Google Chrome PDFium Heap Buffer Overflow Vulnerability

Google Chrome is a web browser developed by Google with a built-in PDFium component for rendering PDF documents. Google Chrome's PDFium suffers from a heap buffer overflow vulnerability that stems from a failure to properly handle certain data in a specially crafted PDF file, which can be exploit...

EUVD-2026-23052

Heap buffer overflow in PDFium in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file. Chromium security severity: High...

Important: Red Hat Security Advisory: thunderbird security update

An update for thunderbird is now available for Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions and Red Hat Enterprise Linux 8.8 Telecommunications Update Service. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring...

BentoML < 1.4.38 Multiple Vulnerabilities (GHSA-fgv4-6jr3-jgfw, GHSA-v959-cwq9-7hr6)

The version of the BentoML library installed on the remote host is prior to 1.4.38. It is, therefore, affected by multiple vulnerabilities: - The cloud deployment path in deployment.py was not included in the fix for CVE-2026-33744. The systempackages field is interpolated directly into a shell...

GHSA-8Q5W-MMXF-48JG SiYuan has incomplete fix for CVE-2026-33066: XSS

Summary The incomplete fix for SiYuan's bazaar README rendering enables the Lute HTML sanitizer but fails to block tags, allowing stored XSS via srcdoc attributes containing embedded scripts that execute in the Electron context. Affected Package - Ecosystem: Go - Package:...

SiYuan has incomplete fix for CVE-2026-33066: XSS

Summary The incomplete fix for SiYuan's bazaar README rendering enables the Lute HTML sanitizer but fails to block tags, allowing stored XSS via srcdoc attributes containing embedded scripts that execute in the Electron context. Affected Package - Ecosystem: Go - Package:...

CVE-2026-35600

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, task titles are embedded directly into Markdown link syntax in overdue email notifications without escaping Markdown special characters. When rendered by goldmark and sanitized by bluemonday which allows and tags,...

Description of the security update for SharePoint Server 2019: April 14, 2026 (KB5002854)

Description of the security update for SharePoint Server 2019: April 14, 2026 KB5002854 Summary Important: If you're currently running SharePoint Workflow Manager, you must install the SharePoint Workflow Manager KB5002799 to your farm before you install this cumulative update. If you're currentl...

CVE-2026-39425

MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain a Stored Cross-Site Scripting XSS vulnerability that allows authenticated users to inject arbitrary HTML and JavaScript into the Application prologue Opening Remarks field by wrapping malicious payloads in tags...

CVE-2026-39425

CVE-2026-39425 affects MaxKB (enterprise AI assistant). Versions 2.7.1 and earlier allow Stored XSS via unsanitized tags in the Application prologue, stored through /admin/api/workspace/{workspace_id}/application and rendered by the frontend via innerHTML, enabling persistent XSS and potential s...

[SECURITY] Fedora 43 Update: webkitgtk-2.52.1-1.fc43

WebKitGTK is the port of the WebKit web rendering engine to the GTK platform...

CVE-2026-39423 Stored XSS via Eval Injection in EchartsRander Component

MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain an Eval Injection vulnerability in the Markdown rendering engine that allows any user capable of interacting with the AI chat interface to execute arbitrary JavaScript in the browsers of other users, including...

PT-2026-32585

MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain a Stored Cross-Site Scripting XSS vulnerability where the frontend's MdRenderer.vue component parses custom tags from LLM responses or Application Prologue configurations, bypassing standard Markdown sanitizatio...

[SECURITY] Fedora 44 Update: efl-1.28.1-6.fc44

EFL is a collection of libraries for handling many common tasks a developer may have such as data structures, communication, rendering, widgets and more...

CVE-2026-23900

Various stored XSS vulnerabilities in the maps- and icon rendering logic in Phoca Maps component 5.0.0-6.0.2 have been discovered...

Note Mark has Stored XSS via Unrestricted Asset Upload

Summary A stored same-origin XSS vulnerability allows any authenticated user to upload an HTML, SVG, or XHTML file as a note asset and have it executed in a victim’s browser under the application’s origin. Because the application serves these files inline without a safe content type and without...

[SECURITY] Fedora 42 Update: mupdf-1.26.3-6.fc42

MuPDF is a lightweight PDF viewer and toolkit written in portable C. The renderer in MuPDF is tailored for high quality anti-aliased graphics. MuPDF renders text with metrics and spacing accurate to within fractions of a pixel for the highest fidelity in reproducing the look of a printed page on...

[SECURITY] Fedora 43 Update: mupdf-1.27.1-10.fc43

MuPDF is a lightweight PDF viewer and toolkit written in portable C. The renderer in MuPDF is tailored for high quality anti-aliased graphics. MuPDF renders text with metrics and spacing accurate to within fractions of a pixel for the highest fidelity in reproducing the look of a printed page on...

CVE-2026-23900

Various stored XSS vulnerabilities in the maps- and icon rendering logic in Phoca Maps component 5.0.0-6.0.2 have been discovered...

CVE-2026-23900

Various stored XSS vulnerabilities in the maps- and icon rendering logic in Phoca Maps component 5.0.0-6.0.2 have been discovered...