Linux Distros Unpatched Vulnerability : CVE-2026-28903

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - The issue was addressed with improved memory handling. This issue is fixed in Safari 26.5, iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Tahoe...

CVE-2026-6891

Improper handling of symbolic links in the installer of My Image Garden for macOS Version 3.6.8 or earlier may allow a local attacker with login privileges to exploit a specially crafted symbolic link during installation to modify permissions of files for which they would not normally have...

PT-2026-44709

Improper handling of symbolic links in the installer of CUPS Printer Driver for macOS may allow a local attacker with login privileges to exploit a specially crafted symbolic link during installation to modify permissions of directories for which they would not normally have authorization. :Canon...

DEBIAN-CVE-2026-9884

Use after free in Browser in Google Chrome on Mac prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code via a crafted HTML page. Chromium security severity: Critical...

CVE-2026-9948

Use after free in Views in Google Chrome on Mac prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. Chromium security severity: High...

CVE-2025-43289

A logic issue was addressed with improved validation. This issue is fixed in macOS Sequoia 15.7, macOS Sonoma 14.8, macOS Tahoe 26. A malicious app may be able to access sensitive user data...

Apple macOS 安全漏洞

Apple macOS is a proprietary operating system developed by the American company Apple for Mac computers. Vulnerabilities existed in versions of Apple macOS Sequoia 15.7 and Tahoe 26, which stemmed from race conditions and could allow applications to obtain root access...

MAL-2026-4350 Malicious code in clobprice.api (npm)

A campaign of npm packages sharing a common dropper clob.js that downloads and persistently installs a Windows executable from IPFS on postinstall. The dropper fetches the binary from IPFS CID bafybeif3zkapj364ofnrvbty7oj5h5ufpxlp4s62usk3ulxrru35e3gssa via multiple public gateways Pinata,...

MAL-2026-4347 Malicious code in @devcarron/clob (npm)

A campaign of npm packages sharing a common dropper clob.js that downloads and persistently installs a Windows executable from IPFS on postinstall. The dropper fetches the binary from IPFS CID bafybeif3zkapj364ofnrvbty7oj5h5ufpxlp4s62usk3ulxrru35e3gssa via multiple public gateways Pinata,...

CVE-2026-47114 IINA < 1.4.3 Command Execution via iina://open URL Scheme

IINA before 1.4.3 contains a user-assisted command execution vulnerability that allows remote attackers to execute arbitrary commands by supplying malicious mpv-prefixed query parameters through the iina://open custom URL scheme handler. Attackers can deliver a crafted URL via a browser that pass...

EUVD-2026-31163

Out of bounds read in GPU in Google Chrome on Mac prior to 148.0.7778.179 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. Chromium security severity: High...

How an image could compromise your Mac: understanding an ExifTool vulnerability (CVE-2026-3102)

Introduction ExifTool is a widely adopted utility for reading and writing metadata in image, PDF, audio, and video files. It is available both as a standalone command-line application and as a library that can be embedded in other software. In this article, we break down CVE-2026-3102, an ExifToo...

Astra Linux - уязвимость в webkit2gtk

A memory corruption issue has been resolved through improved state management. This issue is fixed in macOS Ventura 13.3, Safari 16.4, iOS 16.4, and iPadOS 16.4, as well as iOS 15.7.7 and iPadOS 15.7.7. Processing web content may lead to arbitrary code execution. Apple is aware of a report...

Trilium Notes 安全漏洞

Trilium Notes is a hierarchical note application developed by Zadam, a personal developer. It focuses on building large personal knowledge bases. Versions of Trilium Notes prior to 0.102.1 contained security vulnerabilities. These vulnerabilities stemmed from Electron configurations that could be...

CVE-2026-39309

Trilium Notes is a cross-platform, hierarchical note taking application focused on building large personal knowledge bases. In versions 0.102.1 and prior, the Electron configuration is vulnerable to TCC Bypass via Prompt Spoofing, allowing local attackers to trigger misleading macOS permission...

VMware Fusion 25H2 < 26H1 Local Privilege Escalation (VMSA-2026-0003)

The version of VMware Fusion installed on the remote macOS host is 25H2 prior to 26H1. It is, therefore, affected by a vulnerability: - VMware Fusion contains a TOCTOU Time-of-check Time-of-use vulnerability that occurs during an operation performed by a SETUID binary. A malicious actor with loca...

Mozilla Thunderbird < 140.11

The version of Thunderbird installed on the remote macOS or Mac OS X host is prior to 140.11. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2026-51 advisory. - Memory safety bugs present in Thunderbird 140.10 and Thunderbird 150. Some of these bugs showed evidenc...

CVE-2026-8543

Out of bounds read in FileSystem in Google Chrome on Mac prior to 148.0.7778.168 allowed a remote attacker who convinced a user to engage in specific UI gestures to obtain potentially sensitive information from process memory via a crafted HTML page. Chromium security severity: High...

CVE-2026-0236

CVE-2026-0236 describes a code injection vulnerability in Palo Alto Networks Prisma® Browser for macOS where access to the AppleScript interface is not properly restricted. This allows a locally authenticated non-admin user to exploit an exposed Apple Event handler to send unauthorized commands t...

CVE-2026-0237

An improper protection of alternate path vulnerability in Palo Alto Networks Prisma® Browser on macOS fails to properly restrict access to an internal automation bridge. This allows a locally authenticated non-admin user to leverage an exposed communication channel to send unauthorized commands t...