
192350 matches found

NVD
added 2026/02/11 11:16 p.m. | 6 views

CVE-2025-67135

Weak Security in the PF-50 1.2 keyfob of PGST PG107 Alarm System 1.25.05.hf allows attackers to compromise access control via a code replay attack...

CVSS 9.8 | EPSS 0.00349
Exploits: 0 | References: 1
CVE
added 2026/02/11 10:59 p.m. | 20 views

CVE-2026-20652

CVE-2026-20652 is a remote DoS vulnerability in WebKit-based components (Apple Safari/WebKit and WebKitGTK family) caused by a memory handling issue when processing malicious web content. Affected products include Safari (macOS/iOS/iPadOS/watchOS/tvOS/visionOS) and WebKitGTK/WebKit2GTK in Linux d...

CVSS 7.5 | AI score 5.9 | EPSS 0.00437
Exploits: 0 | References: 19 | Affected Software: 5
ATTACKERKB
added 2026/02/11 10:59 p.m. | 7 views

CVE-2026-20652

The issue was addressed with improved memory handling. This issue is fixed in Safari 26.3, iOS 18.7.5 and iPadOS 18.7.5, iOS 26.3 and iPadOS 26.3, macOS Tahoe 26.3, visionOS 26.3. A remote attacker may be able to cause a denial-of-service...

CVSS 7.5 | AI score 5.9 | EPSS 0.00437
Exploits: 0 | References: 6
Vulnrichment
added 2026/02/11 10:58 p.m. | 5 views

CVE-2026-20700

A memory corruption issue was addressed with improved state management. This issue is fixed in iOS 26.3 and iPadOS 26.3, macOS Tahoe 26.3, tvOS 26.3, visionOS 26.3, watchOS 26.3. An attacker with memory write capability may be able to execute arbitrary code. Apple is aware of a report that this...

AI score 7.6 | EPSS 0.01319
Exploits: 4 | References: 5
ATTACKERKB
added 2026/02/11 10:58 p.m. | 6 views

CVE-2026-20700

A memory corruption issue was addressed with improved state management. This issue is fixed in watchOS 26.3, tvOS 26.3, macOS Tahoe 26.3, visionOS 26.3, iOS 26.3 and iPadOS 26.3. An attacker with memory write capability may be able to execute arbitrary code. Apple is aware of a report that this...

CVSS 8.8 | AI score 7.7 | EPSS 0.22359
Exploits: 16 | References: 6
Cvelist
added 2026/02/11 10:10 p.m. | 25 views

CVE-2026-1669 Arbitrary File Read in Keras via HDF5 External Datasets

Arbitrary file read in the model loading mechanism (HDF5 integration) in Keras versions 3.0.0 through 3.13.1 on all supported platforms allows a remote attacker to read local files and disclose sensitive information via a crafted .keras model file utilizing HDF5 external dataset references...

CVSS 7.1 | EPSS 0.00271
Exploits: 0 | References: 1
OSV
added 2026/02/11 9:16 p.m. | 7 views

AZL-77649 CVE-2026-26014 affecting package telegraf 1.31.0-12

Pion DTLS is a Go implementation of Datagram Transport Layer Security. Pion DTLS versions v1.0.0 through v3.0.10 and 3.1.0 use random nonce generation with AES GCM ciphers, which makes it easier for remote attackers to obtain the authentication key and spoof data by leveraging the reuse of a nonc...

CVSS 5.9 | AI score 5.8 | EPSS 0.00619
Exploits: 0 | References: 1
CVE
added 2026/02/11 8:43 p.m. | 14 views

CVE-2026-25924

CVE-2026-25924 affects Kanboard prior to 1.2.50. A security control bypass allows an authenticated administrator to trigger a remote code execution via the plugin installation workflow: the PLUGIN_INSTALLER setting is not enforced in the backend endpoint, enabling forced download and installation...

CVSS 8.4 | AI score 6.3 | EPSS 0.00491
Exploits: 1 | References: 3 | Affected Software: 1
RedhatCVE
added 2026/02/11 7:45 p.m. | 11 views

CVE-2025-68686

An Exposure of Sensitive Information to an Unauthorized Actor vulnerability (CWE-200) in Fortinet FortiOS 7.6.0 through 7.6.1, FortiOS 7.4.0 through 7.4.6, FortiOS 7.2 all versions, FortiOS 7.0 all versions, FortiOS 6.4 all versions may allow a remote unauthenticated attacker to bypas...

CVSS 5.9 | AI score 5.7 | EPSS 0.00477
Exploits: 1 | References: 1
RedhatCVE
added 2026/02/11 7:45 p.m. | 6 views

CVE-2026-21525

Null pointer dereference in Windows Remote Access Connection Manager allows an unauthorized attacker to deny service locally...

CVSS 6.2 | AI score 5.5 | EPSS 0.04956
Exploits: 0 | References: 1
RedhatCVE
added 2026/02/11 7:44 p.m. | 3 views

CVE-2026-21231

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Kernel allows an authorized attacker to elevate privileges locally...

CVSS 7.8 | AI score 5.7 | EPSS 0.02432
Exploits: 0 | References: 1
RedhatCVE
added 2026/02/11 7:44 p.m. | 5 views

CVE-2026-21510

Protection mechanism failure in Windows Shell allows an unauthorized attacker to bypass a security feature over a network...

CVSS 8.8 | AI score 5.5 | EPSS 0.25835
Exploits: 3 | References: 1
RedhatCVE
added 2026/02/11 7:44 p.m. | 6 views

CVE-2026-21251

Use after free in Windows Cluster Client Failover allows an authorized attacker to elevate privileges locally...

CVSS 7.8 | AI score 5.5 | EPSS 0.00417
Exploits: 0 | References: 1
RedhatCVE
added 2026/02/11 7:44 p.m. | 7 views

CVE-2026-21237

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Subsystem for Linux allows an authorized attacker to elevate privileges locally...

CVSS 7 | AI score 5.7 | EPSS 0.00261
Exploits: 0 | References: 1
RedhatCVE
added 2026/02/11 7:44 p.m. | 5 views

CVE-2026-21238

Improper access control in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally...

CVSS 7.8 | AI score 5.5 | EPSS 0.03235
Exploits: 0 | References: 1
RedhatCVE
added 2026/02/11 7:44 p.m. | 3 views

CVE-2026-21531

Deserialization of untrusted data in Azure SDK allows an unauthorized attacker to execute code over a network...

CVSS 9.8 | AI score 5.7 | EPSS 0.02344
Exploits: 0 | References: 1
RedhatCVE
added 2026/02/11 7:44 p.m. | 5 views

CVE-2026-20841

Improper neutralization of special elements used in a command ('command injection') in Windows Notepad App allows an unauthorized attacker to execute code locally...

CVSS 7.8 | AI score 6.1 | EPSS 0.1165
Exploits: 9 | References: 1
Nuclei
added 2026/02/11 6:48 p.m. | 8 views

Lazy Blocks <= 3.8.2 - Cross-Site Scripting

Custom Block Builder WordPress plugin 3.8.3 contains a reflected cross-site scripting caused by lack of sanitization and escaping of a parameter before output, letting attackers execute malicious scripts in high privilege users' browsers, exploit requires victim to load malicious page. id:...

CVSS 7.1 | AI score 5.2 | EPSS 0.00593
Exploits: 1 | References: 2
Cvelist
added 2026/02/11 6:8 p.m. | 23 views

CVE-2026-2318

Inappropriate implementation in PictureInPicture in Google Chrome prior to 145.0.7632.45 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. Chromium security severity: Medium...

EPSS 0.00225
Exploits: 0 | References: 2
The Hacker News
added 2026/02/11 5:45 p.m. | 5 views

First Malicious Outlook Add-In Found Stealing 4,000+ Microsoft Credentials

Cybersecurity researchers have discovered what they said is the first known malicious Microsoft Outlook add-in detected in the wild. In this unusual supply chain attack detailed by Koi Security, an unknown attacker claimed the domain associated with a now-abandoned legitimate add-in to serve a fa...

AI score 6.1
Exploits: 0