1783 matches found

NVD
added yesterday, 5 views

CVE-2026-13026

Use after free in Digital Credentials in Google Chrome on Mac prior to 149.0.7827.197 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. Chromium security severity: High...

CVSS 8.8
Exploits: 0 | References: 2

EUVD
added yesterday, 4 views

EUVD-2026-39044

Uninitialized Use in GPU in Google Chrome on Android prior to 149.0.7827.197 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. Chromium security severity: High...

CVSS 5.3 | AI score 5.9
Exploits: 0 | References: 2

Cvelist
added 2 days ago, 28 views

CVE-2026-47386 NocoDB: OAuth Authorization Code Race Condition

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, two concurrent token-exchange requests using the same OAuth authorization code could each mint a distinct valid access_token, refresh_token pair, breaking the single-use guarantee that PKCE relies on. This vulnerability ...

CVSS 6.3 | EPSS 0.00197
Exploits: 0 | References: 1

CVE
added 2 days ago, 18 views

CVE-2026-54007

CVE-2026-54007 describes a cross-origin postMessage bypass in Open WebUI prior to version 0.9.6. The root cause is a chat input/submit flow in the Chat.svelte window message listener that accepts non-same-origin messages (input:prompt and action:submit) and forwards them to submitPrompt(), enabli...

CVSS 7.1 | AI score 5.8 | EPSS 0.00191
Exploits: 0 | References: 1

Cvelist
added 2 days ago, 35 views

CVE-2026-10857 Reflected XSS in Akinsoft's e-Commerce

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AKIN Software Computer Import Export Industry and Trade Ltd. E-Commerce allows Reflected XSS. This issue affects e-Commerce: before 1.25.01.06...

CVSS 6.1 | EPSS 0.00149
Exploits: 0 | References: 1

OSV
added 3 days ago, 2 views

UBUNTU-CVE-2026-54282

Starlette is a lightweight ASGI framework/toolkit. Prior to 1.3.0, the HTTP request path is not validated before being used to reconstruct request.url. Because request.url is rebuilt by concatenating scheme://hostpath and re-parsing the result, a path that does not begin with / for example...

CVSS 3.7 | AI score 5.9 | EPSS 0.00186
Exploits: 0 | References: 4

Debian CVE
added 3 days ago, 6 views

CVE-2026-56109

The Advanced Linux Sound Architecture (ALSA) library before 1.2.16.1 contains a double-free vulnerability in parse_def in src/conf.c that allows attackers to corrupt memory by supplying maliciously crafted ALSA configuration text. When parsing nested compound or array configuration blocks, parse_def...

CVSS 7 | AI score 5.9 | EPSS 0.00138
Exploits: 0

EUVD
added 3 days ago, 7 views

EUVD-2026-38263

A path traversal attack when using a "configName" parameter in qSnapper before version 1.3.3 allowed a local attacker to use malicious config files for snapper and so cause a denial of service or potentially escalate privileges to root...

CVSS 7.3 | AI score 5.9 | EPSS 0.00157
Exploits: 0 | References: 3

Tenable Nessus
added 3 days ago, 5 views

Linux Distros Unpatched Vulnerability : CVE-2026-54275

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, the server_hostname TLS SNI check can be bypassed when an existi...

CVSS 6.9 | AI score 5.8 | EPSS 0.00254
Exploits: 0 | References: 3

AstraLinux
added 6 days ago, 4 views

Astra Linux – Vulnerability in libzstd

Starting from v1.4.1 and before v1.4.9, due to an incomplete fix for CVE-2021-24031, the Zstandard command-line utility created output files with default permissions and immediately restricted those permissions afterward. As a result, the output files could temporarily be readable or writable by...

CVSS 4.7 | AI score 4.9 | EPSS 0.00346
Exploits: 0 | References: 1

AstraLinux
added 6 days ago, 2 views

Astra Linux – Vulnerability in Chromium

Insufficient policy enforcement in image handling in iOS in Google Chrome on iOS prior to version 92.0.4515.107 allowed a remote attacker to leak cross-origin data through a crafted HTML page...

CVSS 6.5 | AI score 6.1 | EPSS 0.01791
Exploits: 0 | References: 1

AstraLinux
added 6 days ago, 8 views

Astra Linux – Vulnerability in Chromium

A heap buffer overflow in ANGLE in Google Chrome on Windows, prior to version 90.0.4430.93, allowed a remote attacker to potentially exploit heap corruption through a crafted HTML page...

CVSS 8.8 | AI score 8.3 | EPSS 0.01317
Exploits: 0 | References: 1

AstraLinux
added 6 days ago, 3 views

Astra Linux – Vulnerability in libwebp

A heap-based buffer overflow was discovered in libwebp in versions prior to 1.0.1 in the GetLE24 function...

CVSS 9.1 | AI score 7.2 | EPSS 0.02051
Exploits: 0 | References: 2

AstraLinux
added 6 days ago, 3 views

Astra Linux – Vulnerability in libraw

LibRaw before 0.20-RC1 lacks a check for the thumbnail size range. This affects decoders/unpack_thumb.cpp, postprocessing/mem_image.cpp, and utils/thumb_utils.cpp. For example, malloc(sizeof(libraw_processed_image_t)+T.tlength) is used without validating T.tlength...

CVSS 7.5 | AI score 6.7 | EPSS 0.03672
Exploits: 0 | References: 2

AstraLinux
added 6 days ago, 6 views

Astra Linux – Vulnerability in Firefox

Spoofing issue in the Site Permissions component. This vulnerability has been fixed in Firefox 143 and Thunderbird 143...

CVSS 8.1 | AI score 5.3 | EPSS 0.00328
Exploits: 0 | References: 2

EUVD
added 2026/06/18 8:32 a.m., 10 views

EUVD-2025-210275

Worksnaps before version 1.6.20260201 contains hardcoded cloud credentials and related secret material in the Worksnaps client application binaries. The exposed credentials included AWS access keys, S3 bucket names, and related cloud access information. The originally exposed AWS credentials...

CVSS 9.3 | AI score 5.4 | EPSS 0.00388
Exploits: 1 | References: 2

Tenable Nessus
added 2026/06/18 12:0 a.m., 8 views

MongoDB Compass < 1.49.6 Prototype Pollution

The version of MongoDB Compass installed on the remote host is prior to 1.49.6. It is, therefore, affected by a vulnerability: - Prototype pollution in csv parsing logic during import can lead to untrusted file paths but not arguments entering shell.openExternal after specific user behavior leadi...

CVSS 5.3 | AI score 5.9 | EPSS 0.00411
Exploits: 0 | References: 2

NVD
added 2026/06/17 1:20 p.m., 6 views

CVE-2026-49107

Unauthenticated PHP Object Injection in Thrive Apprentice 10.8.10.2 versions...

CVSS 9.8 | EPSS 0.00375
Exploits: 0 | References: 1

NVD
added 2026/06/17 1:20 p.m., 6 views

CVE-2026-27395

Unauthenticated Privilege Escalation in Support Board 3.8.9 versions...

CVSS 9.8 | EPSS 0.00345
Exploits: 0 | References: 1

Cvelist
added 2026/06/17 9:51 a.m., 25 views

CVE-2026-42629 WordPress PowerPack Pro for Elementor plugin < v2.13.0 - Broken Authentication vulnerability

Unauthenticated Broken Authentication in PowerPack Pro for Elementor v2.13.0 versions...

CVSS 8.8 | EPSS 0.00316
Exploits: 0 | References: 1