firefox: Memory safety bugs fixed in Firefox ESR 115.36, Firefox ESR 140.11 and Firefox 151

A flaw was found in Firefox. The Mozilla Foundation's Security Advisory describes the following issue: Memory safety bugs present in Firefox ESR 115.35, Firefox ESR 140.10 and Firefox 150. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these...

CISA Warns of Actively Exploited Joomla JCE Flaw Allowing PHP Code Execution

The U.S. Cybersecurity and Infrastructure Security Agency CISA on Tuesday added a maximum-severity security flaw impacting Widget Factory Joomla Content Editor JCE to its Known Exploited Vulnerabilities KEV catalog, citing evidence of active exploitation. The vulnerability, tracked as...

VMware VRealize Network Insight - Remote Code Execution

VMWare Aria Operations for Networks vRealize Network Insight is vulnerable to command injection when accepting user input through the Apache Thrift RPC interface. This vulnerability allows a remote unauthenticated attacker to execute arbitrary commands on the underlying operating system as the ro...

Apache Struts2 S2-057 - Remote Code Execution

Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible remote code execution when alwaysSelectFullNamespace is true either by user or a plugin like Convention Plugin and then: results are used with no namespace and in same time, its upper package have no or wildcard namespace...

Malicious code in pkg-telemetry-r4f9 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector decf727db779a7cc4017b0bd8000f9fb40bcc5c6d93b016144a94e245886ea4e On install, package.json's postinstall hook runs node run.js, which loads beacon scripts that combine childprocess, os, and http modules to collect...

MAL-2026-5990 Malicious code in pkg-telemetry-r4f9 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector decf727db779a7cc4017b0bd8000f9fb40bcc5c6d93b016144a94e245886ea4e On install, package.json's postinstall hook runs node run.js, which loads beacon scripts that combine childprocess, os, and http modules to collect...

Malicious code in params-valid-js (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 397af72237ba3626ac4727497662530f602c2ce6ec71406f48b508055687366c The package presents itself as 'Simplified HTTP request client' and copies identity metadata from Mikeal Rogers' legitimate request package bugs URL...

MAL-2026-5988 Malicious code in params-valid-js (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 397af72237ba3626ac4727497662530f602c2ce6ec71406f48b508055687366c The package presents itself as 'Simplified HTTP request client' and copies identity metadata from Mikeal Rogers' legitimate request package bugs URL...

Malicious code in tobihook (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2c093ec7049ebbe26ca860033bc1fd81ad98f4f586b66fc68170e1ff81ae90bb The package masquerades as an HTTP helper functions named post/get/fetch, module comment ' request/init.py', and an unused requests dependency but ea...

SUSE CVE-2026-6893

A flaw was found in dracut. A remote attacker on the adjacent network can exploit this vulnerability by providing specially crafted DHCP Dynamic Host Configuration Protocol options, such as a malicious hostname, to a system using dracut's legacy DHCP path. These options are improperly handled and...

CVE-2026-12466

Heap buffer overflow in WebRTC in Google Chrome on Windows prior to 149.0.7827.155 allowed a remote attacker to execute arbitrary code via a crafted HTML page. Chromium security severity: High...

CVE-2026-12466

Heap buffer overflow in WebRTC in Google Chrome on Windows prior to 149.0.7827.155 allowed a remote attacker to execute arbitrary code via a crafted HTML page. Chromium security severity: High...

CVE-2026-12466

Summary (CVE-2026-12466) : A heap buffer overflow in WebRTC within Google Chrome on Windows before version 149.0.7827.155 allows remote code execution via a crafted HTML page. Multiple connected sources corroborate the Windows/WebRTC/chrome vector and fixed version, signaling a high-severity Chro...

CVE-2026-12462

CVE-2026-12462 is a use-after-free in the Media component of Google Chrome before 149.0.7827.155. An attacker who has compromised the renderer process could trigger a crafted HTML page to execute arbitrary code inside Chrome’s sandbox. The vulnerability is tied to the Chromium-based Media stack a...

CVE-2026-12447

Heap buffer overflow in WebRTC in Google Chrome prior to 149.0.7827.155 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. Chromium security severity: High...

CVE-2026-12447

CVE-2026-12447 affects Google Chrome/WebRTC (Chromium). The issue is a heap buffer overflow in WebRTC that allows remote code execution via a crafted HTML page, affecting builds prior to 149.0.7827.155. Impact is a sandbox escape/total compromise of the browser process, per the cited descriptions...

CVE-2026-12443

Use after free in Web Authentication in Google Chrome prior to 149.0.7827.155 allowed a remote attacker to execute arbitrary code via a crafted HTML page. Chromium security severity: Critical...

CVE-2026-12443

CVE-2026-12443 is a use-after-free in Chrome’s Web Authentication implementation that could allow a remote attacker to execute arbitrary code via a crafted HTML page. Affected software: Google Chrome (Chromium). Underlying issue is in Web Authentication handling that leads to memory misuse. Impac...

CVE-2026-12442

Use after free in Passwords in Google Chrome on Android prior to 149.0.7827.155 allowed a remote attacker to execute arbitrary code via a crafted HTML page. Chromium security severity: Critical...

CVE-2026-12442

The CVE-2026-12442 entry describes a use-after-free in Passwords in Google Chrome on Android before version 149.0.7827.155, allowing a remote attacker to execute arbitrary code via a crafted HTML page (Chromium security severity: Critical). Connected sources confirm this vulnerability affects Chr...