Lucene search
K

271 matches found

Positive Technologies
Positive Technologies
added 2026/04/14 12:0 a.m.9 views

PT-2026-32573

MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below, sandbox network protection can be bypassed by using socket.sendto with the MSG FASTOPEN flag. This allows authenticated user with tool-editing permissions to reach internal services that are explicitly blocked by th...

5CVSS5.7AI score0.00198EPSS
Exploits0References4
NVD
NVD
added 2026/04/07 10:16 p.m.4 views

CVE-2026-34765

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5, when a renderer calls window.open with a target name, Electron did not correctly scope the named-window lookup to the opener's browsing...

8.8CVSS0.003EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/04/07 9:18 p.m.15 views

CVE-2026-34765 Electron named window.open targets not scoped to the opener's browsing context

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5, when a renderer calls window.open with a target name, Electron did not correctly scope the named-window lookup to the opener's browsing...

6CVSS0.003EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/04/07 9:18 p.m.9 views

CVE-2026-34765

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5, when a renderer calls window.open with a target name, Electron did not correctly scope the named-window lookup to the opener's browsing...

6.2AI score0.003EPSS
Exploits0References2Affected Software1
NVD
NVD
added 2026/04/04 1:16 a.m.6 views

CVE-2026-34780

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. From versions 39.0.0-alpha.1 to before 39.8.0, 40.0.0-alpha.1 to before 40.7.0, and 41.0.0-alpha.1 to before 41.0.0-beta.8, apps that pass VideoFrame objects from the WebCodecs API across the...

8.3CVSS0.00327EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/04/04 12:2 a.m.3 views

CVE-2026-34780

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. From versions 39.0.0-alpha.1 to before 39.8.0, 40.0.0-alpha.1 to before 40.7.0, and 41.0.0-alpha.1 to before 41.0.0-beta.8, apps that pass VideoFrame objects from the WebCodecs API across the...

8.3CVSS5.9AI score0.00327EPSS
Exploits0References2Affected Software1
Vulnrichment
Vulnrichment
added 2026/04/04 12:2 a.m.2 views

CVE-2026-34780 Electron: Context Isolation bypass via contextBridge VideoFrame transfer

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. From versions 39.0.0-alpha.1 to before 39.8.0, 40.0.0-alpha.1 to before 40.7.0, and 41.0.0-alpha.1 to before 41.0.0-beta.8, apps that pass VideoFrame objects from the WebCodecs API across the...

8.3CVSS5.9AI score0.00327EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/04/04 12:2 a.m.21 views

CVE-2026-34780 Electron: Context Isolation bypass via contextBridge VideoFrame transfer

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. From versions 39.0.0-alpha.1 to before 39.8.0, 40.0.0-alpha.1 to before 40.7.0, and 41.0.0-alpha.1 to before 41.0.0-beta.8, apps that pass VideoFrame objects from the WebCodecs API across the...

8.3CVSS0.00327EPSS
Exploits0References1
CVE
CVE
added 2026/04/04 12:2 a.m.20 views

CVE-2026-34780

Electron context isolation bypass via contextBridge VideoFrame transfer affects versions 39.0.0-alpha.1–39.7.x, 40.0.0-alpha.1–40.6.x, and 41.0.0-alpha.1–41.0.0-beta.7 (inclusive) where passing VideoFrame objects across the contextBridge can let a main-world attacker access the isolated world and...

8.3CVSS5.9AI score0.00327EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/03 2:46 a.m.11 views

Electron: Context Isolation bypass via contextBridge VideoFrame transfer

Impact Apps that pass VideoFrame objects from the WebCodecs API across the contextBridge are vulnerable to a context isolation bypass. An attacker who can execute JavaScript in the main world for example, via XSS can use a bridged VideoFrame to gain access to the isolated world, including any...

8.3CVSS6AI score0.00327EPSS
Exploits0References3Affected Software1
Snyk
Snyk
added 2026/04/03 2:46 a.m.3 views

Insecure Default Initialization of Resource

Overview electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Affected versions of this package are vulnerable to Insecure Default Initialization of Resource in the transfer of VideoFrame objects via contextBridge. An attacker can gain...

8.9CVSS5.9AI score0.00327EPSS
Exploits0References3
OSV
OSV
added 2026/04/03 2:46 a.m.2 views

GHSA-JFQG-HF23-QPW2 Electron: Context Isolation bypass via contextBridge VideoFrame transfer

Impact Apps that pass VideoFrame objects from the WebCodecs API across the contextBridge are vulnerable to a context isolation bypass. An attacker who can execute JavaScript in the main world for example, via XSS can use a bridged VideoFrame to gain access to the isolated world, including any...

8.3CVSS6AI score0.00327EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/04/03 12:0 a.m.5 views

PT-2026-30010

Impact Apps that pass VideoFrame objects from the WebCodecs API across the contextBridge are vulnerable to a context isolation bypass. An attacker who can execute JavaScript in the main world for example, via XSS can use a bridged VideoFrame to gain access to the isolated world, including any...

8.3CVSS6AI score0.00327EPSS
Exploits0References4
EUVD
EUVD
added 2026/03/21 12:31 a.m.5 views

EUVD-2026-13838

The Autoptimize plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'aopostpreload' meta value in all versions up to, and including, 3.1.14. This is due to insufficient input sanitization in the aometaboxsave function and missing output escaping when the value is rendered in...

6.4CVSS6AI score0.0025EPSS
Exploits0References9
OSV
OSV
added 2026/03/21 12:16 a.m.7 views

CVE-2026-2352

The Autoptimize plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'aopostpreload' meta value in all versions up to, and including, 3.1.14. This is due to insufficient input sanitization in the aometaboxsave function and missing output escaping when the value is rendered in...

6.4CVSS6AI score
Exploits0References8
Vulnrichment
Vulnrichment
added 2026/03/20 11:25 p.m.3 views

CVE-2026-2352 Autoptimize <= 3.1.14 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'ao_post_preload' Meta Value

The Autoptimize plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'aopostpreload' meta value in all versions up to, and including, 3.1.14. This is due to insufficient input sanitization in the aometaboxsave function and missing output escaping when the value is rendered in...

6.4CVSS6AI score0.0025EPSS
Exploits0References8
Tenable Nessus
Tenable Nessus
added 2026/03/15 12:0 a.m.4 views

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: python-pip (UTSA-2026-006134)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-006134 advisory. urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks...

8.9CVSS5.8AI score0.02667EPSS
Exploits0References4
Tenable Nessus
Tenable Nessus
added 2026/03/10 12:0 a.m.5 views

EulerOS 2.0 SP13 : python-urllib3 (EulerOS-SA-2026-1295)

According to the versions of the python-urllib3 package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by...

8.9CVSS6.1AI score0.02667EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2026/03/03 1:37 p.m.5 views

CVE-2026-1628

Mattermost Desktop App versions =5.13.3 fail to attach listeners restricting navigation to external sites within the Mattermost app which allows a malicious server to expose preload script functionality to untrusted servers via having a user open an external link in their Mattermost server...

4.6CVSS5.9AI score0.00136EPSS
Exploits0References1
NVD
NVD
added 2026/03/02 2:16 p.m.13 views

CVE-2026-1628

Mattermost Desktop App versions =5.13.3 fail to attach listeners restricting navigation to external sites within the Mattermost app which allows a malicious server to expose preload script functionality to untrusted servers via having a user open an external link in their Mattermost server...

4.6CVSS0.00136EPSS
Exploits0References1
Rows per page
Query Builder