CVE-2026-12462

Use after free in Media in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to execute arbitrary code inside a sandbox via a crafted HTML page. Chromium security severity: High...

DEBIAN-CVE-2026-12447

Heap buffer overflow in WebRTC in Google Chrome prior to 149.0.7827.155 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. Chromium security severity: High...

CVE-2026-12447

Heap buffer overflow in WebRTC in Google Chrome prior to 149.0.7827.155 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. Chromium security severity: High...

DEBIAN-CVE-2026-12442

Use after free in Passwords in Google Chrome on Android prior to 149.0.7827.155 allowed a remote attacker to execute arbitrary code via a crafted HTML page. Chromium security severity: Critical...

CVE-2026-12442

Use after free in Passwords in Google Chrome on Android prior to 149.0.7827.155 allowed a remote attacker to execute arbitrary code via a crafted HTML page. Chromium security severity: Critical...

CVE-2026-12443

Use after free in Web Authentication in Google Chrome prior to 149.0.7827.155 allowed a remote attacker to execute arbitrary code via a crafted HTML page. Chromium security severity: Critical...

redis: Remote code execution via use-after-free in Lua scripting

A flaw was found in Redis, an in-memory data structure store. An authenticated attacker can exploit a use-after-free vulnerability in redis-server with Lua scripting. This occurs through the master-replica synchronization mechanism on replicas where replica-read-only is disabled or can be disable...

redis: use-after-free in unblock client flow may allow remote code execution

A flaw was found in Redis. The unblock client flow does not handle an error return from the processCommandAndResetClient when re-executing a blocked command. If a blocked client is evicted during this flow, an authenticated attacker can cause a use-after-free issue. This potentially leads to...

Important: Red Hat Security Advisory: valkey security update

An update for valkey is now available for Red Hat Enterprise Linux 10.0 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for...

CVE-2026-40783

The CVE concerns WordPress Blocksy Companion Pro plugin, affected at versions

CVE-2026-40783 WordPress Blocksy Companion Pro plugin <= 2.1.37 - Remote Code Execution (RCE) vulnerability

Contributor Remote Code Execution RCE in Blocksy Companion Pro = 2.1.37 versions...

CVE-2024-52488

CVE-2024-52488 affects WordPress Grip theme (versions ≤ 1.0.9). The issue is an Arbitrary Plugin Activation/Deactivation vulnerability leading to RCE, requiring Subscriber privileges. Patch status is not clearly available in the provided docs; Patchstack indicates high risk with a potential explo...

CVE-2024-52488 WordPress Grip theme <= 1.0.9 - Arbitrary Plugin Activation/Deactivation to RCE vulnerability

Subscriber Arbitrary File Upload in Grip = 1.0.9 versions...

Vulnerabilities in Oracle Fusion Middleware products

Oracle has identified several vulnerabilities in various products within the Oracle Fusion Middleware suite, including WebLogic Server, WebCenter Content, WebCenter Sites, WebCenter Portal, WebCenter Enterprise Capture, Identity Manager, Identity Manager Connector, Access Manager, Coherence,...

kernel: sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL

A flaw was found in the Linux kernel's Stream Control Transmission Protocol SCTP implementation. A race condition exists in the SCTPSENDALL path where a cached list entry is not properly revalidated after the socket lock is temporarily released. This allows a local attacker or a remote attacker v...

VMware VRealize Network Insight - Remote Code Execution

VMWare Aria Operations for Networks vRealize Network Insight is vulnerable to command injection when accepting user input through the Apache Thrift RPC interface. This vulnerability allows a remote unauthenticated attacker to execute arbitrary commands on the underlying operating system as the ro...

Apache Struts2 S2-057 - Remote Code Execution

Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible remote code execution when alwaysSelectFullNamespace is true either by user or a plugin like Convention Plugin and then: results are used with no namespace and in same time, its upper package have no or wildcard namespace...

MAL-2026-5990 Malicious code in pkg-telemetry-r4f9 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector decf727db779a7cc4017b0bd8000f9fb40bcc5c6d93b016144a94e245886ea4e On install, package.json's postinstall hook runs node run.js, which loads beacon scripts that combine childprocess, os, and http modules to collect...

Malicious code in pkg-telemetry-r4f9 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector decf727db779a7cc4017b0bd8000f9fb40bcc5c6d93b016144a94e245886ea4e On install, package.json's postinstall hook runs node run.js, which loads beacon scripts that combine childprocess, os, and http modules to collect...

Malicious code in params-valid-js (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 397af72237ba3626ac4727497662530f602c2ce6ec71406f48b508055687366c The package presents itself as 'Simplified HTTP request client' and copies identity metadata from Mikeal Rogers' legitimate request package bugs URL...