Chromium: CVE-2026-10017 Out of bounds read in Headless

This CVE was assigned by Chrome. Microsoft Edge Chromium-based ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information...

Google Chrome 缓冲区错误漏洞

Google Chrome is a web browser developed by Google Inc. Versions of Google Chrome prior to 148.0.7778.216 contained a buffer overflow vulnerability. This vulnerability stemmed from out-of-bounds read operations in Headless mode, which could allow remote attackers with compromised rendering...

Astra Linux - уязвимость в firefox, thunderbird

The nsWindow::PickerOpenvoid method was vulnerable to a heap buffer overflow when running in headless mode. This vulnerability affects Firefox ESR 115.6, Thunderbird 115.6, and Firefox 121...

Google Fixes CVSS 10 Gemini CLI CI RCE and Cursor Flaws Enable Code Execution

Google has addressed a maximum severity security flaw in Gemini CLI -- the "@google/gemini-cli" npm package and the "google-github-actions/run-gemini-cli" GitHub Actions workflow -- that could have allowed attackers to execute arbitrary commands on host systems. "The vulnerability allowed an...

Gemini CLI: Remote Code Execution via workspace trust and tool allowlisting bypasses

Summary Gemini CLI @google/gemini-cli and the run-gemini-cli GitHub Action are being updated to harden workspace trust and tool allowlisting, in particular when used in untrusted environments like GitHub Actions. This update introduces a breaking change to how non-interactive headless environment...

Command Injection

Overview @google/gemini-cli is a Gemini CLI Affected versions of this package are vulnerable to Command Injection via the processing of untrusted workspace folders in headless mode and the handling of tool allowlisting under --yolo mode. An attacker can execute arbitrary code by submitting...

GHSA-WPQR-6V78-JR5G Gemini CLI: Remote Code Execution via workspace trust and tool allowlisting bypasses

Summary Gemini CLI @google/gemini-cli and the run-gemini-cli GitHub Action are being updated to harden workspace trust and tool allowlisting, in particular when used in untrusted environments like GitHub Actions. This update introduces a breaking change to how non-interactive headless environment...

DRILLAPP Backdoor Targets Ukraine, Abuses Microsoft Edge Debugging for Stealth Espionage

Ukrainian entities have emerged as the target of a new campaign likely orchestrated by threat actors linked to Russia, according to a report from S2 Grupo's LAB52 threat intelligence team. The campaign, observed in February 2026, has been assessed to share overlaps with a prior campaign mounted b...

CVE-2024-2356 Remote Code Execution due to LFI in '/reinstall_extension' in parisneo/lollms-webui

A Local File Inclusion LFI vulnerability exists in the '/reinstallextension' endpoint of the parisneo/lollms-webui application, specifically within the name parameter of the @router.post"/reinstallextension" route. This vulnerability allows attackers to inject a malicious name parameter, leading ...

PT-2026-5649

A Local File Inclusion LFI vulnerability exists in the '/reinstall extension' endpoint of the parisneo/lollms-webui application, specifically within the name parameter of the @router.post"/reinstall extension" route. This vulnerability allows attackers to inject a malicious name parameter, leadin...

Linux Distros Unpatched Vulnerability : CVE-2023-52911

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In the Linux kernel, the following vulnerability has been resolved: drm/msm: another fix for the headless Adreno GPU Fix another oops reproducible when rebootin...

CVE-2025-48883

Chrome PHP allows users to start playing with chrome/chromium in headless mode from PHP. Prior to version 1.14.0, CSS Selector expressions are not properly encoded, which can lead to XSS cross-site scripting vulnerabilities. This is patched in v1.14.0. As a workaround, users can apply encoding...

CVE-2025-48883 Chrome PHP is missing encoding in `CssSelector`

Chrome PHP allows users to start playing with chrome/chromium in headless mode from PHP. Prior to version 1.14.0, CSS Selector expressions are not properly encoded, which can lead to XSS cross-site scripting vulnerabilities. This is patched in v1.14.0. As a workaround, users can apply encoding...

CVE-2024-4320

A remote code execution RCE vulnerability exists in the '/installextension' endpoint of the parisneo/lollms-webui application, specifically within the @router.post"/installextension" route handler. The vulnerability arises due to improper handling of the name parameter in the...

DEBIAN-CVE-2023-52911

In the Linux kernel, the following vulnerability has been resolved: drm/msm: another fix for the headless Adreno GPU Fix another oops reproducible when rebooting the board with the Adreno GPU working in the headless mode e.g. iMX platforms. Unable to handle kernel NULL pointer dereference at...

CVE-2024-4320 Remote Code Execution due to LFI in '/install_extension' in parisneo/lollms-webui

A remote code execution RCE vulnerability exists in the '/installextension' endpoint of the parisneo/lollms-webui application, specifically within the @router.post"/installextension" route handler. The vulnerability arises due to improper handling of the name parameter in the...

CVE-2024-4320 Remote Code Execution due to LFI in '/install_extension' in parisneo/lollms-webui

A remote code execution RCE vulnerability exists in the '/installextension' endpoint of the parisneo/lollms-webui application, specifically within the @router.post"/installextension" route handler. The vulnerability arises due to improper handling of the name parameter in the...

CVE-2024-4320

CVE-2024-4320 describes a remote code execution via path traversal in parisneo/lollms (extensions builder). The Red Hat and related records credit a vulnerability in parisneo/lollms where ExtensionBuilder().build_extension() on the /mount_extension endpoint (and similarly described install_extens...

CVE-2024-1522

CVE-2024-1522 affects the parisneo/lollms-webui project. The vulnerability is a CSRF in the /execute_code endpoint that fails to validate requests, allowing an attacker to craft a malicious page that submits commands to the victim's local lollms-webui instance and execute arbitrary OS commands. T...

Mozilla: Heap buffer overflow affected <code>nsWindow::PickerOpen(void)</code> in headless mode

The Mozilla Foundation Security Advisory describes this flaw as: The nsWindow::PickerOpenvoid method was susceptible to a heap buffer overflow when running in headless mode...