368954 matches found
CVE-2026-54756
The CVE pertains to Jodit Editor (TypeScript WYSIWYG) where versions prior to 4.12.18 expose a Prototype Pollution risk via Jodit.configure(options) and internal ConfigMerge/ConfigProto, which may merge user-controlled options (e.g., under a plain-object option like controls) into Object.prototyp...
CVE-2026-49998
Technical details for CVE-2026-49998 are not publicly available in the provided documents. Monitor for updates.
CVE-2026-55886
CVE-2026-55886 — Jodit Prototype Pollution Affected software: Jodit Editor (npm package) up to version 4.12.25 (vulnerability fixed in 4.12.26). Root cause: Prototype pollution via Jodit.modules.Helpers.set(chain, value, obj) which walks a dot-separated path and creates path segments without filt...
CVE-2026-49997
Technical details for CVE-2026-49997 are not publicly available in the provided documents. The entry is reserved/placeholder. Monitor for updates as information may be released in the future.
CVE-2026-50521
CVE-2026-50521 : Use-after-free in Microsoft Edge (Chromium-based) allows an authorized attacker to execute code over a network. The vulnerability has a CVSS v3.1 base score of 8.3 (High) with network attack vector, low attack complexity, required privileges, no user interaction, and impact to co...
CVE-2026-54786
Wasmtime’s native WASIp1 fd_renumber implementation leaks host resources because the guest-facing fd_renumber updates only the WASIp1 descriptor table, not the host’s underlying table. This affects wasm runtimes that expose fd_renumber and allow file descriptors; affected versions include all pri...
CVE-2026-54161
Technical details for CVE-2026-54161 are not publicly available in the provided documents; no affected products, impact, or remediation are listed. Monitor for updates from trusted sources.
CVE-2026-55153
CVE-2026-55153 affects mchange-commons-java before 0.6.0, where the JNDI ObjectFactory (com.mchange.v2.naming.JavaBeanObjectFactory) constructs arbitrary JavaBean properties, enabling JNDI injection and deserialization gadget abuse in some classes. An example is setting a Swing JEditorPane’s cont...
CVE-2026-48815
Technical details for CVE-2026-48815 are not publicly available in the provided documents. No affected products, vectors, or remediation information are disclosed. Monitor for updates.
CVE-2026-48816
Technical details for CVE-2026-48816 are not publicly available in the provided documents. Monitor for updates.
CVE-2026-49989
Technical details for CVE-2026-49989 are not publicly available in the provided documents. Monitor for updates.
CVE-2026-55688
Affected software: AsyncHttpClient (AHC) library for Java. Vulnerable versions: 2.0.0 up to (but not including) 2.16.0, and 3.0.0.Beta1 up to (but not including) 3.0.11. Root cause: ThreadSafeCookieStore may store a cookie using the.Domain value without validating that the responding host is allo...
CVE-2026-36541
Technical details are not publicly available in the provided documents for CVE-2026-36541; no affected products, vectors, or remediation are described. Monitor for updates.
CVE-2026-36542
Technical details for CVE-2026-36542 are not publicly available in the provided documents; no affected products, impact, or remediation are specified. Monitor for updates.
CVE-2026-54908
CVE-2026-54908 affects the Pion DTLS Go implementation. Versions prior to 3.1.4 are vulnerable to a remote Denial of Service caused by a panic while parsing a crafted ECDHE_PSK ServerKeyExchange message. The issue has been fixed in 3.1.4. No exploitation details are provided in the documents.
CVE-2026-14265
The CVE affects AWS Advanced JDBC Wrapper (AWR) RemoteQueryCachePlugin versions 3.3.0–4.0.0. Deserialization of untrusted data via ObjectInputStream without class filtering when reading cached query results from Redis or Valkey enables gadget-chain execution, allowing arbitrary code execution on ...
CVE-2026-58593
NodeBB is affected by CVE-2026-58593 where inbound ActivityPub objects are not correctly bound to the authenticated remote actor. The middleware verifies the HTTP-signature actor and origin of object.id but does not validate that attributedTo corresponds to the sender, treating attributedTo as a ...
CVE-2026-58592
Vulnerability summary (CVE-2026-58592, Ladybird): A dangling-reference memory-safety flaw in Ladybird’s WebAssembly ESM integration loader. When a JavaScript function is imported into a WebAssembly module via the ESM path, WebAssemblyModule.cpp passes a stack-local Wasm::FunctionType by reference...
CVE-2026-49858
API Platform Core contains a cross-user attribute leak in JSON:API and HAL item normalizers due to a missing isCacheKeySafe gate. Affected versions: 2.6.0 up to 4.1.28, 4.2.25, and 4.3.11 (i.e., before 4.1.29, 4.2.26, 4.3.12). Root cause: componentsCache arrays are keyed on $context['cache_key'] ...
CVE-2026-58457
CVE-2026-58457 affects Shenzhen Aitemi M300 MT02 (Wi‑Fi Repeater). An unauthenticated OS command injection exists in the commuos web backend via the smacfilter_conf handler. Attackers can append semicolon-delimited payloads to the name, enable, or mac GET parameters, which are unsanitized and pas...