euvd":null},{"cve_id":"CVE-2026-50195","summary":"containerd is an open-source container runtime. Versions prior to 2.3.2, 2.2.5 and 2.1.9 contain a vulnerability in the CRI checkpoint import process where it fails to validate the image references specified within a checkpoint image's configuration. An attacker with permissions to create pods can use a crafted checkpoint image to force containerd to pull a malicious image and assign it an arbitrary local tag, thereby poisoning the node's local image cache. Subsequently, if other pods on the same node attempt to use the poisoned tag with an IfNotPresent (or Never) pull policy, they will unknowingly execute the attacker's malicious image instead of the legitimate one. This can lead to a compromise of the affected pods, allowing the attacker to execute arbitrary code under the victim pod's identity. This issue has been fixed in versions 2.3.2, 2.2.5 and 2.1.9.","cvss":5.6,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":5.6,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/containerd/containerd/security/advisories/GHSA-cvxm-645q-p574"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T19:16:53","euvd":null},{"cve_id":"CVE-2026-51947","summary":"An issue in Pivotal CRM 6.6.4.08 and systems using patch-ghi-15381-cwe-502-20251225.zip (fixed in Pivotal CRM 6.6.5.10 and Patch_CWE502_20260316.zip) allows a remote attacker to execute arbitrary code via the Pivotal.Engine.Client.Services.Conversion.dll component. NOTE: this issue exists because of an incomplete fix for CVE-2026-39253.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://support.pivotal.aurea.com/article/129552-remediating-insecure-deserialization-cwe-502-in-pivotal-6-6-04-08-smart-client-pbs","https://timtimxs.github.io/CVE-2026-39253-Advisory/","https://timtimxs.github.io/CVE-2026-51947-Advisory/"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T19:16:53","euvd":null},{"cve_id":"CVE-2026-47262","summary":"containerd is an open-source container runtime. Versions prior to 1.7.33, 2.0.10, 2.1.9, 2.2.5 and 2.3.2, contain a vulnerability that allows a maliciously crafted image to cause a Denial of Service (DoS) condition. When creating a container from this image, memory exhaustion occurs, leading to an Out Of Memory (OOM) kill of the containerd process. This renders the container runtime API unavailable and can disrupt clients such as the Docker Engine or Kubernetes control-plane components. This issue has been fixed in versions 1.7.33, 2.0.10, 2.1.9, 2.2.5 and 2.3.2.","cvss":5.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":5.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/containerd/containerd/security/advisories/GHSA-jpcc-p29g-p8mq"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T19:16:52","euvd":null},{"cve_id":"CVE-2026-49119","summary":"Gradio before 6.16.0 contain a path traversal vulnerability in the FileExplorer component's preprocess() method that allows unauthenticated attackers to escape the configured root directory by supplying path segments containing directory traversal sequences or absolute paths. Attackers can provide crafted path segments that cause os.path.join to discard the root_dir prefix entirely, resulting in arbitrary file read or exposure of sensitive files outside the intended directory.","cvss":8.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":8.7,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/gradio-app/gradio/commit/97d541f3d5fd05b2587a69ecc94b68fe5d2d7004","https://github.com/gradio-app/gradio/pull/13437","https://github.com/gradio-app/gradio/releases/tag/gradio%406.16.0","https://www.vulncheck.com/advisories/gradio-path-traversal-via-fileexplorer-preprocess"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T19:16:52","euvd":null},{"cve_id":"CVE-2026-38142","summary":"An unauthenticated command injection vulnerability in the /goform/fast_setting_internet_set endpoint of Tenda AC18 v15.03.05.05 allows attackers to execute arbitrary commands via a crafted payload injected into the mac parameter.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/longqx223/Tenda-ac-18-V15.03.05.05-/blob/main/Tenda%20AC18%20Unauthenticated%20Second-Order%20OS%20Command%20Injection%20in%20goformfast_setting_internet_set.pdf","https://github.com/longqx223/Tenda-ac-18-V15.03.05.05-/blob/main/Tenda%20AC18%20Unauthenticated%20Second-Order%20OS%20Command%20Injection%20in%20goformfast_setting_internet_set.pdf"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T19:16:51","euvd":null},{"cve_id":"CVE-2026-41121","summary":"Dell Device Management Agent, versions prior to DDMA 26.05, contain an Improper Link Resolution Before File Access ('Link Following’) vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of Privileges.","cvss":7.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.3,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.dell.com/support/kbdoc/en-us/000473690/dsa-2026-258"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T19:16:51","euvd":null},{"cve_id":"CVE-2026-14358","summary":"Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in The Wikimedia Foundation Mediawiki - Charts Extension allows Cross-Site Scripting (XSS).\n\nThis issue affects Mediawiki - Charts Extension: from * before 1.43.9,1.44.6,1.45.4.","cvss":6.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":6.9,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gerrit.wikimedia.org/r/q/Ibdaa7c852ae83f562e84dddc9c96ad64e2152210","https://phabricator.wikimedia.org/T430548"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T19:16:50","euvd":null},{"cve_id":"CVE-2026-13760","summary":"OS command injection in the NodejsFunction Docker bundling pipeline (OsCommand helper) in AWS aws-cdk-lib on all platforms might allow a actor who controls dependency version strings in a project's package.json file to execute arbitrary commands on the host running the CDK toolchain via injected shell metacharacters in the OsCommand helper. This issue requires the actor to control the content of a package.json dependency version string that is processed during Docker-based bundling with nodeModules specified.\n\n\n\nTo remediate this issue, users should upgrade to v2.260.0.","cvss":7.0,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.3,"cvss_v4":7.0,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://aws.amazon.com/security/security-bulletins/2026-050-aws/","https://github.com/aws/aws-cdk/releases/tag/v2.260.0","https://github.com/aws/aws-cdk/security/advisories/GHSA-vcrf-j523-4mrf"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T19:16:36","euvd":null},{"cve_id":"CVE-2026-13769","summary":"Overly permissive file permissions in AWS CLI before 1.44.78 (v1) and 2.34.29 (v2) on Unix-like systems where the umask has not been configured to restrict file permissions (the default on most systems) may allow other local users on the same host to read credentials written by certain CLI subcommands (aws codeartifact login, aws iam create-virtual-mfa-device, aws deploy register).\n\nTo remediate this issue, users should upgrade to AWS CLI 1.44.78 (v1) or 2.34.29 (v2) or later.","cvss":6.8,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":6.8,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://aws.amazon.com/security/security-bulletins/2026-049-aws/","https://github.com/aws/aws-cli/releases/tag/1.44.78","https://github.com/aws/aws-cli/releases/tag/2.34.29","https://github.com/aws/aws-cli/security/advisories/GHSA-wfp6-f47h-hxc3"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T19:16:36","euvd":null},{"cve_id":"CVE-2026-58521","summary":"Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in The Wikimedia Foundation Mediawiki - Cargo Extension allows SQL Injection.\n\nThis issue affects Mediawiki - Cargo Extension: from * before 1.43.9,1.44.6,1.45.4.","cvss":6.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":6.9,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gerrit.wikimedia.org/r/c/1298854","https://phabricator.wikimedia.org/T428274","https://phabricator.wikimedia.org/T428274"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T18:16:36","euvd":null},{"cve_id":"CVE-2026-5051","summary":"HashiCorp Vault and Vault Enterprise prior to 2.0.1 audit device validation logic did not consistently apply plugin directory protections when the legacy file audit path option was used. \n\nThis vulnerability (CVE-2026-5051) is fixed in 2.0.1, 1.21.6, 1.20.11, and 1.19.17.","cvss":4.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.4,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://discuss.hashicorp.com/t/hcsec-2026-16-vault-audit-device-plugin-directory-guard-bypass-via-legacy-path-option/77536"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T18:16:36","euvd":null},{"cve_id":"CVE-2026-57722","summary":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ShortPixel Enable Media Replace allows Stored XSS.\n\nThis issue affects Enable Media Replace: from n/a through 4.2.1.","cvss":5.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.9,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/enable-media-replace/vulnerability/wordpress-enable-media-replace-plugin-4-2-1-cross-site-scripting-xss-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T18:16:35","euvd":null},{"cve_id":"CVE-2026-57723","summary":"Cross-Site Request Forgery (CSRF) vulnerability in e4jvikwp VikBooking Hotel Booking Engine & PMS allows Path Traversal.\n\nThis issue affects VikBooking Hotel Booking Engine & PMS: from n/a through 1.8.12.","cvss":7.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.4,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/vikbooking/vulnerability/wordpress-vikbooking-hotel-booking-engine-pms-plugin-1-8-12-csrf-to-arbitrary-file-deletion-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T18:16:35","euvd":null},{"cve_id":"CVE-2026-57736","summary":"Insertion of Sensitive Information Into Sent Data vulnerability in HubSpot allows Retrieve Embedded Sensitive Data.\n\nThis issue affects HubSpot: from n/a through 11.3.51.","cvss":7.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.4,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/leadin/vulnerability/wordpress-hubspot-plugin-11-3-51-sensitive-data-exposure-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T18:16:35","euvd":null},{"cve_id":"CVE-2026-57737","summary":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Averta LTD Shortcodes and extra features for Phlox theme allows DOM-Based XSS.\n\nThis issue affects Shortcodes and extra features for Phlox theme: from n/a through 2.17.16.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/auxin-elements/vulnerability/wordpress-shortcodes-and-extra-features-for-phlox-theme-plugin-2-17-16-cross-site-scripting-xss-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T18:16:35","euvd":null},{"cve_id":"CVE-2026-58520","summary":"URL redirection to untrusted site ('open redirect') vulnerability in The Wikimedia Foundation Mediawiki - UrlShortener Extension allows Cross-Site Flashing.\n\nThis issue affects Mediawiki - UrlShortener Extension: from * before 1.43.9, 1.44.6, 1.45.4.","cvss":6.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":6.9,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gerrit.wikimedia.org/r/q/I7a59cc4c351b5aa47ed46f7a14a1105fd1ecc5b5","https://phabricator.wikimedia.org/T418431"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T18:16:35","euvd":null},{"cve_id":"CVE-2026-49091","summary":"Improper Output Neutralization for Logs (CWE-117) in Kibana can lead to log injection via Log Injection-Tampering-Forging (CAPEC-93). An attacker can supply specially crafted input that is written to log files without proper neutralization. When the log files are subsequently viewed in a terminal that interprets control sequences, the injected content may alter the displayed log data.","cvss":8.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.0,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://discuss.elastic.co/t/kibana-7-17-15-8-11-1-security-update-esa-2026-53"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T18:16:34","euvd":null},{"cve_id":"CVE-2026-51946","summary":"SQL Injection vulnerability in GoAdminGroup GoAdmin (last release v1.2.26) allows a remote attacker to execute arbitrary code and obtain sensitive information via the the __sort_type URL parameter on all /admin/info/{table} endpoints","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://blog.silentgrid.com/ai-assisted-penetration-testing-in-practice/","https://github.com/GoAdminGroup/go-admin/tree/main"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T18:16:34","euvd":null},{"cve_id":"CVE-2026-54428","summary":"Allocation of resources without limits or throttling in the HTTP/2 HPACK decoder in Apache HttpComponents Core (5.4.2 and earlier, 5.5-beta1 and earlier) allows an remote attacker to cause a denial of service through memory exhaustion by sending oversized compressed header blocks before the HTTP/2 SETTINGS acknowledgement causes the configured header list size limit to be applied.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://lists.apache.org/thread/5zjp8vczvxq19pw2rvhs21q446bhl0sd","http://www.openwall.com/lists/oss-security/2026/07/01/3"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T18:16:34","euvd":null},{"cve_id":"CVE-2026-49090","summary":"Uncontrolled Resource Consumption (CWE-400) in Elasticsearch can lead to a denial of service via Excessive Allocation (CAPEC-130). An authenticated user can submit a specially crafted bulk request that causes sustained high CPU consumption, which can render the affected node unable to process requests.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://discuss.elastic.co/t/elasticsearch-7-17-24-8-15-0-security-update-esa-2026-52"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T18:16:33","euvd":null},{"cve_id":"CVE-2026-46680","summary":"containerd is an open-source container runtime. In versions prior to 1.7.32, 2.0.9, 2.2.4 and 2.3.1, containers launched with a numeric User directive that cannot be parsed as a 32-bit integer are incorrectly treated as a username, leading to runAsNonRoot evasion. If a crafted image provides an /etc/passwd file mapping this large numeric string to root, the container ultimately runs as root (UID 0). This allows the Kubernetes runAsNonRoot restriction to be bypassed, causing unexpected behavior for environments that require containers to run as a non-root user. This issue has been fixed in versions 1.7.32, 2.0.9, 2.2.4 and 2.3.1.","cvss":7.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":7.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/containerd/containerd/security/advisories/GHSA-fqw6-gf59-qr4w"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T18:16:32","euvd":null},{"cve_id":"CVE-2026-58452","summary":"JAIOTlink C492A-W6 Wi-Fi IP cameras running firmware 4.8.30.57701411 contain an OS command injection vulnerability that allows authenticated attackers to achieve remote code execution by supplying a malicious Wireless parameter to the HTTP PUT NetSDK/Factory SetMAC endpoint. Attackers can craft a string beginning with a valid MAC-like prefix followed by a semicolon and a shell payload, which bypasses partial sscanf() validation and is passed unsanitized into an echo shell command executed through a system() wrapper.","cvss":8.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":8.7,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/rwprimitives/jaiotlink-c492a-wifi-camera/blob/main/writeups/01-setmac-command-injection.md","https://www.amazon.com/stores/JAIOTlink/page/3B00DC41-70C3-4BAA-925C-3D222C2633D5?lp_asin=B0GX1BNZ78&ref_=ast_bln&store_ref=bl_ast_dp_brandlogo_sto","https://www.vulncheck.com/advisories/jaiotlink-c492a-w6-os-command-injection-via-setmac-endpoint"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T17:16:40","euvd":null},{"cve_id":"CVE-2026-58453","summary":"JAIOTlink C492A-W6 Wi-Fi IP cameras running firmware 4.8.30.57701411 contain a hard-coded credentials vulnerability that allows network-adjacent attackers to gain unauthorized access by using the default admin username with an empty password accepted by the anyka_ipc HTTP service on port 80. Attackers can authenticate with these hardcoded credentials to access camera snapshots, video streams, network configuration, and factory-level API endpoints including the SetMAC command injection surface.","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":9.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/rwprimitives/jaiotlink-c492a-wifi-camera/blob/main/writeups/02-default-http-credentials.md","https://www.amazon.com/stores/JAIOTlink/page/3B00DC41-70C3-4BAA-925C-3D222C2633D5?lp_asin=B0GX1BNZ78&ref_=ast_bln&store_ref=bl_ast_dp_brandlogo_sto","https://www.vulncheck.com/advisories/jaiotlink-c492a-w6-hard-coded-credentials-via-anyka-ipc"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T17:16:40","euvd":null},{"cve_id":"CVE-2026-58454","summary":"JAIOTlink C492A-W6 Wi-Fi IP cameras running firmware 4.8.30.57701411 contain a remote code execution vulnerability that allows authenticated attackers to execute arbitrary shell scripts by writing to the writable persistent JFFS2 storage path and triggering execution through the authenticated HTTP endpoint. Attackers can stage a malicious script in the writable persistent storage and request the config endpoint to invoke it via popen(), achieving persistent remote code execution that survives device reboots.","cvss":7.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":7.7,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/rwprimitives/jaiotlink-c492a-wifi-camera/blob/main/writeups/03-anyka-config-execution-trigger.md","https://www.amazon.com/stores/JAIOTlink/page/3B00DC41-70C3-4BAA-925C-3D222C2633D5?lp_asin=B0GX1BNZ78&ref_=ast_bln&store_ref=bl_ast_dp_brandlogo_sto","https://www.vulncheck.com/advisories/jaiotlink-c492a-w6-rce-via-anyka-config-endpoint"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T17:16:40","euvd":null},{"cve_id":"CVE-2026-56150","summary":"Allocation of Resources Without Limits or Throttling (CWE-770) in Fleet Server can lead to a denial of service via Excessive Allocation (CAPEC-130). An attacker can submit a specially crafted request to an upload endpoint that causes excessive memory consumption, which may render Fleet Server unavailable.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://discuss.elastic.co/t/fleet-server-8-19-11-9-2-5-9-3-0-security-update-esa-2026-44"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T17:16:37","euvd":null},{"cve_id":"CVE-2026-56151","summary":"Improper Input Validation (CWE-20) in Kibana can lead to a denial of service via Input Data Manipulation (CAPEC-153). An authenticated user can submit a specially crafted Fleet policy input that is not correctly validated, which can render Fleet agent, server, and policy management functionality unavailable.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://discuss.elastic.co/t/kibana-8-19-17-9-3-6-9-4-3-security-update-esa-2026-45"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T17:16:37","euvd":null},{"cve_id":"CVE-2026-56152","summary":"Incorrect Authorization (CWE-863) in Elastic Defend can lead to unauthorized information disclosure via Accessing Functionality Not Properly Constrained by ACLs (CAPEC-1). Under certain conditions, a low-privileged authenticated user can access response action data that they are not authorized to view.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://discuss.elastic.co/t/elastic-defend-8-19-13-9-2-7-9-3-2-security-update-esa-2026-46"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T17:16:37","euvd":null},{"cve_id":"CVE-2026-57516","summary":"Ray prior to 2.56.0 contains an unsafe deserialization vulnerability in the WebDataset reader that allows attackers to achieve remote code execution by supplying a malicious tar archive to the read_webdataset() function. The _default_decoder() function in webdataset_datasource.py unconditionally calls pickle.loads() on tar entries with .pkl/.pickle extensions and torch.load() with weights_only=False on .pt/.pth entries, executing arbitrary code inside Ray remote workers on every worker that processes the malicious archive.","cvss":8.6,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":8.6,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/ray-project/ray/pull/63469","https://github.com/ray-project/ray/pull/63470","https://github.com/ray-project/ray/releases/tag/ray-2.56.0","https://github.com/ray-project/ray/security/advisories/GHSA-hhrp-gw25-jr43","https://www.vulncheck.com/advisories/ray-unsafe-deserialization-rce-via-webdataset-reader","https://github.com/ray-project/ray/security/advisories/GHSA-hhrp-gw25-jr43"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T17:16:37","euvd":null},{"cve_id":"CVE-2026-57720","summary":"Missing Authorization vulnerability in Codexpert Inc ThumbPress allows Exploiting Incorrectly Configured Access Control Security Levels.\n\nThis issue affects ThumbPress: from n/a through 6.3.2.","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/image-sizes/vulnerability/wordpress-thumbpress-plugin-6-3-2-broken-access-control-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T17:16:37","euvd":null},{"cve_id":"CVE-2026-57721","summary":"Missing Authorization vulnerability in WP Reloaded ApplyOnline allows Exploiting Incorrectly Configured Access Control Security Levels.\n\nThis issue affects ApplyOnline: from n/a through 2.6.7.6.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/apply-online/vulnerability/wordpress-applyonline-plugin-2-6-7-6-broken-access-control-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T17:16:37","euvd":null},{"cve_id":"CVE-2026-54399","summary":"Uncontrolled Resource Consumption vulnerability in the HTTP/1.1 message parser in Apache HttpComponents Core (5.4.2 and earlier, 5.5-beta1 and earlier) allows an remote attacker to cause a denial of service through memory exhaustion by sending messages with excessive number of headers / excessive header length","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://lists.apache.org/thread/zmxh1pl2zohov5ntdh4lt85gfrlchgpy","http://www.openwall.com/lists/oss-security/2026/07/01/4"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T17:16:36","euvd":null},{"cve_id":"CVE-2026-56148","summary":"Uncontrolled Recursion (CWE-674) in Elasticsearch can lead to a denial of service via Excessive Allocation (CAPEC-130). An authenticated user can submit a specially crafted query that causes excessive resource consumption while the request is processed, which may render the affected node unavailable.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://discuss.elastic.co/t/elasticsearch-8-19-17-9-3-6-9-4-3-security-update-esa-2026-42"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T17:16:36","euvd":null},{"cve_id":"CVE-2026-56149","summary":"Allocation of Resources Without Limits or Throttling (CWE-770) in Elasticsearch can lead to a denial of service via Excessive Allocation (CAPEC-130). A user with elevated privileges can submit a specially crafted machine learning request that causes excessive memory consumption, which may render the affected node unavailable.","cvss":4.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.9,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://discuss.elastic.co/t/elasticsearch-8-19-17-9-3-6-9-4-3-security-update-esa-2026-43"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T17:16:36","euvd":null},{"cve_id":"CVE-2026-34116","summary":"Guardian language-system passes the id GET parameter directly into a PHP exec() call in transcribe.php (line 15) without sanitization: exec(\\\"php jobs/transcribe.php \\\".$login_session.\\\" \\\".$_GET['id'].\\\" ...\\\"). No authentication is required. An unauthenticated remote attacker can append shell metacharacters to execute arbitrary OS commands on the server.","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":9.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gist.github.com/cyberinforepo/d5b2771d82e1b31b8fc1c33052e08dad","https://www.vulncheck.com/advisories/guardian-language-system-unauthenticated-os-command-injection-via-id-parameter-in-transcribe-php"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T17:16:35","euvd":null},{"cve_id":"CVE-2026-34117","summary":"Guardian language-system passes the id GET parameter directly into a PHP exec() call in text_to_subtitles.php (line 19) without sanitization: exec(\\\"php jobs/text_to_subtitles.php \\\".$login_session.\\\" \\\".$_GET['id'].\\\" ...\\\"). No authentication is required. An unauthenticated remote attacker can append shell metacharacters to execute arbitrary OS commands on the server.","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":9.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gist.github.com/cyberinforepo/d5b2771d82e1b31b8fc1c33052e08dad","https://www.vulncheck.com/advisories/guardian-language-system-unauthenticated-os-command-injection-via-id-parameter-in-text-to-subtitles-php"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T17:16:35","euvd":null},{"cve_id":"CVE-2026-49087","summary":"Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana can lead to a denial of service via Excessive Allocation (CAPEC-130). An authenticated user can submit a specially crafted bulk deletion request that causes excessive resource consumption, which may render Kibana unavailable.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://discuss.elastic.co/t/kibana-8-19-15-9-3-4-security-update-esa-2026-49"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T17:16:35","euvd":null},{"cve_id":"CVE-2026-49088","summary":"Insertion of Sensitive Information into Log File (CWE-532) in Kibana can lead to information disclosure. When the optional application performance monitoring (APM) instrumentation is enabled, sensitive request header values could be recorded in application logs, where they may be accessible to operators with log access.","cvss":4.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.4,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://discuss.elastic.co/t/kibana-8-18-9-8-19-6-9-0-8-9-1-6-security-update-esa-2026-50"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T17:16:35","euvd":null},{"cve_id":"CVE-2026-34109","summary":"Guardian language-system passes the id GET parameter directly into a PHP exec() call in speech.php (line 18) without sanitization: exec(\\\"php jobs/speech_audio.php \\\".$login_session.\\\" \\\".$_GET['id'].\\\" ...\\\"). No authentication is required. An unauthenticated remote attacker can append shell metacharacters to execute arbitrary OS commands on the server.","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":9.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gist.github.com/cyberinforepo/d5b2771d82e1b31b8fc1c33052e08dad","https://www.vulncheck.com/advisories/guardian-language-system-unauthenticated-os-command-injection-via-id-parameter-in-speech-php"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T17:16:34","euvd":null},{"cve_id":"CVE-2026-34110","summary":"Guardian language-system passes the id GET parameter directly into a PHP exec() call in complex_start.php (line 14) without sanitization: exec(\\\"php jobs/complex.php \\\".$login_session.\\\" \\\".$_GET['id'].\\\" ...\\\"). No authentication is required. An unauthenticated remote attacker can append shell metacharacters to execute arbitrary OS commands on the server.","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":9.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gist.github.com/cyberinforepo/d5b2771d82e1b31b8fc1c33052e08dad","https://www.vulncheck.com/advisories/guardian-language-system-unauthenticated-os-command-injection-via-id-parameter-in-complex-start-php"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T17:16:34","euvd":null},{"cve_id":"CVE-2026-34111","summary":"Guardian language-system passes the id GET parameter directly into a PHP exec() call in speechmac_text.php (line 18) without sanitization: exec(\\\"php jobs/speech_audio_mac_text.php \\\".$login_session.\\\" \\\".$_GET['id'].\\\" ...\\\"). No authentication is required. An unauthenticated remote attacker can append shell metacharacters to execute arbitrary OS commands on the server.","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":9.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gist.github.com/cyberinforepo/d5b2771d82e1b31b8fc1c33052e08dad","https://www.vulncheck.com/advisories/guardian-language-system-unauthenticated-os-command-injection-via-id-parameter-in-speechmac-text-php"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T17:16:34","euvd":null},{"cve_id":"CVE-2026-34112","summary":"Guardian language-system passes the id GET parameter directly into a PHP exec() call in speechmac.php (line 18) without sanitization: exec(\\\"php jobs/speech_audio_mac.php \\\".$login_session.\\\" \\\".$_GET['id'].\\\" ...\\\"). No authentication is required. An unauthenticated remote attacker can append shell metacharacters to execute arbitrary OS commands on the server.","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":9.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gist.github.com/cyberinforepo/d5b2771d82e1b31b8fc1c33052e08dad","https://www.vulncheck.com/advisories/guardian-language-system-unauthenticated-os-command-injection-via-id-parameter-in-speechmac-php"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T17:16:34","euvd":null},{"cve_id":"CVE-2026-34113","summary":"Guardian language-system passes the id GET parameter directly into a PHP exec() call in speech_text.php (line 18) without sanitization: exec(\\\"php jobs/speech_audio_text.php \\\".$login_session.\\\" \\\".$_GET['id'].\\\" ...\\\"). No authentication is required. An unauthenticated remote attacker can append shell metacharacters to execute arbitrary OS commands on the server.","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":9.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gist.github.com/cyberinforepo/d5b2771d82e1b31b8fc1c33052e08dad","https://www.vulncheck.com/advisories/guardian-language-system-unauthenticated-os-command-injection-via-id-parameter-in-speech-text-php"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T17:16:34","euvd":null},{"cve_id":"CVE-2026-34114","summary":"Guardian language-system passes the id GET parameter directly into a PHP exec() call in translate_text.php (line 18) without sanitization: exec(\\\"php jobs/translate_text.php \\\".$login_session.\\\" \\\".$_GET['id'].\\\" ...\\\"). No authentication is required. An unauthenticated remote attacker can append shell metacharacters to execute arbitrary OS commands on the server.","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":9.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gist.github.com/cyberinforepo/d5b2771d82e1b31b8fc1c33052e08dad","https://www.vulncheck.com/advisories/guardian-language-system-unauthenticated-os-command-injection-via-id-parameter-in-translate-text-php"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T17:16:34","euvd":null},{"cve_id":"CVE-2026-34115","summary":"Guardian language-system passes the id GET parameter directly into a PHP exec() call in transcribe_amazon.php (line 15) without sanitization: exec(\\\"php jobs/transcribe_amazon.php \\\".$login_session.\\\" \\\".$_GET['id'].\\\" ...\\\"). No authentication is required. An unauthenticated remote attacker can append shell metacharacters to execute arbitrary OS commands on the server.","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":9.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gist.github.com/cyberinforepo/d5b2771d82e1b31b8fc1c33052e08dad","https://www.vulncheck.com/advisories/guardian-language-system-unauthenticated-os-command-injection-via-id-parameter-in-transcribe-amazon-php"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T17:16:34","euvd":null},{"cve_id":"CVE-2026-34101","summary":"Guardian language-system passes the id GET parameter directly into an unsanitized SQL query in text_file.php (line 17): SELECT id, filename, extension, type, duration, owner, private FROM files where id = '\\\".$_GET['id'].\\\"'. An authenticated attacker can perform error-based SQL injection to extract database contents.","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":9.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gist.github.com/cyberinforepo/d5b2771d82e1b31b8fc1c33052e08dad","https://www.vulncheck.com/advisories/guardian-language-system-unauthenticated-sql-injection-via-id-parameter-in-text-file-php"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T17:16:33","euvd":null},{"cve_id":"CVE-2026-34102","summary":"Guardian language-system passes the id GET parameter directly into an unsanitized SQL query in job_info_get.php (line 16): SELECT * FROM jobs where input1 = '\\\".$_GET['id'].\\\"'. An authenticated attacker can perform error-based SQL injection to extract database contents.","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":9.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gist.github.com/cyberinforepo/d5b2771d82e1b31b8fc1c33052e08dad","https://www.vulncheck.com/advisories/guardian-language-system-unauthenticated-sql-injection-via-id-parameter-in-job-info-get-php"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T17:16:33","euvd":null},{"cve_id":"CVE-2026-34103","summary":"Guardian language-system passes the id GET parameter directly into an unsanitized SQL query in subtitles.php (line 16): SELECT id, filename, extension, type FROM files where id = '\\\".$_GET['id'].\\\"'. An authenticated attacker can perform error-based SQL injection to extract database contents.","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":9.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gist.github.com/cyberinforepo/d5b2771d82e1b31b8fc1c33052e08dad","https://www.vulncheck.com/advisories/guardian-language-system-unauthenticated-sql-injection-via-id-parameter-in-subtitles-php"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T17:16:33","euvd":null},{"cve_id":"CVE-2026-34104","summary":"Guardian language-system passes the name GET parameter directly into an unsanitized SQL query in designer.php (line 124): SELECT * FROM complex WHERE name='\\\".$_GET['name'].\\\"'. An authenticated attacker can perform error-based SQL injection to extract database contents.","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":9.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gist.github.com/cyberinforepo/d5b2771d82e1b31b8fc1c33052e08dad","https://www.vulncheck.com/advisories/guardian-language-system-unauthenticated-sql-injection-via-name-parameter-in-designer-php"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T17:16:33","euvd":null},{"cve_id":"CVE-2026-34105","summary":"Guardian language-system passes the id GET parameter directly into an unsanitized SQL query in translate_text.php (line 15): SELECT id, filename, extension, type FROM files where id = '\\\".$_GET['id'].\\\"'. An authenticated attacker can perform error-based SQL injection to extract database contents.","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":9.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gist.github.com/cyberinforepo/d5b2771d82e1b31b8fc1c33052e08dad","https://www.vulncheck.com/advisories/guardian-language-system-unauthenticated-sql-injection-via-id-parameter-in-translate-text-php"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T17:16:33","euvd":null},{"cve_id":"CVE-2026-34106","summary":"Guardian language-system passes the id GET parameter directly into a PHP exec() call in subtitles.php (line 19) without sanitization: exec(\\\"php jobs/subtitle_rendering.php \\\".$login_session.\\\" \\\".$_GET['id'].\\\" ...\\\"). No authentication is required. An unauthenticated remote attacker can append shell metacharacters to the id parameter to execute arbitrary OS commands on the server.","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":9.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gist.github.com/cyberinforepo/d5b2771d82e1b31b8fc1c33052e08dad","https://www.vulncheck.com/advisories/guardian-language-system-unauthenticated-os-command-injection-via-id-parameter-in-subtitles-php"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T17:16:33","euvd":null},{"cve_id":"CVE-2026-34107","summary":"Guardian language-system passes the id GET parameter directly into a PHP exec() call in translate.php (line 14) without sanitization: exec(\\\"php jobs/translate.php \\\".$login_session.\\\" \\\".$_GET['id'].\\\" ...\\\"). No authentication is required. An unauthenticated remote attacker can append shell metacharacters to execute arbitrary OS commands on the server.","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":9.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gist.github.com/cyberinforepo/d5b2771d82e1b31b8fc1c33052e08dad","https://www.vulncheck.com/advisories/guardian-language-system-unauthenticated-os-command-injection-via-id-parameter-in-translate-php"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T17:16:33","euvd":null},{"cve_id":"CVE-2026-34108","summary":"Guardian language-system passes the id GET parameter directly into a PHP exec() call in text.php (line 15) without sanitization: exec(\\\"php jobs/text.php \\\".$login_session.\\\" \\\".$_GET['id'].\\\" ...\\\"). No authentication is required. An unauthenticated remote attacker can append shell metacharacters to execute arbitrary OS commands on the server.","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":9.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gist.github.com/cyberinforepo/d5b2771d82e1b31b8fc1c33052e08dad","https://www.vulncheck.com/advisories/guardian-language-system-unauthenticated-os-command-injection-via-id-parameter-in-text-php"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T17:16:33","euvd":null},{"cve_id":"CVE-2026-27409","summary":"Missing Authorization vulnerability in Webba Plugins Webba Booking allows Exploiting Incorrectly Configured Access Control Security Levels.\n\nThis issue affects Webba Booking: from n/a through 6.4.13.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/webba-booking-lite/vulnerability/wordpress-webba-booking-plugin-6-4-13-broken-access-control-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T17:16:32","euvd":null},{"cve_id":"CVE-2026-34096","summary":"Guardian language-system fails to sanitize the name GET parameter before outputting it into an HTML input value attribute in designer.php (line 57). An authenticated attacker can craft a URL containing script tags that execute in the victim's browser session.","cvss":4.8,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":4.6,"cvss_v4":4.8,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gist.github.com/cyberinforepo/d5b2771d82e1b31b8fc1c33052e08dad","https://www.vulncheck.com/advisories/guardian-language-system-xss-via-designer-php-name-parameter"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T17:16:32","euvd":null},{"cve_id":"CVE-2026-34097","summary":"Guardian language-system fails to sanitize the id GET parameter before inserting it into multiple HTML form action attributes in text_file.php (lines 94, 101, 323, 403, 826, 852). An authenticated attacker can craft a URL that injects script tags executing in the victim's browser session.","cvss":4.8,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":4.6,"cvss_v4":4.8,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gist.github.com/cyberinforepo/d5b2771d82e1b31b8fc1c33052e08dad","https://www.vulncheck.com/advisories/guardian-language-system-xss-via-text-file-php-id-parameter"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T17:16:32","euvd":null},{"cve_id":"CVE-2026-34098","summary":"Guardian language-system fails to sanitize the id GET parameter before inserting it into HTML source and form action attributes in media.php (lines 119, 129). An authenticated attacker can craft a URL that injects script tags executing in the victim's browser session.","cvss":4.8,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":4.6,"cvss_v4":4.8,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gist.github.com/cyberinforepo/d5b2771d82e1b31b8fc1c33052e08dad","https://www.vulncheck.com/advisories/guardian-language-system-xss-via-id-parameter-in-media-php"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T17:16:32","euvd":null},{"cve_id":"CVE-2026-34099","summary":"Guardian language-system passes the id GET parameter directly into an unsanitized SQL query in job_info.php (line 16): SELECT * FROM jobs where id = '\\\".$_GET['id'].\\\"'. No authentication is required. An unauthenticated attacker can perform error-based SQL injection to extract the database version, current user, schema names, and table contents.","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":9.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gist.github.com/cyberinforepo/d5b2771d82e1b31b8fc1c33052e08dad","https://www.vulncheck.com/advisories/guardian-language-system-unauthenticated-sql-injection-via-id-parameter-in-job-info-php"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T17:16:32","euvd":null},{"cve_id":"CVE-2026-34100","summary":"Guardian language-system passes the id GET parameter directly into an unsanitized SQL query in media.php (line 17): SELECT id, filename, extension, type, duration, owner, private FROM files where id = '\\\".$_GET['id'].\\\"'. An authenticated attacker can perform error-based SQL injection to extract database contents.","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":9.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gist.github.com/cyberinforepo/d5b2771d82e1b31b8fc1c33052e08dad","https://www.vulncheck.com/advisories/guardian-language-system-unauthenticated-sql-injection-via-id-parameter-in-media-php"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T17:16:32","euvd":null},{"cve_id":"CVE-2026-20217","summary":"A vulnerability in the PESpin file format parser of ClamAV could allow an unauthenticated, remote attacker to cause a DoS condition, or possibly other expanded impacts, resulting from memory corruption on an affected device.\r\n\r\nThis vulnerability is due to improper boundary checks for content in PESpin files during scanning, which may result in an out-of-bounds buffer write. An attacker could exploit this vulnerability by submitting a crafted file that contains PESpin content to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to cause the ClamAV scanning process to terminate, resulting in a DoS condition on the affected software.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-clamav-88cFYyxR"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T17:16:30","euvd":null},{"cve_id":"CVE-2026-20243","summary":"A vulnerability in the ALZ file format parser of ClamAV could allow an unauthenticated, remote attacker to cause a DoS condition, or possibly other expanded impacts, resulting from memory corruption on an affected device.\r\n\r\nThis vulnerability is due to improper boundary checks for content in ALZ files during scanning, which may result in an out-of-bounds buffer write. An attacker could exploit this vulnerability by submitting a crafted file that contains ALZ content to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to cause the ClamAV scanning process to terminate, resulting in a DoS condition on the affected software.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-clamav-88cFYyxR"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T17:16:30","euvd":null},{"cve_id":"CVE-2026-20244","summary":"A vulnerability in the DMG file format parser of ClamAV could allow an unauthenticated, remote attacker to cause a DoS condition, or possibly other expanded impacts, resulting from memory corruption on an affected device.\r\n\r\nThis vulnerability is due to improper boundary checks for content in DMG files during scanning, which may result in an integer overflow on 32-bit platforms only. An attacker could exploit this vulnerability by submitting a crafted file that contains DMG content to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to cause the ClamAV scanning process to terminate, resulting in a DoS condition on the affected software.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-clamav-88cFYyxR"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T17:16:30","euvd":null},{"cve_id":"CVE-2026-20191","summary":"A vulnerability in Cisco Catalyst Center could allow an unauthenticated, remote attacker to read arbitrary files from a restricted container.&nbsp;\r\n\r\nThis vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to read arbitrary files from a restricted container of the affected device.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-catc-file-read-wLH2vf8X"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T17:16:29","euvd":null},{"cve_id":"CVE-2026-20213","summary":"A vulnerability in the PE file format parser of ClamAV could allow an unauthenticated, remote attacker to cause a DoS condition, or possibly other expanded impacts, resulting from memory corruption on an affected device.\r\n\r\nThis vulnerability is due to improper boundary checks for content in PE files during scanning, which may result in an out-of-bounds buffer write. An attacker could exploit this vulnerability by submitting a crafted file that contains PE content to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to cause the ClamAV scanning process to terminate, resulting in a DoS condition on the affected software.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-clamav-88cFYyxR"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T17:16:29","euvd":null},{"cve_id":"CVE-2026-20214","summary":"A vulnerability in the FSG file format parser of ClamAV could allow an unauthenticated, remote attacker to cause a DoS condition, or possibly other expanded impacts, resulting from memory corruption on an affected device.\r\n\r\nThis vulnerability is due to improper boundary checks for content in FSG files during scanning, which may result in an out-of-bounds buffer write. An attacker could exploit this vulnerability by submitting a crafted file that contains portable executable content compressed with FSG to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to cause the ClamAV scanning process to terminate, resulting in a DoS condition on the affected software.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-clamav-88cFYyxR"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T17:16:29","euvd":null},{"cve_id":"CVE-2026-20215","summary":"A vulnerability in the 7z file format parser of ClamAV could allow an unauthenticated, remote attacker to cause a DoS condition, or possibly other expanded impacts, resulting from memory corruption on an affected device.\r\n\r\nThis vulnerability is due to improper boundary checks for content in 7z files during scanning, which may result in an out-of-bounds buffer write. An attacker could exploit this vulnerability by submitting a crafted file that contains 7z&nbsp;content to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to cause the ClamAV scanning process to terminate, resulting in a DoS condition on the affected software.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-clamav-88cFYyxR"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T17:16:29","euvd":null},{"cve_id":"CVE-2026-20216","summary":"A vulnerability in the InstallShield file format parser of ClamAV could allow an unauthenticated, remote attacker to cause a DoS condition on an affected device.\r\n\r\nThis vulnerability is due to improper handling of temporary resources during file scanning. An attacker could exploit this vulnerability by submitting a crafted InstallShield file to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to terminate the ClamAV scanning process and temporarily consume available system resources, resulting in a DoS condition on the affected software.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-clamav-88cFYyxR"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T17:16:29","euvd":null},{"cve_id":"CVE-2026-12480","summary":"Keras versions up to and including 3.13.2 are vulnerable to an arbitrary HDF5 file read due to an incomplete fix for CVE-2026-1669. The vulnerability resides in the `H5IOStore._verify_dataset()` and `file_editor.py` methods, which fail to check the `dataset.is_virtual` property of HDF5 datasets. This allows an attacker to craft a malicious `.keras` model archive or `.h5` weights file containing a Virtual Dataset (VDS) that references external HDF5 files on the victim's filesystem. When the victim loads the model using `keras.models.load_model()` or `keras.saving.load_model()`, the external file is transparently read, leading to potential information disclosure. Fixed in versions 3.12.2 and 3.14.1.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/keras-team/keras/commit/d5a88bdb137c0d3039b8f4bbbe8c7099925cc10c","https://huntr.com/bounties/1875d257-5b03-4a69-ac70-e98653fa12c7","https://huntr.com/bounties/1875d257-5b03-4a69-ac70-e98653fa12c7"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T17:16:19","euvd":null},{"cve_id":"CVE-2026-13211","summary":"The genucenter web interface before version 8.0p11 unnecessarily exposes sensitive SNMP authentication and encryption keys in its HTTP responses to users with the “Service” or “Admin” role.","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/sbaresearch/advisories/tree/public/2026/SBA-ADV-20260424-01_Genucenter_Disclosure_of_SNMP_Credentials","https://github.com/sbaresearch/advisories/tree/public/2026/SBA-ADV-20260424-01_Genucenter_Disclosure_of_SNMP_Credentials"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T17:16:19","euvd":null},{"cve_id":"CVE-2026-8480","summary":"A vulnerability was discovered on Stormshield Network Security 4.3.0  to 4.3.41 (included), 4.4.0 to 4.8.15 (included) , 5.0.2 EA to 5.0.5 (included)\n\n\n\nA revoked client certificate can still be used to authenticate to the captive‑admin portal, allowing an attacker who possesses the revoked certificate to gain administrative access.","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://advisories.stormshield.eu/2026-002/"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T16:16:53","euvd":null},{"cve_id":"CVE-2026-8857","summary":"A vulnerability in Wikimedia Foundation timeline.\n\n This vulnerability is associated with program files scripts/EasyTimeline.Pl, includes/Timeline.Php.\n\n\n\nThis issue affects timeline: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9.","cvss":0.0,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":0.0,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://phabricator.wikimedia.org/T426631"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T16:16:53","euvd":null},{"cve_id":"CVE-2026-58037","summary":"Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki.\n\n This vulnerability is associated with program files includes/Language/Language.Php, includes/Logging/BlockLogFormatter.Php, includes/Logging/LogFormatter.Php, includes/Logging/PatrolLogFormatter.Php, includes/Logging/RenameuserLogFormatter.Php, includes/Logging/TagLogFormatter.Php, includes/Specials/SpecialVersion.Php.\n\n\n\nThis issue affects MediaWiki: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9.","cvss":0.0,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":0.0,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://phabricator.wikimedia.org/T422995"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T16:16:51","euvd":null},{"cve_id":"CVE-2026-58038","summary":"Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation timeline.\n\n This vulnerability is associated with program files includes/Timeline.Php, scripts/EasyTimeline.Pl.\n\n\n\nThis issue affects timeline: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9.","cvss":0.0,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":0.0,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://phabricator.wikimedia.org/T427611"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T16:16:51","euvd":null},{"cve_id":"CVE-2026-58126","summary":"PACSgear PACS Scan 5.2.1 contains an unauthenticated remote code execution vulnerability that allows remote attackers to read and write arbitrary files by exploiting an exposed .NET Remoting TCP service on port 22222 via PGImageExchQueue.exe without any authentication requirement. Attackers can chain the arbitrary file write primitive with DLL hijacking in PGImageExchangeQueueSvc.exe, which loads missing DLLs such as CRYPTSP.DLL from the application directory, to achieve remote code execution as NT Authority\\SYSTEM upon service restart.","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":9.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gist.github.com/VAMorales/6dc232729cdd517fa30d581fbcd98d8f","https://www.hyland.com/en/solutions/products/pacsgear","https://www.vulncheck.com/advisories/pacsgear-pacs-scan-unauthenticated-rce-via-net-remoting-tcp-service"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T16:16:51","euvd":null},{"cve_id":"CVE-2026-58127","summary":"PACSgear MediaWriter 5.2.1 exposes a .NET Remoting TCP service on port 9000 via PacsgearMediaServerEngine.dll, registered with ObjectURIs RemoteObj and UIRemoteObj, without any authentication requirement. By exploiting the MarshalByRefObject object unmarshalling technique and implementing .NET WebClient class methods, an unauthenticated remote attacker can read and write arbitrary files on the host filesystem. The ObjectURIs are identical across all installations by default. Chaining the arbitrary file write primitive with DLL hijacking opportunities in the MediaWriter service (which runs as NT Authority\\\\SYSTEM and loads missing DLLs such as CRYPTBASE.DLL from the application directory) enables unauthenticated remote code execution as SYSTEM upon service restart.","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":9.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gist.github.com/VAMorales/dc679ecab30b7045fa07bf3249a034d8","https://www.hyland.com/en/solutions/products/pacsgear","https://www.vulncheck.com/advisories/pacsgear-mediawriter-unauthenticated-rce-via-net-remoting-tcp-service"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T16:16:51","euvd":null},{"cve_id":"CVE-2026-58028","summary":"Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki, Wikimedia Foundation CentralAuth.\n\n This vulnerability is associated with program files includes/Api/ApiFormatBase.Php, includes/Api/ApiHelp.Php, includes/ResourceLoader/Module.Php, includes/Hooks/Handlers/PageDisplayHookHandler.Php, includes/LogFormatter/PermissionChangeLogFormatter.Php.\n\n\n\nThis issue affects MediaWiki: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9; CentralAuth: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9.","cvss":0.0,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":0.0,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://phabricator.wikimedia.org/T422306"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T16:16:50","euvd":null},{"cve_id":"CVE-2026-58029","summary":"Vulnerability in Wikimedia Foundation MediaWiki.\n\n This vulnerability is associated with program files includes/Api/ApiChangeAuthenticationData.Php, includes/Api/ApiLinkAccount.Php, includes/Api/ApiRemoveAuthenticationData.Php, includes/Specials/SpecialLinkAccounts.Php, includes/Specials/SpecialUnlinkAccounts.Php.\n\n\n\nThis issue affects MediaWiki: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9.","cvss":5.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":5.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://phabricator.wikimedia.org/T422676"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T16:16:50","euvd":null},{"cve_id":"CVE-2026-58030","summary":"Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation SyntaxHighlight_GeSHi.\n\n This vulnerability is associated with program files includes/SyntaxHighlight.Php.\n\n\n\nThis issue affects SyntaxHighlight_GeSHi: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9.","cvss":5.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":5.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://phabricator.wikimedia.org/T427167"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T16:16:50","euvd":null},{"cve_id":"CVE-2026-58032","summary":"Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki.\n\n This vulnerability is associated with program files resources/src/mediawiki.Api/index.Js.\n\n\n\nThis issue affects MediaWiki: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9.","cvss":5.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":5.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://phabricator.wikimedia.org/T426867"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T16:16:50","euvd":null},{"cve_id":"CVE-2026-58033","summary":"Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki.\n\n This vulnerability is associated with program files includes/Actions/InfoAction.Php.\n\n\n\nThis issue affects MediaWiki: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9.","cvss":5.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":5.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://phabricator.wikimedia.org/T427235"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T16:16:50","euvd":null},{"cve_id":"CVE-2026-58036","summary":"Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki.\n\n This vulnerability is associated with program files includes/Api/ApiQueryAllUsers.Php, includes/Api/ApiQueryUsers.Php, includes/Permissions/PermissionManager.Php, includes/User/UserGroupManager.Php.","cvss":2.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":2.1,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://phabricator.wikimedia.org/T425406"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T16:16:50","euvd":null},{"cve_id":"CVE-2026-57517","summary":"Control Web Panel before 0.9.8.1225 contains a blind SQL injection vulnerability that allows unauthenticated remote attackers to execute arbitrary SQL queries by submitting unsanitized input through the userRes POST parameter at the user endpoint. Attackers can exploit MySQL root privileges obtained via the injection to write arbitrary files using INTO DUMPFILE, enabling deployment of a PHP webshell to the web-accessible roundcube logs directory and achieving remote code execution as the cwpsvc account.","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":9.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://control-webpanel.com/changelog#1773753427572-9bf81bf4-f2d2","https://karmainsecurity.com/KIS-2026-12","https://www.vulncheck.com/advisories/control-web-panel-blind-sql-injection-via-userres-parameter"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T16:16:49","euvd":null},{"cve_id":"CVE-2026-58024","summary":"Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki.\n\n This vulnerability is associated with program files includes/Api/ApiUserrights.Php.\n\n\n\nThis issue affects MediaWiki: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9.","cvss":5.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":5.1,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://phabricator.wikimedia.org/T422085"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T16:16:49","euvd":null},{"cve_id":"CVE-2026-58025","summary":"Deserialization of untrusted data vulnerability in Wikimedia Foundation MediaWiki.\n\n This vulnerability is associated with program files includes/Import/WikiImporter.Php, includes/Import/WikiRevision.Php, includes/Logging/LogEntryBase.Php.\n\n\n\nThis issue affects MediaWiki: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9.","cvss":5.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":5.9,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://phabricator.wikimedia.org/T422244"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T16:16:49","euvd":null},{"cve_id":"CVE-2026-58026","summary":"Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki.\n\n This vulnerability is associated with program files includes/Parser/Parser.Php.\n\n\n\nThis issue affects MediaWiki: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9.","cvss":0.0,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":0.0,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://phabricator.wikimedia.org/T299359"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T16:16:49","euvd":null},{"cve_id":"CVE-2026-58027","summary":"Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation AbuseFilter.\n\n This vulnerability is associated with program files includes/Api/QueryAbuseFilters.Php.\n\n\n\nThis issue affects AbuseFilter: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9.","cvss":5.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":5.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://phabricator.wikimedia.org/T406954"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T16:16:49","euvd":null},{"cve_id":"CVE-2026-24270","summary":"NVIDIA AIStore framework contains a vulnerability where an attacker could bypass authentication. A successful exploit of this vulnerability might lead to denial of service, escalation of privileges, information disclosure, and data tampering.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/NVIDIA/product-security/tree/main/2026/5849","https://nvd.nist.gov/vuln/detail/CVE-2026-24270","https://www.cve.org/CVERecord?id=CVE-2026-24270"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T16:16:46","euvd":null},{"cve_id":"CVE-2026-24246","summary":"NVIDIA Megatron Bridge for Linux contains a vulnerability where an attacker could cause improper control of dynamically managed code resources. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, and information disclosure.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/NVIDIA/product-security/tree/main/2026/5841","https://nvd.nist.gov/vuln/detail/CVE-2026-24246","https://www.cve.org/CVERecord?id=CVE-2026-24246"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T16:16:45","euvd":null},{"cve_id":"CVE-2026-24247","summary":"NVIDIA Megatron Bridge for Linux contains a vulnerability where an attacker could cause deserialization of untrusted data. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, and information disclosure.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/NVIDIA/product-security/tree/main/2026/5841","https://nvd.nist.gov/vuln/detail/CVE-2026-24247","https://www.cve.org/CVERecord?id=CVE-2026-24247"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T16:16:45","euvd":null},{"cve_id":"CVE-2026-24248","summary":"NVIDIA Megatron Bridge for Linux contains a vulnerability where an attacker could cause improper control of code generation. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, and information disclosure.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/NVIDIA/product-security/tree/main/2026/5841","https://nvd.nist.gov/vuln/detail/CVE-2026-24248","https://www.cve.org/CVERecord?id=CVE-2026-24248"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T16:16:45","euvd":null},{"cve_id":"CVE-2026-24249","summary":"NVIDIA Megatron Bridge for Linux contains a vulnerability where an attacker could cause deserialization of untrusted data. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, and information disclosure.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/NVIDIA/product-security/tree/main/2026/5841","https://nvd.nist.gov/vuln/detail/CVE-2026-24249","https://www.cve.org/CVERecord?id=CVE-2026-24249"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T16:16:45","euvd":null},{"cve_id":"CVE-2026-24250","summary":"NVIDIA Megatron Bridge for Linux contains a vulnerability where an attacker could cause improper validation of allowed inputs. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, and information disclosure.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/NVIDIA/product-security/tree/main/2026/5841","https://nvd.nist.gov/vuln/detail/CVE-2026-24250","https://www.cve.org/CVERecord?id=CVE-2026-24250"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T16:16:45","euvd":null},{"cve_id":"CVE-2026-24251","summary":"NVIDIA Megatron Bridge for Linux contains a vulnerability where an attacker could cause improper control of dynamically managed code resources. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, and information disclosure.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/NVIDIA/product-security/tree/main/2026/5841","https://nvd.nist.gov/vuln/detail/CVE-2026-24251","https://www.cve.org/CVERecord?id=CVE-2026-24251"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T16:16:45","euvd":null},{"cve_id":"CVE-2026-24260","summary":"NVIDIA Container Toolkit for Linux contains a vulnerability where an attacker could cause a time-of-check time-of-use race condition. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, and data tampering.","cvss":8.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/NVIDIA/product-security/tree/main/2026/5850","https://nvd.nist.gov/vuln/detail/CVE-2026-24260","https://www.cve.org/CVERecord?id=CVE-2026-24260"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T16:16:45","euvd":null},{"cve_id":"CVE-2026-24264","summary":"NVIDIA Triton Inference Server for Linux contains a vulnerability where an attacker can cause improper handling of highly compressed data. A successful exploit of this vulnerability might lead to denial of service.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/NVIDIA/product-security/tree/main/2026/5848","https://nvd.nist.gov/vuln/detail/CVE-2026-24264","https://www.cve.org/CVERecord?id=CVE-2026-24264"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T16:16:45","euvd":null},{"cve_id":"CVE-2026-24266","summary":"NVIDIA Triton Inference Server for Linux contains a vulnerability where an attacker can cause a use-after-free issue. A successful exploit of this vulnerability might lead to denial of service.","cvss":5.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.9,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/NVIDIA/product-security/tree/main/2026/5848","https://nvd.nist.gov/vuln/detail/CVE-2026-24266","https://www.cve.org/CVERecord?id=CVE-2026-24266"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T16:16:45","euvd":null},{"cve_id":"CVE-2026-24240","summary":"NVIDIA Megatron Bridge for Linux contains a vulnerability where an attacker could cause deserialization of untrusted data. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, and information disclosure.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/NVIDIA/product-security/tree/main/2026/5841","https://nvd.nist.gov/vuln/detail/CVE-2026-24240","https://www.cve.org/CVERecord?id=CVE-2026-24240"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T16:16:44","euvd":null},{"cve_id":"CVE-2026-24242","summary":"NVIDIA Megatron Bridge for Linux contains a vulnerability where an attacker could cause server-side request forgery. A successful exploit of this vulnerability might lead to information disclosure.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/NVIDIA/product-security/tree/main/2026/5841","https://nvd.nist.gov/vuln/detail/CVE-2026-24242","https://www.cve.org/CVERecord?id=CVE-2026-24242"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T16:16:44","euvd":null},{"cve_id":"CVE-2026-24243","summary":"NVIDIA Megatron Bridge for Linux contains a vulnerability where an attacker could cause deserialization of untrusted data. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, and information disclosure.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/NVIDIA/product-security/tree/main/2026/5841","https://nvd.nist.gov/vuln/detail/CVE-2026-24243","https://www.cve.org/CVERecord?id=CVE-2026-24243"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T16:16:44","euvd":null},{"cve_id":"CVE-2026-24244","summary":"NVIDIA Megatron Bridge for Linux contains a vulnerability where an attacker could cause deserialization of untrusted data. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, and information disclosure.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/NVIDIA/product-security/tree/main/2026/5841","https://nvd.nist.gov/vuln/detail/CVE-2026-24244","https://www.cve.org/CVERecord?id=CVE-2026-24244"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T16:16:44","euvd":null},{"cve_id":"CVE-2026-24245","summary":"NVIDIA Megatron Bridge for Linux contains a vulnerability where an attacker could cause deserialization of untrusted data. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, and information disclosure.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/NVIDIA/product-security/tree/main/2026/5841","https://nvd.nist.gov/vuln/detail/CVE-2026-24245","https://www.cve.org/CVERecord?id=CVE-2026-24245"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T16:16:44","euvd":null},{"cve_id":"CVE-2026-13706","summary":"Improper input validation vulnerability in Wikimedia Foundation UrlShortener.\n\n This vulnerability is associated with program files includes/UrlShortenerUtils.Php.","cvss":0.0,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":0.0,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://phabricator.wikimedia.org/T418533"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T16:16:31","euvd":null},{"cve_id":"CVE-2026-13707","summary":"Session fixation vulnerability in Wikimedia Foundation OAuth.\n\n This vulnerability is associated with program files src/Backend/MWOAuthServer.Php.\n\n\n\nThis issue affects OAuth: from * through 1.46.0, 1.45.4, 1.44.6, 1.43.9.","cvss":0.0,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":0.0,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://phabricator.wikimedia.org/T428324"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T16:16:31","euvd":null},{"cve_id":"CVE-2025-15646","summary":"HTML::Gumbo versions before 0.19 for Perl disclose heap memory via type confusion.\n\nSupport for the <template> element was added to libgumbo 0.10.0 in 2015, but the walk_tree function in lib/HTML/Gumbo.xs was not updated to support it. The element was treated as a text-node, where strlen() over-reads the heap block that the pointer addresses.\n\nAny caller that runs parse() with the default format => 'string', or with format => 'tree', on input containing a <template> element serializes the over-read bytes into the returned result, disclosing bounded heap contents. format => 'callback' reaches a croak on the unhandled node type and is unaffected.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://bugs.debian.org/1104789","https://github.com/bestpractical/HTML-Gumbo/commit/15c0598909d4a64f47ef0a1abc5051f4e113c186.patch","https://metacpan.org/release/BPS/HTML-Gumbo-0.19/changes","http://www.openwall.com/lists/oss-security/2026/07/01/7"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T16:16:29","euvd":null},{"cve_id":"CVE-2025-23350","summary":"NVIDIA ConnectX and BlueField contain a vulnerability in the command interface where a local user with virtual function (VF) access may cause a write out of bounds by crafted input. A successful exploit of this vulnerability may lead to arbitrary code execution on the device.","cvss":9.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.0,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/NVIDIA/product-security/tree/main/2026/5699","https://nvd.nist.gov/vuln/detail/CVE-2025-23350","https://www.cve.org/CVERecord?id=CVE-2025-23350"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T16:16:29","euvd":null},{"cve_id":"CVE-2025-23351","summary":"NVIDIA ConnectX and BlueField contain a vulnerability in the command interface where a local user with virtual function (VF) access may cause a write out of bounds by crafted input. A successful exploit of this vulnerability may lead to arbitrary code execution on the device.","cvss":9.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.0,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/NVIDIA/product-security/tree/main/2026/5699","https://nvd.nist.gov/vuln/detail/CVE-2025-23351","https://www.cve.org/CVERecord?id=CVE-2025-23351"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T16:16:29","euvd":null},{"cve_id":"CVE-2026-6688","summary":"FatFs R0.16 and earlier contains a downstream-caller vulnerability pattern associated with FatFs long filename handling. With LFN enabled, fno.fname can be up to 255 characters; many callers copy it into short fixed buffers without bounds checks, causing overflow. This maps to CWE-120 (Buffer Copy without Checking Size of Input). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (7.6, High). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Total.","cvss":7.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.6,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://elm-chan.org/fsw/ff/","https://github.com/runZeroInc/vulns-2026-fatfs-chance","https://www.runzero.com/advisories/fatfs-long-fn-of-downstream-cve-2026-6688/","https://www.runzero.com/blog/fatfs-bugs/","https://github.com/runZeroInc/vulns-2026-fatfs-chance"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T15:17:13","euvd":null},{"cve_id":"CVE-2026-5220","summary":"Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in DivvyDrive Information Technologies Inc. DivvyDrive allows Stored XSS.\n\nThis issue affects DivvyDrive: from 4.8.2.23 before v.4.8.3.1.","cvss":6.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.4,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0475"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T15:17:12","euvd":null},{"cve_id":"CVE-2026-6283","summary":"Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in DivvyDrive Information Technologies Inc. DivvyDrive allows Stored XSS.\n\nThis issue affects DivvyDrive: from v.4.8.2.23 before v.4.8.3.1.","cvss":5.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.4,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0475"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T15:17:12","euvd":null},{"cve_id":"CVE-2026-6682","summary":"In FatFS R0.16 and earlier contains a FAT32 integer overflow bug in mount_volume() where fasize *= fs->n_fats can wrap, leading to attacker-controlled file-size metadata and unsafe read lengths in downstream callers. This maps to CWE-190 (Integer Overflow or Wraparound). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (7.6, High). Remote delivery is also possible in OTA/update pipelines. The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Total.","cvss":7.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.6,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://elm-chan.org/fsw/ff/","https://github.com/runZeroInc/vulns-2026-fatfs-chance","https://www.runzero.com/advisories/fatfs-fat32-int-of-mnt-cve-2026-6682/","https://www.runzero.com/blog/fatfs-bugs/","https://github.com/runZeroInc/vulns-2026-fatfs-chance"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T15:17:12","euvd":null},{"cve_id":"CVE-2026-6683","summary":"FatFs R0.16 and earlier contains a divide-by-zero in exFAT sync logic bug when crafted metadata causes n_fatent - 2 to be zero during write/sync operations. This maps to CWE-369 (Divide By Zero). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (4.6, Medium). Network-delivered update media can make this remote in some pipelines. The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Partial.","cvss":4.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.6,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://elm-chan.org/fsw/ff/","https://github.com/runZeroInc/vulns-2026-fatfs-chance","https://www.runzero.com/advisories/fatfs-exfat-divide-by-zero-cve-2026-6683","https://www.runzero.com/blog/fatfs-bugs/","https://github.com/runZeroInc/vulns-2026-fatfs-chance"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T15:17:12","euvd":null},{"cve_id":"CVE-2026-6684","summary":"FatFs prior to R0.16 that use GPT scanning with 'FF_LBA64 = 1' contains an issue where an unbounded loop count derived from GPT header field GPTH_PtNum, enabling extremely long or effectively infinite mount-time scans. This maps to CWE-835 (Loop with Unreachable Exit Condition). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (4.6, Medium). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Partial.","cvss":4.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.6,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://elm-chan.org/fsw/ff/","https://github.com/runZeroInc/vulns-2026-fatfs-chance","https://www.runzero.com/advisories/fatfs-gpt-scan-loop-dos-cve-2026-6684/","https://www.runzero.com/blog/fatfs-bugs/","https://github.com/runZeroInc/vulns-2026-fatfs-chance"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T15:17:12","euvd":null},{"cve_id":"CVE-2026-6685","summary":"FatFs R0.16 and earlier exhibits a stale dirty-cache skip via unsigned-subtraction wrap in f_read() / f_write() (fp->sect - sect < cc) during interleaved read/write on fragmented filesystems. This maps to CWE-191 (Integer Underflow). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H (6.1, Medium). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Total.","cvss":6.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://elm-chan.org/fsw/ff/","https://github.com/runZeroInc/vulns-2026-fatfs-chance","https://www.runzero.com/advisories/fatfs-unsigned-sub-wrap-cve-2026-6685/","https://www.runzero.com/blog/fatfs-bugs/","https://github.com/runZeroInc/vulns-2026-fatfs-chance"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T15:17:12","euvd":null},{"cve_id":"CVE-2026-6686","summary":"FatFs R0.16 and earlier contains an uninitialized cluster exposure when f_lseek() extends files beyond EOF without zero-filling newly allocated clusters. This maps to CWE-908 (Use of Uninitialized Resource). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (4.6, Medium). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Partial.","cvss":4.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.6,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://elm-chan.org/fsw/ff/","https://github.com/runZeroInc/vulns-2026-fatfs-chance","https://www.runzero.com/advisories/fatfs-uninit-cluster-exposure-cve-2026-6686/","https://www.runzero.com/blog/fatfs-bugs/","https://github.com/runZeroInc/vulns-2026-fatfs-chance"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T15:17:12","euvd":null},{"cve_id":"CVE-2026-6687","summary":"FatFs R0.16 and earlier contains a stack overflow bug in f_getlabel() because exFAT label length (XDIR_NumLabel) is trusted without enforcing spec maximums. This maps to CWE-121 (Stack-based Buffer Overflow). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (7.6, High). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Total.","cvss":7.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.6,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://elm-chan.org/fsw/ff/","https://github.com/runZeroInc/vulns-2026-fatfs-chance","https://www.runzero.com/advisories/fatfs-exfat-label-len-of-cve-2026-6687/","https://www.runzero.com/blog/fatfs-bugs/","https://github.com/runZeroInc/vulns-2026-fatfs-chance"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T15:17:12","euvd":null},{"cve_id":"CVE-2026-58031","summary":"Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki.\n\n This vulnerability is associated with program files resources/src/mediawiki.Special.Apisandbox/ApiSandboxLayout.Js.\n\n\n\nThis issue affects MediaWiki: from 1.46.0-rc.0 before 1.46.0.","cvss":0.0,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":0.0,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://phabricator.wikimedia.org/T426889"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T15:17:11","euvd":null},{"cve_id":"CVE-2026-58034","summary":"Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation CheckUser.\n\n This vulnerability is associated with program files modules/ext.CheckUser.TempAccounts/components/blockConnectedTempAccountsField.Vue.\n\n\n\nThis issue affects CheckUser: from 1.46.0-rc.0 before 1.46.0.","cvss":0.0,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":0.0,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://phabricator.wikimedia.org/T428820"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T15:17:11","euvd":null},{"cve_id":"CVE-2026-58035","summary":"Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki.\n\n This vulnerability is associated with program files resources/src/mediawiki.Special.Block/SpecialBlock.Vue.","cvss":0.0,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":0.0,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://phabricator.wikimedia.org/T428809"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T15:17:11","euvd":null},{"cve_id":"CVE-2026-58399","summary":"@acastellon/auth is an authentication control system for microservices. Versions prior to 2.3.0 appear to allow an unauthenticated authentication bypass in validateToken() through spoofable auth-user and Host request headers. The validateToken middleware contains a service-to-service bypass for auth-user: service-brother when req.get('host').startsWith(getHostName()). Both values involved in the check can be influenced by an unauthenticated HTTP client: auth-user is a request header, and Host is also client-controlled. As a result, a remote unauthenticated attacker can send a request with crafted headers and bypass token validation before the normal legacy/JWT/OIDC validation logic runs. A fix has been implemented in v2.3.0.","cvss":8.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":8.7,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/antonio-castellon/module-auth/issues/6","https://github.com/antonio-castellon/module-auth/security/advisories/GHSA-gfj5-979r-92pw","https://www.npmjs.com/package/@acastellon/auth/v/2.3.0"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T15:17:11","euvd":null},{"cve_id":"CVE-2026-5135","summary":"A flaw was found in Foreman. This broken access control vulnerability allows an authenticated user with host-edit permissions to retarget an existing lookup value override to a different host. This is achieved by modifying the match field through nested host attributes, effectively bypassing authorisation checks. The consequence is the potential for unauthorised modification of managed host configurations across different organisational and location boundaries.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://access.redhat.com/errata/RHSA-2026:34367","https://access.redhat.com/errata/RHSA-2026:34368","https://access.redhat.com/security/cve/CVE-2026-5135","https://bugzilla.redhat.com/show_bug.cgi?id=2452230"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T15:17:11","euvd":null},{"cve_id":"CVE-2026-5138","summary":"A flaw was found in Foreman. An authenticated user with host-edit permissions could exploit a cross-tenant information disclosure vulnerability. This flaw occurs because the taxonomy_scope controller method does not properly validate organization and location IDs from nested request parameters, bypassing existing authorization checks. This allows the user to leak sensitive infrastructure metadata, including subnet topology, IP ranges, gateways, DNS servers, and VLAN IDs, from organizations and locations they are not authorized to access.","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://access.redhat.com/errata/RHSA-2026:34367","https://access.redhat.com/errata/RHSA-2026:34368","https://access.redhat.com/security/cve/CVE-2026-5138","https://bugzilla.redhat.com/show_bug.cgi?id=2452971"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T15:17:11","euvd":null},{"cve_id":"CVE-2026-5142","summary":"A flaw was found in foreman. Authenticated users with 'view_keypairs' permission can bypass taxonomy scoping, allowing them to download private SSH (Secure Shell) keys from other organizations by directly querying key pair IDs. This vulnerability leads to cross-tenant data exposure in multi-tenant deployments, potentially compromising sensitive information.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://access.redhat.com/errata/RHSA-2026:34367","https://access.redhat.com/errata/RHSA-2026:34368","https://access.redhat.com/security/cve/CVE-2026-5142","https://bugzilla.redhat.com/show_bug.cgi?id=2452999"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T15:17:11","euvd":null},{"cve_id":"CVE-2026-14324","summary":"RAOP module accepts unbounded Content-Length values and does not check the pw_array_add() return.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://access.redhat.com/security/cve/CVE-2026-14324","https://bugzilla.redhat.com/show_bug.cgi?id=2495903"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T15:17:06","euvd":null},{"cve_id":"CVE-2026-14330","summary":"Multiple unbounded alloca() calls in the PulseAudio protocol server.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://access.redhat.com/security/cve/CVE-2026-14330","https://bugzilla.redhat.com/show_bug.cgi?id=2495907"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T15:17:06","euvd":null},{"cve_id":"CVE-2026-23537","summary":"A vulnerability has been identified in the Feast Feature Server’s `/save-document` endpoint that allows an unauthenticated remote attacker to write arbitrary JSON files to the server's filesystem. Although the system attempts to restrict file locations, these protections can be bypassed, enabling an attacker to overwrite vital application configurations or startup scripts. Because this flaw requires no credentials or special privileges, any attacker with network access to the server can potentially compromise the integrity of the system. This could lead to unauthorized system modifications, denial of service through disk exhaustion, or potential remote code execution.","cvss":9.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://access.redhat.com/security/cve/CVE-2026-23537","https://bugzilla.redhat.com/show_bug.cgi?id=2429304","https://github.com/red-hat-data-services/feast/pull/192"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T15:17:06","euvd":null},{"cve_id":"CVE-2026-2891","summary":"The following Poly Voice IP devices, CCX, Trio, and Edge E, might be inoperable if they connect to a malicious SIP server and receive malformed data. HP is releasing updates to mitigate these potential vulnerabilities.","cvss":8.2,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":8.2,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://support.hp.com/us-en/document/ish_15222895-15222917-16/hpsbpy04096"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T15:17:06","euvd":null},{"cve_id":"CVE-2026-13602","summary":"We found a chain of combining multiple weaknesses in the product that could allow an attacker to become any user in the backend and access any data:\n\n\n\n\n\n\n\n  *  \n\n\nThe payment integration plugins Stripe (included in the core system), pretix-mollie, pretix-oppwa, pretix-bitpay, pretix-payone, pretix-secuconnect, pretix-sofort, and pretix-saferpay\n contain a code path that is intended for the transport of session \nparameters from a tab with isolated cookies (e.g. in the pretix widget) \nto a new tab. For this purpose, a set of session parameters is \ncryptographically signed and then passed to the new tab as a URL \nparameter. The plugins perform no further validation of the session \nparameters, other than the cryptographic signature being valid. This is \nfixed with the releases issued today by strictly validating that no \nsession parameters outside of the scope of the respective plugin may be \nset.\n\n\n\n\n  *  \n\n\nAn unrelated feature in the core system is used to generate redirect links that obfuscate any Referer\n headers for outgoing links to prevent leakage of secrets in URLs. This \nredirect page also requires cryptographically signed parameters. \nUnfortunately, it uses the same key and salt for the signature as the \npreviously mentioned feature in the payment integration plugins. A \nmotivated attacker with access to at least one event in the backend can \ntrick the system into cryptographically signing arbitrary content using \nspecially crafted links. In combination with the previous issue, the \nattacker could use this to set and modify arbitrary parameters on their \nuser session by injecting the signed parameters into the feature of the \npayment providers. This is fixed with the releases issued today by using\n different salts for the signature for each plugin and feature.\n\n\n\n\n  *  \n\n\nA third, unrelated feature in the core system is used for admin users\n to act on behalf of another user, mostly for debugging purposes. With \nbeing able to insert arbitrary parameters into a session, an attacker \ncan abuse this feature to change their session from their actual user to\n any user in the system by guessing a valid user ID. This is fixed with\n the release today by requiring unguessable information to be contained \nin the session of the user to switch to.","cvss":7.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":7.7,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://pretix.eu/about/en/blog/20260701-release-2026-5-3/"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T15:16:29","euvd":null},{"cve_id":"CVE-2026-12374","summary":"Improper certificate validation and a time-of-check time-of-use (TOCTOU) race condition in the PrivilegedHelperTool XPC service in Cato Client before v.5.13.1 on macOS allows a local authenticated attacker to escalate privileges to root via a self-signed certificate that bypasses the XPC caller verification and a symlink swap during package installation.","cvss":6.4,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":6.4,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://support.catonetworks.com/hc/en-us/articles/37284626576413-Security-Vulnerability-CVE-2026-12374-that-Impacts-macOS-Client-Versions-Lower-than-5-13-1"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T15:16:27","euvd":null},{"cve_id":"CVE-2026-5136","summary":"A flaw was found in Foreman. The Usergroup model in Foreman does not properly validate role assignments against the calling user's permissions. This allows an authenticated user with usergroup management permissions to attach arbitrary roles, including administrative roles, to a user group and then add themselves as a member. Successful exploitation of this vulnerability leads to full privilege escalation, granting the attacker administrator-level access.","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://access.redhat.com/errata/RHSA-2026:34367","https://access.redhat.com/errata/RHSA-2026:34368","https://access.redhat.com/security/cve/CVE-2026-5136","https://bugzilla.redhat.com/show_bug.cgi?id=2452970"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T14:16:47","euvd":null},{"cve_id":"CVE-2026-57692","summary":"Incorrect Privilege Assignment vulnerability in LCweb PrivateContent allows Privilege Escalation.\n\nThis issue affects PrivateContent: from n/a through 9.9.2.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/private-content/vulnerability/wordpress-privatecontent-plugin-9-9-2-privilege-escalation-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T14:16:46","euvd":null},{"cve_id":"CVE-2026-53356","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/gem: Fix phys BO pread/pwrite with offset\n\nsg_page() returns struct page pointer not (void *) so the scaling\nof pread/pwrite is wrong for phys BO and wrong parts of BO would be\naccessed if non-zero offset is used.\n\nLast impacted platform with overlay or cursor planes using phys\nmapping was Gen3/945G/Lakeport.\n\n(cherry picked from commit 3e49a2f85070b2fb672c1e0fdba281a4ea3aebe6)","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/07c33be968d9e0cab6cba38c81850a09942fcb2e","https://git.kernel.org/stable/c/14469860e2e39b7095dcd658d2bad38a11110a68","https://git.kernel.org/stable/c/1ec8fc63e9cdb22da54e48e536c9204020416fc6","https://git.kernel.org/stable/c/32d4c5d328a3ff995420f4f85163e1e403f43628","https://git.kernel.org/stable/c/3bd168dd835b93a3862cd05b0d13c432b115f9d6","https://git.kernel.org/stable/c/40f738991058eb3e3530c3006a5bd6fd5e29f035","https://git.kernel.org/stable/c/d21ad938398bca695a511307de38a65889e3b354","https://git.kernel.org/stable/c/dd51a2eeb93bc6faa892ff9083911dd23f82c187"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T14:16:44","euvd":null},{"cve_id":"CVE-2026-53349","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conntrack: destroy stale expectfn expectations on unregister\n\nNAT helpers such as nf_nat_h323 store a raw pointer to module text in\nexp->expectfn (e.g. ip_nat_q931_expect). nf_ct_helper_expectfn_unregister()\nonly unlinks the callback descriptor and never walks the expectation table,\nso an expectation pending at module removal survives with a dangling\nexp->expectfn into freed module text.\n\nWhen the expected connection arrives, init_conntrack() invokes\nexp->expectfn(), now a stale pointer into the unloaded module. Reproduced\non a KASAN build by loading the H.323 helpers, creating a Q.931\nexpectation, unloading nf_nat_h323, then connecting to the expected port:\n\n Oops: int3: 0000 [#1] SMP KASAN NOPTI\n RIP: 0010:0xffffffffa06102d1\n  init_conntrack.isra.0 (net/netfilter/nf_conntrack_core.c:1862)\n  nf_conntrack_in (net/netfilter/nf_conntrack_core.c:2049)\n  ipv4_conntrack_local (net/netfilter/nf_conntrack_proto.c:223)\n  nf_hook_slow (net/netfilter/core.c:619)\n  __ip_local_out (net/ipv4/ip_output.c:120)\n  __tcp_transmit_skb (net/ipv4/tcp_output.c:1715)\n  tcp_connect (net/ipv4/tcp_output.c:4374)\n  tcp_v4_connect (net/ipv4/tcp_ipv4.c:345)\n  __sys_connect (net/socket.c:2167)\n Modules linked in: nf_conntrack_h323 [last unloaded: nf_nat_h323]\n\nReaching the dangling state requires CAP_SYS_MODULE in the initial user\nnamespace to remove a NAT helper that still has live expectations, so this\nis a robustness fix; leaving an expectation pointing at freed text is wrong\nregardless.\n\nAdd nf_ct_helper_expectfn_destroy(), which walks the expectation table and\ndrops every expectation whose ->expectfn matches the descriptor being torn\ndown. Call it from each NAT helper's exit path after the existing RCU grace\nperiod, so no expectation outlives the code it points at and no extra\nsynchronize_rcu() is introduced. With the fix, the same reproducer runs to\ncompletion without the Oops.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/29d8cc44bbdf7b83a1929912214afe6643c1b4f1","https://git.kernel.org/stable/c/9d017671dcfcec23321fb7962dea624f9e71ddb1","https://git.kernel.org/stable/c/bf8c0b5dd203be94c2ad50e264cec19267c6bd39","https://git.kernel.org/stable/c/c3009418f9fa1dcb3eb86f4d8c92583537b5faa3","https://git.kernel.org/stable/c/f92c90a2a3e6ff6f9f7fe88fde9004b4ca8f956d","https://git.kernel.org/stable/c/fbfde85308b99938a6092c48753214d190ece48d"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T14:16:43","euvd":null},{"cve_id":"CVE-2026-53350","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: wm_adsp: Fix NULL dereference when removing firmware controls\n\nIn wm_adsp_control_remove() check that the priv pointer is not NULL\nbefore attempting to cleanup what it points to.\n\nWhen cs_dsp creates a control it calls wm_adsp_control_add_cb() so that\nwm_adsp can create its own private control data. There are two cases\nwhere private data is not created:\n\n1. The control is a SYSTEM control, so an ALSA control is not created.\n\n2. The codec driver has registered a control_add() callback that\n   hides the control, so wm_adsp_control_add() is not called.\n\nWhen cs_dsp_remove destroys its control list it calls\nwm_adsp_control_remove() for each control. But wm_adsp_control_remove()\nwas attempting to cleanup the private data pointed to by cs_ctl->priv\nwithout checking the pointer for NULL.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/10def23b67b42679d5b1a356e1a6f3498bd188c3","https://git.kernel.org/stable/c/12e579b889624ec54a201d98fdff975de556c731","https://git.kernel.org/stable/c/2f1be283aa777d655525d000d16474b7e7d015ea","https://git.kernel.org/stable/c/5ee9bbe2af2f373e08d3017f9aef2f2eaf29fbc3","https://git.kernel.org/stable/c/6effd6f7b0ba1f5d1df702b2ef7460bcc215e9b7","https://git.kernel.org/stable/c/7d3fb78b550301e43fdc60312aed733069694426"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T14:16:43","euvd":null},{"cve_id":"CVE-2026-53351","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nriscv/ptrace: Use USER_REGSET_NOTE_TYPE for REGSET_CFI\n\nFixes a warning while dumping core:\n\n[54983.546369][    C7] WARNING: [!note_name] fs/binfmt_elf.c:1771 at elf_core_dump+0x910/0xf68, CPU#7: abort01/31982","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/08200bef0983ffed039ab399df0cba8d900ce5fc","https://git.kernel.org/stable/c/e3573f739e3dadab57ec80488d07e05c8f6e82d3"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T14:16:43","euvd":null},{"cve_id":"CVE-2026-53352","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nsignal: clear JOBCTL_PENDING_MASK for caller in zap_other_threads()\n\nWhen a multi-threaded process receives a stop signal (e.g., SIGSTOP),\ndo_signal_stop() sets JOBCTL_STOP_PENDING and JOBCTL_STOP_CONSUME on all\nthreads and sets signal->group_stop_count to the number of threads. If\none of the threads concurrently calls execve(), de_thread() invokes\nzap_other_threads() to kill all other threads. zap_other_threads()\naborts the pending group stop by resetting signal->group_stop_count to 0\nand clears the JOBCTL_PENDING_MASK for all other threads. However, it\nfails to clear the job control flags for the calling thread.\n\nWhen execve() completes, the calling thread returns to user mode and\nchecks for pending signals. Seeing the stale JOBCTL_STOP_PENDING flag,\nit calls do_signal_stop(), which invokes task_participate_group_stop().\nSince JOBCTL_STOP_CONSUME is still set, it attempts to decrement the\nalready-zero signal->group_stop_count, triggering a warning:\n\nsig->group_stop_count == 0\nWARNING: CPU: 1 PID: 6475 at kernel/signal.c:373\ntask_participate_group_stop+0x215/0x2d0\nCall Trace:\n <TASK>\n do_signal_stop+0x3be/0x5c0 kernel/signal.c:2619\n get_signal+0xa8c/0x1330 kernel/signal.c:2884\n arch_do_signal_or_restart+0xbc/0x840 arch/x86/kernel/signal.c:337\n exit_to_user_mode_loop+0x8c/0x4d0 kernel/entry/common.c:98\n do_syscall_64+0x33e/0xf80 arch/x86/entry/syscall_64.c:100\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n </TASK>\n\nFix this race condition by clearing the JOBCTL_PENDING_MASK for the\ncalling thread in zap_other_threads(), ensuring it does not retain any\nstale job control state after the thread group is destroyed. This aligns\nwith other functions that tear down a thread group and abort group\nstops, such as zap_process() and complete_signal(), which correctly\nclear these flags for all threads including the current one.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2b32b2fb241435145ea199efac024540759d2495","https://git.kernel.org/stable/c/391ebe74456a0f1d60b3ba4a8a64d9f44c1728fe","https://git.kernel.org/stable/c/76aebd9ef20078719dfd6282d3b06c27e900a65a","https://git.kernel.org/stable/c/8c046f36222c6ce1e0daef2c45c891c72602f8a1","https://git.kernel.org/stable/c/90918794a4e2c3b440f8fcf3847765a8b1d81b25","https://git.kernel.org/stable/c/dfcd0ba14769d94d76ac9d9814b85e7fcacd4e29","https://git.kernel.org/stable/c/f4aae11abb449dc536269705d0419ec69480faa9","https://git.kernel.org/stable/c/f8d720bc2e35d568c18be0644e92a468de428370"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T14:16:43","euvd":null},{"cve_id":"CVE-2026-53353","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nhsr: Remove WARN_ONCE() in hsr_addr_is_self().\n\nsyzbot reported the warning [0] in hsr_addr_is_self(),\nwhose assumption is simply wrong.\n\nhsr->self_node is cleared in hsr_del_self_node(), which\nis called from hsr_dellink().\n\nSince dev->rtnl_link_ops->dellink() is called before\nunregister_netdevice_many(), there is a window when\nuser can find the device but without hsr->self_node.\n\nLet's remove WARN_ONCE() in hsr_addr_is_self().\n\n[0]:\nHSR: No self node\nWARNING: net/hsr/hsr_framereg.c:39 at hsr_addr_is_self+0x211/0x3f0 net/hsr/hsr_framereg.c:39, CPU#0: syz.4.16848/17220\nModules linked in:\nCPU: 0 UID: 0 PID: 17220 Comm: syz.4.16848 Tainted: G             L      syzkaller #0 PREEMPT_{RT,(full)}\nTainted: [L]=SOFTLOCKUP\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026\nRIP: 0010:hsr_addr_is_self+0x211/0x3f0 net/hsr/hsr_framereg.c:39\nCode: 33 2f 41 0f b7 dd 89 ee 09 de 31 ff e8 c8 b4 c6 f6 09 dd 74 54 e8 0f b0 c6 f6 31 ed eb 53 e8 06 b0 c6 f6 48 8d 3d 2f 50 9c 04 <67> 48 0f b9 3a 31 ed eb 42 e8 c1 13 1f 00 89 c5 31 ff 89 c6 e8 96\nRSP: 0018:ffffc900041c70e0 EFLAGS: 00010283\nRAX: ffffffff8afdc6ca RBX: ffffffff8afdc4e6 RCX: 0000000000080000\nRDX: ffffc90010493000 RSI: 0000000000000948 RDI: ffffffff8f9a1700\nRBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000\nR10: ffffc900041c71e8 R11: fffff52000838e3f R12: dffffc0000000000\nR13: ffff888041f9e3c0 R14: ffff888086ee3802 R15: 0000000000000000\nFS:  00007f6fe985d6c0(0000) GS:ffff888126176000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f80bd437dac CR3: 0000000025096000 CR4: 00000000003526f0\nDR0: ffffffffffffffff DR1: 00000000000001f8 DR2: 0000000000000002\nDR3: ffffffffefffff15 DR6: 00000000ffff0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n check_local_dest net/hsr/hsr_forward.c:592 [inline]\n fill_frame_info net/hsr/hsr_forward.c:728 [inline]\n hsr_forward_skb+0xa11/0x2a80 net/hsr/hsr_forward.c:739\n hsr_dev_xmit+0x253/0x370 net/hsr/hsr_device.c:236\n __netdev_start_xmit include/linux/netdevice.h:5368 [inline]\n netdev_start_xmit include/linux/netdevice.h:5377 [inline]\n xmit_one net/core/dev.c:3888 [inline]\n dev_hard_start_xmit+0x2df/0x860 net/core/dev.c:3904\n __dev_queue_xmit+0x1428/0x3900 net/core/dev.c:4870\n neigh_output include/net/neighbour.h:556 [inline]\n ip_finish_output2+0xcec/0x10b0 net/ipv4/ip_output.c:237\n ip_send_skb net/ipv4/ip_output.c:1510 [inline]\n ip_push_pending_frames+0x8b/0x110 net/ipv4/ip_output.c:1530\n raw_sendmsg+0x1547/0x1a50 net/ipv4/raw.c:659\n sock_sendmsg_nosec net/socket.c:787 [inline]\n __sock_sendmsg net/socket.c:802 [inline]\n ____sys_sendmsg+0x7da/0x9c0 net/socket.c:2698\n ___sys_sendmsg+0x2a5/0x360 net/socket.c:2752\n __sys_sendmsg net/socket.c:2784 [inline]\n __do_sys_sendmsg net/socket.c:2789 [inline]\n __se_sys_sendmsg net/socket.c:2787 [inline]\n __x64_sys_sendmsg+0x1c3/0x2a0 net/socket.c:2787\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0x15f/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f6feb62ce59\nCode: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f6fe985d028 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 00007f6feb8a6090 RCX: 00007f6feb62ce59\nRDX: 0000000000000000 RSI: 0000200000000000 RDI: 0000000000000004\nRBP: 00007f6feb6c2d6f R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007f6feb8a6128 R14: 00007f6feb8a6090 R15: 00007ffcf01cc488\n </TASK>","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0232b6fcb7615fb7fecfe0727a23065a53e228b8","https://git.kernel.org/stable/c/271355c2ef6171dbc815e7ae653eed63444bbd58","https://git.kernel.org/stable/c/66a46e22396fd5d09606f37f73643eb20e99aa42","https://git.kernel.org/stable/c/afd0f17ca46258cec3a5cc48b8df9327fe772490","https://git.kernel.org/stable/c/d71bb171661ec0225bf4babdd4d296d744982fb3"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T14:16:43","euvd":null},{"cve_id":"CVE-2026-53354","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\narm64: errata: Mitigate TLBI errata on various Arm CPUs\n\nA number of CPUs developed by Arm suffer from errata whereby a broadcast\nTLBI;DSB sequence may complete before the global observation of writes\nwhich are translated by an affected TLB entry.\n\nThese errata ONLY affect the completion of memory accesses which have\nbeen translated by an invalidated TLB entry, and these errata DO NOT\naffect the actual invalidation of TLB entries. TLB entries are removed\ncorrectly.\n\nThis issue has been assigned CVE ID CVE-2025-10263.\n\nTo mitigate this issue, Arm recommends that software follows any\naffected TLBI;DSB sequence with an additional TLBI;DSB, which will\nensure that all memory write effects affected by the first TLBI have\nbeen globally observed. The additional TLBI can use any operation that\nis broadcast to affected CPUs, and the additional DSB can use any option\nthat is sufficient to complete the additional TLBI.\n\nThe ARM64_WORKAROUND_REPEAT_TLBI workaround is sufficient to mitigate\nthe issue. Enable this workaround for affected CPUs, and update the\nsilicon errata documentation accordingly.\n\nNote that due to the manner in which Arm develops IP and tracks errata,\nsome CPUs share a common erratum number.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1268c64e2bcb6e968152990e87bd10c440fcc9c0","https://git.kernel.org/stable/c/1b47b1e1d8675fdf5f6e11e7fa19c704d8c6f5cd","https://git.kernel.org/stable/c/4e7c80742e6dada9f8b9ad63f3a49c03af07ecb8","https://git.kernel.org/stable/c/7c3ad9365079e716b57d2363d3081ee7680cc18e","https://git.kernel.org/stable/c/8364384ae82fbffdf8968abaac3455ed854da18d","https://git.kernel.org/stable/c/925058203229403008d77a52b1e63e2ae5f4a3cf","https://git.kernel.org/stable/c/cfd391e74134db664feb499d43af286380b10ba8","https://git.kernel.org/stable/c/d4fd4282204044fdedd1e42abbe70a9206f74ec0","https://git.kernel.org/stable/c/e717a4d08779f1a28d6e0275e75040b12c33c753"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T14:16:43","euvd":null},{"cve_id":"CVE-2026-53355","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: rds: clear i_sends on setup unwind\n\nThe RDS IB connection teardown path is written so it can run during\npartial startup and on repeated shutdown attempts. It uses NULL\npointers to distinguish resources that are still owned from resources\nthat have already been released.\n\nWhen rds_ib_setup_qp() fails after allocating i_sends but before\nallocating i_recvs, the sends_out path frees i_sends without clearing\nthe pointer. A later shutdown pass can still treat that stale pointer\nas a live send ring allocation.\n\nClear i_sends after vfree() in the error unwind path so the existing\nshutdown logic continues to use the correct ownership state.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1d4ec754ee3871f7e3670c67bb0298c9c5760926","https://git.kernel.org/stable/c/20cf0fb715c41111469577e85e35d15f099473e0","https://git.kernel.org/stable/c/27040bbca289a704eafcacca167d310c6ce2b1bc","https://git.kernel.org/stable/c/29d940026dce39e3018dab6f67c9427249321270","https://git.kernel.org/stable/c/2c5e5e4a5970c41f16e3ad801a78719ed5d5c71b","https://git.kernel.org/stable/c/66cccec111421a10efdc2c74499d15b93e7acae5","https://git.kernel.org/stable/c/e7cf30aa5f1fc6c2a86df65df8b731df20e44d79","https://git.kernel.org/stable/c/f16ad421a4e3e7db2d14bdf3b16f583bc4f3b30a"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T14:16:43","euvd":null},{"cve_id":"CVE-2026-53340","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: imx: fix clock and pinctrl state inconsistency in runtime PM\n\nIn i2c_imx_runtime_suspend(), the clock is disabled before switching\nthe pinctrl state to sleep. If pinctrl_pm_select_sleep_state() fails,\nthe runtime suspend is aborted but the clock remains disabled, causing\na system crash when the hardware is subsequently accessed.\n\nFix this by switching the pinctrl state before disabling the clock so\nthat a pinctrl failure leaves the clock enabled and the hardware\naccessible.\n\nIn i2c_imx_runtime_resume(), restore the pinctrl state back to sleep\nif clk_enable() fails to keep the consistent.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/8783fb8031799f1230997c16df8c8dce9fcd1841","https://git.kernel.org/stable/c/9fa82cf393bafc7bd7ca15c1d5cbd5b57ab9de1d","https://git.kernel.org/stable/c/c8f5269c1bf505847bc7dbb92054594790114de6"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T14:16:42","euvd":null},{"cve_id":"CVE-2026-53341","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nfhandle: fix UAF due to unlocked ->mnt_ns read in may_decode_fh()\n\nmay_decode_fh() accesses mount::mnt_ns without holding any locks; that\nmeans the mount can concurrently be unmounted, and the mnt_namespace can\nconcurrently be freed after an RCU grace period.\n\nThis race can happens as follows, assuming that the mount point was\ncreated by open_tree(..., OPEN_TREE_CLONE):\n\nthread 1            thread 2            RCU\n                    __do_sys_open_by_handle_at\n                      do_handle_open\n                        handle_to_path\n                          may_decode_fh\n                            is_mounted\n                              [mount::mnt_ns access]\n                            [mount::mnt_ns access]\n__do_sys_close\n  fput_close_sync\n    __fput\n      dissolve_on_fput\n        umount_tree\n        class_namespace_excl_destructor\n          namespace_unlock\n            free_mnt_ns\n              mnt_ns_tree_remove\n                call_rcu(mnt_ns_release_rcu)\n                                        mnt_ns_release_rcu\n                                          mnt_ns_release\n                                            kfree\n                            [mnt_namespace::user_ns access] **UAF**\n\nFix it by taking rcu_read_lock() around the mount::mnt_ns access, like\nin __prepend_path().\nAdditionally, document the semantics of mount::mnt_ns, and use WRITE_ONCE()\nfor writers that can race with lockless readers.\n\nThis bug is unreachable unless one of the following is set:\n\n - CONFIG_PREEMPTION\n - CONFIG_RCU_STRICT_GRACE_PERIOD\n\nbecause it requires an RCU grace period to happen during a syscall without\nan explicit preemption.\n\nThis doesn't seem to have interesting security impact; worst-case, it could\nleak the result of an integer comparison to userspace (from the level\ncheck in cap_capable()), cause an endless loop, or crash the kernel by\ndereferencing an invalid address.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/32138633e51e6db59e474765cf93268c92b42888","https://git.kernel.org/stable/c/40ab6644b99685755f740b872c00ef40d9aa870e","https://git.kernel.org/stable/c/a8ed2c29fcfdac78db96c9da4e659c8a513f2a94"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T14:16:42","euvd":null},{"cve_id":"CVE-2026-53342","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\narm64: mm: call pagetable dtor when freeing hot-removed page tables\n\nSince 5e8eb9aeeda3 (\"arm64: mm: always call PTE/PMD ctor in\n__create_pgd_mapping()\") page-table allocation on ARM64 always calls\npagetable_{pte,pmd,pud,p4d}_ctor().  This sets the page_type to\nPGTY_table, increments NR_PAGETABLE and possible allocates a PTL.  However\nthe matching pagetable_dtor() calls were never added.\n\nWith DEBUG_VM enabled on kernel versions prior to v6.17 without\n2dfcd1608f3a9 (\"mm/page_alloc: let page freeing clear any set page type\")\nthis leads to the following warning when freeing these pages due to\npage->page_type sharing page->_mapcount:\n\n  BUG: Bad page state in process ... pfn:284fbb\n  page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x284fbb\n  flags: 0x17fffc000000000(node=0|zone=2|lastcpupid=0x1ffff)\n  page_type: f2(table)\n  page dumped because: nonzero mapcount\n  Call trace:\n   bad_page+0x13c/0x160\n   __free_frozen_pages+0x6cc/0x860\n   ___free_pages+0xf4/0x180\n   free_pages+0x54/0x80\n   free_hotplug_page_range.part.0+0x58/0x90\n   free_empty_tables+0x438/0x500\n   __remove_pgd_mapping.constprop.0+0x60/0xa8\n   arch_remove_memory+0x48/0x80\n   try_remove_memory+0x158/0x1d8\n   offline_and_remove_memory+0x138/0x180\n\nIt can also lead to leaking the ptl allocation if ALLOC_SPLIT_PTLOCKS is\ndefined and incorrect NR_PAGETABLE stats.  Fix this by calling\npagetable_dtor() in free_hotplug_pgtable_page() prior to freeing the page\nto undo the effects of calling pagetable_*_ctor().","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/95f27fcda681021ed3906d3cae7e68b6a57a1d8e","https://git.kernel.org/stable/c/aaa688ac9f18207f7452c6472e647c1febaea6a3","https://git.kernel.org/stable/c/c594b83457ccdee76d458416fb3bc9348a37592f"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T14:16:42","euvd":null},{"cve_id":"CVE-2026-53343","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nARM: 9475/1: entry: use byte load for KASAN VMAP stack shadow\n\nCommit 44e9a3bb76e5 (\"ARM: 9430/1: entry: Do a dummy read from\nVMAP shadow\") added a dummy read from the KASAN VMAP stack shadow in\n__switch_to(). The read uses ldr, but the KASAN shadow address is\nbyte-granular and is not guaranteed to be word aligned.\n\nARMv5 faults unaligned word loads. With CONFIG_KASAN_VMALLOC and\nCONFIG_VMAP_STACK enabled, ARM926/VersatilePB crashes in __switch_to()\nwith an alignment exception before reaching init.\n\nUse ldrb for the dummy shadow access. The code only needs to fault in the\nshadow mapping if the stack shadow is missing, so a byte load is sufficient\nand matches the granularity of KASAN shadow memory.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2a4dc9a0ac3326e79fb58fdaae724b92127709a9","https://git.kernel.org/stable/c/517720913bd3c17a52cd55a740064f68455ab88e","https://git.kernel.org/stable/c/77a1f6883dc6e837bb2cb30b9b02e2f94338e2c6","https://git.kernel.org/stable/c/c0b8c148a7754826156993ed6442d31536ec86b4","https://git.kernel.org/stable/c/c2e3aadc8fef7da068490597fc5582f8f362aeb2","https://git.kernel.org/stable/c/c74990828d3c486ee44aaa68240eb3abff289d1c"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T14:16:42","euvd":null},{"cve_id":"CVE-2026-53344","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: mcp23s08: Initialize mcp->dev and mcp->addr before regmap init\n\nRegmap initialization triggers regcache_maple_populate() which attempts\nSPI read to populate cache. SPI read requires mcp->dev and mcp->addr to\nbe set, without them, NULL pointer dereference occurs during probe.\n\nMove initialization before mcp23s08_spi_regmap_init() call.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/3a13bb9540dfd7014c5601608afcbbadbbcfd673","https://git.kernel.org/stable/c/8473c3a197b57ff01396f7a2ec6ddf65383820d4"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T14:16:42","euvd":null},{"cve_id":"CVE-2026-53345","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: Don't WARN if memory is dirtied without a vCPU when the VM is dying\n\nWhen marking a page dirty, complain about not having a running/loaded vCPU\nif and only if the VM is still alive, i.e. its refcount is non-zero.  This\nwill allow fixing a memory leak for x86 SEV-ES guests without hitting what\nis effectively a false positive on the WARN.\n\nFor some SEV-ES VM-Exits, KVM keeps a writable mapping of a guest page\nacross an exit to userspace, and typically unmaps the page on the next\nKVM_RUN.  But if userspace never calls KVM_RUN after such an exit, then KVM\nneeds to unmap the page when the vCPU is destroyed, which in turn triggers\nthe WARN about not having a running vCPU.\n\nAlternatively, SEV-ES could temporarily load the vCPU to suppress the WARN,\nas is done in nested_vmx_free_vcpu() (but for completely unrelated reasons;\nsuppressing WARN from nested_put_vmcs12_pages() is pure happenstance).  But\nloading a vCPU during destruction is gross (ideally nVMX code would be\ncleaned up), risks complicating the SEV-ES code (KVM would need to ensure\nthe temporarily load()+put() only runs when the vCPU isn't already loaded),\nand is ultimately pointless.\n\nThe motivation for the WARN is to guard against KVM dirtying guest memory\nwithout pushing the corresponding GFN to the active vCPU's dirty ring, e.g.\nto ensure userspace doesn't miss a dirty page.  But for the VM's refcount\nto reach zero, there can't be _any_ userspace mappings to the dirty ring,\nas mapping the dirty ring requires doing mmap() on the vCPU FD.  I.e. if\nuserspace had a valid mapping for the dirty ring, then the vCPU file and\nthus the owning VM would still be alive.  And so since userspace can't\npossibly reach the dirty ring, whether or not KVM technically \"misses\" a\npush to the dirty ring is irrelevant.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/033d39e41fc30f484f4e4f37fb4cd76b12cbb18e","https://git.kernel.org/stable/c/343e95c8ecc40e0738975ef4ee24c0c35e800e6b","https://git.kernel.org/stable/c/66a8e7ddd901023c89a2733494d827eca3f9c1b0","https://git.kernel.org/stable/c/8618004d3e897c0f1b71d9a9ab860461289bb89a","https://git.kernel.org/stable/c/99d7d43784ae3235026581e9bf892c036e04c8e6"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T14:16:42","euvd":null},{"cve_id":"CVE-2026-53346","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nrust: arm64: set uwtable llvm module flag for CONFIG_UNWIND_TABLES\n\nDue to a rustc bug [1] the -Cforce-unwind-tables=y flag only emits the\nuwtable annotation for functions, but not for the module. This means\nthat compiler-generated functions such as 'asan.module_ctor' do not\nreceive the uwtable annotation.\n\nWhen CONFIG_UNWIND_PATCH_PAC_INTO_SCS is enabled, this leads to boot\nfailures because the dwarf information emitted for the kasan\nconstructors is wrong, which causes the SCS boot patching code to\npatch the constructor in an illegal manner. Specifically, the paciasp\ninstruction is patched, but the autiasp instruction is not. This\nmismatch leads to a crash when the constructor is called during boot.\n\n\t==================================================================\n\tBUG: KASAN: global-out-of-bounds in do_basic_setup+0x4c/0x90\n\tRead of size 8 at addr ffffffe3cc7eb488 by task swapper/0/1\n\nSpecifically the faulting instruction is the (*fn)() to invoke the\nconstructor in do_ctors() of the init/main.c file.\n\nOnce the fix lands in rustc, this flag can be made conditional on the\nrustc version. Note that passing the flag on a rustc with the fix\npresent has no effect.\n\n[ The fix [1] has landed for Rust 1.98.0 (expected release on\n  2026-08-20).\n\n  Thus add a version check as discussed.\n\n    - Miguel ]\n\n[ Adjusted link and comment. - Miguel ]","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/7de13410f59e59b21d3c268a6e22d40f5d9d8a54","https://git.kernel.org/stable/c/ac35b5580ace12e5d0a0b5e61e36d2c4e1ffa29c","https://git.kernel.org/stable/c/bde772ee239720af216fb0b14753971059e132dc","https://git.kernel.org/stable/c/d0f25a1755f2c15b1746379c8d9d7dfde85f58f5"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T14:16:42","euvd":null},{"cve_id":"CVE-2026-53347","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/virtio: Fix driver removal with disabled KMS\n\nDRM atomic and modesetting aren't initialized if virtio-gpu driver built\nwith disabled KMS, leading to access of uninitialized data on driver\nremoval/unbinding and crashing kernel. Fix it by skipping shutting down\natomic core with unavailable KMS.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/15e561869a8b4e4db69733be1d6f33770664f989","https://git.kernel.org/stable/c/19a6a00ff50c284f3a9818882ad2be58b33b790a","https://git.kernel.org/stable/c/38a5f891cda6d121c149c94cda89c31ec7024ee3","https://git.kernel.org/stable/c/ed3e134700a2e07caa99b9bc0683ebbe0327c562","https://git.kernel.org/stable/c/f329e8325e054bd6d84d10904f8dd51137281b92"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T14:16:42","euvd":null},{"cve_id":"CVE-2026-53348","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: SDCA: fix NULL pointer dereference in sdca_dev_unregister_functions\n\nsdca_dev_unregister_functions() iterates over all SDCA function\ndescriptors and calls sdca_dev_unregister() on each func_dev without\nchecking for NULL. When a function registration has failed partway\nthrough, or the device cleanup races with probe deferral, func_dev\nentries may be NULL, leading to a kernel oops:\n\n  BUG: kernel NULL pointer dereference, address: 0000000000000040\n  RIP: 0010:device_del+0x1e/0x3e0\n  Call Trace:\n   sdca_dev_unregister_functions+0x37/0x60 [snd_soc_sdca]\n   release_nodes+0x35/0xb0\n   devres_release_all+0x90/0x100\n   device_unbind_cleanup+0xe/0x80\n   device_release_driver_internal+0x1c1/0x200\n   bus_remove_device+0xc6/0x130\n   device_del+0x161/0x3e0\n   device_unregister+0x17/0x60\n   sdw_delete_slave+0xb6/0xd0 [soundwire_bus]\n   sdw_bus_master_delete+0x1e/0x50 [soundwire_bus]\n   ...\n   sof_probe_work+0x19/0x30 [snd_sof]\n\nThis was observed on a Lenovo ThinkPad X1 Carbon G14 (Panther Lake)\nwith the SOF audio driver probe failing due to missing Panther Lake\nfirmware, causing the subsequent cleanup of SoundWire devices to\ntrigger the crash.\n\nFix this with three changes:\n\n1) Add a NULL guard in sdca_dev_unregister() so that callers do not\n   need to pre-validate the pointer (defense in depth).\n\n2) In sdca_dev_unregister_functions(), skip NULL func_dev entries\n   and clear func_dev to NULL after unregistration, making the\n   function idempotent and safe against double-invocation.\n\n3) In sdca_dev_register_functions(), roll back all previously\n   registered functions when a later one fails, so the function\n   array is never left in a partially-populated state.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/9a4895059bb6a8505098a9f75de187fd15631fc8","https://git.kernel.org/stable/c/e4c60a1d4b6ccc66aefb3789cd908d4f9482eefd"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T14:16:42","euvd":null},{"cve_id":"CVE-2026-53332","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nslimbus: qcom-ngd-ctrl: Register callbacks after creating the ngd\n\nWhen the remoteproc starts in parallel with the NGD driver being probed,\nor the remoteproc is already up when the PDR lookup is being registered,\nor in the theoretical event that we get an interrupt from the hardware,\nthese callbacks will operate on uninitialized data. This result in\nissues to boot the affected boards.\n\nOne such example can be seen in the following fault, where\nqcom_slim_ngd_ssr_pdr_notify() schedules work on the NULL ngd_up_work.\n\n[   21.858578] ------------[ cut here ]------------\n[   21.858745] WARNING: kernel/workqueue.c:2338 at __queue_work+0x5e0/0x790, CPU#2: kworker/2:2/116\n...\n[   21.859251] Call trace:\n[   21.859255]  __queue_work+0x5e0/0x790 (P)\n[   21.859265]  queue_work_on+0x6c/0xf0\n[   21.859273]  qcom_slim_ngd_ssr_pdr_notify+0x110/0x150 [slim_qcom_ngd_ctrl]\n[   21.859304]  qcom_slim_ngd_ssr_notify+0x24/0x40 [slim_qcom_ngd_ctrl]\n[   21.859318]  notifier_call_chain+0xa4/0x230\n[   21.859329]  srcu_notifier_call_chain+0x64/0xb8\n[   21.859338]  ssr_notify_start+0x40/0x78 [qcom_common]\n[   21.859355]  rproc_start+0x130/0x230\n[   21.859367]  rproc_boot+0x3d4/0x518\n...\n\nMove the enablement of interrupts, and the registration of SSR and PDR\nuntil after the NGD device has been registered.\n\nThis could be further refined by moving initialization to the control\ndriver probe and by removing the platform driver model from the picture.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/08564e15c47a5fb0af6643a43ee15521d49bcdea","https://git.kernel.org/stable/c/24ec89123fc9d0d24ce719dcf7fd6c57e5b0d753","https://git.kernel.org/stable/c/2a9d50e9ea406e0c8735938484adc20515ef1b47","https://git.kernel.org/stable/c/fa3790c7ea98328ddc3f7d8bf40247556245a6fc"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T14:16:41","euvd":null},{"cve_id":"CVE-2026-53333","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm/mincore: handle non-swap entries before !CONFIG_SWAP guard\n\nmincore_swap() also fields migration/hwpoison entries (and shmem\nswapin-error entries), which can exist on !CONFIG_SWAP builds when\nCONFIG_MIGRATION or CONFIG_MEMORY_FAILURE is enabled.  The\n!IS_ENABLED(CONFIG_SWAP) guard ran before the non-swap-entry early return,\nso mincore_pte_range() can spuriously WARN and report these pages\nnonresident on !CONFIG_SWAP kernels.\n\nMove the guard below the non-swap-entry check so only true swap entries\ntrip the WARN, and migration/hwpoison entries take the existing \"uptodate\n/ non-shmem\" path.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0c25b8734367574e21aeb8468c2e522713134da7","https://git.kernel.org/stable/c/3481d4372ae34243f7025925314385b852c50f7e","https://git.kernel.org/stable/c/a8f91ddf67f669f547bb9fb559738da6f8ee2cf3"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T14:16:41","euvd":null},{"cve_id":"CVE-2026-53334","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/reclaim: handle ctx allocation failure\n\nPatch series \"mm/damon/{reclaim,lru_sort}: handle ctx allocation failures\".\n\nDAMON_RECLAIM and DAMON_LRU_SORT could dereference NULL pointers if their\ndamon_ctx object allocations fail.  The bugs are expected to happen\ninfrequently because the allocations are arguably too small to fail on\ncommon setups.  But theoretically they are possible and the consequences\nare bad.  Fix those.\n\nThe issues were discovered [1] by Sashiko.\n\n\nThis patch (of 2):\n\nDAMON_RECLAIM allocates the damon_ctx object for its kdamond in its init\nfunction.  damon_reclaim_enabled_store() wrongly assumes the allocation\nwill always succeed once tried.  If the damon_ctx allocation was failed,\ntherefore, code execution reaches to damon_commit_ctx() while 'ctx' is\nNULL.  As a result, it dereferences the NULL 'ctx' pointer.  Avoid the\nNULL dereference by returning -ENOMEM if 'ctx' is NULL.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/635b45ce61de53a9357e28ac97461428cdb650f0","https://git.kernel.org/stable/c/66bc00ea37fa8ec14be5a3909d067a5967ef234b","https://git.kernel.org/stable/c/7e2ed8a29427af534bf2cb9b8bc51762b8b6e654"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T14:16:41","euvd":null},{"cve_id":"CVE-2026-53335","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/lru_sort: handle ctx allocation failure\n\nDAMON_LRU_SORT allocates the damon_ctx object for its kdamond in its init\nfunction.  damon_lru_sort_enabled_store() wrongly assumes the allocation\nwill always succeed once tried.  If the damon_ctx allocation was failed,\ntherefore, code execution reaches to damon_commit_ctx() while 'ctx' is\nNULL.  As a result, it dereferences the NULL 'ctx' pointer.  Avoid the\nNULL dereference by returning -ENOMEM if 'ctx' is NULL.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/6d48f15659395bf1381114f01be91bc68e0be46a","https://git.kernel.org/stable/c/ab04340b5ae5d52c1d46b750538febcde9d889e7","https://git.kernel.org/stable/c/daab1996431a71f43219dcac48ecc9ad2aad3f1c"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T14:16:41","euvd":null},{"cve_id":"CVE-2026-53336","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnvmem: layouts: onie-tlv: fix hang on unknown types\n\nThe EEPROM on my board has a vendor specific entry of type 0x41. When\nstumbling upon that, this driver hangs in an endless loop.\n\nFix it by keep incrementing the offset on unknown entries, so the loop\nwill eventually stop.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/033d498b0f473c6456be5f885be172024ad84972","https://git.kernel.org/stable/c/4a4d21f531ccf5bb333d99b620e0d66551f3652c","https://git.kernel.org/stable/c/4f27eb01619c36cc8e3ce9a2a9af97f145f5d1c6","https://git.kernel.org/stable/c/ea41020b9018e31c2ea7e9d89021e3e6d7470883","https://git.kernel.org/stable/c/fd47edeabadfaa75422009dc5894e92c4c697517"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T14:16:41","euvd":null},{"cve_id":"CVE-2026-53337","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bonding: fix NULL pointer dereference in bond_do_ioctl()\n\nIn bond_do_ioctl(), slave_dev is obtained via __dev_get_by_name() which\ncan return NULL if the requested interface name does not exist. However,\nthe subsequent slave_dbg() call is placed before the NULL check:\n\n    slave_dev = __dev_get_by_name(net, ifr->ifr_slave);\n    slave_dbg(bond_dev, slave_dev, \"slave_dev=%p:\\n\", slave_dev); //here\n    if (!slave_dev)\n        return -ENODEV;\n\nThe slave_dbg() macro expands to netdev_dbg(bond_dev, \"(slave %s): \" fmt,\n(slave_dev)->name, ...) which unconditionally dereferences slave_dev->name\nbefore the NULL check is performed. This results in a NULL pointer\ndereference kernel oops when a user calls bonding ioctl (e.g.\nSIOCBONDENSLAVE, SIOCBONDRELEASE, etc.) with a non-existent slave\ninterface name.\n\nThis is reachable from userspace via the bonding ioctl interface with\nCAP_NET_ADMIN capability, making it a potential local denial-of-service\nvector.\n\nFix by moving the slave_dbg() call after the NULL check.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1b7558c85493467b2ea20738866b822db6442034","https://git.kernel.org/stable/c/66693957bacd1c9dae6188a7312d6be69a221f2d","https://git.kernel.org/stable/c/a629418d463fb50d132a1aa063b0105857311e5f","https://git.kernel.org/stable/c/a764b0e8317a863006e05732e1aefe821b9d8c2d","https://git.kernel.org/stable/c/b02b2e3e876c18733b868a29064abd11cdbf8feb","https://git.kernel.org/stable/c/b0878106ddc486375084145848ff255dedfff46a","https://git.kernel.org/stable/c/bcb8fad90f27300add583a8371db504b766d95c7","https://git.kernel.org/stable/c/c2cfe290fdb1c32a4f4eb2b8ca3f363b305d21ba"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T14:16:41","euvd":null},{"cve_id":"CVE-2026-53338","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: airoha: Add NULL check for of_reserved_mem_lookup() in airoha_qdma_init_hfwd_queues()\n\nof_reserved_mem_lookup() may return NULL if the reserved memory region\nreferenced by the \"memory-region\" phandle is not found in the reserved\nmemory table (e.g. due to a misconfigured DTS or a removed\nmemory-region node).  The current code dereferences the returned\npointer without checking for NULL, leading to a kernel NULL pointer\ndereference at the following lines:\n\n    dma_addr = rmem->base;                          // line 1156\n    num_desc = div_u64(rmem->size, buf_size);       // line 1160\n\nAdd a NULL check after of_reserved_mem_lookup() and return -ENODEV if\nthe lookup fails, which is consistent with the existing error handling\nfor of_parse_phandle() failure in the same code block.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/01f7d4b504580664d36faea5671cde5e3f0d8a5b","https://git.kernel.org/stable/c/cdb96c42db7b256348f9b57718debfaa4bca6b39","https://git.kernel.org/stable/c/f9f25118faa4dd2b6e3d14a03d123bbdbd59925d"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T14:16:41","euvd":null},{"cve_id":"CVE-2026-53339","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: qcom-cci: Fix NULL pointer dereference in cci_remove()\n\nOn all modern platforms Qualcomm CCI controller provides two I2C masters,\nand on particular boards only one I2C master may be initialized, and in\nsuch cases the device unbinding or driver removal causes a NULL pointer\ndereference, because cci_halt() is called for all two I2C masters, but\na completion is initialized only for the single enabled master:\n\n    % rmmod i2c-qcom-cci\n    Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n    <snip>\n    Call trace:\n    __wait_for_common+0x194/0x1a8 (P)\n    wait_for_completion_timeout+0x20/0x2c\n    cci_remove+0xc4/0x138 [i2c_qcom_cci]\n    platform_remove+0x20/0x30\n    device_remove+0x4c/0x80\n    device_release_driver_internal+0x1c8/0x224\n    driver_detach+0x50/0x98\n    bus_remove_driver+0x6c/0xbc\n    driver_unregister+0x30/0x60\n    platform_driver_unregister+0x14/0x20\n    qcom_cci_driver_exit+0x18/0x1008 [i2c_qcom_cci]\n    ....","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/4cd206c1d57a9370d5219f7b1fc45169d7bdf951","https://git.kernel.org/stable/c/4d2b4a9cda6837e5ee1de1290f2e773a713b71e9","https://git.kernel.org/stable/c/7107627b8b35015027201e7a095a3f6e30b4a46f","https://git.kernel.org/stable/c/729ac5a4b966aac42e08a94dea966f4429008548","https://git.kernel.org/stable/c/8ce7ff721a5e9d06d53ef65d01c89fce6d26d6ff","https://git.kernel.org/stable/c/a162a260c8c4db7501c65220e76913e8e351f823","https://git.kernel.org/stable/c/a50b8adb9cdb9a495b0b45583956897b7411ed7a","https://git.kernel.org/stable/c/e8669d12da0ade52adfe0abe96cd99e708abc9bd"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T14:16:41","euvd":null},{"cve_id":"CVE-2026-53326","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndebugobjects: Don't call fill_pool() in early boot hardirq context\n\nWhen booting a debug PREEMPT_RT kernel on an ARM64 system, a \"inconsistent\n{HARDIRQ-ON-W} -> {IN-HARDIRQ-W} usage\" lockdep warning message was\nreported to the console.\n\nDuring early boot, interrupts are enabled before the scheduler is\nenabled. In this window (before SYSTEM_SCHEDULING is set) interrupts can\nfire and in the hard interrupt context handler attempt to fill the pool\n\nThis can lead to a deadlock when the interrupt occurred when the interrupt\nhits a region which holds a lock that is required to be taken in the\nallocation path.\n\nAdd a new can_fill_pool() helper and reorder the exception rule and forbid\nthis scenario by excluding allocations from hard interrupt context.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0d046ae106255cba5eb83b23f78ee93f3620247d","https://git.kernel.org/stable/c/44b8b03a9fb5c575548fc72c674653d6baba142a","https://git.kernel.org/stable/c/7bc71bdb1c1526c7f02a6adab324394ff1327b0a"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T14:16:40","euvd":null},{"cve_id":"CVE-2026-53327","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndebugobjects: Do not fill_pool() if pi_blocked_on\n\nOn RT enabled kernels, fill_pool() ends up calling rtlock_lock(), which\nasserts if current::pi_blocked_on is set, because a task can obviously only\nblock on one lock as otherwise the priority inheritenace chain gets\ncorrupted.\n\nPrevent this by expanding the conditional to take current::pi_blocked_on\ninto account.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/33bee10644f8fff3b1a0187ad5ad34513e5e8e72","https://git.kernel.org/stable/c/3a408cae608d9c075dd3a9e5cfc03b3cb0726863","https://git.kernel.org/stable/c/5f41161059fd0f1bbf18c90f3180e38cc45a14eb"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T14:16:40","euvd":null},{"cve_id":"CVE-2026-53328","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nsched_ext: Don't warn on NULL cgrp_moving_from in scx_cgroup_move_task()\n\nA WARN fires when systemd's user manager writes \"+cpu +memory +pids\" to\nits own subtree_control while a sched_ext scheduler is loaded:\n\n  WARNING: at kernel/sched/ext.c:3227 scx_cgroup_move_task+0xa8/0xb0\n   scx_cgroup_move_task+0xa8/0xb0\n   sched_move_task+0x134/0x290\n   cpu_cgroup_attach+0x39/0x70\n   cgroup_migrate_execute+0x37d/0x450\n   cgroup_update_dfl_csses+0x1e3/0x270\n   cgroup_subtree_control_write+0x3e7/0x440\n\nscx_cgroup_can_attach() arms cgrp_moving_from only when a task's cpu\ncgroup changes. It can still be NULL when scx_cgroup_move_task() runs,\nthrough this sequence:\n\n  Step                               Result\n  ---------------------------------  ----------------------------------\n  1. cpu enabled on cgroup G         cpu css = A\n  2. cpu toggled off then on for G   A killed, B created (same cgroup)\n  3. an exiting task keeps A alive   migration skips it, A now stale\n  4. +memory migrates G              stale A vs current B pulls cpu in\n  5. cpu attach runs for all tasks   hits a live, cpu-unchanged task\n  6. scx_cgroup_move_task() on it    cgrp_moving_from NULL -> WARN\n\nThe mismatch is that scx_cgroup_can_attach() keys on cgroup identity\nwhile migration drives the move on css identity, so a NULL cgrp_moving_from\nhere is a legitimate css-only migration, not a missing prep.\n\nThe call is already gated on cgrp_moving_from, so just drop the warning.\nops.cgroup_prep_move() and ops.cgroup_move() stay paired.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/02e545c4297a26dbbc41df81b831e7f605bcd306","https://git.kernel.org/stable/c/0ffcad63b19a1cadb475c9f405a93607fdcd0d7c","https://git.kernel.org/stable/c/bc75f5951fac4e49d175c4433fc08fb1ec01172f","https://git.kernel.org/stable/c/cdff2eb97be147d2ce52ac1327841068781f25dc"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T14:16:40","euvd":null},{"cve_id":"CVE-2026-53329","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Use krealloc_array() in dal_vector_reserve()\n\n[Why & How]\ndal_vector_reserve() computes the allocation size as\n\"capacity * vector->struct_size\" using uint32_t arithmetic, which can\nsilently wrap to a small value on overflow. This would cause krealloc to\nreturn a smaller buffer than expected, leading to heap overflows on\nsubsequent vector appends.\n\nReplace krealloc() with krealloc_array() which performs an internal\noverflow check and returns NULL on wrap, preventing the issue.\n\n(cherry picked from commit 37668568641ccc4cc1dbca4923d0a16609dd5707)","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/201151e120f0062bcda21cad5d007b82725ad23b","https://git.kernel.org/stable/c/31180638a33acad12c863132704a76536fb66211","https://git.kernel.org/stable/c/a914aa802669e073f014dae2e5708633b5cecd34","https://git.kernel.org/stable/c/b15825deac1acff72638bbc8f05b89ceef8dfb13","https://git.kernel.org/stable/c/da48bc4461b8a5ebfb9264c9b191a701d8e99009","https://git.kernel.org/stable/c/de988c7a31f0774f07894cfe4802996f318e2870","https://git.kernel.org/stable/c/e09689286385a66311ac6922af95339d7a3cef8d"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T14:16:40","euvd":null},{"cve_id":"CVE-2026-53330","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix out-of-bounds read in dp_get_eq_aux_rd_interval()\n\n[Why & How]\nThe aux_rd_interval array in struct dc_lttpr_caps is declared with\nMAX_REPEATER_CNT - 1 (7) elements, indexed 0..6. However, the offset\nparameter passed to dp_get_eq_aux_rd_interval() can be as large as\nMAX_REPEATER_CNT (8) when a sink reports 8 LTTPR repeaters via DPCD.\nThis leads to an out-of-bounds read of aux_rd_interval[7] when offset\nis 8.\n\nFix this by growing aux_rd_interval to MAX_REPEATER_CNT elements to\naccommodate the full range of valid repeater counts defined by the DP\nspec.\n\n(cherry picked from commit a55a458a8df37a65ffda5cf721d554a8f74f6b04)","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/454d3b3d499c18373f8960d31aea48338a3ca9e0","https://git.kernel.org/stable/c/dc1490927d79fe9621e29f4a4f5d7b5ccb6aea3e","https://git.kernel.org/stable/c/e8b4d37eba05141ee01794fc6b7f2da808cee83b"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T14:16:40","euvd":null},{"cve_id":"CVE-2026-53331","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nslimbus: qcom-ngd-ctrl: Avoid ABBA on tx_lock/ctrl->lock\n\nDuring the SSR/PDR down notification the tx_lock is taken with the\nintent to provide synchronization with active DMA transfers.\n\nBut during this period qcom_slim_ngd_down() is invoked, which ends up in\nslim_report_absent(), which takes the slim_controller lock. In multiple\nother codepaths these two locks are taken in the opposite order (i.e.\nslim_controller then tx_lock).\n\nThe result is a lockdep splat, and a possible deadlock:\n\n  rprocctl/449 is trying to acquire lock:\n  ffff00009793e620 (&ctrl->lock){+.+.}-{4:4}, at: slim_report_absent (drivers/slimbus/core.c:322) slimbus\n\n  but task is already holding lock:\n  ffff00009793fb50 (&ctrl->tx_lock){+.+.}-{4:4}, at: qcom_slim_ngd_ssr_pdr_notify (drivers/slimbus/qcom-ngd-ctrl.c:1475) slim_qcom_ngd_ctrl\n\n  which lock already depends on the new lock.\n\n  Possible unsafe locking scenario:\n\n        CPU0                    CPU1\n        ----                    ----\n   lock(&ctrl->tx_lock);\n                                lock(&ctrl->lock);\n                                lock(&ctrl->tx_lock);\n   lock(&ctrl->lock);\n\nThe assumption is that the comment refers to the desire to not call\nqcom_slim_ngd_exit_dma() while we have an ongoing DMA TX transaction.\nBut any such transaction is initiated and completed within a single\nqcom_slim_ngd_xfer_msg().\n\nPrior to calling qcom_slim_ngd_exit_dma() the slim_controller is torn\ndown, all child devices are notified that the slimbus is gone and the\nchild devices are removed.\n\nStop taking the tx_lock in qcom_slim_ngd_ssr_pdr_notify() to avoid the\ndeadlock.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/3d1561537237c6cc1db76155183d8bbdac2339f0","https://git.kernel.org/stable/c/55f2ea9ff83cc27a85526b14bc9b32f96a08d6ec","https://git.kernel.org/stable/c/9708eb50fd7343145b422be852f890212155d845","https://git.kernel.org/stable/c/9f0d45d509b434c54da10e01f4ef8086e4583401","https://git.kernel.org/stable/c/aad4337a21b9ad3ae8d668fa8678d05e26ecbaa8","https://git.kernel.org/stable/c/d54a221b0f3cd9e1f03f18104be34e02a8258fae","https://git.kernel.org/stable/c/dc4d5c57e012c2c669793deb1515a57bbc6bf5dd"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T14:16:40","euvd":null},{"cve_id":"CVE-2026-13603","summary":"The payment integration pretix-oppwa provides support \nfor the payment providers VR Payment, Hobex, and potentially others \nbased on Oppwa's technology. The integration of Oppwa, following their \nofficial documentation, includes a step where the user is redirected \nfrom the payment provider back to our system with a query parameter like\n ?resourcePath=/v1/checkouts/{checkoutId}/payment in the URL. Our system is then supposed to fetch the status of the transaction from the URL given by baseUrl + resourcePath.\n\n\n\nOur plugin pretix-oppwa did so insecurely by \nconcatenating the parameter form the URL to the base domain of the API \nwithout further validation and, critically, without a / at the end of the baseUrl. Therefore, an attacker could inject a resourcePath argument in a way that causes pretix to call a different\n server instead. Since the request includes the access token (API key) \nof the Oppwa account, this would leak the access token, giving access to\n data contained in the payment provider's system. This is fixed with the\n release today by strictly validating the given API URL.\n\n\n\n\n\n\n\n\n\nAfter installing the update, we recommend asking your payment provider for a new access token and updating it in pretix.","cvss":9.0,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":9.0,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://pretix.eu/about/en/blog/20260701-release-2026-5-3/"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T14:16:31","euvd":null},{"cve_id":"CVE-2026-8387","summary":"A vulnerability in allegroai/clearml versions up to and including 1.16.5 allows for relative path traversal when extracting `.zip` archives using the `ZipFile.extractall()` method in `StorageManager._extract_to_cache()`. This issue arises due to the lack of path traversal validation, enabling an attacker to write arbitrary files to the filesystem. Attack vectors include dataset downloads, artifact downloads, model downloads, and offline session imports. The vulnerability can lead to remote code execution through methods such as cron job injection, SSH key overwrite, or web shell deployment. The issue is resolved in version 2.1.6.","cvss":2.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":2.4,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/allegroai/clearml/commit/4fd611c564256e4f294a6db133705120f203f476","https://huntr.com/bounties/0f69bb0b-728e-411c-8676-8f2dfaf238db","https://huntr.com/bounties/0f69bb0b-728e-411c-8676-8f2dfaf238db"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T13:17:54","euvd":null},{"cve_id":"CVE-2026-5120","summary":"A Race Condition vulnerability affecting BIOVIA Workbook from Release 2021 through Release 2026 could allow a user to access unauthorized data from another user.","cvss":8.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.3ds.com/trust-center/security/security-advisories/cve-2026-5120"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T13:17:48","euvd":null},{"cve_id":"CVE-2026-53909","summary":"MCO does not correctly validate types of uploaded files. File upload validation functionality relies only on client-side checks, which can be bypassed. An authorized, low-privileged attacker can upload files with arbitrary types to the server.\n\nBecause vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 25.3.3.1 but may also affect other versions.","cvss":5.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":5.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://cert.pl/en/posts/2026/07/CVE-2026-53902","https://mco.mycomplianceoffice.com/"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T13:17:46","euvd":null},{"cve_id":"CVE-2026-53902","summary":"MCO does not properly enforce authorization checks in the /customer/servlet/mco/webapi/profile-sections/group-membership endpoint. An authenticated user can modify their group membership without proper authorization checks, allowing privilege escalation.\nAn attacker can add themselves to arbitrary groups by supplying a valid group ID, which can be obtained via other application functionalities (e.g. /customer/servlet/mco/webapi/group/picker/groups), provided he has necessary permissions, or potentially inferred through brute-force techniques.\n\n\n\nBecause vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 25.3.3.1 but may also affect other versions.","cvss":7.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":7.1,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://cert.pl/en/posts/2026/07/CVE-2026-53902","https://mco.mycomplianceoffice.com/"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T13:17:45","euvd":null},{"cve_id":"CVE-2026-53903","summary":"MCO is vulnerable to an Insecure Direct Object Reference (IDOR) vulnerability in the /customer/servlet/mco/webapi/trading-document/fetchPdfStatement endpoint. The application does not properly validate whether an authenticated user is authorized to access a requested document, allowing direct retrieval based on a user-supplied identifier.\nAn attacker can access trading documents belonging to other users by providing a valid document ID. Although exploitation requires guessing the identifier, predictable ID patterns enable feasible enumeration, leading to unauthorized disclosure of sensitive information.\n\nBecause vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 25.3.3.1 but may also affect other versions.","cvss":5.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":5.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://cert.pl/en/posts/2026/07/CVE-2026-53902","https://mco.mycomplianceoffice.com/"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T13:17:45","euvd":null},{"cve_id":"CVE-2026-53904","summary":"MCO is vulnerable to Account Denial of Service due to improper implementation of password reset functionality. Each password reset request invalidates previously set password as well as previously issued temporary passwords, furthermore, password resets are not limited in any way. An attacker who provides victim's email and answer to their security question, can successfully initiate the reset process and continuously invalidate credentials, effectively locking the victim out of their account. Answering security questions has a limited number of tries which lowers the risk of this vulnerability.\n\nBecause vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 25.3.3.1 but may also affect other versions.","cvss":6.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":6.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://cert.pl/en/posts/2026/07/CVE-2026-53902","https://mco.mycomplianceoffice.com/"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T13:17:45","euvd":null},{"cve_id":"CVE-2026-53905","summary":"MCO does not properly enforce authorization checks in the /customer/servlet/mco/webapi/admin-view-hierarchy/get-acl-tree-structure endpoint. An authenticated, low-privileged user can retrieve administrator access control structures without proper authorization checks.\nThis may expose sensitive permission mappings and internal configuration details.\n\nBecause vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 25.3.3.1 but may also affect other versions.","cvss":5.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":5.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://cert.pl/en/posts/2026/07/CVE-2026-53902","https://mco.mycomplianceoffice.com/"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T13:17:45","euvd":null},{"cve_id":"CVE-2026-53906","summary":"MCO is vulnerable to Path Disclosure and Path Traversal in file handling functionality related to data export and upload. Improper validation of the filename parameter allows writing files to arbitrary locations as well as indirect disclosure of absolute server paths through error messages.\n\nBecause vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 25.3.3.1 but may also affect other versions.","cvss":5.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":5.1,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://cert.pl/en/posts/2026/07/CVE-2026-53902","https://mco.mycomplianceoffice.com/"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T13:17:45","euvd":null},{"cve_id":"CVE-2026-53907","summary":"MCO is vulnerable to Stored Cross‑Site Scripting (XSS) via the application logo upload functionality. An attacker with the ability to change the application logo can upload a crafted SVG file containing malicious JavaScript code that is executed when the logo is rendered or opened.\n\nBecause vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 25.3.3.1 but may also affect other versions.","cvss":4.8,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":4.8,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://cert.pl/en/posts/2026/07/CVE-2026-53902","https://mco.mycomplianceoffice.com/"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T13:17:45","euvd":null},{"cve_id":"CVE-2026-53908","summary":"MCO is vulnerable to User Enumeration through authentication-related functionalities. The application returns distinguishable responses for valid and invalid users during username reminder and password reset operations. An attacker can leverage these differences to enumerate valid usernames and email addresses.\n\nBecause vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 25.3.3.1 but may also affect other versions.","cvss":6.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":6.9,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://cert.pl/en/posts/2026/07/CVE-2026-53902","https://mco.mycomplianceoffice.com/"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T13:17:45","euvd":null},{"cve_id":"CVE-2026-13323","summary":"In Open VSX Registry before 1.0.2, the /vscode/unpkg/ endpoint serves user-supplied HTML files with Content-Type: text/html and without a Content-Security-Policy or Content-Disposition: attachment response header. An unauthenticated attacker can register a publisher account, upload a VSIX containing a crafted HTML payload, and induce an authenticated user to visit the resulting URL. The browser renders the file inline in the open-vsx.org origin context, enabling session token exfiltration, persistent Personal Access Token (PAT) generation, and unauthorized publication of malicious extension versions. Because Open VSX extensions are distributed to VS Code, VSCodium, Cursor, Windsurf, and compatible editors, a compromised extension update constitutes a supply chain attack against all downstream users.","cvss":4.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/eclipse-openvsx/openvsx/pull/1922","https://gitlab.eclipse.org/security/vulnerability-reports/-/work_items/485","https://gitlab.eclipse.org/security/vulnerability-reports/-/work_items/485"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T12:16:38","euvd":null},{"cve_id":"CVE-2026-14181","summary":"@fastify/middie versions 9.1.0 through 9.3.2 fail to guard the URL normalization step used by the standalone engine when incoming request paths contain malformed percent-encoded sequences. Inputs such as an incomplete percent escape or a truncated multibyte sequence cause the underlying decoder to throw synchronously, and the exception escapes the middie normalize step and terminates the Node.js process. The bypass affects applications that call middie.run directly on the standalone engine API, causing an immediate denial of service for all connected clients until restart. Applications using the Fastify plugin path are not affected because Fastifys error handler catches the exception. Patches: upgrade to @fastify/middie 9.3.3. Workarounds: migrate from the standalone engine API to the Fastify plugin path, where the framework error handler catches the exception.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://cna.openjsf.org/security-advisories.html","https://github.com/fastify/middie/security/advisories/GHSA-qcc9-jh8q-47vh"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T12:16:38","euvd":null},{"cve_id":"CVE-2026-14198","summary":"@fastify/middie versions 9.1.0 through 9.3.2 decode the encoded slash %2F inside path parameter values before matching middleware paths, while Fastify's underlying router preserves the encoding during route lookup. The two layers disagree on the canonical request path, so the middleware fails to match a URL that the route handler does match. When middleware is used for authentication, authorization, rate limiting, or auditing on parameterized paths, an attacker can reach the protected handler by sending a single crafted URL with an encoded slash in the parameter position. The bypass is HTTP method agnostic and requires no authentication or special preconditions. Patches: upgrade to @fastify/middie 9.3.3. Workarounds: avoid parameterized middleware paths for security decisions, or enforce authentication at the route handler or via a Fastify hook that runs after the router has resolved the request.","cvss":9.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://cna.openjsf.org/security-advisories.html","https://github.com/fastify/middie/security/advisories/GHSA-2v46-jxjm-7q3v"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T12:16:38","euvd":null},{"cve_id":"CVE-2026-13228","summary":"The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation to Administrator in versions up to, and including, 5.6.3 This is due to an Insecure Direct Object Reference (IDOR) in the create_or_update() function of OsOrdersController, which allows an authenticated Agent to supply an arbitrary order[customer_id] and overwrite any LatePoint customer's email field (including one linked to a WordPress Administrator's account) through the public-scope customer set_data() call, combined with a missing role verification in OsAuthHelper::authorize_customer() which logs in the linked WordPress user without checking its role. This makes it possible for authenticated attackers, with custom (Agent)-level access and above, to elevate their privileges to Administrator.","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/latepoint/tags/5.6.2/lib/controllers/orders_controller.php#L112","https://plugins.trac.wordpress.org/browser/latepoint/tags/5.6.2/lib/controllers/orders_controller.php#L127","https://plugins.trac.wordpress.org/browser/latepoint/tags/5.6.2/lib/controllers/orders_controller.php#L137","https://plugins.trac.wordpress.org/browser/latepoint/tags/5.6.2/lib/helpers/auth_helper.php#L256","https://plugins.trac.wordpress.org/changeset/3590914/latepoint/trunk/lib/controllers/orders_controller.php","https://plugins.trac.wordpress.org/changeset?old_path=%2Flatepoint/tags/5.6.3&new_path=%2Flatepoint/tags/5.6.4","https://www.wordfence.com/threat-intel/vulnerabilities/id/8f9db3b8-dd37-4d8b-b041-50b453858a39?source=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T11:16:25","euvd":null},{"cve_id":"CVE-2026-14258","summary":"A flaw was found in dhcpcd's IPv6 Neighbor Discovery Router Advertisement processing. A specially crafted IPv6 Router Advertisement containing a zero-length Neighbor Discovery option can bypass validation during packet storage and later be reparsed without adequate validation, causing the parser to enter a non-advancing loop. Successful exploitation may result in excessive CPU consumption, leading to a denial of service.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://access.redhat.com/security/cve/CVE-2026-14258","https://bugzilla.redhat.com/show_bug.cgi?id=2462305","https://github.com/NetworkConfiguration/dhcpcd/commit/75289ca","https://github.com/NetworkConfiguration/dhcpcd/issues/415","https://github.com/NetworkConfiguration/dhcpcd/issues/415"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T11:16:25","euvd":null},{"cve_id":"CVE-2026-12142","summary":"The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via '_name[]' Array Parameter in all versions up to, and including, 9.2.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The wp_kses() output filtering pass provides no mitigation because NEXForms_allowed_tags() explicitly permits &lt;script&gt;, &lt;iframe src/srcdoc&gt;, and JS event handlers such as onClick, onBlur, and onChange in its allow-list.","cvss":7.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.2,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/9.1.10/includes/classes/class.db.php#L2660","https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/9.1.10/includes/classes/class.db.php#L2809","https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/9.1.10/includes/classes/class.functions.php#L2343","https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/9.1.10/main.php#L2660","https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/9.1.10/main.php#L2720","https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/9.1.10/main.php#L2903","https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/9.2.2/includes/classes/class.db.php#L2660","https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/9.2.2/includes/classes/class.db.php#L2809","https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/9.2.2/includes/classes/class.functions.php#L2343","https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/9.2.2/main.php#L2660","https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/9.2.2/main.php#L2720","https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/9.2.2/main.php#L2903","https://plugins.trac.wordpress.org/changeset?old_path=%2Fnex-forms-express-wp-form-builder/tags/9.2.2&new_path=%2Fnex-forms-express-wp-form-builder/tags/9.2.3","https://www.wordfence.com/threat-intel/vulnerabilities/id/da235dea-4884-4e6a-a8b8-65d34f050684?source=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T11:16:24","euvd":null},{"cve_id":"CVE-2026-10095","summary":"The WP Photo Album Plus plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'subtext' parameter in all versions up to, and including, 9.1.13.005 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. A contributor-level attacker can embed the malicious [photo] shortcode in a post submitted for review, causing the stored payload to execute when an administrator or any other user views the post.","cvss":6.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.4,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/wp-photo-album-plus/tags/9.1.09.005/wppa-filter.php#L1151","https://plugins.trac.wordpress.org/browser/wp-photo-album-plus/tags/9.1.09.005/wppa-filter.php#L1301","https://plugins.trac.wordpress.org/browser/wp-photo-album-plus/tags/9.1.09.005/wppa-filter.php#L1320","https://plugins.trac.wordpress.org/browser/wp-photo-album-plus/tags/9.1.09.005/wppa-functions.php#L4291","https://plugins.trac.wordpress.org/browser/wp-photo-album-plus/tags/9.1.13.005/wppa-filter.php#L1151","https://plugins.trac.wordpress.org/browser/wp-photo-album-plus/tags/9.1.13.005/wppa-filter.php#L1301","https://plugins.trac.wordpress.org/browser/wp-photo-album-plus/tags/9.1.13.005/wppa-filter.php#L1320","https://plugins.trac.wordpress.org/browser/wp-photo-album-plus/tags/9.1.13.005/wppa-functions.php#L4291","https://plugins.trac.wordpress.org/changeset/3557877/wp-photo-album-plus/trunk/wppa-filter.php","https://plugins.trac.wordpress.org/changeset?old_path=%2Fwp-photo-album-plus/tags/9.1.13.005&new_path=%2Fwp-photo-album-plus/tags/9.2.01.001","https://www.wordfence.com/threat-intel/vulnerabilities/id/59f914e2-a671-46cc-a2b8-664816639f3e?source=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T11:16:21","euvd":null},{"cve_id":"CVE-2026-27435","summary":"Missing Authorization vulnerability in WofficeIO Woffice allows Exploiting Incorrectly Configured Access Control Security Levels.\n\nThis issue affects Woffice: from n/a before 5.4.33.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00242,"ranking_epss":0.15268,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/theme/woffice/vulnerability/wordpress-woffice-theme-5-4-31-broken-access-control-vulnerability?_s_id=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T10:16:28","euvd":null},{"cve_id":"CVE-2026-13454","summary":"The MotoPress Appointment Booking plugin for WordPress is vulnerable to generic SQL Injection via the 's' parameter in all versions up to, and including, 2.4.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with custom-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Exploitation requires the mpa_appointment_employee custom role, meaning any user assigned this role can perform the attack.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00361,"ranking_epss":0.28076,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/motopress-appointment-lite/tags/2.4.3/includes/admin-pages/manage/ManageBookingsPage.php#L247","https://plugins.trac.wordpress.org/browser/motopress-appointment-lite/tags/2.4.3/includes/admin-pages/manage/ManageBookingsPage.php#L310","https://plugins.trac.wordpress.org/browser/motopress-appointment-lite/tags/2.4.5/includes/admin-pages/manage/ManageBookingsPage.php#L247","https://plugins.trac.wordpress.org/browser/motopress-appointment-lite/tags/2.4.5/includes/admin-pages/manage/ManageBookingsPage.php#L310","https://plugins.trac.wordpress.org/changeset/3591693/motopress-appointment-lite/trunk/includes/admin-pages/manage/ManageBookingsPage.php","https://www.wordfence.com/threat-intel/vulnerabilities/id/64e4d51a-7b65-4fba-9742-bc7d23f46f8d?source=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T10:16:27","euvd":null},{"cve_id":"CVE-2026-12754","summary":"The VikBooking Hotel Booking Engine & PMS plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'layoutstyle' parameter in all versions up to, and including, 1.8.12 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. Exploitation requires the targeted page to render the [vikbooking view=\"roomslist\"] shortcode, as the vulnerable layoutstyle parameter is only processed in that view context.","cvss":6.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.1,"cvss_v4":null,"epss":0.00293,"ranking_epss":0.21022,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/vikbooking/tags/1.8.12/libraries/adapter/input/filter.php#L385","https://plugins.trac.wordpress.org/browser/vikbooking/tags/1.8.12/site/views/roomslist/tmpl/default.php#L26","https://plugins.trac.wordpress.org/browser/vikbooking/tags/1.8.12/site/views/roomslist/tmpl/default.php#L46","https://plugins.trac.wordpress.org/browser/vikbooking/tags/1.8.13/site/views/roomslist/tmpl/default.php#L46","https://www.wordfence.com/threat-intel/vulnerabilities/id/6d126213-e342-4271-aca0-5cc47214ae8b?source=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T10:16:26","euvd":null},{"cve_id":"CVE-2026-12435","summary":"The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.4.111. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to mark or unmark any other user's car listing as sold by replaying a valid nonce harvested from their own listing against an arbitrary victim post ID, triggering a site-wide 'Sold' badge on the victim's listing and silently stripping its special_car featured post meta as a side effect. Exploitation requires the attacker to hold an active listing of their own (obtainable by a Subscriber via the plugin's add-listing form) in order to harvest a valid nonce for the 'stm_mark_as_sold_car' action, which can then be replayed against any other listing's post ID.","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00232,"ranking_epss":0.14049,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/motors-car-dealership-classified-listings/tags/1.4.108/includes/vehicle_functions.php#L2400","https://plugins.trac.wordpress.org/browser/motors-car-dealership-classified-listings/tags/1.4.108/includes/vehicle_functions.php#L2402","https://plugins.trac.wordpress.org/browser/motors-car-dealership-classified-listings/tags/1.4.108/templates/listing-cars/listing-list-owner-actions.php#L74","https://plugins.trac.wordpress.org/browser/motors-car-dealership-classified-listings/tags/1.4.110/includes/vehicle_functions.php#L2400","https://plugins.trac.wordpress.org/browser/motors-car-dealership-classified-listings/tags/1.4.110/includes/vehicle_functions.php#L2402","https://plugins.trac.wordpress.org/browser/motors-car-dealership-classified-listings/tags/1.4.110/templates/listing-cars/listing-list-owner-actions.php#L74","https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3577332%40motors-car-dealership-classified-listings&new=3577332%40motors-car-dealership-classified-listings&sfp_email=&sfph_mail=","https://www.wordfence.com/threat-intel/vulnerabilities/id/5238c344-d685-4eab-822c-d3c1050cc982?source=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T08:16:21","euvd":null},{"cve_id":"CVE-2026-12575","summary":"DVP80ES3 with \nImproper Resource Shutdown or Release vulnerability.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00263,"ranking_epss":0.17663,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2026-00009_DVP80ES3%20Multiple%20Vulnerabilities_v1%20(CVE-2026-12575,%2012576,%2012577).pdf"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T08:16:21","euvd":null},{"cve_id":"CVE-2026-12576","summary":"DVP80ES3 with Improper Enforcement of Message Integrity During Transmission in a Communication Channel vulnerability.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00153,"ranking_epss":0.04881,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2026-00009_DVP80ES3%20Multiple%20Vulnerabilities_v1%20(CVE-2026-12575,%2012576,%2012577).pdf"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T08:16:21","euvd":null},{"cve_id":"CVE-2026-12577","summary":"DVP80ES3 with Improperly Implemented Security Check for Standard vulnerability.","cvss":8.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":8.7,"epss":0.00253,"ranking_epss":0.16569,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2026-00009_DVP80ES3%20Multiple%20Vulnerabilities_v1%20(CVE-2026-12575,%2012576,%2012577).pdf"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T08:16:21","euvd":null},{"cve_id":"CVE-2026-12732","summary":"The LearnPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class_wrapper_form' shortcode attribute in versions up to, and including, 4.4.0. This is due to insufficient input sanitization and output escaping in the FilterCourseTemplate::sections() method at line 98, where the attacker-controlled attribute is inserted into an HTML class attribute via sprintf('<form class=\"%s\">', $class_wrapper_form) without esc_attr() escaping. The FilterCourseShortcode::render() handler does not apply shortcode_atts() filtering, so raw user attributes flow directly through do_action('learn-press/filter-courses/layout', $data) into the template. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","cvss":6.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.4,"cvss_v4":null,"epss":0.00193,"ranking_epss":0.09236,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/learnpress/tags/4.4.0/inc/Shortcodes/Course/FilterCourseShortcode.php#L29","https://plugins.trac.wordpress.org/browser/learnpress/tags/4.4.0/inc/TemplateHooks/Course/FilterCourseTemplate.php#L98","https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3587186%40learnpress&new=3587186%40learnpress&sfp_email=&sfph_mail=","https://www.wordfence.com/threat-intel/vulnerabilities/id/09c8db69-60fa-4087-9096-5d34ce44f616?source=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T08:16:21","euvd":null},{"cve_id":"CVE-2026-13733","summary":"The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'no_data_msg' Shortcode Attribute in all versions up to, and including, 3.3.60 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Although wp_kses_post is applied to post content on save, it only strips HTML tokens and does not neutralize C-style escape sequences embedded within shortcode attribute values, meaning contributors can craft a payload that survives the kses filter and is silently reconstructed into a raw script tag at render time.","cvss":6.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.4,"cvss_v4":null,"epss":0.00206,"ranking_epss":0.10713,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/download-manager/tags/3.3.59/src/Package/Shortcodes.php#L37","https://plugins.trac.wordpress.org/browser/download-manager/tags/3.3.59/src/Package/Shortcodes.php#L398","https://plugins.trac.wordpress.org/browser/download-manager/tags/3.3.59/src/Package/views/all-packages-shortcode.php#L396","https://plugins.trac.wordpress.org/browser/download-manager/tags/3.3.60/src/Package/Shortcodes.php#L37","https://plugins.trac.wordpress.org/browser/download-manager/tags/3.3.60/src/Package/Shortcodes.php#L398","https://plugins.trac.wordpress.org/browser/download-manager/tags/3.3.60/src/Package/views/all-packages-shortcode.php#L396","https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3590868%40download-manager&new=3590868%40download-manager&sfp_email=&sfph_mail=","https://www.wordfence.com/threat-intel/vulnerabilities/id/ebf96aa9-2ee7-4411-8f43-3e8d023197bd?source=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T08:16:21","euvd":null},{"cve_id":"CVE-2026-50043","summary":"Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in SkyBridge MB-A100/MB-A110. If this vulnerability is exploited, an arbitrary OS command may be executed by an attacker who can log in to the product with an administrative privilege.","cvss":8.6,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.2,"cvss_v4":8.6,"epss":0.01129,"ranking_epss":0.62389,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://jvn.jp/en/jp/JVN20721579/","https://www.seiko-sol.co.jp/archives/94618/"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T08:16:21","euvd":null},{"cve_id":"CVE-2026-56016","summary":"CGI::Session::ID::md5 versions before 4.49 for Perl generate predictable session ids from low-entropy sources.\n\nThe generate_id method builds the session id from a MD5 digest of the process id, the epoch time, and the built-in rand() function. All three are predictable, low-entropy sources: the PID is drawn from a small range, the epoch time can be guessed or read from the HTTP Date header, and Perl's rand() is unsuitable for security purposes because it is predictable and reversible.\n\nAn attacker who predicts a session id can impersonate the corresponding session and bypass authentication.","cvss":5.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.9,"cvss_v4":null,"epss":0.00187,"ranking_epss":0.08495,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://metacpan.org/release/MARKSTOS/CGI-Session-4.49/changes","https://metacpan.org/release/MARKSTOS/CGI-Session-4.49/source/lib/CGI/Session/ID/md5.pm","http://www.openwall.com/lists/oss-security/2026/07/01/6"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T08:16:21","euvd":null},{"cve_id":"CVE-2026-10538","summary":"Messaging consumer functionality allows deserialization of user-controlled data without sufficient restriction of allowed object types in the out of support Control-M/Server and Control-M/Enterprise Manager versions 9.0.20.x and potentially earlier. This issue may allow an authenticated attacker to trigger unintended server-side behavior through crafted serialized content.","cvss":8.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":8.0,"cvss_v4":8.9,"epss":0.00246,"ranking_epss":0.15807,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=kA3cx000000GFKrCAO&type=Solution"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T08:16:20","euvd":null},{"cve_id":"CVE-2026-10539","summary":"A Control-M/Server communication command does not sufficiently filter or sanitize user-supplied input. Under certain conditions, this issue may allow an unauthenticated attacker to execute unauthorized commands on the affected server, potentially leading to compromise of the server. \n\n\n\nThis vulnerability affects Control-M/Server versions 9.0.20.x to 9.0.21.200 (included) and potentially earlier unsupported versions.","cvss":9.5,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":9.0,"cvss_v4":9.5,"epss":0.00235,"ranking_epss":0.14485,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=kA3cx000000GFZNCA4&type=Solution"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T08:16:20","euvd":null},{"cve_id":"CVE-2026-10540","summary":"The Control-M/Enterprise Manager uses weak protections for stored hashes of account passwords, potentially allowing offline password recovery attacks if credential data is obtained by an attacker. This vulnerability affects Control-M/Enterprise Manager unsupported versions 9.0.20.x and potentially earlier unsupported versions","cvss":5.6,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":5.6,"cvss_v4":5.6,"epss":0.00078,"ranking_epss":0.00177,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=kA3cx000000GFeDCAW&type=Solution"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T08:16:20","euvd":null},{"cve_id":"CVE-2026-11387","summary":"The SMS Alert – SMS & OTP for WooCommerce, Order Notifications & Abandoned Cart Recovery plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.9.5. This is due to the plugin not properly validating a user's identity prior to updating their details like reset the password of any user account, including administrators, and gain full access to those accounts. This makes it possible for unauthenticated attackers to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account. This is only vulnerable on sites with OTP verification for password resets enabled, and where the administrator (or other user) has set a phone number for OTP verification.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":0.0038,"ranking_epss":0.29925,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/sms-alert/tags/3.9.5/handler/forms/class-ultimatemember.php#L288","https://plugins.trac.wordpress.org/browser/sms-alert/tags/3.9.5/handler/forms/class-ultimatemember.php#L88","https://plugins.trac.wordpress.org/browser/sms-alert/tags/3.9.5/handler/forms/class-wpresetpassword.php#L116","https://plugins.trac.wordpress.org/browser/sms-alert/tags/3.9.5/handler/forms/class-wpresetpassword.php#L130","https://plugins.trac.wordpress.org/browser/sms-alert/tags/3.9.5/handler/forms/class-wpresetpassword.php#L68","https://plugins.trac.wordpress.org/browser/sms-alert/tags/3.9.5/handler/smsalert_form_handler.php#L91","https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3587983%40sms-alert&new=3587983%40sms-alert&sfp_email=&sfph_mail=","https://www.wordfence.com/threat-intel/vulnerabilities/id/c31906da-f2fd-40ac-86e0-3f1ed0409d0c?source=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T08:16:20","euvd":null},{"cve_id":"CVE-2026-12158","summary":"The RegistrationMagic – User Registration Forms Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.0.9.1. This is due to missing or incorrect nonce validation on the process_request function. This makes it possible for unauthenticated attackers to escalate the privileges of an arbitrary form submitter to administrator by creating a malicious Chronos automation task that is executed via WordPress cron via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.00205,"ranking_epss":0.10562,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/custom-registration-form-builder-with-submission-manager/tags/6.0.8.9/plus/chronos/controllers/task_controller.php#L63","https://plugins.trac.wordpress.org/browser/custom-registration-form-builder-with-submission-manager/tags/6.0.8.9/plus/chronos/libs/rm_chronos.php#L277","https://plugins.trac.wordpress.org/browser/custom-registration-form-builder-with-submission-manager/tags/6.0.8.9/plus/chronos/libs/task.php#L176","https://plugins.trac.wordpress.org/browser/custom-registration-form-builder-with-submission-manager/tags/6.0.8.9/plus/chronos/services/service.php#L43","https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3579552%40custom-registration-form-builder-with-submission-manager&new=3579552%40custom-registration-form-builder-with-submission-manager&sfp_email=&sfph_mail=#file8","https://www.wordfence.com/threat-intel/vulnerabilities/id/ef7aff85-e1ca-47ce-86e9-a0fe356993a1?source=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T08:16:20","euvd":null},{"cve_id":"CVE-2026-12224","summary":"The Dokan Pro plugin for WordPress is vulnerable to privilege escalation via update_capabilities REST Endpoint in all versions up to, and including, 5.0.4.  This is due to the `update_capabilities()` REST handler accepting arbitrary capability strings from the request body and passing them directly to WP_User::add_cap() with no allowlist validation, only verifying that the caller holds the dokandar capability. This makes it possible for authenticated attackers with a self-provisioned Vendor-level access and above, on sites with the Vendor Staff module enabled, to grant arbitrary WordPress capabilities, including administrator, to any vendor_staff account, leading to a full site takeover.","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.00246,"ranking_epss":0.15759,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://dokan.co/","https://www.wordfence.com/threat-intel/vulnerabilities/id/6ff9c202-b3e8-4660-8763-a9fee468203e?source=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T08:16:20","euvd":null},{"cve_id":"CVE-2026-12408","summary":"The Slim SEO – A Fast & Automated SEO Plugin For WordPress plugin for WordPress is vulnerable to Unauthorized Private Content Disclosure in all versions up to, and including, 4.9.8 via the `/wp-json/slim-seo/meta-tags/ai` REST API endpoint. This is due to the endpoint's `permission_callback` performing only a top-level `edit_posts` capability check without verifying that the requesting user has read access to the specific post supplied via the `object.ID` parameter, allowing the `generate` function to pass the attacker-controlled post ID to `Data::get_post_content()`, which calls `get_post()` regardless of post status or ownership. This makes it possible for authenticated attackers with Contributor-level access and above to retrieve AI-generated summaries of the raw `post_content` of arbitrary posts they are not authorized to view — including private posts, drafts, pending, future, and password-protected content authored by other users — with the substance of the protected content disclosed via the HTTP response.","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00257,"ranking_epss":0.17052,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/slim-seo/tags/4.9.5/src/MetaTags/AI.php#L21","https://plugins.trac.wordpress.org/browser/slim-seo/tags/4.9.5/src/MetaTags/AI.php#L55","https://plugins.trac.wordpress.org/browser/slim-seo/tags/4.9.5/src/MetaTags/Data.php#L117","https://plugins.trac.wordpress.org/browser/slim-seo/tags/4.9.8/src/MetaTags/AI.php#L21","https://plugins.trac.wordpress.org/browser/slim-seo/tags/4.9.8/src/MetaTags/AI.php#L55","https://plugins.trac.wordpress.org/browser/slim-seo/tags/4.9.8/src/MetaTags/Data.php#L117","https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3576523%40slim-seo&new=3576523%40slim-seo&sfp_email=&sfph_mail=","https://www.wordfence.com/threat-intel/vulnerabilities/id/6e6603a0-8f35-49fb-a517-ba6344538c4d?source=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T08:16:20","euvd":null},{"cve_id":"CVE-2026-10096","summary":"The Qi Blocks plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.4.9 via the 'page_id' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with author-level access and above, to modify the stored Qi Blocks styles of arbitrary posts, templates, or widgets they do not own — including site-wide surfaces via the reserved 'template' and 'widget' page_id values — enabling unauthorized frontend defacement, content hiding, and degradation of any page on the site. The endpoint's permission_callback checks only the generic edit_posts and publish_posts capabilities, meaning any user with the built-in Author role satisfies the check regardless of post ownership.","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00196,"ranking_epss":0.09539,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/qi-blocks/tags/1.4.9/inc/admin/global-styles/class-qi-blocks-framework-global-styles.php#L134","https://plugins.trac.wordpress.org/browser/qi-blocks/tags/1.4.9/inc/admin/global-styles/class-qi-blocks-framework-global-styles.php#L142","https://plugins.trac.wordpress.org/browser/qi-blocks/tags/1.4.9/inc/admin/global-styles/class-qi-blocks-framework-global-styles.php#L82","https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3572812%40qi-blocks&new=3572812%40qi-blocks&sfp_email=&sfph_mail=","https://www.wordfence.com/threat-intel/vulnerabilities/id/64251fd4-1627-49d0-831f-5cb9898c38bf?source=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T08:16:19","euvd":null},{"cve_id":"CVE-2026-11568","summary":"The Product Configurator for WooCommerce WordPress plugin before 1.7.3 does not perform any authorisation or post-status check before returning WooCommerce product data through a public AJAX action, allowing unauthenticated users to retrieve the data (title, price, weight, stock status, and configurator option pricing/SKUs) of private and draft, non-public products by supplying the product ID. WordPress post-visibility controls are bypassed.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00162,"ranking_epss":0.05757,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://wpscan.com/vulnerability/e208fee5-dad5-4aeb-b9b5-fbd72a5633e4/"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T07:16:22","euvd":null},{"cve_id":"CVE-2026-11570","summary":"The User Submitted Posts  WordPress plugin before 20260608 does not escape a submitted value before outputting it in an admin-configured display template, leading to a Stored Cross-Site Scripting that can be triggered by unauthenticated users when a non-default display option is enabled.","cvss":4.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.2,"cvss_v4":null,"epss":0.00172,"ranking_epss":0.06892,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://wpscan.com/vulnerability/35c33c56-5b12-4be5-9d45-68f47cd854ec/"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T07:16:22","euvd":null},{"cve_id":"CVE-2026-11794","summary":"The Advanced Form Integration — Connect Forms to 200+ Apps WordPress plugin before 2.1.1 does not restrict the WordPress role assigned when it creates a user from a public form submission, allowing unauthenticated visitors to create an administrator account when an active integration maps the user role to a public form field. This requires a specific, non-default multi-Advanced Form Integration — Connect Forms to 200+ Apps WordPress plugin before 2.1.1 configuration.","cvss":8.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":null,"epss":0.00138,"ranking_epss":0.03551,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://wpscan.com/vulnerability/614b9517-d6d5-499f-8172-280280a312b2/"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T07:16:22","euvd":null},{"cve_id":"CVE-2026-11823","summary":"The BookingPress Appointment Booking Pro plugin for WordPress is vulnerable to SQL Injection via the 'store_service_date' parameter of the bpa_assign_staffmember_to_slots() function in versions up to and including 5.7.1. This is due to the explicit use of stripslashes_deep() on user-supplied POST data before it is interpolated verbatim into a SQL LIKE clause without use of $wpdb->prepare() or any parameterization. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00285,"ranking_epss":0.20284,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/bookingpress-appointment-booking-pro/trunk/core/classes/class.bookingpress_pro_staff_members.php#L3353","https://www.wordfence.com/threat-intel/vulnerabilities/id/1663be8e-a6b8-4e0d-97d0-af7db2a2875c?source=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T07:16:22","euvd":null},{"cve_id":"CVE-2026-11880","summary":"The Fluent Forms  WordPress plugin before 6.2.1 does not properly verify ownership before processing a subscription cancellation request, allowing authenticated users with a low-privilege account to cancel subscriptions belonging to other users.","cvss":3.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":3.1,"cvss_v4":null,"epss":0.00138,"ranking_epss":0.03551,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://wpscan.com/vulnerability/5de7c9e9-3a47-4bc6-a1b2-33eb8d3e3ec0/"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T07:16:22","euvd":null},{"cve_id":"CVE-2026-11883","summary":"The WebAuthn Provider for Two Factor WordPress plugin before 2.5.6 does not correctly validate the second-factor authentication response, allowing an attacker who already knows a user's password to bypass the two-factor authentication requirement by submitting a malformed request.","cvss":7.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.2,"cvss_v4":null,"epss":0.00209,"ranking_epss":0.11144,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://wpscan.com/vulnerability/f718390c-1d7c-4048-bce6-a3170998e828/"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T07:16:22","euvd":null},{"cve_id":"CVE-2026-11887","summary":"The Salon Booking System  WordPress plugin before 10.30.20 does not have proper authorisation checks on one of its AJAX actions, allowing any authenticated user, such as a subscriber, to modify a Salon Booking System  WordPress plugin before 10.30.20 setting and bypass the manual approval of new bookings.","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00146,"ranking_epss":0.04281,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://wpscan.com/vulnerability/ed203765-0482-4d55-b36f-cdab11ed3cf0/"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T07:16:22","euvd":null},{"cve_id":"CVE-2026-12579","summary":"AS228T with Authentication Bypass Vulnerability","cvss":7.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.4,"cvss_v4":null,"epss":0.00273,"ranking_epss":0.19099,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2026-00012_AS228T%20Authentication%20Bypass%20Vulnerability%20(CVE-2026-12579).pdf"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T07:16:22","euvd":null},{"cve_id":"CVE-2026-14193","summary":"DVP80ES300T with Improper Validation of Array Index Vulnerability","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00263,"ranking_epss":0.17666,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2026-00013_DVP80ES300T%20Improper%20Validation%20of%20Array%20Index%20Vulnerability%20(CVE-2026-14193).pdf"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T07:16:22","euvd":null},{"cve_id":"CVE-2026-1239","summary":"The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to unauthorized access of data due to a missing authorization check on the 'ninja-forms-views/token/refresh' REST callback in all versions up to, and including, 3.14.1. This makes it possible for unauthenticated attackers to view form submissions, which could potentially contain sensitive information.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.0026,"ranking_epss":0.17392,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/changeset/3489168/ninja-forms","https://www.wordfence.com/threat-intel/vulnerabilities/id/973ebafc-85c0-4cc5-b307-2fdb0a4a7577?source=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T07:16:22","euvd":null},{"cve_id":"CVE-2025-15666","summary":"A security vulnerability has been detected in Open Asset Import Library Assimp up to 5.4.3. Affected by this vulnerability is the function Assimp::SceneCombiner::Copy of the file code/Common/SceneCombiner.cpp of the component Model File Handler. Such manipulation of the argument width/height leads to heap-based buffer overflow. An attack has to be approached locally. The exploit has been disclosed publicly and may be used. This and similar defects are tracked and handled via issue #6128.","cvss":1.9,"cvss_version":4.0,"cvss_v2":4.3,"cvss_v3":5.3,"cvss_v4":1.9,"epss":0.00123,"ranking_epss":0.02455,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/assimp/assimp/issues/6079","https://vuldb.com/cve/CVE-2025-15666","https://vuldb.com/submit/844487","https://vuldb.com/vuln/374595","https://vuldb.com/vuln/374595/cti"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T07:16:21","euvd":null},{"cve_id":"CVE-2026-10750","summary":"The Royal MCP  WordPress plugin before 1.4.26 does not perform capability checks on the majority of its MCP tools after token authentication, allowing authenticated users with a low-privileged role such as Subscriber to read private content, enumerate all users and their roles, and create, modify, or delete content owned by other users.","cvss":8.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":null,"epss":0.00195,"ranking_epss":0.09451,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://wpscan.com/vulnerability/8678ef91-ff05-43a1-a8e3-6d35da548826/"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T07:16:21","euvd":null},{"cve_id":"CVE-2026-11562","summary":"The WS Form LITE  WordPress plugin before 1.11.8 does not have a capability check on one of its settings-update actions, allowing authenticated users with subscriber-level access and above to modify the WS Form LITE  WordPress plugin before 1.11.8's settings.","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00151,"ranking_epss":0.04631,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://wpscan.com/vulnerability/e0283d75-0622-490c-9442-cf1aa0a1d167/"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T07:16:21","euvd":null},{"cve_id":"CVE-2026-9107","summary":"The Kali Forms — Contact Form & Drag-and-Drop Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'meta[kaliforms_field_components]' parameter in all versions up to, and including, 2.4.13 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","cvss":6.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.4,"cvss_v4":null,"epss":0.00241,"ranking_epss":0.15203,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/kali-forms/tags/2.4.10/Inc/Backend/Posts/class-forms.php#L381","https://plugins.trac.wordpress.org/browser/kali-forms/tags/2.4.10/Inc/Backend/Posts/class-forms.php#L391","https://plugins.trac.wordpress.org/browser/kali-forms/tags/2.4.10/resources/assets/js/forms/components/Builder/BuilderFormField.jsx#L332","https://plugins.trac.wordpress.org/browser/kali-forms/tags/2.4.10/resources/assets/js/forms/components/Builder/BuilderFormField.jsx#L96","https://plugins.trac.wordpress.org/browser/kali-forms/tags/2.4.11/Inc/Backend/Posts/class-forms.php#L381","https://plugins.trac.wordpress.org/browser/kali-forms/tags/2.4.11/Inc/Backend/Posts/class-forms.php#L391","https://plugins.trac.wordpress.org/browser/kali-forms/tags/2.4.11/resources/assets/js/forms/components/Builder/BuilderFormField.jsx#L332","https://plugins.trac.wordpress.org/browser/kali-forms/tags/2.4.11/resources/assets/js/forms/components/Builder/BuilderFormField.jsx#L96","https://plugins.trac.wordpress.org/changeset?old_path=%2Fkali-forms/tags/2.4.13&new_path=%2Fkali-forms/tags/2.4.14","https://www.wordfence.com/threat-intel/vulnerabilities/id/3d81e41d-e62c-49d7-bba5-6a2a0a586c84?source=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T05:16:25","euvd":null},{"cve_id":"CVE-2026-7829","summary":"UltraVNC repeater through 1.8.2.2 contains a post-authentication out-of-bounds write in the allow/deny rule parser. In repeater/webgui/settings.c:225-272, after strncpy_s copies a rule token into temp1[rule1] (25-byte destination) or temp2/temp3 (16-byte destination), the code unconditionally writes a NUL terminator at temp1[rule1][len] = 0 without clamping len to the destination size. When an authenticated administrator saves a rule with a token length equal to or greater than the destination size, the NUL byte is written one or more bytes past the end of the stack-allocated array, corrupting adjacent stack data. An attacker who has obtained admin credentials (including via CVE-2026-7839 default password) can trigger this to gain code execution on the repeater host.","cvss":7.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.2,"cvss_v4":null,"epss":0.00504,"ranking_epss":0.39365,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/ultravnc/UltraVNC","https://uvnc.com/"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T05:16:24","euvd":null},{"cve_id":"CVE-2026-7830","summary":"UltraVNC through 1.8.2.2 uses inadequate cryptography in the MS-Logon II authentication scheme (rfbUltraVNC_MsLogonIIAuth). In rfb/dh.cpp the Diffie-Hellman key exchange is performed with parameters that fit in an unsigned 64-bit integer (DH_MAX_BITS controls the prime size). A 64-bit DH key can be broken by Pollard's rho algorithm in under one second on current hardware. Additionally, the private exponent is generated by the rng() function, which multiplies three libc rand() values seeded from time(NULL). With approximately 31 bits of internal state and a time-based seed, the private exponent is recoverable in under a minute by a passive observer. A network attacker who can observe the MS-Logon II handshake (via sniffing, recording, or man-in-the-middle) can derive the shared DH key and decrypt the encapsulated username and password, resulting in full credential disclosure. This affects legacy MS-Logon II connections; MS-Logon III (X25519 + AES-256-GCM) is unaffected.","cvss":7.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.4,"cvss_v4":null,"epss":0.00183,"ranking_epss":0.08084,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/ultravnc/UltraVNC","https://uvnc.com/"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T05:16:24","euvd":null},{"cve_id":"CVE-2026-7831","summary":"UltraVNC viewer through 1.8.2.2 contains an off-by-one stack buffer overflow in the RFB ServerInit message handler. In vncviewer/ClientConnection.cpp, when the server-supplied nameLength equals exactly 2024 the code declares a 2024-byte stack buffer _dn[2024] and calls ReadString(_dn, 2024). ReadString writes the NUL terminator at buf[length], i.e., _dn[2024], one byte past the end of the stack buffer. A malicious VNC server can trigger this condition by advertising a desktop name of length 2024 in its ServerInit message. On release builds without stack canaries the single-byte NUL overwrite adjacent stack data. On builds with /GS stack protection the canary is corrupted and the process terminates, resulting in denial of service. User interaction (connecting the viewer to the malicious server) is required.","cvss":7.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.6,"cvss_v4":null,"epss":0.00416,"ranking_epss":0.33419,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/ultravnc/UltraVNC","https://uvnc.com/"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T05:16:24","euvd":null},{"cve_id":"CVE-2026-7838","summary":"UltraVNC viewer through 1.8.2.2 contains an integer overflow leading to a heap buffer overflow in the RFB protocol failure-response parsing path. In vncviewer/ClientConnection.cpp, the 4-byte network-supplied reasonLen field (type CARD32) is passed as reasonLen+1 to CheckBufferSize(). Because both operands are unsigned 32-bit, a reasonLen of 0xFFFFFFFF overflows to 0, causing CheckBufferSize to allocate only 256 bytes. The subsequent ReadString(m_netbuf, reasonLen) call then performs ReadExact for the original 4 GiB length into that 256-byte heap buffer. This overflow is reachable via rfbConnFailed (auth-scheme negotiation) and rfbVncAuthFailed (post-handshake) message types without successful authentication. A malicious VNC server, or any man-in-the-middle on the RFB stream, can trigger this condition when the victim viewer connects, potentially resulting in remote code execution as the user running the viewer. The crash was confirmed with AddressSanitizer on a portable reproduction harness (heap-buffer-overflow WRITE at offset 256).","cvss":8.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":8.7,"epss":0.01152,"ranking_epss":0.63032,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/ultravnc/UltraVNC","https://uvnc.com/"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T05:16:24","euvd":null},{"cve_id":"CVE-2026-7839","summary":"UltraVNC repeater through 1.8.2.2 initializes the HTTP administration server with a hardcoded default password. In repeater/webgui/settings.c:197, when settings2.txt is absent on first run the repeater writes the literal string \"adminadmi2\" as the admin password via strcpy_s(saved_password, 64, \"adminadmi2\"). The HTTP Basic-auth handler wi_decode_auth() checks this password without rate-limiting or lockout. Any remote attacker who can reach the repeater HTTP port (default TCP 80) can authenticate as administrator using the well-known default credential on a fresh or unmodified installation, gaining full control of the repeater configuration including allow/deny rules and session visibility.","cvss":9.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.1,"cvss_v4":null,"epss":0.00326,"ranking_epss":0.24487,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/ultravnc/UltraVNC","https://uvnc.com/"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T05:16:24","euvd":null},{"cve_id":"CVE-2026-7840","summary":"UltraVNC repeater through 1.8.2.2 contains a global buffer overflow in its embedded HTTP administration server. The functions wi_senderr() and wi_replyhdr() in repeater/webgui/webutils.c write the caller-supplied HTTP request URI into a fixed 1000-byte global buffer (hdrbuf) via unchecked sprintf calls. The HTTP receive buffer accepts URIs up to approximately 150 KB (WI_RXBUFSIZE = 153600), so an unauthenticated attacker who can reach the repeater HTTP port (default TCP 80) can overflow hdrbuf by at least 500 bytes with a single HTTP request containing a URI of 1500 bytes or longer, corrupting adjacent .bss-segment globals. The overflow occurs before any authentication check, making it reachable without credentials. A remote, unauthenticated attacker can achieve arbitrary code execution on the host running the repeater.","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":9.3,"epss":0.01203,"ranking_epss":0.64481,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/ultravnc/UltraVNC","https://uvnc.com/"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T05:16:24","euvd":null},{"cve_id":"CVE-2026-58519","summary":"Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in The Wikimedia Foundation Mediawiki - Cargo Extension allows Stored XSS.\n\nThis issue affects Mediawiki - Cargo Extension: from * before 3.9.1.","cvss":6.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":6.9,"epss":0.00268,"ranking_epss":0.18413,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/1277612","https://phabricator.wikimedia.org/T424140","https://phabricator.wikimedia.org/T424140"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T05:16:23","euvd":null},{"cve_id":"CVE-2026-6070","summary":"The WP-BusinessDirectory plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Deletion in versions up to and including 4.0.1. This is due to insufficient path validation in the remove() method of the JBusinessDirectoryControllerUpload class. The task=upload.remove endpoint is accessible without authentication via the plugin's frontend routing system. The _filename parameter is accepted with RAW filter (no sanitization), and the helper function makePathFile() only normalizes directory separator characters without stripping path traversal sequences (../). When combined with the _path_type=2 parameter, which sets the base directory to the plugin's site folder, an attacker can supply a _filename value containing ../ sequences to traverse outside the plugin directory and call PHP's unlink() on arbitrary files — including wp-config.php, wp-config-backup.php, or other critical server files accessible to the web server process. This makes it possible for unauthenticated attackers to delete arbitrary files on the server.","cvss":9.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.1,"cvss_v4":null,"epss":0.00409,"ranking_epss":0.32741,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/wp-businessdirectory/tags/4.0.0/site/controllers/upload.php#L127","https://plugins.trac.wordpress.org/browser/wp-businessdirectory/tags/4.0.0/site/controllers/upload.php#L450","https://plugins.trac.wordpress.org/browser/wp-businessdirectory/trunk/site/controllers/upload.php#L127","https://plugins.trac.wordpress.org/browser/wp-businessdirectory/trunk/site/controllers/upload.php#L450","https://www.wordfence.com/threat-intel/vulnerabilities/id/d7d68f43-2a57-4352-8aae-0657b386ac7c?source=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T05:16:23","euvd":null},{"cve_id":"CVE-2026-7517","summary":"The Custom Payment Gateways for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'alg_wc_cpg_input_fields' parameter in all versions up to, and including, 2.1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This vulnerability is exploitable by unauthenticated guest users submitting a crafted checkout POST request, requiring no custom input fields to be configured in the plugin.","cvss":7.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.2,"cvss_v4":null,"epss":0.00247,"ranking_epss":0.15901,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/custom-payment-gateways-woocommerce/tags/2.1.0/includes/class-alg-wc-custom-payment-gateways-input-fields.php#L241","https://plugins.trac.wordpress.org/browser/custom-payment-gateways-woocommerce/tags/2.1.0/includes/class-alg-wc-custom-payment-gateways-input-fields.php#L264","https://plugins.trac.wordpress.org/browser/custom-payment-gateways-woocommerce/tags/2.1.0/includes/class-alg-wc-custom-payment-gateways-input-fields.php#L86","https://plugins.trac.wordpress.org/browser/custom-payment-gateways-woocommerce/trunk/includes/class-alg-wc-custom-payment-gateways-input-fields.php#L241","https://plugins.trac.wordpress.org/browser/custom-payment-gateways-woocommerce/trunk/includes/class-alg-wc-custom-payment-gateways-input-fields.php#L264","https://plugins.trac.wordpress.org/browser/custom-payment-gateways-woocommerce/trunk/includes/class-alg-wc-custom-payment-gateways-input-fields.php#L86","https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3578163%40custom-payment-gateways-woocommerce&new=3578163%40custom-payment-gateways-woocommerce&sfp_email=&sfph_mail=","https://www.wordfence.com/threat-intel/vulnerabilities/id/1defa728-9f9d-4e8f-8f6c-432c615da7f5?source=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T05:16:23","euvd":null},{"cve_id":"CVE-2026-7828","summary":"UltraVNC repeater through 1.8.2.2 contains an integer overflow in the HTTP request logging path. In repeater/webgui/settings.c:336, the win_log() function allocates list nodes via malloc(sizeof(struct LIST) + strlen(line)), where line is derived from HTTP request URIs. If strlen(line) is sufficiently large, the addition overflows to a value smaller than sizeof(struct LIST), causing a heap allocation smaller than required. The subsequent strcpy of the full string into the undersized allocation produces a heap buffer overflow. In the current implementation this overflow is bounded by the HTTP receive buffer size (WI_RXBUFSIZE = 153600 bytes, well below SIZE_MAX on 32-bit builds), limiting practical exploitability to a partial heap write. A remote unauthenticated attacker can trigger the theoretical overflow path by sending a maximally-sized URI in an HTTP request to the repeater HTTP port.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00839,"ranking_epss":0.53291,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/ultravnc/UltraVNC","https://uvnc.com/"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T05:16:23","euvd":null},{"cve_id":"CVE-2026-58518","summary":"Cross-Site request forgery (CSRF) vulnerability in The Wikimedia Foundation Mediawiki - RedirectManager Extension allows Cross Site Request Forgery.\n\nThis issue affects Mediawiki - RedirectManager Extension: from * before 1.3.3.","cvss":6.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":6.9,"epss":0.00157,"ranking_epss":0.05239,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gerrit.wikimedia.org/r/c/mediawiki/extensions/RedirectManager/+/1275494","https://phabricator.wikimedia.org/T423826","https://phabricator.wikimedia.org/T423826"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T05:16:22","euvd":null},{"cve_id":"CVE-2026-44041","summary":"UltraVNC through 1.8.2.2 contains an out-of-bounds read in the wide-string to multibyte conversion helper. In rfb/dh.cpp:204, the vncWc2Mb() function passes a caller-supplied WCHAR pointer to wcslen() before any bounds check. If the caller provides a wide-character buffer that is not properly NUL-terminated, wcslen() reads past the end of the buffer until it encounters a NUL wchar, resulting in an out-of-bounds read. Under typical Win32 API usage this requires an abnormal caller contract. Impact is limited to a potential information disclosure from adjacent memory regions or a process crash (denial of service) if the over-read crosses a page boundary.","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00284,"ranking_epss":0.20191,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/ultravnc/UltraVNC","https://uvnc.com/"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T05:16:21","euvd":null},{"cve_id":"CVE-2026-44042","summary":"UltraVNC repeater through 1.8.2.2 contains an off-by-one error in the Base64 decode helper used for HTTP Basic authentication. In repeater/webgui/webutils.c:817, the wi_uudecode() function checks whether the input length exceeds the output buffer with a strict greater-than comparison (>), while the correct check should be greater-than-or-equal (>=). When strlen(authdata) equals sizeof(decode), the decoded output length (approximately 3/4 of input) does not overflow the buffer in current practice because the outer HTTP request bounds constrain the Authorization header. However, the defective check leaves a latent off-by-one condition that could become exploitable if the buffering constraints change. The current risk is limited to a one-byte write at the boundary of a 1024-byte stack buffer under constrained conditions.","cvss":3.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":3.7,"cvss_v4":null,"epss":0.00313,"ranking_epss":0.23089,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/ultravnc/UltraVNC","https://uvnc.com/"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T05:16:21","euvd":null},{"cve_id":"CVE-2026-44040","summary":"UltraVNC through 1.8.2.2 uses a cryptographically weak pseudo-random number generator to produce VNC authentication challenge bytes. In rfb/vncauth.c:119-129, the vncRandomBytes() function seeds libc rand() with time(0) + getpid() + rand() and generates a 16-byte challenge. The combined seed space is approximately 31 bits (libc rand() internal state) and is entirely determined by publicly-observable values (wall-clock time and process ID). An attacker who can observe the authentication exchange can enumerate the seed space and predict the challenge within seconds, enabling forgery or offline brute-forcing of responses. Note: on Windows, the active code path may use vncEncryptBytes2.cpp which calls CryptGenRandom; reachability on shipped Windows binaries requires compile-graph verification and is under investigation.","cvss":4.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.8,"cvss_v4":null,"epss":0.00219,"ranking_epss":0.12422,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/ultravnc/UltraVNC","https://uvnc.com/"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T05:16:20","euvd":null},{"cve_id":"CVE-2026-2387","summary":"The Event Organiser plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 3.12.9. This is due to the 'eo_events' shortcode accepting attacker-controlled 'no_events' content and rendering it in event list templates without output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","cvss":6.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.4,"cvss_v4":null,"epss":0.00156,"ranking_epss":0.05177,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/changeset/3589132/event-organiser","https://www.wordfence.com/threat-intel/vulnerabilities/id/3f417afd-2822-412f-b68a-f09c013d6049?source=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T05:16:19","euvd":null},{"cve_id":"CVE-2026-12923","summary":"The Youtube Showcase plugin for WordPress is vulnerable to Arbitrary Function Call in versions up to and including 4.0.3. This is due to insufficient validation of the 'path' parameter in the emd_delete_file() AJAX handler in includes/common-functions.php. The user-supplied value is passed through sanitize_text_field(), has its trailing '_PLUGIN_DIR' substring stripped, and is then invoked as a PHP function name with no arguments via `$sess_name()`. The handler is gated only by a nonce — no current_user_can() check is present — and the nonce is emitted on any front-end page that renders a form shortcode containing file fields. This makes it possible for authenticated attackers, with Subscriber-level access and above, to invoke arbitrary zero-argument PHP functions (such as phpinfo, phpversion, get_defined_vars, error_get_last), resulting in sensitive information disclosure and potential further compromise depending on the functions available in the environment.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00319,"ranking_epss":0.23738,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/youtube-showcase/tags/4.0.3/includes/class-install-deactivate.php#L53","https://plugins.trac.wordpress.org/browser/youtube-showcase/tags/4.0.3/includes/common-functions.php#L1067","https://plugins.trac.wordpress.org/browser/youtube-showcase/tags/4.0.3/includes/common-functions.php#L1070","https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3588198%40youtube-showcase&new=3588198%40youtube-showcase&sfp_email=&sfph_mail=","https://www.wordfence.com/threat-intel/vulnerabilities/id/be4743d5-e4ca-4579-84e2-5eb3ef0e274d?source=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T05:16:18","euvd":null},{"cve_id":"CVE-2026-13015","summary":"The Wp Google Places Review Slider plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'place' parameter in versions up to, and including, 18.1. This is due to insufficient input sanitization and output escaping in admin/partials/googlecrawl_dfs.php, where the $_GET['place'] value is URL-decoded, stripslashes()'d, and echoed directly into an HTML value attribute with no esc_attr() call when the supplied place is not already a stored key in the wprev_google_crawls option. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a specially crafted link.","cvss":6.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.1,"cvss_v4":null,"epss":0.00211,"ranking_epss":0.11383,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/wp-google-places-review-slider/trunk/admin/partials/googlecrawl_dfs.php#L109","https://plugins.trac.wordpress.org/browser/wp-google-places-review-slider/trunk/admin/partials/googlecrawl_dfs.php#L22","https://plugins.trac.wordpress.org/browser/wp-google-places-review-slider/trunk/admin/partials/googlecrawl_dfs.php#L48","https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3590253%40wp-google-places-review-slider&new=3590253%40wp-google-places-review-slider&sfp_email=&sfph_mail=","https://www.wordfence.com/threat-intel/vulnerabilities/id/815054e2-c575-439a-9a66-fce251b4da80?source=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T05:16:18","euvd":null},{"cve_id":"CVE-2026-13246","summary":"The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'block_id' (and other) shortcode attributes of the 'givewp_campaign_comments' shortcode in versions up to, and including, 4.16.0. This is due to insufficient input sanitization and output escaping on user supplied attributes in CampaignCommentsShortcode::parseAttributes() and BlockRenderController::render(), where the blockId value is interpolated directly into a single-quoted HTML attribute without esc_attr(). This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","cvss":6.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.4,"cvss_v4":null,"epss":0.00241,"ranking_epss":0.15202,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/give/tags/4.16.0/src/Campaigns/Actions/RegisterCampaignShortcodes.php#L30","https://plugins.trac.wordpress.org/browser/give/tags/4.16.0/src/Campaigns/Blocks/CampaignComments/Controller/BlockRenderController.php#L23","https://plugins.trac.wordpress.org/browser/give/tags/4.16.0/src/Campaigns/Blocks/CampaignComments/render.php#L20","https://plugins.trac.wordpress.org/browser/give/tags/4.16.0/src/Campaigns/Shortcodes/CampaignCommentsShortcode.php#L17","https://plugins.trac.wordpress.org/browser/give/tags/4.16.0/src/Campaigns/Shortcodes/CampaignCommentsShortcode.php#L78","https://plugins.trac.wordpress.org/browser/give/trunk/src/Campaigns/Actions/RegisterCampaignShortcodes.php#L30","https://plugins.trac.wordpress.org/browser/give/trunk/src/Campaigns/Blocks/CampaignComments/Controller/BlockRenderController.php#L23","https://plugins.trac.wordpress.org/browser/give/trunk/src/Campaigns/Blocks/CampaignComments/render.php#L20","https://plugins.trac.wordpress.org/browser/give/trunk/src/Campaigns/Shortcodes/CampaignCommentsShortcode.php#L17","https://plugins.trac.wordpress.org/browser/give/trunk/src/Campaigns/Shortcodes/CampaignCommentsShortcode.php#L78","https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3590193%40give&new=3590193%40give&sfp_email=&sfph_mail=","https://www.wordfence.com/threat-intel/vulnerabilities/id/08f8f489-6b31-45d8-a122-bbaa283a2b10?source=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T05:16:18","euvd":null},{"cve_id":"CVE-2026-13443","summary":"The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Lesson Attachment Title in all versions up to, and including, 3.9.13 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","cvss":6.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.4,"cvss_v4":null,"epss":0.00206,"ranking_epss":0.10713,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.13/classes/Utils.php#L1688","https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.13/classes/Utils.php#L1720","https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.13/templates/global/attachments.php#L34","https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Utils.php#L1688","https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Utils.php#L1720","https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/templates/global/attachments.php#L34","https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3590029%40tutor&new=3590029%40tutor&sfp_email=&sfph_mail=","https://www.wordfence.com/threat-intel/vulnerabilities/id/7483762c-5356-4844-90a9-511d9ec48625?source=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T05:16:18","euvd":null},{"cve_id":"CVE-2026-13468","summary":"The Visualizer – Tables & Charts Manager with Built-in AI Generator plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.0.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to access and export the contents of any visualizer chart on the site — including charts in draft, private, pending, future, or trash status — as CSV, Excel, or HTML via the /wp-json/visualizer/v1/action/{chart}/{type}/ REST endpoint. This bypass is particularly impactful because the standard WordPress REST endpoint for the non-public 'visualizer' custom post type correctly enforces capability checks and returns HTTP 401 to unauthenticated callers, whereas this plugin-registered route circumvents that protection entirely.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00367,"ranking_epss":0.28651,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/visualizer/tags/4.0.1/classes/Visualizer/Module.php#L182","https://plugins.trac.wordpress.org/browser/visualizer/tags/4.0.1/classes/Visualizer/Module/Frontend.php#L155","https://plugins.trac.wordpress.org/browser/visualizer/tags/4.0.1/classes/Visualizer/Module/Frontend.php#L219","https://plugins.trac.wordpress.org/browser/visualizer/tags/4.0.3/classes/Visualizer/Module.php#L182","https://plugins.trac.wordpress.org/browser/visualizer/tags/4.0.3/classes/Visualizer/Module/Frontend.php#L155","https://plugins.trac.wordpress.org/browser/visualizer/tags/4.0.3/classes/Visualizer/Module/Frontend.php#L219","https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3591310%40visualizer&new=3591310%40visualizer&sfp_email=&sfph_mail=","https://www.wordfence.com/threat-intel/vulnerabilities/id/45dbcc5e-2746-4a55-a1d1-a7c67fa2950e?source=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T05:16:18","euvd":null},{"cve_id":"CVE-2026-13731","summary":"The WPBot – AI ChatBot for Live Support, Lead Generation, AI Services plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'conversation' parameter in all versions up to, and including, 8.4.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The AJAX nonce required to authenticate the save request is publicly emitted on every frontend page via wp_localize_script, making it freely obtainable by any anonymous visitor and removing any practical barrier to exploitation.","cvss":7.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.2,"cvss_v4":null,"epss":0.00241,"ranking_epss":0.1519,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/chatbot/tags/8.4.9/functions.php#L1811","https://plugins.trac.wordpress.org/browser/chatbot/tags/8.4.9/includes/chat-sessions/reports/view/partials/view-single-chat.php#L148","https://plugins.trac.wordpress.org/browser/chatbot/tags/8.4.9/includes/chat-sessions/wpbot-chat-sessions.php#L509","https://plugins.trac.wordpress.org/browser/chatbot/tags/8.4.9/includes/chat-sessions/wpbot-chat-sessions.php#L644","https://plugins.trac.wordpress.org/browser/chatbot/tags/8.4.9/qcld-wpwbot.php#L603","https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3591600%40chatbot&new=3591600%40chatbot&sfp_email=&sfph_mail=","https://www.wordfence.com/threat-intel/vulnerabilities/id/124f2b72-d8da-46ba-844f-e9cc01441702?source=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T05:16:18","euvd":null},{"cve_id":"CVE-2026-12110","summary":"The Taskbuilder – Project Management & Task Management Tool With Kanban Board plugin for WordPress is vulnerable to generic SQL Injection via the 'task_search' parameter in all versions up to, and including, 5.0.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The wppm_get_task_list AJAX handler performs no capability check and no nonce verification, meaning any authenticated user including those with Subscriber-level access can invoke it directly.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00328,"ranking_epss":0.24676,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/taskbuilder/tags/5.0.7/includes/admin/tasks/wppm_tasks_list.php#L215","https://plugins.trac.wordpress.org/browser/taskbuilder/tags/5.0.7/includes/admin/tasks/wppm_tasks_list.php#L9","https://plugins.trac.wordpress.org/browser/taskbuilder/tags/5.0.7/includes/class-wppm-admin.php#L40","https://plugins.trac.wordpress.org/browser/taskbuilder/tags/5.0.7/includes/class-wppm-admin.php#L516","https://plugins.trac.wordpress.org/browser/taskbuilder/trunk/includes/admin/tasks/wppm_tasks_list.php#L215","https://plugins.trac.wordpress.org/browser/taskbuilder/trunk/includes/admin/tasks/wppm_tasks_list.php#L9","https://plugins.trac.wordpress.org/browser/taskbuilder/trunk/includes/class-wppm-admin.php#L40","https://plugins.trac.wordpress.org/browser/taskbuilder/trunk/includes/class-wppm-admin.php#L516","https://plugins.trac.wordpress.org/changeset/3576941/taskbuilder/trunk/includes/admin/tasks/wppm_tasks_list.php","https://plugins.trac.wordpress.org/changeset?old_path=%2Ftaskbuilder/tags/5.0.8&new_path=%2Ftaskbuilder/tags/5.0.9","https://www.wordfence.com/threat-intel/vulnerabilities/id/78ab6263-7762-4fd2-af42-2224efa9509e?source=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T05:16:17","euvd":null},{"cve_id":"CVE-2026-12113","summary":"The Appointment Booking Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.02 via the cpabc_appointments_filter_list. This makes it possible for authenticated attackers, with contributor-level access and above, to extract customer names, email addresses, phone numbers, appointment comments, and other booking personally identifiable information.","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00228,"ranking_epss":0.13503,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/appointment-booking-calendar/tags/1.3.99/cpabc_appointments.php#L187","https://plugins.trac.wordpress.org/browser/appointment-booking-calendar/tags/1.3.99/inc/cpabc_apps_on.inc.php#L255","https://plugins.trac.wordpress.org/browser/appointment-booking-calendar/tags/1.3.99/inc/cpabc_apps_on.inc.php#L328","https://plugins.trac.wordpress.org/browser/appointment-booking-calendar/trunk/cpabc_appointments.php#L187","https://plugins.trac.wordpress.org/browser/appointment-booking-calendar/trunk/inc/cpabc_apps_on.inc.php#L255","https://plugins.trac.wordpress.org/browser/appointment-booking-calendar/trunk/inc/cpabc_apps_on.inc.php#L328","https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3581633%40appointment-booking-calendar&new=3581633%40appointment-booking-calendar&sfp_email=&sfph_mail=","https://www.wordfence.com/threat-intel/vulnerabilities/id/3838bb64-fd85-43a4-97a2-7ca7930697ad?source=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T05:16:17","euvd":null},{"cve_id":"CVE-2026-12127","summary":"The WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More plugin for WordPress is vulnerable to Improper Neutralization of CRLF Sequences ('CRLF Injection') in all versions up to, and including, 1.10.2 This is due to `get_reply_to_address()` processing the Reply-To display name through smart-tag expansion with context `'notification'` instead of `'notification-reply-to'`, which bypasses email-address validation while `wpforms_sanitize_textarea_field()` intentionally preserves CR/LF characters that are never stripped before the display name is concatenated into the raw `Reply-To:` mail header string. This makes it possible for unauthenticated attackers to inject arbitrary additional email headers — such as `Bcc:` — into outgoing notification emails, silently blind-copying all notification email copies to an attacker-controlled address. Exploitation requires that a form notification is configured to use a Paragraph Text (textarea) field as the Reply-To display name via a Smart Tag.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00343,"ranking_epss":0.26242,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/wpforms-lite/tags/1.10.0.2/includes/fields/class-textarea.php#L326","https://plugins.trac.wordpress.org/browser/wpforms-lite/tags/1.10.0.2/src/Emails/Mailer.php#L368","https://plugins.trac.wordpress.org/browser/wpforms-lite/tags/1.10.0.2/src/Emails/Notifications.php#L1098","https://plugins.trac.wordpress.org/browser/wpforms-lite/tags/1.10.0.2/src/Emails/Notifications.php#L1138","https://plugins.trac.wordpress.org/browser/wpforms-lite/tags/1.10.1.1/includes/fields/class-textarea.php#L326","https://plugins.trac.wordpress.org/browser/wpforms-lite/tags/1.10.1.1/src/Emails/Mailer.php#L368","https://plugins.trac.wordpress.org/browser/wpforms-lite/tags/1.10.1.1/src/Emails/Notifications.php#L1098","https://plugins.trac.wordpress.org/browser/wpforms-lite/tags/1.10.1.1/src/Emails/Notifications.php#L1138","https://plugins.trac.wordpress.org/changeset/3586095/wpforms-lite/trunk/src/Emails/Mailer.php","https://plugins.trac.wordpress.org/changeset?old_path=%2Fwpforms-lite/tags/1.10.2&new_path=%2Fwpforms-lite/tags/1.10.2.1","https://www.wordfence.com/threat-intel/vulnerabilities/id/d5a51c22-c4ca-4897-ad7e-c5df00b07fe0?source=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T05:16:17","euvd":null},{"cve_id":"CVE-2026-12133","summary":"The JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to Missing Authorization to Arbitrary Group Deletion in versions up to, and including, 5.7.8. This is due to a missing capability check in the joomsport_season_groupdel() AJAX handler, which only verifies a nonce before executing a DELETE query on attacker-supplied group IDs. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary JoomSport group records.","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.0025,"ranking_epss":0.163,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/joomsport-sports-league-results-management/tags/5.7.8/includes/joomsport-shortcodes.php#L473","https://plugins.trac.wordpress.org/browser/joomsport-sports-league-results-management/tags/5.7.8/includes/posts/joomsport-post-season.php#L25","https://plugins.trac.wordpress.org/browser/joomsport-sports-league-results-management/tags/5.7.8/includes/posts/joomsport-post-season.php#L294","https://plugins.trac.wordpress.org/browser/joomsport-sports-league-results-management/tags/5.7.8/includes/posts/joomsport-post-season.php#L296","https://plugins.trac.wordpress.org/browser/joomsport-sports-league-results-management/trunk/includes/joomsport-shortcodes.php#L473","https://plugins.trac.wordpress.org/browser/joomsport-sports-league-results-management/trunk/includes/posts/joomsport-post-season.php#L25","https://plugins.trac.wordpress.org/browser/joomsport-sports-league-results-management/trunk/includes/posts/joomsport-post-season.php#L294","https://plugins.trac.wordpress.org/browser/joomsport-sports-league-results-management/trunk/includes/posts/joomsport-post-season.php#L296","https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3581673%40joomsport-sports-league-results-management&new=3581673%40joomsport-sports-league-results-management&sfp_email=&sfph_mail=","https://www.wordfence.com/threat-intel/vulnerabilities/id/03122c29-4ca5-426a-8240-74ce96dd21f2?source=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T05:16:17","euvd":null},{"cve_id":"CVE-2026-12135","summary":"The FV Flowplayer Video Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'video_player' shortcode 'align' attribute in all versions up to, and including, 7.5.51.7212 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","cvss":6.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.4,"cvss_v4":null,"epss":0.00205,"ranking_epss":0.10627,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/fv-wordpress-flowplayer/tags/7.5.49.7212/controller/shortcodes.php#L227","https://plugins.trac.wordpress.org/browser/fv-wordpress-flowplayer/tags/7.5.49.7212/controller/shortcodes.php#L293","https://plugins.trac.wordpress.org/browser/fv-wordpress-flowplayer/trunk/controller/shortcodes.php#L227","https://plugins.trac.wordpress.org/browser/fv-wordpress-flowplayer/trunk/controller/shortcodes.php#L293","https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3586305%40fv-wordpress-flowplayer%2Ftrunk&old=3557974%40fv-wordpress-flowplayer%2Ftrunk&sfp_email=&sfph_mail=","https://www.wordfence.com/threat-intel/vulnerabilities/id/d5a3a560-08e6-43b7-b953-4e704eafc49b?source=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T05:16:17","euvd":null},{"cve_id":"CVE-2026-12902","summary":"The Kadence Blocks — Page Builder Toolkit for Gutenberg Editor plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.7.7. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with contributor-level access and above, to create arbitrary Media Library attachments by downloading remote images to the site's uploads directory via wp_upload_bits() and wp_insert_attachment(), bypassing the upload_files capability boundary.","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00272,"ranking_epss":0.19001,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/kadence-blocks/tags/3.6.7/includes/class-kadence-blocks-prebuilt-library.php#L1078","https://plugins.trac.wordpress.org/browser/kadence-blocks/tags/3.6.7/includes/class-kadence-blocks-prebuilt-library.php#L1223","https://plugins.trac.wordpress.org/browser/kadence-blocks/tags/3.6.7/includes/class-kadence-blocks-prebuilt-library.php#L817","https://plugins.trac.wordpress.org/browser/kadence-blocks/tags/3.6.7/includes/class-kadence-blocks-prebuilt-library.php#L916","https://plugins.trac.wordpress.org/browser/kadence-blocks/tags/3.7.6/includes/class-kadence-blocks-prebuilt-library.php#L1078","https://plugins.trac.wordpress.org/browser/kadence-blocks/tags/3.7.6/includes/class-kadence-blocks-prebuilt-library.php#L1223","https://plugins.trac.wordpress.org/browser/kadence-blocks/tags/3.7.6/includes/class-kadence-blocks-prebuilt-library.php#L817","https://plugins.trac.wordpress.org/browser/kadence-blocks/tags/3.7.6/includes/class-kadence-blocks-prebuilt-library.php#L916","https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3590217%40kadence-blocks&new=3590217%40kadence-blocks&sfp_email=&sfph_mail=","https://www.wordfence.com/threat-intel/vulnerabilities/id/7de2cb7a-dc3d-41f2-8faa-9e87f78531b5?source=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T05:16:17","euvd":null},{"cve_id":"CVE-2026-12904","summary":"The Kadence Blocks – Gutenberg Blocks for Page Builder Features plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 3.7.7. This is due to a mismatch between the object used for authorization and the object actually accessed in the Optimize_Rest_Controller's create_item(), get_item(), delete_item(), and bulk_delete_items() endpoints — authorization is checked via current_user_can('edit_post'/'delete_post', $post_id) against the user-supplied post_id, while the storage layer keys analysis records on sha256($post_path) from a separately supplied, attacker-controlled post_path parameter, with no enforcement that post_path corresponds to post_id. This makes it possible for authenticated attackers, with Contributor-level access and above, to read or delete optimizer analysis records belonging to posts owned by other users by submitting their own post_id (which passes the capability check) together with the victim post's path.","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00293,"ranking_epss":0.2104,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/kadence-blocks/tags/3.6.7/includes/resources/Optimizer/Path/Path.php#L60","https://plugins.trac.wordpress.org/browser/kadence-blocks/tags/3.6.7/includes/resources/Optimizer/Rest/Optimize_Rest_Controller.php#L153","https://plugins.trac.wordpress.org/browser/kadence-blocks/tags/3.6.7/includes/resources/Optimizer/Rest/Optimize_Rest_Controller.php#L197","https://plugins.trac.wordpress.org/browser/kadence-blocks/tags/3.6.7/includes/resources/Optimizer/Rest/Optimize_Rest_Controller.php#L232","https://plugins.trac.wordpress.org/browser/kadence-blocks/tags/3.6.7/includes/resources/Optimizer/Rest/Optimize_Rest_Controller.php#L339","https://plugins.trac.wordpress.org/browser/kadence-blocks/tags/3.6.7/includes/resources/Optimizer/Rest/Optimize_Rest_Controller.php#L383","https://plugins.trac.wordpress.org/browser/kadence-blocks/tags/3.6.7/includes/resources/Optimizer/Rest/Optimize_Rest_Controller.php#L420","https://plugins.trac.wordpress.org/browser/kadence-blocks/tags/3.6.7/includes/resources/Optimizer/Rest/Optimize_Rest_Controller.php#L458","https://plugins.trac.wordpress.org/browser/kadence-blocks/tags/3.6.7/includes/resources/Optimizer/Store/Table_Store.php#L96","https://plugins.trac.wordpress.org/browser/kadence-blocks/tags/3.7.6/includes/resources/Optimizer/Path/Path.php#L60","https://plugins.trac.wordpress.org/browser/kadence-blocks/tags/3.7.6/includes/resources/Optimizer/Rest/Optimize_Rest_Controller.php#L153","https://plugins.trac.wordpress.org/browser/kadence-blocks/tags/3.7.6/includes/resources/Optimizer/Rest/Optimize_Rest_Controller.php#L197","https://plugins.trac.wordpress.org/browser/kadence-blocks/tags/3.7.6/includes/resources/Optimizer/Rest/Optimize_Rest_Controller.php#L232","https://plugins.trac.wordpress.org/browser/kadence-blocks/tags/3.7.6/includes/resources/Optimizer/Rest/Optimize_Rest_Controller.php#L339","https://plugins.trac.wordpress.org/browser/kadence-blocks/tags/3.7.6/includes/resources/Optimizer/Rest/Optimize_Rest_Controller.php#L383","https://plugins.trac.wordpress.org/browser/kadence-blocks/tags/3.7.6/includes/resources/Optimizer/Rest/Optimize_Rest_Controller.php#L420","https://plugins.trac.wordpress.org/browser/kadence-blocks/tags/3.7.6/includes/resources/Optimizer/Rest/Optimize_Rest_Controller.php#L458","https://plugins.trac.wordpress.org/browser/kadence-blocks/tags/3.7.6/includes/resources/Optimizer/Store/Table_Store.php#L96","https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3590217%40kadence-blocks&new=3590217%40kadence-blocks&sfp_email=&sfph_mail=","https://www.wordfence.com/threat-intel/vulnerabilities/id/24cdd50f-742c-457c-85f7-9cccaf366e87?source=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T05:16:17","euvd":null},{"cve_id":"CVE-2026-11380","summary":"The JetWidgets For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 1.0.21. This is due to insufficient output escaping and missing server-side validation of the Animated Box widget's animation_effect setting before it is rendered inside an HTML class attribute. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","cvss":6.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.4,"cvss_v4":null,"epss":0.00156,"ranking_epss":0.05178,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/changeset/3583305/jetwidgets-for-elementor","https://www.wordfence.com/threat-intel/vulnerabilities/id/fffd6fc5-1578-414c-bb36-4f5dc0f27e19?source=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T05:16:16","euvd":null},{"cve_id":"CVE-2026-11981","summary":"The GiveWP plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.15.3 This is due to missing nonce validation on the give_set_notification_status_handler() function. This makes it possible for unauthenticated attackers to disable donation email notifications via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00154,"ranking_epss":0.0494,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/give/tags/3.19.4/includes/admin/emails/ajax-handler.php#L24","https://plugins.trac.wordpress.org/browser/give/tags/3.19.4/includes/admin/emails/ajax-handler.php#L25","https://plugins.trac.wordpress.org/browser/give/tags/3.19.4/includes/admin/emails/ajax-handler.php#L32","https://plugins.trac.wordpress.org/browser/give/tags/4.15.3/includes/admin/emails/ajax-handler.php#L24","https://plugins.trac.wordpress.org/browser/give/tags/4.15.3/includes/admin/emails/ajax-handler.php#L25","https://plugins.trac.wordpress.org/browser/give/tags/4.15.3/includes/admin/emails/ajax-handler.php#L32","https://plugins.trac.wordpress.org/changeset/3573301/give/trunk/includes/admin/emails/ajax-handler.php","https://plugins.trac.wordpress.org/changeset?old_path=%2Fgive/tags/4.15.3&new_path=%2Fgive/tags/4.15.4","https://www.wordfence.com/threat-intel/vulnerabilities/id/49954c72-df0d-46ec-a252-8af84dea41bf?source=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T05:16:16","euvd":null},{"cve_id":"CVE-2026-11988","summary":"The LearnPress – WordPress LMS Plugin for Create and Sell Online Courses plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.9.1 via the 'userId' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to view the course enrollment progress and completion data belonging to any instructor or administrator account on the site. This IDOR does not apply when the target user is a regular subscriber, as the guard correctly blocks cross-subscriber access; exploitation is limited to cases where the victim user holds the LP_TEACHER_ROLE or administrator role.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00275,"ranking_epss":0.19324,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/learnpress/tags/4.2.7.5/inc/rest-api/v1/frontend/class-lp-rest-lazy-load-controller.php#L118","https://plugins.trac.wordpress.org/browser/learnpress/tags/4.2.7.5/inc/rest-api/v1/frontend/class-lp-rest-lazy-load-controller.php#L137","https://plugins.trac.wordpress.org/browser/learnpress/tags/4.2.7.5/inc/user/abstract-lp-user.php#L680","https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.9.1/inc/rest-api/v1/frontend/class-lp-rest-lazy-load-controller.php#L118","https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.9.1/inc/rest-api/v1/frontend/class-lp-rest-lazy-load-controller.php#L137","https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.9.1/inc/user/abstract-lp-user.php#L680","https://plugins.trac.wordpress.org/changeset?old_path=%2Flearnpress/tags/4.3.9.1&new_path=%2Flearnpress/tags/4.4.0","https://www.wordfence.com/threat-intel/vulnerabilities/id/6b5e8cfd-989e-4a64-abb0-9daa22df46a4?source=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T05:16:16","euvd":null},{"cve_id":"CVE-2026-12090","summary":"The Taskbuilder – Project Management & Task Management Tool With Kanban Board plugin for WordPress is vulnerable to generic SQL Injection via the 'wppm_proj_filter' parameter in all versions up to, and including, 5.0.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. No nonce verification is performed on the wp_ajax_wppm_view_project_tasks handler, meaning any authenticated session — including subscriber-level — can reach the vulnerable code path without any additional preconditions.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00319,"ranking_epss":0.23766,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/taskbuilder/tags/5.0.6/includes/admin/projects/open_project/wppm_view_project_tasks.php#L181","https://plugins.trac.wordpress.org/browser/taskbuilder/tags/5.0.6/includes/admin/projects/open_project/wppm_view_project_tasks.php#L21","https://plugins.trac.wordpress.org/browser/taskbuilder/tags/5.0.6/includes/class-wppm-admin.php#L506","https://plugins.trac.wordpress.org/browser/taskbuilder/trunk/includes/admin/projects/open_project/wppm_view_project_tasks.php#L181","https://plugins.trac.wordpress.org/browser/taskbuilder/trunk/includes/admin/projects/open_project/wppm_view_project_tasks.php#L21","https://plugins.trac.wordpress.org/browser/taskbuilder/trunk/includes/class-wppm-admin.php#L506","https://plugins.trac.wordpress.org/changeset/3576941/taskbuilder/trunk/includes/admin/projects/open_project/wppm_view_project_tasks.php","https://plugins.trac.wordpress.org/changeset?old_path=%2Ftaskbuilder/tags/5.0.8&new_path=%2Ftaskbuilder/tags/5.0.9","https://www.wordfence.com/threat-intel/vulnerabilities/id/d1a78208-0909-4134-bc78-19e395fe7e24?source=cve"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T05:16:16","euvd":null},{"cve_id":"CVE-2026-20460","summary":"In Modem, there is a possible information disclosure due to improper input validation. This could lead to remote information disclosure, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01811421; Issue ID: MSV-6788.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00182,"ranking_epss":0.08027,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://corp.mediatek.com/product-security-bulletin/July-2026"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T04:17:15","euvd":null},{"cve_id":"CVE-2026-20461","summary":"In Modem, there is a possible out of bounds write due to a missing bounds check. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01267281 / MOLY01318201; Issue ID: MSV-6486.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00192,"ranking_epss":0.09126,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://corp.mediatek.com/product-security-bulletin/July-2026"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T04:17:15","euvd":null},{"cve_id":"CVE-2026-20462","summary":"In Telephony, there is a possible memory corruption due to a heap buffer overflow. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS11006447; Issue ID: MSV-7871.","cvss":6.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.7,"cvss_v4":null,"epss":0.00136,"ranking_epss":0.03367,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://corp.mediatek.com/product-security-bulletin/July-2026"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T04:17:15","euvd":null},{"cve_id":"CVE-2026-20463","summary":"In Modem, there is a possible escalation of privilege due to a permissions bypass. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: MOLY01716533; Issue ID: MSV-6309.","cvss":6.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.7,"cvss_v4":null,"epss":0.00134,"ranking_epss":0.03276,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://corp.mediatek.com/product-security-bulletin/July-2026"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T04:17:15","euvd":null},{"cve_id":"CVE-2026-20459","summary":"In Modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01816800; Issue ID: MSV-6842.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00182,"ranking_epss":0.08027,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://corp.mediatek.com/product-security-bulletin/July-2026"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T04:17:14","euvd":null},{"cve_id":"CVE-2026-20457","summary":"In Modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01826924; Issue ID: MSV-7301.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00192,"ranking_epss":0.09125,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://corp.mediatek.com/product-security-bulletin/July-2026"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T04:17:13","euvd":null},{"cve_id":"CVE-2026-20458","summary":"In Modem, there is a possible memory corruption due to a missing bounds check. This could lead to remote escalation of privilege, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01402160; Issue ID: MSV-7298.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00192,"ranking_epss":0.09126,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://corp.mediatek.com/product-security-bulletin/July-2026"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T04:17:13","euvd":null},{"cve_id":"CVE-2026-14191","summary":"An out-of-bounds heap write exists in the RAR5 recovery-volume (.rev) parser in WinRAR and UnRAR (RecVolumes5::ReadHeader in recvol5.cpp). The RecItems vector is sized only when the first .rev file in a set is processed; subsequent .rev files supply an independent RecNum value that is validated against that file's own TotalCount field but never against the actual size of RecItems. A crafted set of two or more .rev files can therefore write an attacker-controlled 32-bit value (the header's RevCRC field) to RecItems[RecNum] at an attacker-controlled offset up to 65534 * sizeof(RecVolItem) bytes past the allocation, corrupting adjacent heap objects. Triggering requires the victim to run a recovery/test operation on an attacker-supplied .rev set (for example 'unrar t x.part1.rev', WinRAR 'Repair archive', or auto-recovery when extracting a volume set with a missing .rar part). This is the RAR5-path sibling of CVE-2023-40477 (which was fixed in the RAR3 path only in WinRAR 6.23). Fixed in WinRAR / RAR 7.23.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":0.00286,"ranking_epss":0.20451,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://nvd.nist.gov/vuln/detail/CVE-2023-40477","https://www.rarlab.com/download.htm"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T04:16:58","euvd":null},{"cve_id":"CVE-2026-41579","summary":"runc is a CLI tool for spawning and running containers according to the OCI specification. In versions prior to 1.3.6, 1.4.0-rc.1, 1.4.0-rc.12, 1.5.0-rc.1, and 1.5.0-rc.1, when setting up the container rootfs, setupPtmx and setupDevSymlinks call os.Remove and os.Symlink with a filepath.Join string which allow an image with /dev as a symlink to trick runc into deleting files called ptmx on the host or creating a hardcoded set of symlinks with specific names and targets in an arbitrary pre-existing host directory. This issue is not exploitable under Docker, because Docker creates a top-level read-only layer that masks any malicious /dev symlink present in the container image — unlike some other Linux container tooling, whose higher-level runtimes built on runc remain exposed to exploitation via a malicious image. This issue has been fixed in versions 1.3.6, 1.4.3 and 1.5.0.","cvss":3.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":3.3,"cvss_v4":null,"epss":0.00222,"ranking_epss":0.12687,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/opencontainers/runc/commit/864db8042dbb","https://github.com/opencontainers/runc/security/advisories/GHSA-xjvp-4fhw-gc47"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T02:17:00","euvd":{"id":"EUVD-2026-40859","description":"runc is a CLI tool for spawning and running containers according to the OCI specification. In versions prior to 1.3.6, 1.4.0-rc.1, 1.4.0-rc.12, 1.5.0-rc.1, and 1.5.0-rc.1, when setting up the container rootfs, setupPtmx and setupDevSymlinks call os.Remove and os.Symlink with a filepath.Join string which allow an image with /dev as a symlink to trick runc into deleting files called ptmx on the host or creating a hardcoded set of symlinks with specific names and targets in an arbitrary pre-existing host directory. This issue is not exploitable under Docker, because Docker creates a top-level read-only layer that masks any malicious /dev symlink present in the container image — unlike some other Linux container tooling, whose higher-level runtimes built on runc remain exposed to exploitation via a malicious image. This issue has been fixed in versions 1.3.6, 1.4.3 and 1.5.0.","published_time":"2026-07-01T00:02:08","cvss":3.3,"cvss_version":"3.1","epss":0.0,"assigner":"GitHub_M","references":["https://github.com/opencontainers/runc/security/advisories/GHSA-xjvp-4fhw-gc47","https://github.com/opencontainers/runc/commit/864db8042dbb"],"products":["runc","runc","runc"],"vendors":["opencontainers"]}},{"cve_id":"CVE-2026-53488","summary":"containerd is an open-source container runtime. In versions prior to 1.7.33, 2.3.2, 2.2.5, 2.1.9, and 2.0.10 the CRI plugin propagates labels from an image config (LABEL instruction in Dockerfile) to a container without validation. This may result in executing an arbitrary command on the host, via a plugin that consumes container labels for some operations. This issue has been fixed in versions 1.7.33, 2.3.2, 2.2.5, 2.1.9, and 2.0.10.","cvss":9.4,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":9.4,"epss":0.00229,"ranking_epss":0.13656,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/containerd/containerd/security/advisories/GHSA-xhf5-7wjv-pqxp"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T02:17:00","euvd":{"id":"EUVD-2026-40860","description":"containerd is an open-source container runtime. In versions prior to 1.7.33, 2.3.2, 2.2.5, 2.1.9, and 2.0.10 the CRI plugin propagates labels from an image config (LABEL instruction in Dockerfile) to a container without validation. This may result in executing an arbitrary command on the host, via a plugin that consumes container labels for some operations. This issue has been fixed in versions 1.7.33, 2.3.2, 2.2.5, 2.1.9, and 2.0.10.","published_time":"2026-07-01T00:11:20","cvss":9.4,"cvss_version":"4.0","epss":0.0,"assigner":"GitHub_M","references":["https://github.com/containerd/containerd/security/advisories/GHSA-xhf5-7wjv-pqxp"],"products":["containerd","containerd","containerd","containerd","containerd"],"vendors":["containerd"]}},{"cve_id":"CVE-2026-57962","summary":"A malicious LDAP server, which a Thunderbird user is configured to query for address-book autocomplete, can stash arbitrarily large amounts of attacker-supplied data into the Thunderbird LDAP client until it crashes due to memory exhaustion. This vulnerability was fixed in Thunderbird 152.0.1 and Thunderbird 140.12.1.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00142,"ranking_epss":0.039,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://bugzilla.mozilla.org/show_bug.cgi?id=2042872","https://www.mozilla.org/security/advisories/mfsa2026-63/","https://www.mozilla.org/security/advisories/mfsa2026-64/"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T02:17:00","euvd":{"id":"EUVD-2026-40861","description":"A malicious LDAP server, which a Thunderbird user is configured to query for address-book autocomplete, can stash arbitrarily large amounts of attacker-supplied data into the Thunderbird LDAP client until it crashes due to memory exhaustion. This vulnerability was fixed in Thunderbird 152.0.1 and Thunderbird 140.12.1.","published_time":"2026-07-01T00:58:32","cvss":5.3,"cvss_version":"3.1","epss":0.0,"assigner":"mozilla","references":["https://bugzilla.mozilla.org/show_bug.cgi?id=2042872","https://www.mozilla.org/security/advisories/mfsa2026-63/","https://www.mozilla.org/security/advisories/mfsa2026-64/"],"products":[],"vendors":[]}},{"cve_id":"CVE-2026-57963","summary":"An attacker who can send HTML chat messages (via Matrix or XMPP) can inject arbitrary styled content, phishing links, and CSS that manipulates the chat UI. This vulnerability was fixed in Thunderbird 152.0.1 and Thunderbird 140.12.1.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00142,"ranking_epss":0.03901,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://bugzilla.mozilla.org/show_bug.cgi?id=2042910","https://www.mozilla.org/security/advisories/mfsa2026-63/","https://www.mozilla.org/security/advisories/mfsa2026-64/"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T02:17:00","euvd":{"id":"EUVD-2026-40862","description":"An attacker who can send HTML chat messages (via Matrix or XMPP) can inject arbitrary styled content, phishing links, and CSS that manipulates the chat UI. This vulnerability was fixed in Thunderbird 152.0.1 and Thunderbird 140.12.1.","published_time":"2026-07-01T00:58:33","cvss":6.5,"cvss_version":"3.1","epss":0.0,"assigner":"mozilla","references":["https://bugzilla.mozilla.org/show_bug.cgi?id=2042910","https://www.mozilla.org/security/advisories/mfsa2026-63/","https://www.mozilla.org/security/advisories/mfsa2026-64/"],"products":[],"vendors":[]}},{"cve_id":"CVE-2026-54898","summary":"Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. In versions prior to 3.17.2,Oj::Parser#parse is vulnerable to a heap use-after-free when a SAJ/SAJ2 callback mutates the input JSON string during parsing. The C engine holds a raw const byte * pointer into the Ruby string's internal buffer. If a callback (e.g. hash_start) resizes the string — for example by calling String#replace with a longer value — Ruby reallocates the string buffer and frees the old one. The C parser's pointer is left dangling; the next character read at parser.c:607 is a use-after-free. This issue has been fixed in version 3.17.2.","cvss":2.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":2.1,"epss":0.00117,"ranking_epss":0.01947,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/ohler55/oj/security/advisories/GHSA-q2gm-54r6-8fwm","https://github.com/ohler55/oj/security/advisories/GHSA-q2gm-54r6-8fwm"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T00:16:33","euvd":{"id":"EUVD-2026-40854","description":"Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. In versions prior to 3.17.2,Oj::Parser#parse is vulnerable to a heap use-after-free when a SAJ/SAJ2 callback mutates the input JSON string during parsing. The C engine holds a raw const byte * pointer into the Ruby string's internal buffer. If a callback (e.g. hash_start) resizes the string — for example by calling String#replace with a longer value — Ruby reallocates the string buffer and frees the old one. The C parser's pointer is left dangling; the next character read at parser.c:607 is a use-after-free. This issue has been fixed in version 3.17.2.","published_time":"2026-06-30T23:24:23","cvss":2.1,"cvss_version":"4.0","epss":0.0,"assigner":"GitHub_M","references":["https://github.com/ohler55/oj/security/advisories/GHSA-q2gm-54r6-8fwm"],"products":["oj"],"vendors":["ohler55"]}},{"cve_id":"CVE-2026-54899","summary":"Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. Prior to version 3.17.2, disabling symbol_keys on a reused Oj::Parser instance triggers a heap use-after-free. When symbol_keys is toggled from true to false, opt_symbol_keys_set frees the internal key cache (cache_free) but does not clear the pointer. The next parse call reads from the freed cache via cache_intern, producing a use-after-free. This issue has been fixed in version 3.17.2.","cvss":6.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":6.3,"epss":0.00428,"ranking_epss":0.34362,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/ohler55/oj/security/advisories/GHSA-2cw7-v8ff-p88r","https://github.com/ohler55/oj/security/advisories/GHSA-2cw7-v8ff-p88r"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T00:16:33","euvd":{"id":"EUVD-2026-40848","description":"Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. Prior to version 3.17.2, disabling symbol_keys on a reused Oj::Parser instance triggers a heap use-after-free. When symbol_keys is toggled from true to false, opt_symbol_keys_set frees the internal key cache (cache_free) but does not clear the pointer. The next parse call reads from the freed cache via cache_intern, producing a use-after-free. This issue has been fixed in version 3.17.2.","published_time":"2026-06-30T23:03:15","cvss":6.3,"cvss_version":"4.0","epss":0.0,"assigner":"GitHub_M","references":["https://github.com/ohler55/oj/security/advisories/GHSA-2cw7-v8ff-p88r"],"products":["oj"],"vendors":["ohler55"]}},{"cve_id":"CVE-2026-54900","summary":"Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. In versions prior to 3.17.2, when in usual mode with create_id enabled, Oj::Parser#parse is vulnerable to heap corruption via a negative-size memcpy. When a JSON object key is exactly 65,535 bytes long, an integer truncation in form_attr (usual.c:63) converts the length to -1 before passing it to memcpy. This causes memcpy to copy SIZE_MAX bytes (interpreted as a huge size_t), corrupting heap memory and crashing the process. The issue has been fixed in version 3.17.2.","cvss":6.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":6.3,"epss":0.00253,"ranking_epss":0.16569,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/ohler55/oj/security/advisories/GHSA-9cv6-qcjw-4grx","https://github.com/ohler55/oj/security/advisories/GHSA-9cv6-qcjw-4grx"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T00:16:33","euvd":null},{"cve_id":"CVE-2026-54901","summary":"Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. In versions prior to 3.17.2, Oj::Parser in usual mode does not mark array_class and hash_class references during garbage collection, leading to Use-After-Free. If GC runs after the class is assigned but before a parse, the class object is reclaimed, leaving the parser holding a dangling VALUE. The subsequent parse call dereferences the freed object, producing a segfault. This issue has been fixed in version 3.17.2.","cvss":6.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":6.3,"epss":0.00253,"ranking_epss":0.16568,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/ohler55/oj/security/advisories/GHSA-vwm4-62gf-x745","https://github.com/ohler55/oj/security/advisories/GHSA-vwm4-62gf-x745"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T00:16:33","euvd":{"id":"EUVD-2026-40856","description":"Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. In versions prior to 3.17.2, Oj::Parser in usual mode does not mark array_class and hash_class references during garbage collection, leading to Use-After-Free. If GC runs after the class is assigned but before a parse, the class object is reclaimed, leaving the parser holding a dangling VALUE. The subsequent parse call dereferences the freed object, producing a segfault. This issue has been fixed in version 3.17.2.","published_time":"2026-06-30T23:36:38","cvss":6.3,"cvss_version":"4.0","epss":0.0,"assigner":"GitHub_M","references":["https://github.com/ohler55/oj/security/advisories/GHSA-vwm4-62gf-x745"],"products":["oj"],"vendors":["ohler55"]}},{"cve_id":"CVE-2026-54902","summary":"Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. Prior to version 3.17.2, is vulnerable to Use-After-Free when in SAJ mode. The Oj::Parser does not protect cached object keys (≥ 35 bytes) from garbage collection, and a Ruby callback that triggers GC inside hash_end can cause the key string to be reclaimed while the C parser still holds a pointer to it. The subsequent access to the freed string VALUE results in a segfault, confirmed by an RIP pointing to address 0x4242 (a canary-style pattern suggesting control over the freed memory's content). This issue has been fixed in version 3.17.2.","cvss":6.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":6.3,"epss":0.00253,"ranking_epss":0.16568,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/ohler55/oj/security/advisories/GHSA-m578-w5vf-rfcm","https://github.com/ohler55/oj/security/advisories/GHSA-m578-w5vf-rfcm"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T00:16:33","euvd":{"id":"EUVD-2026-40857","description":"Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. Prior to version 3.17.2, is vulnerable to Use-After-Free when in SAJ mode. The Oj::Parser does not protect cached object keys (≥ 35 bytes) from garbage collection, and a Ruby callback that triggers GC inside hash_end can cause the key string to be reclaimed while the C parser still holds a pointer to it. The subsequent access to the freed string VALUE results in a segfault, confirmed by an RIP pointing to address 0x4242 (a canary-style pattern suggesting control over the freed memory's content). This issue has been fixed in version 3.17.2.","published_time":"2026-06-30T23:40:32","cvss":6.3,"cvss_version":"4.0","epss":0.0,"assigner":"GitHub_M","references":["https://github.com/ohler55/oj/security/advisories/GHSA-m578-w5vf-rfcm"],"products":["oj"],"vendors":["ohler55"]}},{"cve_id":"CVE-2026-54903","summary":"Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. In versions prior to 3.17.2, Oj.load is vulnerable to heap corruption when parsing a JSON string longer than 2 GB. An integer overflow in buf_append_string (buf.h:61) converts the string length to a large negative size_t, causing memcpy to copy an astronomically large amount of data out of bounds. This crashes the process and can corrupt adjacent heap memory. The issue has been fixed in version 3.17.2.","cvss":6.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":6.3,"epss":0.00253,"ranking_epss":0.16569,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/ohler55/oj/security/advisories/GHSA-475m-ph3x-64gp","https://github.com/ohler55/oj/security/advisories/GHSA-475m-ph3x-64gp"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T00:16:33","euvd":{"id":"EUVD-2026-40858","description":"Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. In versions prior to 3.17.2, Oj.load is vulnerable to heap corruption when parsing a JSON string longer than 2 GB. An integer overflow in buf_append_string (buf.h:61) converts the string length to a large negative size_t, causing memcpy to copy an astronomically large amount of data out of bounds. This crashes the process and can corrupt adjacent heap memory. The issue has been fixed in version 3.17.2.","published_time":"2026-06-30T23:42:06","cvss":6.3,"cvss_version":"4.0","epss":0.0,"assigner":"GitHub_M","references":["https://github.com/ohler55/oj/security/advisories/GHSA-475m-ph3x-64gp"],"products":["oj"],"vendors":["ohler55"]}},{"cve_id":"CVE-2026-54500","summary":"Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. In versions prior to 3.17.3, Oj.load in :object mode reads uninitialized stack memory (and, for long keys, reads out of bounds) when parsing a JSON object whose key is 254 bytes or longer. The interned bytes can surface to the caller, disclosing process stack memory. In ext/oj/intern.c, form_attr() handles the long-key path by allocating a heap buffer, `b`, populating it with the attribute name, and then freeing it — but it passed the uninitialized stack buffer buf (not b) to rb_intern3(). rb_intern3 therefore reads len + 1 bytes of uninitialized stack memory. When the key length is >= 256, it also reads out of bounds past the 256-byte buf. The resulting bytes are interned and can reach the caller via the produced Symbol or via the EncodingError message raised on invalid UTF-8, leaking process stack contents. This issue has been fixed in version 3.17.3.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00197,"ranking_epss":0.09713,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/ohler55/oj/security/advisories/GHSA-fm7p-mprw-wjm9"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T00:16:32","euvd":{"id":"EUVD-2026-40849","description":"Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. In versions prior to 3.17.3, Oj.load in :object mode reads uninitialized stack memory (and, for long keys, reads out of bounds) when parsing a JSON object whose key is 254 bytes or longer. The interned bytes can surface to the caller, disclosing process stack memory. In ext/oj/intern.c, form_attr() handles the long-key path by allocating a heap buffer, `b`, populating it with the attribute name, and then freeing it — but it passed the uninitialized stack buffer buf (not b) to rb_intern3(). rb_intern3 therefore reads len + 1 bytes of uninitialized stack memory. When the key length is >= 256, it also reads out of bounds past the 256-byte buf. The resulting bytes are interned and can reach the caller via the produced Symbol or via the EncodingError message raised on invalid UTF-8, leaking process stack contents. This issue has been fixed in version 3.17.3.","published_time":"2026-06-30T23:08:28","cvss":5.3,"cvss_version":"3.1","epss":0.0,"assigner":"GitHub_M","references":["https://github.com/ohler55/oj/security/advisories/GHSA-fm7p-mprw-wjm9"],"products":["oj"],"vendors":["ohler55"]}},{"cve_id":"CVE-2026-54502","summary":"Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. In versions prior to 3.17.2, Oj.dump is vulnerable to a stack-based buffer overflow when a large :indent value is provided by the developer. fill_indent in dump.h calls memset(indent_str, ' ', (size_t)opts->indent) without validating the size. When opts->indent is set to INT_MAX (2,147,483,647), the (size_t) cast preserves the large value and memset writes 2 GB into the stack-allocated out buffer (4,184 bytes), corrupting the stack and crashing the process. This issue has been fixed in version 3.17.2.","cvss":6.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":6.3,"epss":0.00257,"ranking_epss":0.17017,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/ohler55/oj/security/advisories/GHSA-3v45-f3vh-wg7m","https://github.com/ohler55/oj/security/advisories/GHSA-3v45-f3vh-wg7m"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T00:16:32","euvd":null},{"cve_id":"CVE-2026-54592","summary":"Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. In versions prior to 3.17.3, Oj::Doc#each_child, when invoked recursively over a deeply nested JSON document, overflows a fixed-size stack buffer and aborts the process, leading to DoS.  In a two-step chain in ext/oj/fast.c, doc_each_child increments doc->where past the where_path[MAX_STACK = 100] array with no bounds check and never restores it (the doc->where-- is missing), so calling each_child recursively from inside the yield block drives doc->where beyond the array. On the next entry  the function copies the path into the 800-byte stack-local buffer save_path[MAX_STACK]  using wlen = doc->where - doc->where_path, so when the previous recursive call left doc->where past where_path[100] the wlen exceeds MAX_STACK and  the memcpy overflows save_path on the C stack; because the Oj::Doc parser imposes no JSON nesting-depth limit (relying on a C-stack pressure check), deeply nested attacker input reaches this path. This issue has been fixed in version 3.17.3.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00263,"ranking_epss":0.17665,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/ohler55/oj/security/advisories/GHSA-3m6q-jj5j-38c9","https://github.com/ohler55/oj/security/advisories/GHSA-3m6q-jj5j-38c9"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T00:16:32","euvd":{"id":"EUVD-2026-40851","description":"Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. In versions prior to 3.17.3, Oj::Doc#each_child, when invoked recursively over a deeply nested JSON document, overflows a fixed-size stack buffer and aborts the process, leading to DoS.  In a two-step chain in ext/oj/fast.c, doc_each_child increments doc->where past the where_path[MAX_STACK = 100] array with no bounds check and never restores it (the doc->where-- is missing), so calling each_child recursively from inside the yield block drives doc->where beyond the array. On the next entry  the function copies the path into the 800-byte stack-local buffer save_path[MAX_STACK]  using wlen = doc->where - doc->where_path, so when the previous recursive call left doc->where past where_path[100] the wlen exceeds MAX_STACK and  the memcpy overflows save_path on the C stack; because the Oj::Doc parser imposes no JSON nesting-depth limit (relying on a C-stack pressure check), deeply nested attacker input reaches this path. This issue has been fixed in version 3.17.3.","published_time":"2026-06-30T23:16:24","cvss":7.5,"cvss_version":"3.1","epss":0.0,"assigner":"GitHub_M","references":["https://github.com/ohler55/oj/security/advisories/GHSA-3m6q-jj5j-38c9"],"products":["oj"],"vendors":["ohler55"]}},{"cve_id":"CVE-2026-54896","summary":"Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. In versions prior to 3.17.2, when in object mode, Oj.dump is vulnerable to a heap buffer overflow when serializing Exception objects with a large :indent value. The serializer allocates a buffer sized for the object's attributes but does not account for the indent bytes added on each write. With indent: 5000, the accumulation of 5,000-byte indent strings overflows the 13,150-byte heap allocation, corrupting adjacent heap memory. This issue has been fixed in version 3.17.2.","cvss":2.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":2.1,"epss":0.00119,"ranking_epss":0.02053,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/ohler55/oj/security/advisories/GHSA-35w3-pjm6-wj95","https://github.com/ohler55/oj/security/advisories/GHSA-35w3-pjm6-wj95"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T00:16:32","euvd":{"id":"EUVD-2026-40852","description":"Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. In versions prior to 3.17.2, when in object mode, Oj.dump is vulnerable to a heap buffer overflow when serializing Exception objects with a large :indent value. The serializer allocates a buffer sized for the object's attributes but does not account for the indent bytes added on each write. With indent: 5000, the accumulation of 5,000-byte indent strings overflows the 13,150-byte heap allocation, corrupting adjacent heap memory. This issue has been fixed in version 3.17.2.","published_time":"2026-06-30T23:20:27","cvss":2.1,"cvss_version":"4.0","epss":0.0,"assigner":"GitHub_M","references":["https://github.com/ohler55/oj/security/advisories/GHSA-35w3-pjm6-wj95"],"products":["oj"],"vendors":["ohler55"]}},{"cve_id":"CVE-2026-54897","summary":"Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. Prior to 3.17.2, Oj::Doc iterators (each_value, each_child, each_leaf) were vulnerable to a heap use-after-free. When a Ruby block yielded during iteration calls doc.close or d.close, the document's heap memory is freed while the C iterator is still running. When control returns from the block, the iterator reads from the freed region, producing a use-after-free accessible from pure Ruby. This issue has been fixed in version 3.17.2.","cvss":2.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":2.1,"epss":0.00117,"ranking_epss":0.01947,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/ohler55/oj/security/advisories/GHSA-9ppp-w3g4-fh4q","https://github.com/ohler55/oj/security/advisories/GHSA-9ppp-w3g4-fh4q"],"vendor":null,"product":null,"version":null,"published_time":"2026-07-01T00:16:32","euvd":{"id":"EUVD-2026-40853","description":"Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. Prior to 3.17.2, Oj::Doc iterators (each_value, each_child, each_leaf) were vulnerable to a heap use-after-free. When a Ruby block yielded during iteration calls doc.close or d.close, the document's heap memory is freed while the C iterator is still running. When control returns from the block, the iterator reads from the freed region, producing a use-after-free accessible from pure Ruby. This issue has been fixed in version 3.17.2.","published_time":"2026-06-30T23:22:43","cvss":2.1,"cvss_version":"4.0","epss":0.0,"assigner":"GitHub_M","references":["https://github.com/ohler55/oj/security/advisories/GHSA-9ppp-w3g4-fh4q"],"products":["oj"],"vendors":["ohler55"]}},{"cve_id":"CVE-2026-56413","summary":"Storage Concentrator (SC & SCVM) contains a command injection vulnerability in the ms_service.pl service, which listens on TCP port 9000 by default and accepts custom network packets to perform device actions. An unauthenticated remote attacker can send a specially crafted packet containing a malicious payload that is processed without adequate sanitization, resulting in arbitrary command execution with root-level privileges.","cvss":10.0,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":10.0,"cvss_v4":10.0,"epss":0.03081,"ranking_epss":0.86068,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-181-06.json","https://stonefly.com/contact-us/","https://www.cisa.gov/news-events/ics-advisories/icsa-26-181-06"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:32","euvd":{"id":"EUVD-2026-40845","description":"Storage Concentrator (SC & SCVM) contains a command injection vulnerability in the ms_service.pl service, which listens on TCP port 9000 by default and accepts custom network packets to perform device actions. An unauthenticated remote attacker can send a specially crafted packet containing a malicious payload that is processed without adequate sanitization, resulting in arbitrary command execution with root-level privileges.","published_time":"2026-06-30T22:50:58","cvss":10.0,"cvss_version":"4.0","epss":0.0,"assigner":"icscert","references":["https://www.cisa.gov/news-events/ics-advisories/icsa-26-181-06","https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-181-06.json","https://stonefly.com/contact-us/"],"products":["Storage Concentrator Virtual Machine","Storage Concentrator"],"vendors":["StoneFly"]}},{"cve_id":"CVE-2026-56415","summary":"Storage Concentrator (SC & SCVM) contains a command injection vulnerability within the debug.pl script that is reachable without authentication. A remote attacker can submit a specially crafted HTTP request containing a malicious payload that is processed without adequate input sanitization, resulting in arbitrary command execution with root-level privileges on the underlying system.","cvss":10.0,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":10.0,"cvss_v4":10.0,"epss":0.03074,"ranking_epss":0.8604,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-181-06.json","https://stonefly.com/contact-us/","https://www.cisa.gov/news-events/ics-advisories/icsa-26-181-06"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:32","euvd":{"id":"EUVD-2026-40844","description":"Storage Concentrator (SC & SCVM) contains a command injection vulnerability within the debug.pl script that is reachable without authentication. A remote attacker can submit a specially crafted HTTP request containing a malicious payload that is processed without adequate input sanitization, resulting in arbitrary command execution with root-level privileges on the underlying system.","published_time":"2026-06-30T22:40:55","cvss":10.0,"cvss_version":"4.0","epss":0.0,"assigner":"icscert","references":["https://www.cisa.gov/news-events/ics-advisories/icsa-26-181-06","https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-181-06.json","https://stonefly.com/contact-us/"],"products":["Storage Concentrator","Storage Concentrator Virtual Machine"],"vendors":["StoneFly"]}},{"cve_id":"CVE-2026-56700","summary":"Grav CMS before 2.0.0-beta.2 contains multiple code-execution vulnerabilities. Three unsafe unserialize() calls - in Scheduler\\JobQueue, Framework\\Cache\\Adapter\\FileCache, and Session - deserialize untrusted data without restricting allowed classes, enabling PHP object injection and, via a gadget chain, arbitrary code execution where an attacker controls the serialized input. Additionally, InstallCommand's git clone operation passes the branch, url, and path parameters into a shell command without escaping, allowing OS command injection via plugin/theme installation (which requires admin access). A Twig security blocklist bypass (server-side template injection) is also present. The issues are fixed in 2.0.0-beta.2.","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":9.3,"epss":0.01683,"ranking_epss":0.74146,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/getgrav/grav/security/advisories/GHSA-vj3m-2g9h-vm4p","https://www.vulncheck.com/advisories/grav-multiple-remote-code-execution-vulnerabilities-via-unsafe-unserialize-and-command-injection"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:32","euvd":null},{"cve_id":"CVE-2026-56777","summary":"n8n before 2.25.7 and 2.26.x before 2.26.2 contains an abstract syntax tree (AST) security validator bypass in the Python Code node. An authenticated user with permission to create or modify workflows containing a Python Code node can bypass the validator and access the task executor module namespace. The issue only affects self-hosted instances where the Python Task Runner is enabled; where N8N_BLOCK_RUNNER_ENV_ACCESS is configured to allow it, this can disclose environment variables accessible to the task runner process.","cvss":5.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":5.0,"cvss_v4":5.3,"epss":0.00253,"ranking_epss":0.16572,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/n8n-io/n8n/security/advisories/GHSA-jwm3-qcfw-c5pp","https://www.vulncheck.com/advisories/n8n-ast-validator-bypass-in-python-code-node"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:32","euvd":null},{"cve_id":"CVE-2026-57995","summary":"phpMyFAQ before 4.1.5 contains a privilege escalation vulnerability in GroupController::updatePermissions that allows GROUP_EDIT administrators to grant arbitrary rights to groups without verifying they hold those rights themselves. A delegated administrator can exploit this by assigning high-value permissions to a group they belong to, inheriting those rights and escalating privileges up to full administrative control.","cvss":8.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":8.7,"epss":0.00325,"ranking_epss":0.24372,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-pg62-f8g4-4wqh","https://www.vulncheck.com/advisories/phpmyfaq-privilege-escalation-via-missing-self-rights-constraint-in-groupcontroller-updatepermissions","https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-pg62-f8g4-4wqh"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:32","euvd":null},{"cve_id":"CVE-2026-56361","summary":"ImageMagick before 7.1.2-19 contains an off-by-one error in morphology validation allowing out-of-bounds heap buffer reads. Attackers can trigger heap buffer overflow by providing incorrect morphology parameters causing single pixel memory access violations.","cvss":4.8,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":3.3,"cvss_v4":4.8,"epss":0.00122,"ranking_epss":0.02346,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-q8h3-jv9v-57qx","https://www.vulncheck.com/advisories/imagemagick-heap-buffer-overflow-via-off-by-one-in-morphology-processing"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:31","euvd":null},{"cve_id":"CVE-2026-56363","summary":"ImageMagick before 7.1.2-22 contains a division by zero vulnerability in binomial kernel processing that allows attackers to cause denial of service. An attacker can supply a large binomial kernel value causing integer overflow, resulting in division by zero and application crash.","cvss":4.8,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":3.3,"cvss_v4":4.8,"epss":0.00111,"ranking_epss":0.01574,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-vf33-6r7x-66xx","https://www.vulncheck.com/advisories/imagemagick-division-by-zero-in-binomial-kernel-processing"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:31","euvd":null},{"cve_id":"CVE-2026-56364","summary":"ImageMagick before 7.1.2-13 contains a memory leak vulnerability in LoadOpenCLDeviceBenchmark() function when parsing malformed OpenCL device profile XML files with unclosed device elements. Attackers with write access to the OpenCL cache directory can place malicious XML files to exhaust memory and cause denial of service.","cvss":1.8,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":1.9,"cvss_v4":1.8,"epss":0.00119,"ranking_epss":0.02044,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/ImageMagick/ImageMagick/commit/a52c1b402be08ef8ae193f28ac5b2e120f2fa26f","https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qp59-x883-77qv","https://www.vulncheck.com/advisories/imagemagick-memory-leak-in-loadopencldevicebenchmark-via-malformed-xml","https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qp59-x883-77qv"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:31","euvd":null},{"cve_id":"CVE-2026-56365","summary":"ImageMagick before 7.1.2-19 contains a memory leak vulnerability in the PNG encoder when writing MNG images. Attackers can trigger the encoder failure condition to exhaust memory resources and cause denial of service.","cvss":6.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":3.7,"cvss_v4":6.3,"epss":0.00273,"ranking_epss":0.19104,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-x928-4434-crqj","https://www.vulncheck.com/advisories/imagemagick-memory-leak-in-png-encoder-via-mng-image-writing"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:31","euvd":null},{"cve_id":"CVE-2026-56369","summary":"ImageMagick before 7.1.2-22 contains an information disclosure vulnerability in the PasskeyEncipherImage method due to AES-CTR nonce reuse. Attackers can exploit nonce reuse in the cipher implementation to recover plaintext information from encrypted images.","cvss":6.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":3.7,"cvss_v4":6.3,"epss":0.00229,"ranking_epss":0.1371,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qv2q-c278-pch5","https://www.vulncheck.com/advisories/imagemagick-information-disclosure-via-aes-ctr-nonce-reuse-in-passkeyencipherimage"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:31","euvd":null},{"cve_id":"CVE-2026-56377","summary":"ImageMagick before 7.1.2-24 contains an incorrect policy check that allows attackers to create or truncate files disallowed by security policies. Remote attackers can bypass path policy restrictions in sandboxed conversion services to write arbitrary files outside intended boundaries.","cvss":4.8,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":3.3,"cvss_v4":4.8,"epss":0.00175,"ranking_epss":0.07257,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-gm48-c7f2-v67p","https://www.vulncheck.com/advisories/imagemagick-policy-bypass-via-incorrect-path-validation"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:31","euvd":null},{"cve_id":"CVE-2026-56399","summary":"Open WebUI before 0.6.27 contains a server-side request forgery vulnerability in the /api/v1/retrieval/process/web endpoint that allows authenticated users to bypass SSRF protections. Attackers can manipulate URL parameters with location redirect headers to access internal services and potentially execute commands via instance secrets.","cvss":5.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":5.0,"cvss_v4":5.3,"epss":0.0032,"ranking_epss":0.2387,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/open-webui/open-webui/commit/02238d3113e966c353fce18f1b65117380896774","https://github.com/open-webui/open-webui/security/advisories/GHSA-82r6-c5jm-f3mw","https://www.vulncheck.com/advisories/open-webui-server-side-request-forgery-via-location-redirect-in-api-v1-retrieval-process-web","https://github.com/open-webui/open-webui/security/advisories/GHSA-82r6-c5jm-f3mw"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:31","euvd":null},{"cve_id":"CVE-2026-56320","summary":"Capgo before 12.128.2 contains an authorization flaw in POST /private/create_device that accepts a caller-supplied org_id parameter without validating it matches the target app's owner organization. Authenticated attackers can create device records for an application using a foreign organization identifier, bypassing the intended org/app authorization boundary.","cvss":7.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":7.1,"epss":0.00222,"ranking_epss":0.12734,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Cap-go/capgo/security/advisories/GHSA-mhrc-qhq8-872f","https://www.vulncheck.com/advisories/capgo-org-app-scope-mismatch-in-device-creation-endpoint","https://github.com/Cap-go/capgo/security/advisories/GHSA-mhrc-qhq8-872f"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:30","euvd":null},{"cve_id":"CVE-2026-56327","summary":"Capgo before 12.128.2 contains an information disclosure vulnerability in the public.invite_user_to_org RPC function that allows unauthenticated attackers to enumerate organization existence by observing distinct error responses. Attackers can call the SECURITY DEFINER function with a publishable API key to determine if an organization ID exists based on NO_ORG versus NO_RIGHTS responses, enabling tenant enumeration attacks.","cvss":6.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":6.9,"epss":0.00261,"ranking_epss":0.17458,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Cap-go/capgo/security/advisories/GHSA-35q8-ghfg-vp6m","https://www.vulncheck.com/advisories/capgo-unauthenticated-organization-existence-oracle-via-public-invite-user-to-org-rpc","https://github.com/Cap-go/capgo/security/advisories/GHSA-35q8-ghfg-vp6m"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:30","euvd":null},{"cve_id":"CVE-2026-56328","summary":"Capgo before 12.128.2 allows multiple public channels for the same app and platform to coexist simultaneously, while unnamed /updates requests without defaultChannel implicitly resolve to a single hidden winner channel. An authorized app or channel manager can create ambiguous default update state and silently influence which bundle unnamed clients receive, breaking release routing integrity and predictability.","cvss":7.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":7.1,"epss":0.00247,"ranking_epss":0.15946,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Cap-go/capgo/security/advisories/GHSA-3cmp-pm5x-8464","https://www.vulncheck.com/advisories/capgo-integrity-issue-in-release-routing-via-multiple-public-channels","https://github.com/Cap-go/capgo/security/advisories/GHSA-3cmp-pm5x-8464"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:30","euvd":null},{"cve_id":"CVE-2026-56331","summary":"Capgo before 12.128.2 contains improper error handling in the /private/accept_invitation endpoint that returns HTTP 500 instead of safe 4xx errors when magic_invite_string is invalid. Attackers can trigger this vulnerability using only the public key by submitting malformed magic_invite_string values to cause server errors and leak internal processing details.","cvss":6.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":6.9,"epss":0.0025,"ranking_epss":0.16228,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Cap-go/capgo/security/advisories/GHSA-34p8-fh3m-376x","https://www.vulncheck.com/advisories/capgo-improper-error-handling-in-accept-invitation-endpoint-via-invalid-magic-string","https://github.com/Cap-go/capgo/security/advisories/GHSA-34p8-fh3m-376x"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:30","euvd":null},{"cve_id":"CVE-2026-56333","summary":"Capgo before 12.128.2 contains a server-side validation bypass vulnerability in organization security settings that allows authenticated org admins to persist invalid security policy state. Attackers can bypass backend validation by directly updating the public.orgs table from the browser, circumventing field-level validation checks for max_apikey_expiration_days and other security-sensitive configuration parameters.","cvss":5.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":5.3,"epss":0.00234,"ranking_epss":0.14293,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Cap-go/capgo/security/advisories/GHSA-964v-j58v-2q3h","https://www.vulncheck.com/advisories/capgo-server-side-validation-bypass-via-direct-browser-side-organization-security-settings-updates","https://github.com/Cap-go/capgo/security/advisories/GHSA-964v-j58v-2q3h"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:30","euvd":null},{"cve_id":"CVE-2026-56334","summary":"Capgo before 12.128.2 lacks an UPDATE row-level security policy for the build_requests table, preventing API-key and anonymous access from persisting builder status updates. Attackers can exploit this missing policy to cause build status and error details to remain unpersisted, leaving build_requests rows stuck in pending state with null last_error values.","cvss":5.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":5.3,"epss":0.00192,"ranking_epss":0.09121,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Cap-go/capgo/security/advisories/GHSA-gc46-h5j6-qp6q","https://www.vulncheck.com/advisories/capgo-missing-update-rls-policy-for-build-status-persistence","https://github.com/Cap-go/capgo/security/advisories/GHSA-gc46-h5j6-qp6q"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:30","euvd":null},{"cve_id":"CVE-2026-56350","summary":"n8n before 2.8.0 contains an authentication bypass vulnerability allowing authenticated SSO users to disable SSO enforcement through the API. Attackers can create local password credentials to authenticate directly, bypassing organizational SSO policies and identity-provider-enforced multi-factor authentication.","cvss":6.0,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":6.3,"cvss_v4":6.0,"epss":0.00276,"ranking_epss":0.19367,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/n8n-io/n8n/security/advisories/GHSA-vjf3-2gpj-233v","https://www.vulncheck.com/advisories/n8n-sso-enforcement-bypass-via-api"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:30","euvd":null},{"cve_id":"CVE-2026-56356","summary":"n8n contains a stored cross-site scripting vulnerability in the Chat Trigger node's Custom CSS field due to a misconfiguration of the sanitize-html library. Affected releases are those before 1.123.27, the 2.0.0 through 2.13.2 line, and 2.14.0 (fixed in 1.123.27, 2.13.3, and 2.14.1). An authenticated user with permission to create or modify workflows can inject JavaScript that bypasses sanitization, resulting in stored XSS against any user who visits the public chat page.","cvss":5.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":5.4,"cvss_v4":5.1,"epss":0.00182,"ranking_epss":0.0803,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/n8n-io/n8n/security/advisories/GHSA-3c7f-5hgj-h279","https://www.vulncheck.com/advisories/n8n-stored-cross-site-scripting-in-chat-trigger-node-custom-css-field"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:30","euvd":null},{"cve_id":"CVE-2026-56247","summary":"Capgo before 12.128.2 allows org admins to assign org-scoped RBAC roles at app scope without validating role scope compatibility, including to pending invitees. Attackers can pre-seed malformed high-privilege bindings that survive invite acceptance, enabling accepted low-privilege users to perform unauthorized privileged app actions.","cvss":8.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":8.7,"epss":0.00303,"ranking_epss":0.22033,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Cap-go/capgo/security/advisories/GHSA-55q2-p3m2-x66x","https://www.vulncheck.com/advisories/capgo-privilege-escalation-via-cross-scope-rbac-role-assignment","https://github.com/Cap-go/capgo/security/advisories/GHSA-55q2-p3m2-x66x"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:29","euvd":null},{"cve_id":"CVE-2026-56249","summary":"Capgo before 12.128.2 contains an authorization bypass vulnerability in the channel creation endpoint that allows authenticated users to overwrite existing channels by reusing their names. Attackers with app.create_channel permission can exploit a logic mismatch between existence validation and upsert operations to reassign channel ownership and modify critical production channel configurations.","cvss":7.2,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.6,"cvss_v4":7.2,"epss":0.00257,"ranking_epss":0.17068,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Cap-go/capgo/security/advisories/GHSA-vj24-j594-3wv3","https://www.vulncheck.com/advisories/capgo-unauthorized-channel-overwrite-and-ownership-takeover-via-post-channel-name-collision","https://github.com/Cap-go/capgo/security/advisories/GHSA-vj24-j594-3wv3"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:29","euvd":null},{"cve_id":"CVE-2026-56264","summary":"Crawl4AI before 0.8.7 contains an arbitrary JavaScript execution vulnerability in the Docker API server's /execute_js endpoint, which accepts and executes arbitrary user-supplied JavaScript in the server's browser context with --disable-web-security enabled. An attacker can execute arbitrary JavaScript and, combined with the browser's relaxed security settings, perform server-side request forgery against internal services.","cvss":9.2,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":9.2,"epss":0.00521,"ranking_epss":0.4037,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/unclecode/crawl4ai","https://github.com/unclecode/crawl4ai/security/advisories/GHSA-365w-hqf6-vxfg","https://www.vulncheck.com/advisories/crawl4ai-arbitrary-javascript-execution-via-execute-js-endpoint"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:29","euvd":null},{"cve_id":"CVE-2026-56277","summary":"Flowise before 3.1.2 sets Access-Control-Allow-Origin to a hardcoded wildcard (*) on its text-to-speech (TTS) generation endpoint (packages/server/src/controllers/text-to-speech/index.ts), independent of the server's configured CORS policy. This bypasses the server's otherwise restrictive default CORS configuration (getCorsOptions()) and allows any webpage to make cross-origin requests that trigger TTS generation using stored credentials, enabling drive-by cross-origin credential abuse.","cvss":6.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":6.9,"epss":0.00182,"ranking_epss":0.0798,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-m837-xvxr-vqwg","https://www.vulncheck.com/advisories/flowise-hardcoded-cors-wildcard-in-tts-endpoint"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:29","euvd":null},{"cve_id":"CVE-2026-56278","summary":"Flowise before 3.1.0 (affected versions 3.0.13 and earlier) uses a weak hardcoded default secret ('flowise') for the express-session middleware when the EXPRESS_SESSION_SECRET environment variable is not set (packages/server/src/enterprise/middleware/passport/index.ts). Because this default secret is publicly visible in the source code, an attacker can forge valid signed session cookies to impersonate any user and bypass authentication.","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":9.1,"cvss_v4":9.3,"epss":0.00379,"ranking_epss":0.29802,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-2qqc-p94c-hxwh","https://www.vulncheck.com/advisories/flowise-session-hijacking-via-weak-default-express-session-secret"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:29","euvd":null},{"cve_id":"CVE-2026-56286","summary":"Capgo before 12.128.2 contains an authentication bypass vulnerability in the account deletion endpoint that allows deletion without password re-authentication or secondary verification. Attackers can delete user accounts via session hijacking, CSRF attacks, or parameter tampering, resulting in unauthorized account deletion, data loss, and denial-of-service.","cvss":7.0,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":7.0,"epss":0.00353,"ranking_epss":0.27334,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Cap-go/capgo/security/advisories/GHSA-cjvr-jxp5-4p9x","https://www.vulncheck.com/advisories/capgo-account-deletion-without-password-confirmation","https://github.com/Cap-go/capgo/security/advisories/GHSA-cjvr-jxp5-4p9x"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:29","euvd":null},{"cve_id":"CVE-2026-56300","summary":"Capgo before 12.128.2 contains unauthenticated security definer RPC functions get_user_id and get_org_perm_for_apikey that expose API key validity oracles and user UUID disclosure. Unauthenticated attackers using the public API key can validate leaked keys, enumerate users and apps, and determine permission levels, significantly increasing the actionability of compromised credentials.","cvss":8.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":8.7,"epss":0.00349,"ranking_epss":0.26862,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Cap-go/capgo/security/advisories/GHSA-7r6g-whg3-5mm4","https://www.vulncheck.com/advisories/capgo-unauthenticated-api-key-validity-and-permission-oracle-via-rpc-functions","https://github.com/Cap-go/capgo/security/advisories/GHSA-7r6g-whg3-5mm4"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:29","euvd":null},{"cve_id":"CVE-2026-56318","summary":"Capgo before 12.128.2 contains an information disclosure vulnerability in the /private/validate_password_compliance endpoint that returns different error responses for malformed, non-existent, and existing organization IDs. Unauthenticated attackers can enumerate valid organization UUIDs by observing response status codes and error messages, allowing confirmation of organization existence.","cvss":6.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":6.9,"epss":0.00261,"ranking_epss":0.17458,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Cap-go/capgo/security/advisories/GHSA-fwwh-rqv7-6pjf","https://www.vulncheck.com/advisories/capgo-information-disclosure-via-private-validate-password-compliance-endpoint","https://github.com/Cap-go/capgo/security/advisories/GHSA-fwwh-rqv7-6pjf"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:29","euvd":null},{"cve_id":"CVE-2026-54673","summary":"electron-updater allows for automatic updates for Electron apps. Prior to 9.7.0, the HTTP redirect handler (HttpExecutor.prepareRedirectUrlOptions) only stripped a credential header whose key string matched exactly lowercase \"authorization\", exposing credentials. Other credential-bearing headers — most notably PRIVATE-TOKEN (used by GitLab's personal access token flow) and mixed-case Authorization (used by GitLab's Bearer/OAuth flow) — were not stripped and could be forwarded to an attacker-controlled cross-origin redirect destination. This issue has been fixed in version 9.7.0.","cvss":8.2,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":8.2,"epss":0.00235,"ranking_epss":0.14312,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/electron-userland/electron-builder/commit/22a7532bd01b9fb42cff7c58d599c7ad683569fe","https://github.com/electron-userland/electron-builder/security/advisories/GHSA-p2f4-r6v6-j797","https://github.com/electron-userland/electron-builder/security/advisories/GHSA-p2f4-r6v6-j797"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:28","euvd":null},{"cve_id":"CVE-2026-54696","summary":"Ruby JSON is a JSON implementation for Ruby. Versions 2.9.0 through 2.19.8 are vulnerable to heap buffer overflow when the JSON generator is provided with an oversized streamed object. When streaming to an IO JSON.dump(obj, io) and JSON::State#generate(obj, io) can write past the internal JSON generator buffer when a streamed object contains an\nattacker-controlled string near 16 KB. Exploitation would result in a reliable process crash/denial of service. This issue has been fixed in version 2.19.9.","cvss":3.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":3.7,"cvss_v4":null,"epss":0.00301,"ranking_epss":0.2184,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/ruby/json/releases/tag/v2.19.9","https://github.com/ruby/json/security/advisories/GHSA-x2f5-4prf-w687","https://github.com/ruby/json/security/advisories/GHSA-x2f5-4prf-w687"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:28","euvd":null},{"cve_id":"CVE-2026-55223","summary":"c3p0 is a JDBC Connection pooling library. In versions prior to 0.14.0,  c3p0 in combination with other libraries, can compose to a \"sink\" for  deserialization gadgets. The JDBC spec's DataSource.getConnection() and  ConnectionPoolDataSource.getPooledConnection() match the getXXX() form, so JavaBean libraries treat them as \"properties\" assumed safe while they actually call into JDBC drivers. Attackers can thus craft malicious  DataSource objects whose property lookups invoke vulnerable drivers, then  smuggle them in serialized form to where an application deserializes and auto-resolves bean properties — triggering the attack. This requires a  susceptible DataSource/ConnectionPoolDataSource and JDBC driver on the  CLASSPATH, plus a carrier that auto-looks-up JavaBean properties on = deserialization, most commonly a collection paired with an Apache commons-beanutils Comparator that sorts by bean properties. c3p0 supplied that susceptible DataSource/ConnectionPoolDataSource, which was an  essential component of the trigger. This issue has been fixed in version 0.14.0.","cvss":6.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":6.3,"epss":0.00284,"ranking_epss":0.2017,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/swaldman/c3p0/commit/7b022c4b6694dabc6204254dc917af9c38f2cb27","https://github.com/swaldman/c3p0/security/advisories/GHSA-w6w4-rjh9-9r58"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:28","euvd":{"id":"EUVD-2026-40847","description":"c3p0 is a JDBC Connection pooling library. In versions prior to 0.14.0,  c3p0 in combination with other libraries, can compose to a \"sink\" for  deserialization gadgets. The JDBC spec's DataSource.getConnection() and  ConnectionPoolDataSource.getPooledConnection() match the getXXX() form, so JavaBean libraries treat them as \"properties\" assumed safe while they actually call into JDBC drivers. Attackers can thus craft malicious  DataSource objects whose property lookups invoke vulnerable drivers, then  smuggle them in serialized form to where an application deserializes and auto-resolves bean properties — triggering the attack. This requires a  susceptible DataSource/ConnectionPoolDataSource and JDBC driver on the  CLASSPATH, plus a carrier that auto-looks-up JavaBean properties on = deserialization, most commonly a collection paired with an Apache commons-beanutils Comparator that sorts by bean properties. c3p0 supplied that susceptible DataSource/ConnectionPoolDataSource, which was an  essential component of the trigger. This issue has been fixed in version 0.14.0.","published_time":"2026-06-30T22:56:55","cvss":6.3,"cvss_version":"4.0","epss":0.0,"assigner":"GitHub_M","references":["https://github.com/swaldman/c3p0/security/advisories/GHSA-w6w4-rjh9-9r58","https://github.com/swaldman/c3p0/commit/7b022c4b6694dabc6204254dc917af9c38f2cb27"],"products":["c3p0"],"vendors":["swaldman"]}},{"cve_id":"CVE-2026-55721","summary":"Storage Concentrator (SC & SCVM) is vulnerable to SQL injection through cookie values processed by the login.pl and debug.pl scripts. The cookie value is incorporated directly into database queries without adequate sanitization, allowing an unauthenticated remote attacker to manipulate those queries and extract sensitive information from the underlying database, including session tokens, password hashes, and stored secret keys.","cvss":9.2,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":9.3,"cvss_v4":9.2,"epss":0.00406,"ranking_epss":0.32559,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-181-06.json","https://stonefly.com/contact-us/","https://www.cisa.gov/news-events/ics-advisories/icsa-26-181-06"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:28","euvd":null},{"cve_id":"CVE-2026-56219","summary":"Capgo before 12.128.2 contains a NULL-auth bypass vulnerability in the public.get_org_user_access_rbac function that allows unauthenticated attackers to retrieve RBAC role bindings and member email addresses. Attackers can exploit improper NULL comparison in the authorization gate to disclose organization membership, roles, and email addresses via the PostgREST RPC endpoint using only a public API key.","cvss":8.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":8.7,"epss":0.00341,"ranking_epss":0.26041,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Cap-go/capgo/security/advisories/GHSA-vvm7-xhcj-m94h","https://www.vulncheck.com/advisories/capgo-unauthenticated-rbac-bindings-and-email-disclosure-via-get-org-user-access-rbac-null-auth-bypass","https://github.com/Cap-go/capgo/security/advisories/GHSA-vvm7-xhcj-m94h"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:28","euvd":null},{"cve_id":"CVE-2026-56224","summary":"Capgo console.capgo.app/login before 12.128.2 accepts access_token and refresh_token in URL query parameters, automatically authenticating users without confirmation. Attackers can craft malicious links to force victims into attacker-controlled sessions, exposing tokens in browser history and logs.","cvss":5.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":5.4,"cvss_v4":5.1,"epss":0.00194,"ranking_epss":0.09319,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Cap-go/capgo/security/advisories/GHSA-83f5-439g-pwmj","https://www.vulncheck.com/advisories/capgo-login-csrf-and-session-fixation-via-url-query-parameters","https://github.com/Cap-go/capgo/security/advisories/GHSA-83f5-439g-pwmj"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:28","euvd":null},{"cve_id":"CVE-2026-56230","summary":"Capgo before 12.128.2 contains a broken object level authorization vulnerability in middlewareKey() that accepts the client-controlled x-limited-key-id header without validating ownership, allowing authenticated users to adopt cross-tenant limited keys. Attackers can supply another tenant's limited key ID to bypass authorization checks and access unauthorized cross-tenant resources across multiple API endpoints.","cvss":8.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":8.7,"epss":0.00322,"ranking_epss":0.24002,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Cap-go/capgo/security/advisories/GHSA-cppm-733w-hg86","https://www.vulncheck.com/advisories/capgo-broken-object-level-authorization-via-x-limited-key-id-header"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:28","euvd":null},{"cve_id":"CVE-2026-56233","summary":"Capgo before 12.128.2 contains a path traversal vulnerability in the builder upload proxy that allows authenticated users with build permissions to bypass upload restrictions. Attackers can append traversal sequences to the upload path, which are normalized by the WHATWG URL parser, enabling access to internal administrative endpoints with the privileged BUILDER_API_KEY header and resulting in server-side privilege escalation.","cvss":8.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":8.3,"cvss_v4":8.7,"epss":0.00451,"ranking_epss":0.3607,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Cap-go/capgo/security/advisories/GHSA-qprp-873h-mx6f","https://www.vulncheck.com/advisories/capgo-ssrf-and-privilege-escalation-via-path-traversal-in-builder-upload-proxy","https://github.com/Cap-go/capgo/security/advisories/GHSA-qprp-873h-mx6f"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:28","euvd":null},{"cve_id":"CVE-2026-50040","summary":"Storage Concentrator (SC & SCVM) is vulnerable to reflected cross-site scripting due to unsanitized content being echoed back in 404 error pages. An attacker can craft a malicious URL that, when visited by an authenticated user, causes arbitrary script content to execute within the victim's browser session in the context of the application. This could be leveraged to steal session cookies, redirect users, or perform unauthorized actions on behalf of the victim.","cvss":5.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":6.1,"cvss_v4":5.1,"epss":0.00236,"ranking_epss":0.14493,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-181-06.json","https://stonefly.com/contact-us/","https://www.cisa.gov/news-events/ics-advisories/icsa-26-181-06"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:27","euvd":null},{"cve_id":"CVE-2026-50110","summary":"Storage Concentrator (SC & SCVM) contains hardcoded credentials for numerous internal services embedded within a configuration file. While the credentials are stored in an encoded format, the encoding can be reversed to plaintext. The exposed credentials span a broad range of internal services, including database accounts, licensing, replication services, and third-party integrations, meaning successful exploitation of this vulnerability could provide an attacker with unauthorized access to multiple interconnected systems.","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":9.2,"cvss_v4":9.3,"epss":0.00128,"ranking_epss":0.02841,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-181-06.json","https://stonefly.com/contact-us/","https://www.cisa.gov/news-events/ics-advisories/icsa-26-181-06"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:27","euvd":{"id":"EUVD-2026-40846","description":"Storage Concentrator (SC & SCVM) contains hardcoded credentials for numerous internal services embedded within a configuration file. While the credentials are stored in an encoded format, the encoding can be reversed to plaintext. The exposed credentials span a broad range of internal services, including database accounts, licensing, replication services, and third-party integrations, meaning successful exploitation of this vulnerability could provide an attacker with unauthorized access to multiple interconnected systems.","published_time":"2026-06-30T22:54:42","cvss":9.3,"cvss_version":"4.0","epss":0.0,"assigner":"icscert","references":["https://www.cisa.gov/news-events/ics-advisories/icsa-26-181-06","https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-181-06.json","https://stonefly.com/contact-us/"],"products":["Storage Concentrator Virtual Machine","Storage Concentrator"],"vendors":["StoneFly"]}},{"cve_id":"CVE-2026-52193","summary":"Buffer Overflow vulnerability in UTT nv518G nv518GV3v3.2.7-210919-161313 allows a remote attacker to cause a denial of service via the gohead/sub_447CAC component","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00225,"ranking_epss":0.13186,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/akuma-QAQ/CVEreport/tree/main/518G/FUN_00447048","https://utt.com.cn/downloadcenter.php?filetypeid=3&model=518G&lang=zhcn","https://github.com/akuma-QAQ/CVEreport/tree/main/518G/FUN_00447048"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:27","euvd":{"id":"EUVD-2026-40864","description":"Buffer Overflow vulnerability in UTT nv518G nv518GV3v3.2.7-210919-161313 allows a remote attacker to cause a denial of service via the gohead/sub_447CAC component","published_time":"2026-07-01T00:34:12","cvss":0.0,"cvss_version":null,"epss":0.0,"assigner":"mitre","references":["https://utt.com.cn/downloadcenter.php?filetypeid=3&model=518G&lang=zhcn","https://github.com/akuma-QAQ/CVEreport/tree/main/518G/FUN_00447048","https://nvd.nist.gov/vuln/detail/CVE-2026-52193"],"products":["n/a"],"vendors":["n/a"]}},{"cve_id":"CVE-2026-52195","summary":"Buffer Overflow vulnerability in UTT nv518G nv518GV3v3.2.7-210919-161313 allows a remote attacker to cause a denial of service via the gohead/sub_472f08 component","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00225,"ranking_epss":0.13186,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/akuma-QAQ/CVEreport/tree/main/518G/FUN_00472f08","https://utt.com.cn/downloadcenter.php?filetypeid=3&model=518G&lang=zhcn","https://github.com/akuma-QAQ/CVEreport/tree/main/518G/FUN_00472f08"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:27","euvd":{"id":"EUVD-2026-40865","description":"Buffer Overflow vulnerability in UTT nv518G nv518GV3v3.2.7-210919-161313 allows a remote attacker to cause a denial of service via the gohead/sub_472f08 component","published_time":"2026-07-01T00:34:12","cvss":0.0,"cvss_version":null,"epss":0.0,"assigner":"mitre","references":["https://utt.com.cn/downloadcenter.php?filetypeid=3&model=518G&lang=zhcn","https://github.com/akuma-QAQ/CVEreport/tree/main/518G/FUN_00472f08","https://nvd.nist.gov/vuln/detail/CVE-2026-52195"],"products":["n/a"],"vendors":["n/a"]}},{"cve_id":"CVE-2026-52197","summary":"An issue in UTT nv518G nv518GV3v3.2.7-210919-161313 allows a remote attacker to cause a denial of service via the gohead/sub_44af70 component","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00204,"ranking_epss":0.1051,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/akuma-QAQ/CVEreport/blob/main/518G/FUN_0044af70/README.md","https://utt.com.cn/downloadcenter.php?filetypeid=3&model=518G&lang=zhcn","https://github.com/akuma-QAQ/CVEreport/blob/main/518G/FUN_0044af70/README.md"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:27","euvd":{"id":"EUVD-2026-40867","description":"An issue in UTT nv518G nv518GV3v3.2.7-210919-161313 allows a remote attacker to cause a denial of service via the gohead/sub_44af70 component","published_time":"2026-07-01T00:34:12","cvss":0.0,"cvss_version":null,"epss":0.0,"assigner":"mitre","references":["https://utt.com.cn/downloadcenter.php?filetypeid=3&model=518G&lang=zhcn","https://github.com/akuma-QAQ/CVEreport/blob/main/518G/FUN_0044af70/README.md","https://nvd.nist.gov/vuln/detail/CVE-2026-52197"],"products":["n/a"],"vendors":["n/a"]}},{"cve_id":"CVE-2026-52198","summary":"Buffer Overflow vulnerability in UTT nv518G nv518GV3v3.2.7-210919-161313 allows a remote attacker to cause a denial of service via the gohead/sub_425994 component","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00225,"ranking_epss":0.13186,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/akuma-QAQ/CVEreport/blob/main/518G/FUN_00425994/README.md","https://utt.com.cn/downloadcenter.php?filetypeid=3&model=518G&lang=zhcn","https://github.com/akuma-QAQ/CVEreport/blob/main/518G/FUN_00425994/README.md"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:27","euvd":{"id":"EUVD-2026-40868","description":"Buffer Overflow vulnerability in UTT nv518G nv518GV3v3.2.7-210919-161313 allows a remote attacker to cause a denial of service via the gohead/sub_425994 component","published_time":"2026-07-01T00:34:12","cvss":0.0,"cvss_version":null,"epss":0.0,"assigner":"mitre","references":["https://utt.com.cn/downloadcenter.php?filetypeid=3&model=518G&lang=zhcn","https://github.com/akuma-QAQ/CVEreport/blob/main/518G/FUN_00425994/README.md","https://nvd.nist.gov/vuln/detail/CVE-2026-52198"],"products":["n/a"],"vendors":["n/a"]}},{"cve_id":"CVE-2026-54672","summary":"electron-updater allows for automatic updates for Electron apps. Prior to 26.15.0, AppImage targets built by app-builder-lib could use an empty path component when setting the LD_LIBRARY_PATH environment variable at runtime. This causes the current working directory to be added to the dynamic linker search path, which may allow an attacker to execute arbitrary code by placing a malicious shared library in the directory from which the AppImage is launched. This issue has been fixed in version 26.15.0.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":0.00129,"ranking_epss":0.02887,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/electron-userland/electron-builder/commit/01b8ba979","https://github.com/electron-userland/electron-builder/security/advisories/GHSA-7g7r-gx96-252g"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:27","euvd":null},{"cve_id":"CVE-2026-14146","summary":"Inappropriate implementation in CSS in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00202,"ranking_epss":0.10271,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514550047"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:26","euvd":{"id":"EUVD-2026-40833","description":"Inappropriate implementation in CSS in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:43","cvss":6.5,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514550047"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14147","summary":"Inappropriate implementation in CSS in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Low)","cvss":6.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.1,"cvss_v4":null,"epss":0.0016,"ranking_epss":0.05547,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514632767"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:26","euvd":{"id":"EUVD-2026-40834","description":"Inappropriate implementation in CSS in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:44","cvss":6.1,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514632767"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14148","summary":"Type Confusion in CSS in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00211,"ranking_epss":0.11367,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/515426873"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:26","euvd":{"id":"EUVD-2026-40835","description":"Type Confusion in CSS in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:44","cvss":6.5,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/515426873"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14148","summary":"Type Confusion in CSS in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00211,"ranking_epss":0.11367,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/515426873"],"vendor":"apple","product":"macos","version":null,"published_time":"2026-06-30T23:17:26","euvd":{"id":"EUVD-2026-40835","description":"Type Confusion in CSS in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:44","cvss":6.5,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/515426873"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14148","summary":"Type Confusion in CSS in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00211,"ranking_epss":0.11367,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/515426873"],"vendor":"linux","product":"linux_kernel","version":null,"published_time":"2026-06-30T23:17:26","euvd":{"id":"EUVD-2026-40835","description":"Type Confusion in CSS in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:44","cvss":6.5,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/515426873"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14148","summary":"Type Confusion in CSS in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00211,"ranking_epss":0.11367,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/515426873"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:26","euvd":{"id":"EUVD-2026-40835","description":"Type Confusion in CSS in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:44","cvss":6.5,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/515426873"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14149","summary":"Use after free in Audio in Google Chrome on Linux prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Low)","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.00238,"ranking_epss":0.14841,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/515427046"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:26","euvd":{"id":"EUVD-2026-40836","description":"Use after free in Audio in Google Chrome on Linux prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:44","cvss":8.8,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/515427046"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14149","summary":"Use after free in Audio in Google Chrome on Linux prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Low)","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.00238,"ranking_epss":0.14841,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/515427046"],"vendor":"linux","product":"linux_kernel","version":null,"published_time":"2026-06-30T23:17:26","euvd":{"id":"EUVD-2026-40836","description":"Use after free in Audio in Google Chrome on Linux prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:44","cvss":8.8,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/515427046"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14150","summary":"Insufficient validation of untrusted input in Speech in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)","cvss":5.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.4,"cvss_v4":null,"epss":0.0017,"ranking_epss":0.06637,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/517376041"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:26","euvd":{"id":"EUVD-2026-40837","description":"Insufficient validation of untrusted input in Speech in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:45","cvss":4.3,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/517376041"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14151","summary":"Inappropriate implementation in AI in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low)","cvss":8.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.3,"cvss_v4":null,"epss":0.0017,"ranking_epss":0.06638,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/517381770"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:26","euvd":{"id":"EUVD-2026-40838","description":"Inappropriate implementation in AI in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:45","cvss":8.3,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/517381770"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14152","summary":"Out of bounds read and write in ANGLE in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low)","cvss":9.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.6,"cvss_v4":null,"epss":0.0017,"ranking_epss":0.06637,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/517534944"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:26","euvd":{"id":"EUVD-2026-40839","description":"Out of bounds read and write in ANGLE in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:45","cvss":9.6,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/517534944"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14153","summary":"Inappropriate implementation in Glic in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00181,"ranking_epss":0.07892,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/517684077"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:26","euvd":{"id":"EUVD-2026-40840","description":"Inappropriate implementation in Glic in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:46","cvss":5.3,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/517684077"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14153","summary":"Inappropriate implementation in Glic in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00181,"ranking_epss":0.07892,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/517684077"],"vendor":"apple","product":"macos","version":null,"published_time":"2026-06-30T23:17:26","euvd":{"id":"EUVD-2026-40840","description":"Inappropriate implementation in Glic in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:46","cvss":5.3,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/517684077"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14153","summary":"Inappropriate implementation in Glic in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00181,"ranking_epss":0.07892,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/517684077"],"vendor":"linux","product":"linux_kernel","version":null,"published_time":"2026-06-30T23:17:26","euvd":{"id":"EUVD-2026-40840","description":"Inappropriate implementation in Glic in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:46","cvss":5.3,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/517684077"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14153","summary":"Inappropriate implementation in Glic in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00181,"ranking_epss":0.07892,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/517684077"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:26","euvd":{"id":"EUVD-2026-40840","description":"Inappropriate implementation in Glic in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:46","cvss":5.3,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/517684077"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14154","summary":"Inappropriate implementation in DevTools in Google Chrome prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to perform UI spoofing via a crafted Chrome Extension. (Chromium security severity: Low)","cvss":4.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.8,"cvss_v4":null,"epss":0.00129,"ranking_epss":0.02941,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/517741170"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:26","euvd":{"id":"EUVD-2026-40841","description":"Inappropriate implementation in DevTools in Google Chrome prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to perform UI spoofing via a crafted Chrome Extension. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:46","cvss":4.8,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/517741170"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14154","summary":"Inappropriate implementation in DevTools in Google Chrome prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to perform UI spoofing via a crafted Chrome Extension. (Chromium security severity: Low)","cvss":4.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.8,"cvss_v4":null,"epss":0.00129,"ranking_epss":0.02941,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/517741170"],"vendor":"apple","product":"macos","version":null,"published_time":"2026-06-30T23:17:26","euvd":{"id":"EUVD-2026-40841","description":"Inappropriate implementation in DevTools in Google Chrome prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to perform UI spoofing via a crafted Chrome Extension. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:46","cvss":4.8,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/517741170"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14154","summary":"Inappropriate implementation in DevTools in Google Chrome prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to perform UI spoofing via a crafted Chrome Extension. (Chromium security severity: Low)","cvss":4.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.8,"cvss_v4":null,"epss":0.00129,"ranking_epss":0.02941,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/517741170"],"vendor":"linux","product":"linux_kernel","version":null,"published_time":"2026-06-30T23:17:26","euvd":{"id":"EUVD-2026-40841","description":"Inappropriate implementation in DevTools in Google Chrome prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to perform UI spoofing via a crafted Chrome Extension. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:46","cvss":4.8,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/517741170"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14154","summary":"Inappropriate implementation in DevTools in Google Chrome prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to perform UI spoofing via a crafted Chrome Extension. (Chromium security severity: Low)","cvss":4.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.8,"cvss_v4":null,"epss":0.00129,"ranking_epss":0.02941,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/517741170"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:26","euvd":{"id":"EUVD-2026-40841","description":"Inappropriate implementation in DevTools in Google Chrome prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to perform UI spoofing via a crafted Chrome Extension. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:46","cvss":4.8,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/517741170"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14155","summary":"Insufficient policy enforcement in StorageAccessAPI in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.0017,"ranking_epss":0.06637,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/518246925"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:26","euvd":{"id":"EUVD-2026-40842","description":"Insufficient policy enforcement in StorageAccessAPI in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:46","cvss":6.5,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/518246925"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14156","summary":"Insufficient policy enforcement in StorageAccessAPI in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. (Chromium security severity: Low)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.0018,"ranking_epss":0.078,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/518247789"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:26","euvd":{"id":"EUVD-2026-40843","description":"Insufficient policy enforcement in StorageAccessAPI in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:47","cvss":6.5,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/518247789"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-28322","summary":"SolarWinds Database Performance Analyzer was found to be affected by a stored cross-site scripting vulnerability, which when exploited, can lead to unintended script execution.","cvss":5.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.6,"cvss_v4":null,"epss":0.00222,"ranking_epss":0.12701,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://documentation.solarwinds.com/en/success_center/dpa/content/release_notes/dpa_2026-2_release_notes.htm","https://support.solarwinds.com/SuccessCenter/s/article/DPA-Secure-Configuration-Guide-Best-Practices-and-Recommendations?language=en_US","https://www.solarwinds.com/trust-center/security-advisories/cve-2026-28322"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:26","euvd":null},{"cve_id":"CVE-2026-14135","summary":"Insufficient validation of untrusted input in Network in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)","cvss":5.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.4,"cvss_v4":null,"epss":0.00182,"ranking_epss":0.08006,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514058566"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:25","euvd":null},{"cve_id":"CVE-2026-14136","summary":"Insufficient validation of untrusted input in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00182,"ranking_epss":0.08006,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514068611"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:25","euvd":null},{"cve_id":"CVE-2026-14136","summary":"Insufficient validation of untrusted input in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00182,"ranking_epss":0.08006,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514068611"],"vendor":"apple","product":"iphone_os","version":null,"published_time":"2026-06-30T23:17:25","euvd":null},{"cve_id":"CVE-2026-14137","summary":"Insufficient validation of untrusted input in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)","cvss":4.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.2,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.07101,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514070067"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:25","euvd":{"id":"EUVD-2026-40824","description":"Insufficient validation of untrusted input in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:40","cvss":4.2,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514070067"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14138","summary":"Inappropriate implementation in WebAppInstalls in Google Chrome on Windows prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)","cvss":4.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.2,"cvss_v4":null,"epss":0.00163,"ranking_epss":0.05886,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514071775"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:25","euvd":{"id":"EUVD-2026-40825","description":"Inappropriate implementation in WebAppInstalls in Google Chrome on Windows prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:40","cvss":4.2,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514071775"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14138","summary":"Inappropriate implementation in WebAppInstalls in Google Chrome on Windows prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)","cvss":4.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.2,"cvss_v4":null,"epss":0.00163,"ranking_epss":0.05886,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514071775"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:25","euvd":{"id":"EUVD-2026-40825","description":"Inappropriate implementation in WebAppInstalls in Google Chrome on Windows prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:40","cvss":4.2,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514071775"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14139","summary":"Inappropriate implementation in TabStrip in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)","cvss":4.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.2,"cvss_v4":null,"epss":0.00163,"ranking_epss":0.05886,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514072495"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:25","euvd":{"id":"EUVD-2026-40826","description":"Inappropriate implementation in TabStrip in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:41","cvss":4.2,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514072495"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14139","summary":"Inappropriate implementation in TabStrip in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)","cvss":4.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.2,"cvss_v4":null,"epss":0.00163,"ranking_epss":0.05886,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514072495"],"vendor":"apple","product":"macos","version":null,"published_time":"2026-06-30T23:17:25","euvd":{"id":"EUVD-2026-40826","description":"Inappropriate implementation in TabStrip in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:41","cvss":4.2,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514072495"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14139","summary":"Inappropriate implementation in TabStrip in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)","cvss":4.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.2,"cvss_v4":null,"epss":0.00163,"ranking_epss":0.05886,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514072495"],"vendor":"linux","product":"linux_kernel","version":null,"published_time":"2026-06-30T23:17:25","euvd":{"id":"EUVD-2026-40826","description":"Inappropriate implementation in TabStrip in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:41","cvss":4.2,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514072495"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14139","summary":"Inappropriate implementation in TabStrip in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)","cvss":4.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.2,"cvss_v4":null,"epss":0.00163,"ranking_epss":0.05886,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514072495"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:25","euvd":{"id":"EUVD-2026-40826","description":"Inappropriate implementation in TabStrip in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:41","cvss":4.2,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514072495"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14140","summary":"Insufficient validation of untrusted input in Input in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00182,"ranking_epss":0.08007,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514072607"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:25","euvd":null},{"cve_id":"CVE-2026-14141","summary":"Incorrect security UI in Document Picture-in-Picture in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker to perform domain spoofing via a crafted HTML page. (Chromium security severity: Low)","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00182,"ranking_epss":0.08005,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514072867"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:25","euvd":{"id":"EUVD-2026-40828","description":"Incorrect security UI in Document Picture-in-Picture in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker to perform domain spoofing via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:42","cvss":4.3,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514072867"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14142","summary":"Inappropriate implementation in Extensions in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)","cvss":5.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.4,"cvss_v4":null,"epss":0.00182,"ranking_epss":0.08005,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514073460"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:25","euvd":{"id":"EUVD-2026-40829","description":"Inappropriate implementation in Extensions in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:42","cvss":4.3,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514073460"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14143","summary":"Incorrect security UI in Passwords in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00182,"ranking_epss":0.08006,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514075028"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:25","euvd":{"id":"EUVD-2026-40830","description":"Incorrect security UI in Passwords in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:42","cvss":4.3,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514075028"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14143","summary":"Incorrect security UI in Passwords in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00182,"ranking_epss":0.08006,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514075028"],"vendor":"apple","product":"iphone_os","version":null,"published_time":"2026-06-30T23:17:25","euvd":{"id":"EUVD-2026-40830","description":"Incorrect security UI in Passwords in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:42","cvss":4.3,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514075028"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14144","summary":"Incorrect security UI in Views in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)","cvss":4.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.2,"cvss_v4":null,"epss":0.00136,"ranking_epss":0.03406,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514079793"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:25","euvd":{"id":"EUVD-2026-40831","description":"Incorrect security UI in Views in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:43","cvss":4.2,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514079793"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14144","summary":"Incorrect security UI in Views in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)","cvss":4.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.2,"cvss_v4":null,"epss":0.00136,"ranking_epss":0.03406,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514079793"],"vendor":"apple","product":"macos","version":null,"published_time":"2026-06-30T23:17:25","euvd":{"id":"EUVD-2026-40831","description":"Incorrect security UI in Views in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:43","cvss":4.2,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514079793"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14144","summary":"Incorrect security UI in Views in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)","cvss":4.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.2,"cvss_v4":null,"epss":0.00136,"ranking_epss":0.03406,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514079793"],"vendor":"linux","product":"linux_kernel","version":null,"published_time":"2026-06-30T23:17:25","euvd":{"id":"EUVD-2026-40831","description":"Incorrect security UI in Views in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:43","cvss":4.2,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514079793"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14144","summary":"Incorrect security UI in Views in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)","cvss":4.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.2,"cvss_v4":null,"epss":0.00136,"ranking_epss":0.03406,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514079793"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:25","euvd":{"id":"EUVD-2026-40831","description":"Incorrect security UI in Views in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:43","cvss":4.2,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514079793"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14145","summary":"Inappropriate implementation in CSS in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Low)","cvss":6.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.1,"cvss_v4":null,"epss":0.00167,"ranking_epss":0.0629,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514485825"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:25","euvd":{"id":"EUVD-2026-40832","description":"Inappropriate implementation in CSS in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:43","cvss":6.1,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514485825"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14123","summary":"Incorrect security UI in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Low)","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00182,"ranking_epss":0.08004,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513856644"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:24","euvd":null},{"cve_id":"CVE-2026-14123","summary":"Incorrect security UI in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Low)","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00182,"ranking_epss":0.08004,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513856644"],"vendor":"apple","product":"iphone_os","version":null,"published_time":"2026-06-30T23:17:24","euvd":null},{"cve_id":"CVE-2026-14124","summary":"Inappropriate implementation in CredentialProvider in Google Chrome on Windows prior to 150.0.7871.47 allowed a local attacker to perform OS-level privilege escalation via a malicious file. (Chromium security severity: Low)","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":0.00111,"ranking_epss":0.01609,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513867710"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:24","euvd":null},{"cve_id":"CVE-2026-14125","summary":"Uninitialized Use in ANGLE in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00253,"ranking_epss":0.16642,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513918431"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:24","euvd":{"id":"EUVD-2026-40812","description":"Uninitialized Use in ANGLE in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:36","cvss":6.5,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513918431"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14125","summary":"Uninitialized Use in ANGLE in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00253,"ranking_epss":0.16642,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513918431"],"vendor":"apple","product":"macos","version":null,"published_time":"2026-06-30T23:17:24","euvd":{"id":"EUVD-2026-40812","description":"Uninitialized Use in ANGLE in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:36","cvss":6.5,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513918431"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14125","summary":"Uninitialized Use in ANGLE in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00253,"ranking_epss":0.16642,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513918431"],"vendor":"linux","product":"linux_kernel","version":null,"published_time":"2026-06-30T23:17:24","euvd":{"id":"EUVD-2026-40812","description":"Uninitialized Use in ANGLE in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:36","cvss":6.5,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513918431"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14125","summary":"Uninitialized Use in ANGLE in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00253,"ranking_epss":0.16642,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513918431"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:24","euvd":{"id":"EUVD-2026-40812","description":"Uninitialized Use in ANGLE in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:36","cvss":6.5,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513918431"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14126","summary":"Incorrect security UI in UI in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker to perform domain spoofing via a crafted HTML page. (Chromium security severity: Low)","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.07141,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513992796"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:24","euvd":null},{"cve_id":"CVE-2026-14127","summary":"Inappropriate implementation in Printing in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00182,"ranking_epss":0.08002,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514009654"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:24","euvd":null},{"cve_id":"CVE-2026-14128","summary":"Inappropriate implementation in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Low)","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00182,"ranking_epss":0.08002,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514015836"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:24","euvd":null},{"cve_id":"CVE-2026-14128","summary":"Inappropriate implementation in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Low)","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00182,"ranking_epss":0.08002,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514015836"],"vendor":"apple","product":"iphone_os","version":null,"published_time":"2026-06-30T23:17:24","euvd":null},{"cve_id":"CVE-2026-14129","summary":"Inappropriate implementation in PreviewTab in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)","cvss":4.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.2,"cvss_v4":null,"epss":0.00154,"ranking_epss":0.0489,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514018024"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:24","euvd":{"id":"EUVD-2026-40816","description":"Inappropriate implementation in PreviewTab in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:37","cvss":4.2,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514018024"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14129","summary":"Inappropriate implementation in PreviewTab in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)","cvss":4.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.2,"cvss_v4":null,"epss":0.00154,"ranking_epss":0.0489,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514018024"],"vendor":"google","product":"android","version":null,"published_time":"2026-06-30T23:17:24","euvd":{"id":"EUVD-2026-40816","description":"Inappropriate implementation in PreviewTab in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:37","cvss":4.2,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514018024"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14130","summary":"Incorrect security UI in Omnibox in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00182,"ranking_epss":0.08002,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514019522"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:24","euvd":null},{"cve_id":"CVE-2026-14131","summary":"Insufficient validation of untrusted input in WebAppInstalls in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)","cvss":5.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.4,"cvss_v4":null,"epss":0.00182,"ranking_epss":0.08003,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514020982"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:24","euvd":null},{"cve_id":"CVE-2026-14132","summary":"Inappropriate implementation in WebXR in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)","cvss":5.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.4,"cvss_v4":null,"epss":0.00182,"ranking_epss":0.08003,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514039492"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:24","euvd":null},{"cve_id":"CVE-2026-14133","summary":"Race in History Embeddings in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)","cvss":4.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.2,"cvss_v4":null,"epss":0.00145,"ranking_epss":0.04186,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514039947"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:24","euvd":null},{"cve_id":"CVE-2026-14134","summary":"Inappropriate implementation in Autofill in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.07141,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514055973"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:24","euvd":null},{"cve_id":"CVE-2026-14112","summary":"Inappropriate implementation in Enterprise in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00218,"ranking_epss":0.12214,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513713946"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:23","euvd":{"id":"EUVD-2026-40799","description":"Inappropriate implementation in Enterprise in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:31","cvss":5.3,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513713946"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14112","summary":"Inappropriate implementation in Enterprise in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00218,"ranking_epss":0.12214,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513713946"],"vendor":"apple","product":"macos","version":null,"published_time":"2026-06-30T23:17:23","euvd":{"id":"EUVD-2026-40799","description":"Inappropriate implementation in Enterprise in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:31","cvss":5.3,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513713946"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14112","summary":"Inappropriate implementation in Enterprise in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00218,"ranking_epss":0.12214,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513713946"],"vendor":"linux","product":"linux_kernel","version":null,"published_time":"2026-06-30T23:17:23","euvd":{"id":"EUVD-2026-40799","description":"Inappropriate implementation in Enterprise in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:31","cvss":5.3,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513713946"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14112","summary":"Inappropriate implementation in Enterprise in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00218,"ranking_epss":0.12214,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513713946"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:23","euvd":{"id":"EUVD-2026-40799","description":"Inappropriate implementation in Enterprise in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:31","cvss":5.3,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513713946"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14113","summary":"Use after free in Updater in Google Chrome on Windows prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low)","cvss":9.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.6,"cvss_v4":null,"epss":0.00182,"ranking_epss":0.08004,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513737335"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:23","euvd":null},{"cve_id":"CVE-2026-14113","summary":"Use after free in Updater in Google Chrome on Windows prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low)","cvss":9.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.6,"cvss_v4":null,"epss":0.00182,"ranking_epss":0.08004,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513737335"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:23","euvd":null},{"cve_id":"CVE-2026-14114","summary":"Inappropriate implementation in WebAppInstalls in Google Chrome on Android prior to 150.0.7871.47 allowed a local attacker to perform UI spoofing via a malicious file. (Chromium security severity: Low)","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00107,"ranking_epss":0.01358,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513743129"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:23","euvd":null},{"cve_id":"CVE-2026-14115","summary":"Insufficient validation of untrusted input in Cast in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to perform privilege escalation via a crafted HTML page. (Chromium security severity: Low)","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00182,"ranking_epss":0.08007,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513745699"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:23","euvd":null},{"cve_id":"CVE-2026-14115","summary":"Insufficient validation of untrusted input in Cast in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to perform privilege escalation via a crafted HTML page. (Chromium security severity: Low)","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00182,"ranking_epss":0.08007,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513745699"],"vendor":"apple","product":"macos","version":null,"published_time":"2026-06-30T23:17:23","euvd":null},{"cve_id":"CVE-2026-14115","summary":"Insufficient validation of untrusted input in Cast in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to perform privilege escalation via a crafted HTML page. (Chromium security severity: Low)","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00182,"ranking_epss":0.08007,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513745699"],"vendor":"linux","product":"linux_kernel","version":null,"published_time":"2026-06-30T23:17:23","euvd":null},{"cve_id":"CVE-2026-14115","summary":"Insufficient validation of untrusted input in Cast in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to perform privilege escalation via a crafted HTML page. (Chromium security severity: Low)","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00182,"ranking_epss":0.08007,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513745699"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:23","euvd":null},{"cve_id":"CVE-2026-14116","summary":"Insufficient validation of untrusted input in DevTools in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00182,"ranking_epss":0.08005,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513747800"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:23","euvd":null},{"cve_id":"CVE-2026-14117","summary":"Insufficient validation of untrusted input in DevTools in Google Chrome on Windows prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00232,"ranking_epss":0.14072,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513751020"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:23","euvd":{"id":"EUVD-2026-40804","description":"Insufficient validation of untrusted input in DevTools in Google Chrome on Windows prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:33","cvss":5.3,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513751020"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14117","summary":"Insufficient validation of untrusted input in DevTools in Google Chrome on Windows prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00232,"ranking_epss":0.14072,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513751020"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:23","euvd":{"id":"EUVD-2026-40804","description":"Insufficient validation of untrusted input in DevTools in Google Chrome on Windows prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:33","cvss":5.3,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513751020"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14118","summary":"Insufficient data validation in DevTools in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00182,"ranking_epss":0.08003,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513772764"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:23","euvd":null},{"cve_id":"CVE-2026-14119","summary":"Type Confusion in Bluetooth in Google Chrome on Windows prior to 150.0.7871.47 allowed an attacker on the local network segment to obtain potentially sensitive information from process memory via a malicious peripheral. (Chromium security severity: Low)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00111,"ranking_epss":0.01569,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513775483"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:23","euvd":{"id":"EUVD-2026-40806","description":"Type Confusion in Bluetooth in Google Chrome on Windows prior to 150.0.7871.47 allowed an attacker on the local network segment to obtain potentially sensitive information from process memory via a malicious peripheral. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:33","cvss":6.5,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513775483"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14119","summary":"Type Confusion in Bluetooth in Google Chrome on Windows prior to 150.0.7871.47 allowed an attacker on the local network segment to obtain potentially sensitive information from process memory via a malicious peripheral. (Chromium security severity: Low)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00111,"ranking_epss":0.01569,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513775483"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:23","euvd":{"id":"EUVD-2026-40806","description":"Type Confusion in Bluetooth in Google Chrome on Windows prior to 150.0.7871.47 allowed an attacker on the local network segment to obtain potentially sensitive information from process memory via a malicious peripheral. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:33","cvss":6.5,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513775483"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14120","summary":"Inappropriate implementation in DevTools in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low)","cvss":9.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.6,"cvss_v4":null,"epss":0.00182,"ranking_epss":0.08001,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513777411"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:23","euvd":null},{"cve_id":"CVE-2026-14121","summary":"Use after free in Chromoting in Google Chrome on Linux prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code via malicious network traffic. (Chromium security severity: Low)","cvss":8.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":null,"epss":0.00198,"ranking_epss":0.09823,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513789382"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:23","euvd":null},{"cve_id":"CVE-2026-14121","summary":"Use after free in Chromoting in Google Chrome on Linux prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code via malicious network traffic. (Chromium security severity: Low)","cvss":8.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":null,"epss":0.00198,"ranking_epss":0.09823,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513789382"],"vendor":"linux","product":"linux_kernel","version":null,"published_time":"2026-06-30T23:17:23","euvd":null},{"cve_id":"CVE-2026-14122","summary":"Insufficient validation of untrusted input in WebAppInstalls in Google Chrome on Windows prior to 150.0.7871.47 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: Low)","cvss":8.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":null,"epss":0.00182,"ranking_epss":0.08003,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513824891"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:23","euvd":null},{"cve_id":"CVE-2026-14122","summary":"Insufficient validation of untrusted input in WebAppInstalls in Google Chrome on Windows prior to 150.0.7871.47 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: Low)","cvss":8.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":null,"epss":0.00182,"ranking_epss":0.08003,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513824891"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:23","euvd":null},{"cve_id":"CVE-2026-14101","summary":"Insufficient policy enforcement in Sandbox in Google Chrome on Mac prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low)","cvss":9.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.6,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.0714,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513454805"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:22","euvd":null},{"cve_id":"CVE-2026-14102","summary":"Use after free in Passwords in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Low)","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.0714,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513455047"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:22","euvd":null},{"cve_id":"CVE-2026-14103","summary":"Use after free in SSL in Google Chrome on ChromeOS prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00219,"ranking_epss":0.12337,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513465245"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:22","euvd":{"id":"EUVD-2026-40790","description":"Use after free in SSL in Google Chrome on ChromeOS prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:28","cvss":6.5,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513465245"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14104","summary":"Insufficient validation of untrusted input in WebAppInstalls in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Low)","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.00215,"ranking_epss":0.11872,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513484193"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:22","euvd":null},{"cve_id":"CVE-2026-14105","summary":"Insufficient policy enforcement in Speech in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Low)","cvss":9.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.6,"cvss_v4":null,"epss":0.00185,"ranking_epss":0.08296,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513528117"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:22","euvd":null},{"cve_id":"CVE-2026-14106","summary":"Insufficient validation of untrusted input in Text in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low)","cvss":9.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.6,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.07138,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513532778"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:22","euvd":null},{"cve_id":"CVE-2026-14107","summary":"Use after free in Scheduling in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Low)","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.00215,"ranking_epss":0.11873,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513544566"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:22","euvd":null},{"cve_id":"CVE-2026-14107","summary":"Use after free in Scheduling in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Low)","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.00215,"ranking_epss":0.11873,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513544566"],"vendor":"apple","product":"macos","version":null,"published_time":"2026-06-30T23:17:22","euvd":null},{"cve_id":"CVE-2026-14107","summary":"Use after free in Scheduling in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Low)","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.00215,"ranking_epss":0.11873,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513544566"],"vendor":"linux","product":"linux_kernel","version":null,"published_time":"2026-06-30T23:17:22","euvd":null},{"cve_id":"CVE-2026-14107","summary":"Use after free in Scheduling in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Low)","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.00215,"ranking_epss":0.11873,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513544566"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:22","euvd":null},{"cve_id":"CVE-2026-14108","summary":"Use after free in PDFium in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file. (Chromium security severity: Low)","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.00198,"ranking_epss":0.09822,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513689974"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:22","euvd":null},{"cve_id":"CVE-2026-14108","summary":"Use after free in PDFium in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file. (Chromium security severity: Low)","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.00198,"ranking_epss":0.09822,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513689974"],"vendor":"apple","product":"macos","version":null,"published_time":"2026-06-30T23:17:22","euvd":null},{"cve_id":"CVE-2026-14108","summary":"Use after free in PDFium in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file. (Chromium security severity: Low)","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.00198,"ranking_epss":0.09822,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513689974"],"vendor":"linux","product":"linux_kernel","version":null,"published_time":"2026-06-30T23:17:22","euvd":null},{"cve_id":"CVE-2026-14108","summary":"Use after free in PDFium in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file. (Chromium security severity: Low)","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.00198,"ranking_epss":0.09822,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513689974"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:22","euvd":null},{"cve_id":"CVE-2026-14109","summary":"Insufficient policy enforcement in Mojo in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low)","cvss":9.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.6,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.07141,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513694957"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:22","euvd":null},{"cve_id":"CVE-2026-14110","summary":"Inappropriate implementation in DarkMode in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00182,"ranking_epss":0.08005,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513698452"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:22","euvd":null},{"cve_id":"CVE-2026-14111","summary":"Use after free in WebProtect in Google Chrome prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to execute arbitrary code via a crafted Chrome Extension. (Chromium security severity: Low)","cvss":8.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":null,"epss":0.00134,"ranking_epss":0.03273,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513710926"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:22","euvd":null},{"cve_id":"CVE-2026-14111","summary":"Use after free in WebProtect in Google Chrome prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to execute arbitrary code via a crafted Chrome Extension. (Chromium security severity: Low)","cvss":8.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":null,"epss":0.00134,"ranking_epss":0.03273,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513710926"],"vendor":"apple","product":"macos","version":null,"published_time":"2026-06-30T23:17:22","euvd":null},{"cve_id":"CVE-2026-14111","summary":"Use after free in WebProtect in Google Chrome prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to execute arbitrary code via a crafted Chrome Extension. (Chromium security severity: Low)","cvss":8.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":null,"epss":0.00134,"ranking_epss":0.03273,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513710926"],"vendor":"linux","product":"linux_kernel","version":null,"published_time":"2026-06-30T23:17:22","euvd":null},{"cve_id":"CVE-2026-14111","summary":"Use after free in WebProtect in Google Chrome prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to execute arbitrary code via a crafted Chrome Extension. (Chromium security severity: Low)","cvss":8.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":null,"epss":0.00134,"ranking_epss":0.03273,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513710926"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:22","euvd":null},{"cve_id":"CVE-2026-14090","summary":"Insufficient validation of untrusted input in CameraCapture in Google Chrome on ChromeOS prior to 150.0.7871.47 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Low)","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.07126,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513194241"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:21","euvd":null},{"cve_id":"CVE-2026-14091","summary":"Use after free in DevTools in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Low)","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.00215,"ranking_epss":0.11873,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513208773"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:21","euvd":null},{"cve_id":"CVE-2026-14091","summary":"Use after free in DevTools in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Low)","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.00215,"ranking_epss":0.11873,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513208773"],"vendor":"apple","product":"macos","version":null,"published_time":"2026-06-30T23:17:21","euvd":null},{"cve_id":"CVE-2026-14091","summary":"Use after free in DevTools in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Low)","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.00215,"ranking_epss":0.11873,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513208773"],"vendor":"linux","product":"linux_kernel","version":null,"published_time":"2026-06-30T23:17:21","euvd":null},{"cve_id":"CVE-2026-14091","summary":"Use after free in DevTools in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Low)","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.00215,"ranking_epss":0.11873,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513208773"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:21","euvd":null},{"cve_id":"CVE-2026-14092","summary":"Insufficient policy enforcement in Privacy in Google Chrome prior to 150.0.7871.47 allowed an attacker in a privileged network position to leak cross-origin data via malicious network traffic. (Chromium security severity: Low)","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00112,"ranking_epss":0.01619,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513212892"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:21","euvd":null},{"cve_id":"CVE-2026-14092","summary":"Insufficient policy enforcement in Privacy in Google Chrome prior to 150.0.7871.47 allowed an attacker in a privileged network position to leak cross-origin data via malicious network traffic. (Chromium security severity: Low)","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00112,"ranking_epss":0.01619,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513212892"],"vendor":"apple","product":"macos","version":null,"published_time":"2026-06-30T23:17:21","euvd":null},{"cve_id":"CVE-2026-14092","summary":"Insufficient policy enforcement in Privacy in Google Chrome prior to 150.0.7871.47 allowed an attacker in a privileged network position to leak cross-origin data via malicious network traffic. (Chromium security severity: Low)","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00112,"ranking_epss":0.01619,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513212892"],"vendor":"linux","product":"linux_kernel","version":null,"published_time":"2026-06-30T23:17:21","euvd":null},{"cve_id":"CVE-2026-14092","summary":"Insufficient policy enforcement in Privacy in Google Chrome prior to 150.0.7871.47 allowed an attacker in a privileged network position to leak cross-origin data via malicious network traffic. (Chromium security severity: Low)","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00112,"ranking_epss":0.01619,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513212892"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:21","euvd":null},{"cve_id":"CVE-2026-14093","summary":"Use after free in Cast in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low)","cvss":9.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.6,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.07139,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513240099"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:21","euvd":null},{"cve_id":"CVE-2026-14093","summary":"Use after free in Cast in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low)","cvss":9.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.6,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.07139,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513240099"],"vendor":"apple","product":"macos","version":null,"published_time":"2026-06-30T23:17:21","euvd":null},{"cve_id":"CVE-2026-14093","summary":"Use after free in Cast in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low)","cvss":9.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.6,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.07139,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513240099"],"vendor":"linux","product":"linux_kernel","version":null,"published_time":"2026-06-30T23:17:21","euvd":null},{"cve_id":"CVE-2026-14093","summary":"Use after free in Cast in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low)","cvss":9.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.6,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.07139,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513240099"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:21","euvd":null},{"cve_id":"CVE-2026-14094","summary":"Use after free in Installer in Google Chrome on Windows prior to 150.0.7871.47 allowed a local attacker to perform OS-level privilege escalation via a malicious file. (Chromium security severity: Low)","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":0.00111,"ranking_epss":0.01608,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513264273"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:21","euvd":null},{"cve_id":"CVE-2026-14094","summary":"Use after free in Installer in Google Chrome on Windows prior to 150.0.7871.47 allowed a local attacker to perform OS-level privilege escalation via a malicious file. (Chromium security severity: Low)","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":0.00111,"ranking_epss":0.01608,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513264273"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:21","euvd":null},{"cve_id":"CVE-2026-14095","summary":"Insufficient policy enforcement in Browser in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low)","cvss":9.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.6,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.07139,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513271007"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:21","euvd":null},{"cve_id":"CVE-2026-14095","summary":"Insufficient policy enforcement in Browser in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low)","cvss":9.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.6,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.07139,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513271007"],"vendor":"apple","product":"macos","version":null,"published_time":"2026-06-30T23:17:21","euvd":null},{"cve_id":"CVE-2026-14095","summary":"Insufficient policy enforcement in Browser in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low)","cvss":9.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.6,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.07139,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513271007"],"vendor":"linux","product":"linux_kernel","version":null,"published_time":"2026-06-30T23:17:21","euvd":null},{"cve_id":"CVE-2026-14095","summary":"Insufficient policy enforcement in Browser in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low)","cvss":9.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.6,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.07139,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513271007"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:21","euvd":null},{"cve_id":"CVE-2026-14096","summary":"Inappropriate implementation in Input in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.0714,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513310821"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:21","euvd":null},{"cve_id":"CVE-2026-14096","summary":"Inappropriate implementation in Input in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.0714,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513310821"],"vendor":"google","product":"android","version":null,"published_time":"2026-06-30T23:17:21","euvd":null},{"cve_id":"CVE-2026-14097","summary":"Inappropriate implementation in WebAppInstalls in Google Chrome on Mac prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low)","cvss":9.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.6,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.07127,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513333529"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:21","euvd":null},{"cve_id":"CVE-2026-14097","summary":"Inappropriate implementation in WebAppInstalls in Google Chrome on Mac prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low)","cvss":9.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.6,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.07127,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513333529"],"vendor":"apple","product":"macos","version":null,"published_time":"2026-06-30T23:17:21","euvd":null},{"cve_id":"CVE-2026-14098","summary":"Inappropriate implementation in CSS in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.07128,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513375767"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:21","euvd":null},{"cve_id":"CVE-2026-14098","summary":"Inappropriate implementation in CSS in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.07128,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513375767"],"vendor":"apple","product":"macos","version":null,"published_time":"2026-06-30T23:17:21","euvd":null},{"cve_id":"CVE-2026-14098","summary":"Inappropriate implementation in CSS in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.07128,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513375767"],"vendor":"linux","product":"linux_kernel","version":null,"published_time":"2026-06-30T23:17:21","euvd":null},{"cve_id":"CVE-2026-14098","summary":"Inappropriate implementation in CSS in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.07128,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513375767"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:21","euvd":null},{"cve_id":"CVE-2026-14099","summary":"Use after free in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Low)","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.00182,"ranking_epss":0.08004,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513382161"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:21","euvd":null},{"cve_id":"CVE-2026-14099","summary":"Use after free in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Low)","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.00182,"ranking_epss":0.08004,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513382161"],"vendor":"apple","product":"iphone_os","version":null,"published_time":"2026-06-30T23:17:21","euvd":null},{"cve_id":"CVE-2026-14100","summary":"Insufficient data validation in NetworkCache in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.07128,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513383891"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:21","euvd":null},{"cve_id":"CVE-2026-14100","summary":"Insufficient data validation in NetworkCache in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.07128,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513383891"],"vendor":"apple","product":"macos","version":null,"published_time":"2026-06-30T23:17:21","euvd":null},{"cve_id":"CVE-2026-14100","summary":"Insufficient data validation in NetworkCache in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.07128,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513383891"],"vendor":"linux","product":"linux_kernel","version":null,"published_time":"2026-06-30T23:17:21","euvd":null},{"cve_id":"CVE-2026-14100","summary":"Insufficient data validation in NetworkCache in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.07128,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513383891"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:21","euvd":null},{"cve_id":"CVE-2026-14079","summary":"Insufficient policy enforcement in Network in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Low)","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00185,"ranking_epss":0.08296,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/512971938"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:20","euvd":null},{"cve_id":"CVE-2026-14080","summary":"Insufficient validation of untrusted input in TabSwitcher in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker to bypass navigation restrictions via malicious network traffic. (Chromium security severity: Low)","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00171,"ranking_epss":0.06746,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/512997517"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:20","euvd":null},{"cve_id":"CVE-2026-14081","summary":"Insufficient policy enforcement in DevTools in Google Chrome prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to obtain potentially sensitive information from process memory via a crafted Chrome Extension. (Chromium security severity: Low)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00167,"ranking_epss":0.06287,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513030698"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:20","euvd":{"id":"EUVD-2026-40768","description":"Insufficient policy enforcement in DevTools in Google Chrome prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to obtain potentially sensitive information from process memory via a crafted Chrome Extension. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:20","cvss":6.5,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513030698"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14081","summary":"Insufficient policy enforcement in DevTools in Google Chrome prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to obtain potentially sensitive information from process memory via a crafted Chrome Extension. (Chromium security severity: Low)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00167,"ranking_epss":0.06287,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513030698"],"vendor":"apple","product":"macos","version":null,"published_time":"2026-06-30T23:17:20","euvd":{"id":"EUVD-2026-40768","description":"Insufficient policy enforcement in DevTools in Google Chrome prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to obtain potentially sensitive information from process memory via a crafted Chrome Extension. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:20","cvss":6.5,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513030698"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14081","summary":"Insufficient policy enforcement in DevTools in Google Chrome prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to obtain potentially sensitive information from process memory via a crafted Chrome Extension. (Chromium security severity: Low)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00167,"ranking_epss":0.06287,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513030698"],"vendor":"linux","product":"linux_kernel","version":null,"published_time":"2026-06-30T23:17:20","euvd":{"id":"EUVD-2026-40768","description":"Insufficient policy enforcement in DevTools in Google Chrome prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to obtain potentially sensitive information from process memory via a crafted Chrome Extension. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:20","cvss":6.5,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513030698"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14081","summary":"Insufficient policy enforcement in DevTools in Google Chrome prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to obtain potentially sensitive information from process memory via a crafted Chrome Extension. (Chromium security severity: Low)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00167,"ranking_epss":0.06287,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513030698"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:20","euvd":{"id":"EUVD-2026-40768","description":"Insufficient policy enforcement in DevTools in Google Chrome prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to obtain potentially sensitive information from process memory via a crafted Chrome Extension. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:20","cvss":6.5,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513030698"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14082","summary":"Race in Storage in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00145,"ranking_epss":0.04187,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513049578"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:20","euvd":null},{"cve_id":"CVE-2026-14083","summary":"Insufficient validation of untrusted input in HTML in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Low)","cvss":6.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.1,"cvss_v4":null,"epss":0.00179,"ranking_epss":0.07661,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513128322"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:20","euvd":null},{"cve_id":"CVE-2026-14084","summary":"Insufficient validation of untrusted input in Chromoting in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to potentially exploit heap corruption via malicious network traffic. (Chromium security severity: Low)","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.00161,"ranking_epss":0.05673,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513138148"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:20","euvd":null},{"cve_id":"CVE-2026-14085","summary":"Side-channel information leakage in CSS in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.07131,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513155863"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:20","euvd":null},{"cve_id":"CVE-2026-14086","summary":"Insufficient policy enforcement in HID in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Low)","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.00215,"ranking_epss":0.11873,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513169718"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:20","euvd":null},{"cve_id":"CVE-2026-14087","summary":"Heap buffer overflow in WebNN in Google Chrome on Windows prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Low)","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.00193,"ranking_epss":0.09151,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513177237"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:20","euvd":null},{"cve_id":"CVE-2026-14088","summary":"Uninitialized Use in Canvas in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00239,"ranking_epss":0.14863,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513178869"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:20","euvd":{"id":"EUVD-2026-40775","description":"Uninitialized Use in Canvas in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:22","cvss":6.5,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513178869"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14089","summary":"Insufficient validation of untrusted input in PopupBlocker in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.07126,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513188254"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:20","euvd":null},{"cve_id":"CVE-2026-14068","summary":"Inappropriate implementation in Omnibox in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Low)","cvss":6.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.1,"cvss_v4":null,"epss":0.00179,"ranking_epss":0.07661,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/504210171"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:19","euvd":null},{"cve_id":"CVE-2026-14068","summary":"Inappropriate implementation in Omnibox in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Low)","cvss":6.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.1,"cvss_v4":null,"epss":0.00179,"ranking_epss":0.07661,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/504210171"],"vendor":"apple","product":"iphone_os","version":null,"published_time":"2026-06-30T23:17:19","euvd":null},{"cve_id":"CVE-2026-14069","summary":"Integer overflow in WebNN in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00219,"ranking_epss":0.12337,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/505136542"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:19","euvd":{"id":"EUVD-2026-40756","description":"Integer overflow in WebNN in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:15","cvss":6.5,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/505136542"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14069","summary":"Integer overflow in WebNN in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00219,"ranking_epss":0.12337,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/505136542"],"vendor":"apple","product":"macos","version":null,"published_time":"2026-06-30T23:17:19","euvd":{"id":"EUVD-2026-40756","description":"Integer overflow in WebNN in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:15","cvss":6.5,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/505136542"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14069","summary":"Integer overflow in WebNN in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00219,"ranking_epss":0.12337,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/505136542"],"vendor":"linux","product":"linux_kernel","version":null,"published_time":"2026-06-30T23:17:19","euvd":{"id":"EUVD-2026-40756","description":"Integer overflow in WebNN in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:15","cvss":6.5,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/505136542"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14069","summary":"Integer overflow in WebNN in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00219,"ranking_epss":0.12337,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/505136542"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:19","euvd":{"id":"EUVD-2026-40756","description":"Integer overflow in WebNN in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:15","cvss":6.5,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/505136542"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14070","summary":"Integer overflow in WebNN in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00239,"ranking_epss":0.14863,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/505137978"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:19","euvd":{"id":"EUVD-2026-40757","description":"Integer overflow in WebNN in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:16","cvss":6.5,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/505137978"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14070","summary":"Integer overflow in WebNN in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00239,"ranking_epss":0.14863,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/505137978"],"vendor":"apple","product":"macos","version":null,"published_time":"2026-06-30T23:17:19","euvd":{"id":"EUVD-2026-40757","description":"Integer overflow in WebNN in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:16","cvss":6.5,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/505137978"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14070","summary":"Integer overflow in WebNN in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00239,"ranking_epss":0.14863,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/505137978"],"vendor":"linux","product":"linux_kernel","version":null,"published_time":"2026-06-30T23:17:19","euvd":{"id":"EUVD-2026-40757","description":"Integer overflow in WebNN in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:16","cvss":6.5,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/505137978"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14070","summary":"Integer overflow in WebNN in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00239,"ranking_epss":0.14863,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/505137978"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:19","euvd":{"id":"EUVD-2026-40757","description":"Integer overflow in WebNN in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:16","cvss":6.5,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/505137978"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14071","summary":"Side-channel information leakage in WebAudio in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.07127,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/506143724"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:19","euvd":null},{"cve_id":"CVE-2026-14071","summary":"Side-channel information leakage in WebAudio in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.07127,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/506143724"],"vendor":"apple","product":"macos","version":null,"published_time":"2026-06-30T23:17:19","euvd":null},{"cve_id":"CVE-2026-14071","summary":"Side-channel information leakage in WebAudio in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.07127,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/506143724"],"vendor":"linux","product":"linux_kernel","version":null,"published_time":"2026-06-30T23:17:19","euvd":null},{"cve_id":"CVE-2026-14071","summary":"Side-channel information leakage in WebAudio in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.07127,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/506143724"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:19","euvd":null},{"cve_id":"CVE-2026-14072","summary":"Inappropriate implementation in SplitView in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.07127,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/507099867"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:19","euvd":null},{"cve_id":"CVE-2026-14073","summary":"Insufficient validation of untrusted input in WebXR in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low)","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00185,"ranking_epss":0.08295,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/507237563"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:19","euvd":null},{"cve_id":"CVE-2026-14073","summary":"Insufficient validation of untrusted input in WebXR in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low)","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00185,"ranking_epss":0.08295,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/507237563"],"vendor":"apple","product":"macos","version":null,"published_time":"2026-06-30T23:17:19","euvd":null},{"cve_id":"CVE-2026-14073","summary":"Insufficient validation of untrusted input in WebXR in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low)","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00185,"ranking_epss":0.08295,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/507237563"],"vendor":"linux","product":"linux_kernel","version":null,"published_time":"2026-06-30T23:17:19","euvd":null},{"cve_id":"CVE-2026-14073","summary":"Insufficient validation of untrusted input in WebXR in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low)","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00185,"ranking_epss":0.08295,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/507237563"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:19","euvd":null},{"cve_id":"CVE-2026-14074","summary":"Side-channel information leakage in WebAuthentication in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00208,"ranking_epss":0.10974,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/511743480"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:19","euvd":null},{"cve_id":"CVE-2026-14075","summary":"Insufficient policy enforcement in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker to bypass no-referrer policy via a crafted HTML page. (Chromium security severity: Low)","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00193,"ranking_epss":0.09253,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/511808800"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:19","euvd":null},{"cve_id":"CVE-2026-14076","summary":"Insufficient policy enforcement in Network in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Low)","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00185,"ranking_epss":0.08295,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/511815165"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:19","euvd":null},{"cve_id":"CVE-2026-14076","summary":"Insufficient policy enforcement in Network in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Low)","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00185,"ranking_epss":0.08295,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/511815165"],"vendor":"apple","product":"macos","version":null,"published_time":"2026-06-30T23:17:19","euvd":null},{"cve_id":"CVE-2026-14076","summary":"Insufficient policy enforcement in Network in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Low)","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00185,"ranking_epss":0.08295,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/511815165"],"vendor":"linux","product":"linux_kernel","version":null,"published_time":"2026-06-30T23:17:19","euvd":null},{"cve_id":"CVE-2026-14076","summary":"Insufficient policy enforcement in Network in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Low)","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00185,"ranking_epss":0.08295,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/511815165"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:19","euvd":null},{"cve_id":"CVE-2026-14077","summary":"Inappropriate implementation in Select in Google Chrome on Mac prior to 150.0.7871.47 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Low)","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.07129,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/511869411"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:19","euvd":null},{"cve_id":"CVE-2026-14077","summary":"Inappropriate implementation in Select in Google Chrome on Mac prior to 150.0.7871.47 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Low)","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.07129,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/511869411"],"vendor":"apple","product":"macos","version":null,"published_time":"2026-06-30T23:17:19","euvd":null},{"cve_id":"CVE-2026-14078","summary":"Insufficient validation of untrusted input in WebRTC in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform privilege escalation via a crafted HTML page. (Chromium security severity: Low)","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.0714,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/512953564"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:19","euvd":null},{"cve_id":"CVE-2026-14057","summary":"Inappropriate implementation in FedCM in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Low)","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00185,"ranking_epss":0.08293,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/502212647"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:18","euvd":null},{"cve_id":"CVE-2026-14058","summary":"Insufficient policy enforcement in Parser in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Low)","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.0022,"ranking_epss":0.12563,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/502354038"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:18","euvd":null},{"cve_id":"CVE-2026-14059","summary":"Insufficient policy enforcement in Related-Website-Sets in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.07137,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/502363986"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:18","euvd":null},{"cve_id":"CVE-2026-14059","summary":"Insufficient policy enforcement in Related-Website-Sets in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.07137,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/502363986"],"vendor":"apple","product":"macos","version":null,"published_time":"2026-06-30T23:17:18","euvd":null},{"cve_id":"CVE-2026-14059","summary":"Insufficient policy enforcement in Related-Website-Sets in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.07137,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/502363986"],"vendor":"linux","product":"linux_kernel","version":null,"published_time":"2026-06-30T23:17:18","euvd":null},{"cve_id":"CVE-2026-14059","summary":"Insufficient policy enforcement in Related-Website-Sets in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.07137,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/502363986"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:18","euvd":null},{"cve_id":"CVE-2026-14060","summary":"Insufficient validation of untrusted input in Chromoting in Google Chrome on Windows prior to 150.0.7871.47 allowed a local attacker to perform privilege escalation via a malicious file. (Chromium security severity: Low)","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":0.00133,"ranking_epss":0.03159,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/502372527"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:18","euvd":null},{"cve_id":"CVE-2026-14061","summary":"Inappropriate implementation in Dawn in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00211,"ranking_epss":0.11348,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/502434484"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:18","euvd":{"id":"EUVD-2026-40748","description":"Inappropriate implementation in Dawn in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:13","cvss":6.5,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/502434484"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14061","summary":"Inappropriate implementation in Dawn in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00211,"ranking_epss":0.11348,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/502434484"],"vendor":"apple","product":"macos","version":null,"published_time":"2026-06-30T23:17:18","euvd":{"id":"EUVD-2026-40748","description":"Inappropriate implementation in Dawn in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:13","cvss":6.5,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/502434484"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14061","summary":"Inappropriate implementation in Dawn in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00211,"ranking_epss":0.11348,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/502434484"],"vendor":"linux","product":"linux_kernel","version":null,"published_time":"2026-06-30T23:17:18","euvd":{"id":"EUVD-2026-40748","description":"Inappropriate implementation in Dawn in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:13","cvss":6.5,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/502434484"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14061","summary":"Inappropriate implementation in Dawn in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00211,"ranking_epss":0.11348,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/502434484"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:18","euvd":{"id":"EUVD-2026-40748","description":"Inappropriate implementation in Dawn in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:13","cvss":6.5,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/502434484"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14062","summary":"Inappropriate implementation in Views in Google Chrome on ChromeOS prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to obtain potentially sensitive information from process memory via a crafted Chrome Extension. (Chromium security severity: Low)","cvss":5.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.9,"cvss_v4":null,"epss":0.00223,"ranking_epss":0.12929,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/502448128"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:18","euvd":{"id":"EUVD-2026-40749","description":"Inappropriate implementation in Views in Google Chrome on ChromeOS prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to obtain potentially sensitive information from process memory via a crafted Chrome Extension. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:13","cvss":5.9,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/502448128"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14063","summary":"Out of bounds read in Chromecast in Google Chrome prior to 150.0.7871.47 allowed a local attacker to obtain potentially sensitive information from process memory via malicious network traffic. (Chromium security severity: Low)","cvss":5.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.7,"cvss_v4":null,"epss":0.00098,"ranking_epss":0.00992,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/502473563"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:18","euvd":{"id":"EUVD-2026-40750","description":"Out of bounds read in Chromecast in Google Chrome prior to 150.0.7871.47 allowed a local attacker to obtain potentially sensitive information from process memory via malicious network traffic. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:13","cvss":5.5,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/502473563"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14063","summary":"Out of bounds read in Chromecast in Google Chrome prior to 150.0.7871.47 allowed a local attacker to obtain potentially sensitive information from process memory via malicious network traffic. (Chromium security severity: Low)","cvss":5.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.7,"cvss_v4":null,"epss":0.00098,"ranking_epss":0.00992,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/502473563"],"vendor":"apple","product":"macos","version":null,"published_time":"2026-06-30T23:17:18","euvd":{"id":"EUVD-2026-40750","description":"Out of bounds read in Chromecast in Google Chrome prior to 150.0.7871.47 allowed a local attacker to obtain potentially sensitive information from process memory via malicious network traffic. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:13","cvss":5.5,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/502473563"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14063","summary":"Out of bounds read in Chromecast in Google Chrome prior to 150.0.7871.47 allowed a local attacker to obtain potentially sensitive information from process memory via malicious network traffic. (Chromium security severity: Low)","cvss":5.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.7,"cvss_v4":null,"epss":0.00098,"ranking_epss":0.00992,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/502473563"],"vendor":"linux","product":"linux_kernel","version":null,"published_time":"2026-06-30T23:17:18","euvd":{"id":"EUVD-2026-40750","description":"Out of bounds read in Chromecast in Google Chrome prior to 150.0.7871.47 allowed a local attacker to obtain potentially sensitive information from process memory via malicious network traffic. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:13","cvss":5.5,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/502473563"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14063","summary":"Out of bounds read in Chromecast in Google Chrome prior to 150.0.7871.47 allowed a local attacker to obtain potentially sensitive information from process memory via malicious network traffic. (Chromium security severity: Low)","cvss":5.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.7,"cvss_v4":null,"epss":0.00098,"ranking_epss":0.00992,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/502473563"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:18","euvd":{"id":"EUVD-2026-40750","description":"Out of bounds read in Chromecast in Google Chrome prior to 150.0.7871.47 allowed a local attacker to obtain potentially sensitive information from process memory via malicious network traffic. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:13","cvss":5.5,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/502473563"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14064","summary":"Use after free in PageInfo in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: Low)","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00215,"ranking_epss":0.11872,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/502714977"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:18","euvd":null},{"cve_id":"CVE-2026-14065","summary":"Insufficient validation of untrusted input in PageInfo in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.0022,"ranking_epss":0.12564,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/503617508"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:18","euvd":null},{"cve_id":"CVE-2026-14065","summary":"Insufficient validation of untrusted input in PageInfo in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.0022,"ranking_epss":0.12564,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/503617508"],"vendor":"apple","product":"macos","version":null,"published_time":"2026-06-30T23:17:18","euvd":null},{"cve_id":"CVE-2026-14065","summary":"Insufficient validation of untrusted input in PageInfo in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.0022,"ranking_epss":0.12564,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/503617508"],"vendor":"linux","product":"linux_kernel","version":null,"published_time":"2026-06-30T23:17:18","euvd":null},{"cve_id":"CVE-2026-14065","summary":"Insufficient validation of untrusted input in PageInfo in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.0022,"ranking_epss":0.12564,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/503617508"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:18","euvd":null},{"cve_id":"CVE-2026-14066","summary":"Insufficient validation of untrusted input in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low)","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00193,"ranking_epss":0.09254,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/503779807"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:18","euvd":null},{"cve_id":"CVE-2026-14066","summary":"Insufficient validation of untrusted input in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low)","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00193,"ranking_epss":0.09254,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/503779807"],"vendor":"apple","product":"iphone_os","version":null,"published_time":"2026-06-30T23:17:18","euvd":null},{"cve_id":"CVE-2026-14067","summary":"Use after free in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Low)","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.00267,"ranking_epss":0.1836,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/504069465"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:18","euvd":null},{"cve_id":"CVE-2026-14067","summary":"Use after free in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Low)","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.00267,"ranking_epss":0.1836,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/504069465"],"vendor":"apple","product":"iphone_os","version":null,"published_time":"2026-06-30T23:17:18","euvd":null},{"cve_id":"CVE-2026-14046","summary":"Inappropriate implementation in CustomTabs in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Low)","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00185,"ranking_epss":0.08296,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/497959724"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:17","euvd":null},{"cve_id":"CVE-2026-14046","summary":"Inappropriate implementation in CustomTabs in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Low)","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00185,"ranking_epss":0.08296,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/497959724"],"vendor":"google","product":"android","version":null,"published_time":"2026-06-30T23:17:17","euvd":null},{"cve_id":"CVE-2026-14047","summary":"Insufficient policy enforcement in Extensions in Google Chrome prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to bypass content security policy via a crafted Chrome Extension. (Chromium security severity: Low)","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00118,"ranking_epss":0.02031,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/498864176"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:17","euvd":null},{"cve_id":"CVE-2026-14048","summary":"Use after free in Chromecast in Google Chrome prior to 150.0.7871.47 allowed an attacker on the local network segment to obtain potentially sensitive information from process memory via a malicious peripheral. (Chromium security severity: Low)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00111,"ranking_epss":0.0157,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/499189601"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:17","euvd":{"id":"EUVD-2026-40735","description":"Use after free in Chromecast in Google Chrome prior to 150.0.7871.47 allowed an attacker on the local network segment to obtain potentially sensitive information from process memory via a malicious peripheral. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:08","cvss":6.5,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/499189601"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14048","summary":"Use after free in Chromecast in Google Chrome prior to 150.0.7871.47 allowed an attacker on the local network segment to obtain potentially sensitive information from process memory via a malicious peripheral. (Chromium security severity: Low)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00111,"ranking_epss":0.0157,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/499189601"],"vendor":"apple","product":"macos","version":null,"published_time":"2026-06-30T23:17:17","euvd":{"id":"EUVD-2026-40735","description":"Use after free in Chromecast in Google Chrome prior to 150.0.7871.47 allowed an attacker on the local network segment to obtain potentially sensitive information from process memory via a malicious peripheral. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:08","cvss":6.5,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/499189601"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14048","summary":"Use after free in Chromecast in Google Chrome prior to 150.0.7871.47 allowed an attacker on the local network segment to obtain potentially sensitive information from process memory via a malicious peripheral. (Chromium security severity: Low)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00111,"ranking_epss":0.0157,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/499189601"],"vendor":"linux","product":"linux_kernel","version":null,"published_time":"2026-06-30T23:17:17","euvd":{"id":"EUVD-2026-40735","description":"Use after free in Chromecast in Google Chrome prior to 150.0.7871.47 allowed an attacker on the local network segment to obtain potentially sensitive information from process memory via a malicious peripheral. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:08","cvss":6.5,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/499189601"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14048","summary":"Use after free in Chromecast in Google Chrome prior to 150.0.7871.47 allowed an attacker on the local network segment to obtain potentially sensitive information from process memory via a malicious peripheral. (Chromium security severity: Low)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00111,"ranking_epss":0.0157,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/499189601"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:17","euvd":{"id":"EUVD-2026-40735","description":"Use after free in Chromecast in Google Chrome prior to 150.0.7871.47 allowed an attacker on the local network segment to obtain potentially sensitive information from process memory via a malicious peripheral. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:08","cvss":6.5,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/499189601"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14049","summary":"Inappropriate implementation in GPU in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00205,"ranking_epss":0.10605,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/501659888"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:17","euvd":{"id":"EUVD-2026-40736","description":"Inappropriate implementation in GPU in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:08","cvss":5.3,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/501659888"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14049","summary":"Inappropriate implementation in GPU in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00205,"ranking_epss":0.10605,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/501659888"],"vendor":"apple","product":"macos","version":null,"published_time":"2026-06-30T23:17:17","euvd":{"id":"EUVD-2026-40736","description":"Inappropriate implementation in GPU in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:08","cvss":5.3,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/501659888"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14049","summary":"Inappropriate implementation in GPU in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00205,"ranking_epss":0.10605,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/501659888"],"vendor":"linux","product":"linux_kernel","version":null,"published_time":"2026-06-30T23:17:17","euvd":{"id":"EUVD-2026-40736","description":"Inappropriate implementation in GPU in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:08","cvss":5.3,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/501659888"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14049","summary":"Inappropriate implementation in GPU in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00205,"ranking_epss":0.10605,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/501659888"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:17","euvd":{"id":"EUVD-2026-40736","description":"Inappropriate implementation in GPU in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:08","cvss":5.3,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/501659888"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14050","summary":"Insufficient policy enforcement in Passwords in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.0713,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/501708647"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:17","euvd":null},{"cve_id":"CVE-2026-14051","summary":"Uninitialized Use in GamepadAPI in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00239,"ranking_epss":0.14862,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/501747804"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:17","euvd":{"id":"EUVD-2026-40738","description":"Uninitialized Use in GamepadAPI in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:09","cvss":6.5,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/501747804"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14051","summary":"Uninitialized Use in GamepadAPI in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00239,"ranking_epss":0.14862,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/501747804"],"vendor":"apple","product":"macos","version":null,"published_time":"2026-06-30T23:17:17","euvd":{"id":"EUVD-2026-40738","description":"Uninitialized Use in GamepadAPI in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:09","cvss":6.5,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/501747804"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14051","summary":"Uninitialized Use in GamepadAPI in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00239,"ranking_epss":0.14862,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/501747804"],"vendor":"linux","product":"linux_kernel","version":null,"published_time":"2026-06-30T23:17:17","euvd":{"id":"EUVD-2026-40738","description":"Uninitialized Use in GamepadAPI in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:09","cvss":6.5,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/501747804"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14051","summary":"Uninitialized Use in GamepadAPI in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00239,"ranking_epss":0.14862,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/501747804"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:17","euvd":{"id":"EUVD-2026-40738","description":"Uninitialized Use in GamepadAPI in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:09","cvss":6.5,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/501747804"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14052","summary":"Insufficient policy enforcement in FileSystem in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to bypass discretionary access control via a crafted HTML page. (Chromium security severity: Low)","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00185,"ranking_epss":0.08294,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/501810874"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:17","euvd":null},{"cve_id":"CVE-2026-14053","summary":"Insufficient policy enforcement in Extensions in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.07136,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/501836539"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:17","euvd":null},{"cve_id":"CVE-2026-14054","summary":"Insufficient policy enforcement in Network in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low)","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00185,"ranking_epss":0.08294,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/501851312"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:17","euvd":null},{"cve_id":"CVE-2026-14055","summary":"Insufficient validation of untrusted input in Device Trust in Google Chrome on Windows prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low)","cvss":9.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.6,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.07137,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/501857663"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:17","euvd":null},{"cve_id":"CVE-2026-14055","summary":"Insufficient validation of untrusted input in Device Trust in Google Chrome on Windows prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low)","cvss":9.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.6,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.07137,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/501857663"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:17","euvd":null},{"cve_id":"CVE-2026-14056","summary":"Insufficient validation of untrusted input in Media in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted video file. (Chromium security severity: Low)","cvss":9.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.6,"cvss_v4":null,"epss":0.00161,"ranking_epss":0.05673,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/501888426"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:17","euvd":null},{"cve_id":"CVE-2026-14034","summary":"Inappropriate implementation in WebXR in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low)","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00185,"ranking_epss":0.08294,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/496368832"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:16","euvd":null},{"cve_id":"CVE-2026-14034","summary":"Inappropriate implementation in WebXR in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low)","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00185,"ranking_epss":0.08294,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/496368832"],"vendor":"google","product":"android","version":null,"published_time":"2026-06-30T23:17:16","euvd":null},{"cve_id":"CVE-2026-14035","summary":"Insufficient policy enforcement in Bluetooth in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00211,"ranking_epss":0.11348,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/496371586"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:16","euvd":{"id":"EUVD-2026-40722","description":"Insufficient policy enforcement in Bluetooth in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:03","cvss":6.5,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/496371586"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14035","summary":"Insufficient policy enforcement in Bluetooth in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00211,"ranking_epss":0.11348,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/496371586"],"vendor":"apple","product":"macos","version":null,"published_time":"2026-06-30T23:17:16","euvd":{"id":"EUVD-2026-40722","description":"Insufficient policy enforcement in Bluetooth in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:03","cvss":6.5,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/496371586"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14035","summary":"Insufficient policy enforcement in Bluetooth in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00211,"ranking_epss":0.11348,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/496371586"],"vendor":"linux","product":"linux_kernel","version":null,"published_time":"2026-06-30T23:17:16","euvd":{"id":"EUVD-2026-40722","description":"Insufficient policy enforcement in Bluetooth in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:03","cvss":6.5,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/496371586"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14035","summary":"Insufficient policy enforcement in Bluetooth in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00211,"ranking_epss":0.11348,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/496371586"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:16","euvd":{"id":"EUVD-2026-40722","description":"Insufficient policy enforcement in Bluetooth in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:03","cvss":6.5,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/496371586"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14036","summary":"Insufficient policy enforcement in Bluetooth in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform privilege escalation via a crafted HTML page. (Chromium security severity: Low)","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.07137,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/496411061"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:16","euvd":null},{"cve_id":"CVE-2026-14037","summary":"Insufficient policy enforcement in GPU in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low)","cvss":9.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.6,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.0713,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/496522611"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:16","euvd":null},{"cve_id":"CVE-2026-14038","summary":"Insufficient validation of untrusted input in New Tab Page in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low)","cvss":9.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.3,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.07139,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/497241148"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:16","euvd":null},{"cve_id":"CVE-2026-14039","summary":"Insufficient policy enforcement in GetUserMedia in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Low)","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00185,"ranking_epss":0.08295,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/497358012"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:16","euvd":null},{"cve_id":"CVE-2026-14040","summary":"Use after free in BrowserTag in Google Chrome prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension. (Chromium security severity: Low)","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.00117,"ranking_epss":0.01929,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/497488593"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:16","euvd":null},{"cve_id":"CVE-2026-14041","summary":"Insufficient policy enforcement in Serial in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform privilege escalation via a crafted HTML page. (Chromium security severity: Low)","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.07135,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/497544822"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:16","euvd":null},{"cve_id":"CVE-2026-14042","summary":"Inappropriate implementation in Isolated Web Apps in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.07135,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/497558336"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:16","euvd":null},{"cve_id":"CVE-2026-14043","summary":"Use after free in GetUserMedia in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low)","cvss":9.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.6,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.07133,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/497632232"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:16","euvd":null},{"cve_id":"CVE-2026-14044","summary":"Use after free in ANGLE in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low)","cvss":9.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.6,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.07134,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/497670996"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:16","euvd":null},{"cve_id":"CVE-2026-14045","summary":"Insufficient validation of untrusted input in Network in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.07129,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/497723649"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:16","euvd":null},{"cve_id":"CVE-2026-14022","summary":"Insufficient validation of untrusted input in Network in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00208,"ranking_epss":0.10962,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/517791835"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:15","euvd":null},{"cve_id":"CVE-2026-14023","summary":"Insufficient validation of untrusted input in SanitizerAPI in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Medium)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.0022,"ranking_epss":0.12564,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/518063436"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:15","euvd":null},{"cve_id":"CVE-2026-14024","summary":"Use after free in Ozone in Google Chrome on Linux prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.00208,"ranking_epss":0.10963,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/518245882"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:15","euvd":null},{"cve_id":"CVE-2026-14024","summary":"Use after free in Ozone in Google Chrome on Linux prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.00208,"ranking_epss":0.10963,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/518245882"],"vendor":"linux","product":"linux_kernel","version":null,"published_time":"2026-06-30T23:17:15","euvd":null},{"cve_id":"CVE-2026-14025","summary":"Use after free in Views in Google Chrome on Mac prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Low)","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.00208,"ranking_epss":0.10964,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/506482786"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:15","euvd":null},{"cve_id":"CVE-2026-14025","summary":"Use after free in Views in Google Chrome on Mac prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Low)","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.00208,"ranking_epss":0.10964,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/506482786"],"vendor":"apple","product":"macos","version":null,"published_time":"2026-06-30T23:17:15","euvd":null},{"cve_id":"CVE-2026-14026","summary":"Incorrect security UI in SplitView in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)","cvss":4.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.2,"cvss_v4":null,"epss":0.00154,"ranking_epss":0.0489,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/507263861"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:15","euvd":{"id":"EUVD-2026-40714","description":"Incorrect security UI in SplitView in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:00","cvss":4.2,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/507263861"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14026","summary":"Incorrect security UI in SplitView in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)","cvss":4.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.2,"cvss_v4":null,"epss":0.00154,"ranking_epss":0.0489,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/507263861"],"vendor":"apple","product":"macos","version":null,"published_time":"2026-06-30T23:17:15","euvd":{"id":"EUVD-2026-40714","description":"Incorrect security UI in SplitView in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:00","cvss":4.2,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/507263861"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14026","summary":"Incorrect security UI in SplitView in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)","cvss":4.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.2,"cvss_v4":null,"epss":0.00154,"ranking_epss":0.0489,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/507263861"],"vendor":"linux","product":"linux_kernel","version":null,"published_time":"2026-06-30T23:17:15","euvd":{"id":"EUVD-2026-40714","description":"Incorrect security UI in SplitView in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:00","cvss":4.2,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/507263861"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14026","summary":"Incorrect security UI in SplitView in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)","cvss":4.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.2,"cvss_v4":null,"epss":0.00154,"ranking_epss":0.0489,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/507263861"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:15","euvd":{"id":"EUVD-2026-40714","description":"Incorrect security UI in SplitView in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:00","cvss":4.2,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/507263861"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14027","summary":"Use after free in SignIn in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Low)","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.07129,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/361375787"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:15","euvd":null},{"cve_id":"CVE-2026-14028","summary":"Incorrect security UI in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)","cvss":4.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.2,"cvss_v4":null,"epss":0.00163,"ranking_epss":0.05886,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/401816601"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:15","euvd":{"id":"EUVD-2026-40716","description":"Incorrect security UI in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:01","cvss":4.2,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/401816601"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14030","summary":"Inappropriate implementation in SplitView in Google Chrome on Linux prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Low)","cvss":4.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.2,"cvss_v4":null,"epss":0.00154,"ranking_epss":0.0489,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/488762971"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:15","euvd":{"id":"EUVD-2026-40717","description":"Inappropriate implementation in SplitView in Google Chrome on Linux prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:01","cvss":4.2,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/488762971"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14030","summary":"Inappropriate implementation in SplitView in Google Chrome on Linux prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Low)","cvss":4.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.2,"cvss_v4":null,"epss":0.00154,"ranking_epss":0.0489,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/488762971"],"vendor":"linux","product":"linux_kernel","version":null,"published_time":"2026-06-30T23:17:15","euvd":{"id":"EUVD-2026-40717","description":"Inappropriate implementation in SplitView in Google Chrome on Linux prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Low)","published_time":"2026-06-30T22:39:01","cvss":4.2,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/488762971"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14031","summary":"Inappropriate implementation in File Input in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.07137,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/495459838"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:15","euvd":null},{"cve_id":"CVE-2026-14031","summary":"Inappropriate implementation in File Input in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.07137,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/495459838"],"vendor":"apple","product":"macos","version":null,"published_time":"2026-06-30T23:17:15","euvd":null},{"cve_id":"CVE-2026-14031","summary":"Inappropriate implementation in File Input in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.07137,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/495459838"],"vendor":"linux","product":"linux_kernel","version":null,"published_time":"2026-06-30T23:17:15","euvd":null},{"cve_id":"CVE-2026-14031","summary":"Inappropriate implementation in File Input in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.07137,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/495459838"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:15","euvd":null},{"cve_id":"CVE-2026-14032","summary":"Use after free in Bluetooth in Google Chrome on Mac prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to execute arbitrary code via a crafted Chrome Extension. (Chromium security severity: Low)","cvss":8.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":null,"epss":0.00134,"ranking_epss":0.03273,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/495783474"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:15","euvd":null},{"cve_id":"CVE-2026-14033","summary":"Insufficient policy enforcement in Media in Google Chrome on Windows prior to 150.0.7871.47 allowed a remote attacker to bypass site isolation via a crafted HTML page. (Chromium security severity: Low)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00185,"ranking_epss":0.08295,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/495848160"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:15","euvd":null},{"cve_id":"CVE-2026-14033","summary":"Insufficient policy enforcement in Media in Google Chrome on Windows prior to 150.0.7871.47 allowed a remote attacker to bypass site isolation via a crafted HTML page. (Chromium security severity: Low)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00185,"ranking_epss":0.08295,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/495848160"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:15","euvd":null},{"cve_id":"CVE-2026-14011","summary":"Out of bounds read in SurfaceCapture in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Medium)","cvss":8.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.07138,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/516944556"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:14","euvd":null},{"cve_id":"CVE-2026-14012","summary":"Side-channel information leakage in CSS in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00205,"ranking_epss":0.10605,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/517110749"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:14","euvd":{"id":"EUVD-2026-40700","description":"Side-channel information leakage in CSS in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)","published_time":"2026-06-30T22:38:55","cvss":5.3,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/517110749"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14012","summary":"Side-channel information leakage in CSS in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00205,"ranking_epss":0.10605,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/517110749"],"vendor":"apple","product":"macos","version":null,"published_time":"2026-06-30T23:17:14","euvd":{"id":"EUVD-2026-40700","description":"Side-channel information leakage in CSS in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)","published_time":"2026-06-30T22:38:55","cvss":5.3,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/517110749"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14012","summary":"Side-channel information leakage in CSS in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00205,"ranking_epss":0.10605,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/517110749"],"vendor":"linux","product":"linux_kernel","version":null,"published_time":"2026-06-30T23:17:14","euvd":{"id":"EUVD-2026-40700","description":"Side-channel information leakage in CSS in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)","published_time":"2026-06-30T22:38:55","cvss":5.3,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/517110749"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14012","summary":"Side-channel information leakage in CSS in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00205,"ranking_epss":0.10605,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/517110749"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:14","euvd":{"id":"EUVD-2026-40700","description":"Side-channel information leakage in CSS in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)","published_time":"2026-06-30T22:38:55","cvss":5.3,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/517110749"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14013","summary":"Inappropriate implementation in SVG in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.07134,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/517114175"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:14","euvd":null},{"cve_id":"CVE-2026-14014","summary":"Inappropriate implementation in Paint in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.07133,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/517155893"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:14","euvd":null},{"cve_id":"CVE-2026-14015","summary":"Race in WebRTC in Google Chrome on Windows prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.07135,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/517207235"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:14","euvd":null},{"cve_id":"CVE-2026-14015","summary":"Race in WebRTC in Google Chrome on Windows prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.07135,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/517207235"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:14","euvd":null},{"cve_id":"CVE-2026-14016","summary":"Inappropriate implementation in SVG in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.07134,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/517234388"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:14","euvd":null},{"cve_id":"CVE-2026-14017","summary":"Inappropriate implementation in Navigation in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)","cvss":9.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.6,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.07138,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/517241992"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:14","euvd":null},{"cve_id":"CVE-2026-14018","summary":"Use after free in Updater in Google Chrome on Windows prior to 150.0.7871.47 allowed a local attacker to perform OS-level privilege escalation via a malicious file. (Chromium security severity: Medium)","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":0.00107,"ranking_epss":0.01358,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/517350251"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:14","euvd":null},{"cve_id":"CVE-2026-14018","summary":"Use after free in Updater in Google Chrome on Windows prior to 150.0.7871.47 allowed a local attacker to perform OS-level privilege escalation via a malicious file. (Chromium security severity: Medium)","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":0.00107,"ranking_epss":0.01358,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/517350251"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:14","euvd":null},{"cve_id":"CVE-2026-14019","summary":"Inappropriate implementation in Passwords in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.07131,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/517455455"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:14","euvd":null},{"cve_id":"CVE-2026-14020","summary":"Insufficient validation of untrusted input in WebXR in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.07136,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/517598518"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:14","euvd":null},{"cve_id":"CVE-2026-14021","summary":"Insufficient policy enforcement in StorageAccessAPI in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.07135,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/517731924"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:14","euvd":null},{"cve_id":"CVE-2026-14000","summary":"Inappropriate implementation in XML in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Medium)","cvss":6.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.1,"cvss_v4":null,"epss":0.00171,"ranking_epss":0.06801,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514461552"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:13","euvd":null},{"cve_id":"CVE-2026-14001","summary":"Inappropriate implementation in Network in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Medium)","cvss":6.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.1,"cvss_v4":null,"epss":0.00171,"ranking_epss":0.06801,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514481943"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:13","euvd":null},{"cve_id":"CVE-2026-14002","summary":"Inappropriate implementation in Geolocation in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.07136,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514489361"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:13","euvd":null},{"cve_id":"CVE-2026-14003","summary":"Insufficient policy enforcement in Extensions in Google Chrome prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to leak cross-origin data via a crafted Chrome Extension. (Chromium security severity: Medium)","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00112,"ranking_epss":0.01619,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514503077"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:13","euvd":null},{"cve_id":"CVE-2026-14004","summary":"Inappropriate implementation in CSS in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00208,"ranking_epss":0.10964,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514538751"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:13","euvd":null},{"cve_id":"CVE-2026-14005","summary":"Use after free in Omnibox in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.07133,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514740273"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:13","euvd":null},{"cve_id":"CVE-2026-14005","summary":"Use after free in Omnibox in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.07133,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514740273"],"vendor":"google","product":"android","version":null,"published_time":"2026-06-30T23:17:13","euvd":null},{"cve_id":"CVE-2026-14006","summary":"Use after free in Navigation in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Medium)","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.00215,"ranking_epss":0.11873,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/515423596"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:13","euvd":null},{"cve_id":"CVE-2026-14007","summary":"Insufficient policy enforcement in PermissionsPolicy in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00185,"ranking_epss":0.08293,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/516425999"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:13","euvd":null},{"cve_id":"CVE-2026-14008","summary":"Uninitialized Use in WebXR in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00239,"ranking_epss":0.14862,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/516781007"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:13","euvd":{"id":"EUVD-2026-40696","description":"Uninitialized Use in WebXR in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)","published_time":"2026-06-30T22:38:54","cvss":6.5,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/516781007"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14008","summary":"Uninitialized Use in WebXR in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00239,"ranking_epss":0.14862,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/516781007"],"vendor":"google","product":"android","version":null,"published_time":"2026-06-30T23:17:13","euvd":{"id":"EUVD-2026-40696","description":"Uninitialized Use in WebXR in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)","published_time":"2026-06-30T22:38:54","cvss":6.5,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/516781007"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14009","summary":"Inappropriate implementation in Passwords in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.07128,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/516819850"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:13","euvd":null},{"cve_id":"CVE-2026-14010","summary":"Uninitialized Use in Codecs in Google Chrome on Windows prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00289,"ranking_epss":0.20663,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/516924151"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:13","euvd":{"id":"EUVD-2026-40698","description":"Uninitialized Use in Codecs in Google Chrome on Windows prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)","published_time":"2026-06-30T22:38:55","cvss":6.5,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/516924151"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-14010","summary":"Uninitialized Use in Codecs in Google Chrome on Windows prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00289,"ranking_epss":0.20663,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/516924151"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:13","euvd":{"id":"EUVD-2026-40698","description":"Uninitialized Use in Codecs in Google Chrome on Windows prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)","published_time":"2026-06-30T22:38:55","cvss":6.5,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/516924151"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-13988","summary":"Inappropriate implementation in Paint in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.07131,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514040614"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:12","euvd":null},{"cve_id":"CVE-2026-13989","summary":"Inappropriate implementation in PageInfo in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.07132,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514056221"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:12","euvd":null},{"cve_id":"CVE-2026-13990","summary":"Insufficient validation of untrusted input in DataTransfer in Google Chrome on Windows prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.07132,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514058439"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:12","euvd":null},{"cve_id":"CVE-2026-13990","summary":"Insufficient validation of untrusted input in DataTransfer in Google Chrome on Windows prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.07132,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514058439"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:12","euvd":null},{"cve_id":"CVE-2026-13991","summary":"Insufficient validation of untrusted input in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.0713,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514061117"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:12","euvd":null},{"cve_id":"CVE-2026-13991","summary":"Insufficient validation of untrusted input in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.0713,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514061117"],"vendor":"apple","product":"iphone_os","version":null,"published_time":"2026-06-30T23:17:12","euvd":null},{"cve_id":"CVE-2026-13992","summary":"Inappropriate implementation in UI in Google Chrome on Mac prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)","cvss":4.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.2,"cvss_v4":null,"epss":0.00186,"ranking_epss":0.08419,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514063409"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:12","euvd":{"id":"EUVD-2026-40680","description":"Inappropriate implementation in UI in Google Chrome on Mac prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)","published_time":"2026-06-30T22:38:48","cvss":4.2,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514063409"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-13992","summary":"Inappropriate implementation in UI in Google Chrome on Mac prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)","cvss":4.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.2,"cvss_v4":null,"epss":0.00186,"ranking_epss":0.08419,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514063409"],"vendor":"apple","product":"macos","version":null,"published_time":"2026-06-30T23:17:12","euvd":{"id":"EUVD-2026-40680","description":"Inappropriate implementation in UI in Google Chrome on Mac prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)","published_time":"2026-06-30T22:38:48","cvss":4.2,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514063409"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-13993","summary":"Incorrect security UI in WebAppInstalls in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform domain spoofing via a crafted HTML page. (Chromium security severity: Medium)","cvss":4.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.2,"cvss_v4":null,"epss":0.00154,"ranking_epss":0.0489,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514064139"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:12","euvd":{"id":"EUVD-2026-40681","description":"Incorrect security UI in WebAppInstalls in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform domain spoofing via a crafted HTML page. (Chromium security severity: Medium)","published_time":"2026-06-30T22:38:48","cvss":4.2,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514064139"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-13993","summary":"Incorrect security UI in WebAppInstalls in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform domain spoofing via a crafted HTML page. (Chromium security severity: Medium)","cvss":4.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.2,"cvss_v4":null,"epss":0.00154,"ranking_epss":0.0489,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514064139"],"vendor":"apple","product":"macos","version":null,"published_time":"2026-06-30T23:17:12","euvd":{"id":"EUVD-2026-40681","description":"Incorrect security UI in WebAppInstalls in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform domain spoofing via a crafted HTML page. (Chromium security severity: Medium)","published_time":"2026-06-30T22:38:48","cvss":4.2,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514064139"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-13993","summary":"Incorrect security UI in WebAppInstalls in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform domain spoofing via a crafted HTML page. (Chromium security severity: Medium)","cvss":4.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.2,"cvss_v4":null,"epss":0.00154,"ranking_epss":0.0489,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514064139"],"vendor":"linux","product":"linux_kernel","version":null,"published_time":"2026-06-30T23:17:12","euvd":{"id":"EUVD-2026-40681","description":"Incorrect security UI in WebAppInstalls in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform domain spoofing via a crafted HTML page. (Chromium security severity: Medium)","published_time":"2026-06-30T22:38:48","cvss":4.2,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514064139"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-13993","summary":"Incorrect security UI in WebAppInstalls in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform domain spoofing via a crafted HTML page. (Chromium security severity: Medium)","cvss":4.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.2,"cvss_v4":null,"epss":0.00154,"ranking_epss":0.0489,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514064139"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:12","euvd":{"id":"EUVD-2026-40681","description":"Incorrect security UI in WebAppInstalls in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform domain spoofing via a crafted HTML page. (Chromium security severity: Medium)","published_time":"2026-06-30T22:38:48","cvss":4.2,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514064139"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-13994","summary":"Inappropriate implementation in Credential Management in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.07131,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514067416"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:12","euvd":null},{"cve_id":"CVE-2026-13995","summary":"Insufficient validation of untrusted input in Autofill in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00208,"ranking_epss":0.10961,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514067524"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:12","euvd":null},{"cve_id":"CVE-2026-13996","summary":"Inappropriate implementation in Permissions in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.07133,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514068972"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:12","euvd":null},{"cve_id":"CVE-2026-13997","summary":"Incorrect security UI in Extensions in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)","cvss":4.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.2,"cvss_v4":null,"epss":0.00154,"ranking_epss":0.04889,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514069689"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:12","euvd":{"id":"EUVD-2026-40685","description":"Incorrect security UI in Extensions in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)","published_time":"2026-06-30T22:38:50","cvss":4.2,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514069689"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-13997","summary":"Incorrect security UI in Extensions in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)","cvss":4.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.2,"cvss_v4":null,"epss":0.00154,"ranking_epss":0.04889,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514069689"],"vendor":"google","product":"android","version":null,"published_time":"2026-06-30T23:17:12","euvd":{"id":"EUVD-2026-40685","description":"Incorrect security UI in Extensions in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)","published_time":"2026-06-30T22:38:50","cvss":4.2,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514069689"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-13998","summary":"Incorrect security UI in File Input in Google Chrome on Mac prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)","cvss":4.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.2,"cvss_v4":null,"epss":0.00154,"ranking_epss":0.04891,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514070501"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:12","euvd":{"id":"EUVD-2026-40686","description":"Incorrect security UI in File Input in Google Chrome on Mac prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)","published_time":"2026-06-30T22:38:50","cvss":4.2,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514070501"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-13998","summary":"Incorrect security UI in File Input in Google Chrome on Mac prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)","cvss":4.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.2,"cvss_v4":null,"epss":0.00154,"ranking_epss":0.04891,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514070501"],"vendor":"apple","product":"macos","version":null,"published_time":"2026-06-30T23:17:12","euvd":{"id":"EUVD-2026-40686","description":"Incorrect security UI in File Input in Google Chrome on Mac prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)","published_time":"2026-06-30T22:38:50","cvss":4.2,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514070501"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-13999","summary":"Insufficient validation of untrusted input in Extensions in Google Chrome prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to perform UI spoofing via a crafted Chrome Extension. (Chromium security severity: Medium)","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00133,"ranking_epss":0.03179,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514071697"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:12","euvd":null},{"cve_id":"CVE-2026-13976","summary":"Insufficient data validation in Storage in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)","cvss":5.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.8,"cvss_v4":null,"epss":0.00208,"ranking_epss":0.10961,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513858286"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:11","euvd":null},{"cve_id":"CVE-2026-13977","summary":"Inappropriate implementation in HTMLParser in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Medium)","cvss":5.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.4,"cvss_v4":null,"epss":0.00171,"ranking_epss":0.06801,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513859894"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:11","euvd":null},{"cve_id":"CVE-2026-13978","summary":"Insufficient policy enforcement in PageInfo in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00208,"ranking_epss":0.1096,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513866949"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:11","euvd":{"id":"EUVD-2026-40666","description":"Insufficient policy enforcement in PageInfo in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)","published_time":"2026-06-30T22:38:43","cvss":4.3,"cvss_version":"3.1","epss":0.0021,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513866949"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-13979","summary":"Inappropriate implementation in Paint in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00208,"ranking_epss":0.10962,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513988889"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:11","euvd":{"id":"EUVD-2026-40667","description":"Inappropriate implementation in Paint in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)","published_time":"2026-06-30T22:38:43","cvss":4.3,"cvss_version":"3.1","epss":0.0021,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513988889"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-13980","summary":"Inappropriate implementation in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00208,"ranking_epss":0.10963,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513989973"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:11","euvd":{"id":"EUVD-2026-40668","description":"Inappropriate implementation in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)","published_time":"2026-06-30T22:38:43","cvss":4.3,"cvss_version":"3.1","epss":0.0021,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513989973"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-13981","summary":"Inappropriate implementation in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00208,"ranking_epss":0.10963,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513990408"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:11","euvd":null},{"cve_id":"CVE-2026-13982","summary":"Incorrect security UI in Passwords in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)","cvss":3.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":3.1,"cvss_v4":null,"epss":0.00208,"ranking_epss":0.10963,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514006829"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:11","euvd":null},{"cve_id":"CVE-2026-13983","summary":"Inappropriate implementation in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Medium)","cvss":4.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.2,"cvss_v4":null,"epss":0.00154,"ranking_epss":0.04889,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514009910"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:11","euvd":{"id":"EUVD-2026-40671","description":"Inappropriate implementation in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Medium)","published_time":"2026-06-30T22:38:45","cvss":4.2,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514009910"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-13984","summary":"Incorrect security UI in TabStrip in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.07129,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514010404"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:11","euvd":null},{"cve_id":"CVE-2026-13985","summary":"Inappropriate implementation in MediaCapture in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00208,"ranking_epss":0.10962,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514013849"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:11","euvd":null},{"cve_id":"CVE-2026-13986","summary":"Inappropriate implementation in Media UI in Google Chrome on ChromeOS prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)","cvss":4.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.2,"cvss_v4":null,"epss":0.00186,"ranking_epss":0.08419,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514020959"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:11","euvd":{"id":"EUVD-2026-40674","description":"Inappropriate implementation in Media UI in Google Chrome on ChromeOS prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)","published_time":"2026-06-30T22:38:46","cvss":4.2,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514020959"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-13987","summary":"Incorrect security UI in Mobile in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00174,"ranking_epss":0.07132,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/514039122"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:11","euvd":null},{"cve_id":"CVE-2026-13965","summary":"Use after free in Oilpan in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.00256,"ranking_epss":0.16932,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513737952"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:10","euvd":null},{"cve_id":"CVE-2026-13966","summary":"Inappropriate implementation in History in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00208,"ranking_epss":0.10961,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513741393"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:10","euvd":{"id":"EUVD-2026-40654","description":"Inappropriate implementation in History in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)","published_time":"2026-06-30T22:38:38","cvss":4.3,"cvss_version":"3.1","epss":0.0021,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513741393"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-13967","summary":"Heap buffer overflow in V8 in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.00302,"ranking_epss":0.21875,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513751951"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:10","euvd":null},{"cve_id":"CVE-2026-13968","summary":"Insufficient validation of untrusted input in DevTools in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code inside a sandbox via a malicious file. (Chromium security severity: Medium)","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00236,"ranking_epss":0.14565,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513762145"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:10","euvd":null},{"cve_id":"CVE-2026-13969","summary":"Uninitialized Use in UI in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00271,"ranking_epss":0.18724,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513762962"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:10","euvd":{"id":"EUVD-2026-40657","description":"Uninitialized Use in UI in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)","published_time":"2026-06-30T22:38:39","cvss":5.3,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513762962"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-13969","summary":"Uninitialized Use in UI in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00271,"ranking_epss":0.18724,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513762962"],"vendor":"google","product":"android","version":null,"published_time":"2026-06-30T23:17:10","euvd":{"id":"EUVD-2026-40657","description":"Uninitialized Use in UI in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)","published_time":"2026-06-30T22:38:39","cvss":5.3,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513762962"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-13970","summary":"Uninitialized Use in Media in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00271,"ranking_epss":0.18724,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513779283"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:10","euvd":{"id":"EUVD-2026-40658","description":"Uninitialized Use in Media in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)","published_time":"2026-06-30T22:38:40","cvss":5.3,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513779283"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-13970","summary":"Uninitialized Use in Media in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00271,"ranking_epss":0.18724,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513779283"],"vendor":"apple","product":"macos","version":null,"published_time":"2026-06-30T23:17:10","euvd":{"id":"EUVD-2026-40658","description":"Uninitialized Use in Media in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)","published_time":"2026-06-30T22:38:40","cvss":5.3,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513779283"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-13970","summary":"Uninitialized Use in Media in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00271,"ranking_epss":0.18724,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513779283"],"vendor":"linux","product":"linux_kernel","version":null,"published_time":"2026-06-30T23:17:10","euvd":{"id":"EUVD-2026-40658","description":"Uninitialized Use in Media in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)","published_time":"2026-06-30T22:38:40","cvss":5.3,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513779283"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-13970","summary":"Uninitialized Use in Media in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00271,"ranking_epss":0.18724,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513779283"],"vendor":null,"product":null,"version":null,"published_time":"2026-06-30T23:17:10","euvd":{"id":"EUVD-2026-40658","description":"Uninitialized Use in Media in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)","published_time":"2026-06-30T22:38:40","cvss":5.3,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513779283"],"products":["Chrome"],"vendors":["Google"]}},{"cve_id":"CVE-2026-13971","summary":"Uninitialized Use in Skia in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00271,"ranking_epss":0.18725,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513780208"],"vendor":"google","product":"chrome","version":null,"published_time":"2026-06-30T23:17:10","euvd":{"id":"EUVD-2026-40659","description":"Uninitialized Use in Skia in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)","published_time":"2026-06-30T22:38:40","cvss":5.3,"cvss_version":"3.1","epss":0.0,"assigner":"Chrome","references":["https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html","https://issues.chromium.org/issues/513780208"],"products":["Chrome"],"vendors":["Google"]}}]}