CVE-2026-56786
RTKLIB 2.4.3 contains an out-of-bounds write in decode_type1033 that fails to clamp length counters to the destination buffer. This allows up to a 191-byte overflow into fixed 64-byte descriptor fields when processing a crafted RTCM3 type-1033 message. An attacker controlling an NTRIP or serial R...
CVE-2026-56014
Unauthenticated Cross-Site Scripting (XSS) in Master Slider = 3.11.2 versions...
CVE-2026-46733
Dell Display and Peripheral Manager (DDPM) Windows, versions prior to 2.3, contain an Improper Access Control vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Code execution...
EUVD-2026-39372
Unauthenticated Local File Inclusion in MDTF = 1.3.8 versions...
EUVD-2026-39365
Contributor Remote Code Execution (RCE) in Widget Options = 4.2.3 versions...
EUVD-2026-39363
Subscriber Sensitive Data Exposure in Visual Link Preview = 2.3.1 versions...
CVE-2026-54821
The CVE-2026-54821 entry concerns the WordPress Visual Link Preview plugin, affected versions are
EUVD-2026-39361
Contributor Sensitive Data Exposure in Elementor Website Builder = 4.1.3 versions...
CVE-2026-56091 Apache Shiro: Authentication bypass in Guice-Web integration
When using Apache Shiro with the shiro-guice module in a web servlet context, a specially crafted HTTP request may cause an authentication bypass. This vulnerability is similar to CVE-2020-1957 (https://vulners.com/cve/CVE-2020-1957), except that it affects the shiro-guice module...
CVE-2026-55454
creationtimestamp | type | source
---|---|---
2026-06-25 00:00:40+00:00 | seen | https://bsky.app/profile/offseq.bsky.social/post/3mp34rdzebt2t
2026-06-25 00:01:01+00:00 | seen | https://infosec.exchange/users/offseq/statuses/116807803619283441
2026-06-25 02:18:48+00:00 | seen | ...
Stable Channel Update for Desktop
The Stable channel has been updated to 149.0.7827.200/201 for Windows and Mac and 149.0.7827.200 for Linux, which will roll out over the coming days/weeks. A full list of changes in this build is available in the Log. Security Fixes and Rewards. Note: Access to bug details and links may be kept...
CVE-2026-37454
Insecure Permissions vulnerability in MSI NBFoundation Service v.2.0.2506.1201 allows a remote attacker to obtain sensitive information via the 3DES-ECB encryption...
CVE-2026-9780
CVE-2026-9780 affects Quest NetVault Backup, specifically the addclient3 webpage. The flaw arises from insufficient validation of user-supplied data, enabling cross-site scripting that can be leveraged to bypass authentication and execute code in the context of SYSTEM. Exploitation requires user ...
CVE-2026-55570 SiYuan: Stored XSS results to Electron RCE in SiYuan marketplace via unescaped `data-obj` attribute (Bypass for CVE-2026-45375's patch)
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, it does not escape the untrusted fields name, version, author, description when they are serialized into the data-obj HTML attribute of each marketplace card. Because the attribute is single-quoted and the value is...
CVE-2026-54759 SiYuan: Lute HTML sanitizer allows `<iframe>` tags in Bazaar package README, leading to arbitrary command execution via SiYuan Electron client
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, Lute's HTML sanitizer does not remove `<iframe>` elements. Combined with the SiYuan Electron client's permissive security configuration, an attacker can include a malicious `<iframe>` in a Bazaar package README that executes arbitrary...
CVE-2026-50129
Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.11, 4.4.18, and 4.3.24, a DoS can be triggered by an Uncaught Exception vulnerability, due to missing exception handling in the math sanitizer. Malformed nodes can result in a DoS of a whole server or targeted...
crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages
A flaw was found in the crypto/tls package within the Go golang standard library, specifically affecting TLS 1.3 connections. A remote attacker can exploit this vulnerability by sending multiple key update messages in a single record after the handshake. This can cause the connection to deadlock,...
CVE-2026-49851
Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, Mistune is vulnerable to a CPU exhaustion DoS due to superlinear (approximately O(n²)) behavior in parselinktext. When parsing Markdown containing many consecutive characters, parselinktext repeatedly scans the input usin...
CVE-2026-44020
Docling vulnerability CVE-2026-44020 affects the USPTO patent XML parsers (ICE v4.x, Grant v2.5, Application v1.x) and versions from 2.13.0 up to 2.74.0. The root cause is use of xml.sax.parseString() without protection against XML External Entity (XXE) attacks, enabling attackers to craft USPTO ...
CVE-2026-11877
An unauthorized user can modify configuration through API calls that affects the OpenText Access Manager. This issue affects Access Manager before 5.1.3...