539 matches found
CVE-2026-61445 PraisonAI before 4.6.78 Arbitrary File Write and Command Execution
PraisonAI before 4.6.78 contains arbitrary file write and command execution vulnerabilities in the AICoder component due to missing path validation and command sanitization in LLM tool calls. Attackers can inject malicious prompts through the chat interface to write files to arbitrary filesystem...
CVE-2026-48949 Joomla! Core - [20260703] - XSS in MFA method management
Lack of validation leads to an XSS vulnerability in the MFA management views...
Missed incidents, persistent threats, and response gaps: Insights from compromise assessment projects
The following analysis presents the key findings from Kaspersky Compromise Assessment engagements performed in 2025. A compromise assessment is an independent, expert-driven service that examines whether a target network has been compromised. The service combines threat intelligence analysis...
CVE-2026-14440
Description: To issue and renew TLS certificates on behalf of customers, Cloudflare's Universal SSL feature automatically manages the CAA RRset for the customer's zone. This auto-managed RRset is permissive by design e.g. 'issue "letsencrypt.org"' without parameters. On Universal SSL zones,...
DRUPAL-CONTRIB-2026-067
This module enables you to test and run AI-driven workflows interactively through a chat interface. The module doesn't sufficiently enforce permissions on certain endpoints. Attackers may be able to trigger workflow execution incurring LLM spend and tool side effects or send messages into other...
EUVD-2026-40734
Insufficient policy enforcement in Extensions in Google Chrome prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to bypass content security policy via a crafted Chrome Extension. Chromium security severity: Low...
EUVD-2026-40548
Insufficient policy enforcement in Web Authentication Passkeys & Security Keys in Google Chrome on iOS prior to 150.0.7871.47 allowed an attacker in a privileged network position to leak cross-origin data via a crafted HTML page. Chromium security severity: Medium...
DEBIAN-CVE-2026-14109
Insufficient policy enforcement in Mojo in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. Chromium security severity: Low...
DEBIAN-CVE-2026-13948
Insufficient policy enforcement in Extensions in Google Chrome prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to perform UI spoofing via a crafted Chrome Extension. Chromium security severity: Medium...
CVE-2026-13793
Insufficient policy enforcement in SVG in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. Chromium security severity: High...
PT-2026-54070
Name of the Vulnerable Software and Affected Versions Google Chrome versions prior to 150.0.7871.47 Description Insufficient policy enforcement in SVG Scalable Vector Graphics allows a remote attacker to leak cross-origin data by using a crafted HTML page. Recommendations Update Google Chrome to...
PT-2026-54370
Name of the Vulnerable Software and Affected Versions Google Chrome versions prior to 150.0.7871.47 Description Insufficient policy enforcement in the Browser component allows a remote attacker who has compromised the renderer process to potentially perform a sandbox escape by using a crafted HTM...
PT-2026-54221
Name of the Vulnerable Software and Affected Versions Google Chrome on Linux versions prior to 150.0.7871.47 Description Insufficient policy enforcement in Extensions allows an attacker to perform UI spoofing through a crafted Chrome Extension, provided they can convince a user to install the...
PT-2026-54328
Name of the Vulnerable Software and Affected Versions Google Chrome versions prior to 150.0.7871.47 Description Insufficient policy enforcement in Extensions allows a remote attacker who has compromised the renderer process to leak cross-origin data through a crafted HTML page. Recommendations...
The vulnerability of the Endpoint Manager Mobile app for managing the lifecycle of mobile devices and mobile applications (formerly known as MobileIron Core) arises from the lack of measures taken to neutralize specific elements. This allows a malicious user to execute arbitrary commands on behalf of the root user.
The vulnerability of the Ivanti Endpoint Manager Mobile EPMM application for managing the lifecycle of mobile devices and mobile applications formerly known as MobileIron Core is related to the failure to implement measures to neutralize specific elements. Exploiting this vulnerability allows a...
CVE-2026-55455 Appsmith: SSRF in REST API / GraphQL datasource plugins via insufficient host denylist
Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 2.1, the outbound HTTP host filter applied by WebClientUtils used by the REST API and GraphQL datasource plugins validates hosts against an exact-match string denylist. The comprehensive address-class check...
ROS-20260623-73-0014
Vulnerability in Python 3.11 related to the lack of measures taken to clean data at the management level. Exploitation of this vulnerability allows a remote attacker to execute arbitrary commands...
CVE-2026-11407
Pimcore CMS/DXP version 12.3.8 contains a sandbox bypass vulnerability that allows authenticated administrative attackers to execute arbitrary methods on PHP objects by exploiting empty checkMethodAllowed and checkPropertyAllowed implementations in the custom Twig SecurityPolicy. Attackers can...
CVE-2026-12460
Insufficient policy enforcement in File System Access in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted PDF file. Chromium security severity: High...
Survey: 94% of Incidents Involve Anonymized Infrastructure. Teams Are Still Reactive
Security teams have never had more IP data at their disposal. Every day, analysts ingest enrichment feeds, geolocation data, reputation scores, telemetry, and threat intelligence from a growing ecosystem of vendors and platforms. Yet despite this abundance of information, many organizations...