368793 matches found
CVE-2026-50280
Craft CMS contains an authorization bypass in the entries/move-to-section endpoint (EntriesController::actionMoveToSection). In versions 5.0.0-RC1 through below 5.9.21, destination section gate relies only on viewEntries:$section->uid instead of requiring saveEntries permission; source entry p...
CVE-2026-50279
Craft CMS (versions 5.0.0-RC1 through 5.9.20) contains an authorization gap in EntriesController::actionSaveEntry where entry-edit checks precede author changes. The code path allows attacker-supplied authors to mutate the authors list when the current user is among the old authors, without re-ru...
CVE-2026-55794
Craft CMS
CVE-2026-55792
Craft CMS is vulnerable in versions 4.0.0-RC1 through 4.17.x and 5.0.0-RC1 through 5.9.x due to dataUrl() being in the Twig sandbox allowlist. A control panel user with the utility:system-messages permission can embed a file-reading payload in system emails, causing the server to read targeted fi...
CVE-2026-55791
Craft CMS vulnerability CVE-2026-55791 enables SSRF and Arbitrary JavaScript Injection via /actions/app/resource-js when assetManager.cacheSourcePaths is false and trustedHosts is permissive. An attacker can poison Host/X-Forwarded-Host to hijack $baseUrl, causing Craft::createGuzzleClient()->...
CVE-2026-14439
CVE-2026-14439 describes a path-traversal in the Git Service shared by Altium Enterprise Server and Altium 365. The vulnerability arises from a post-clone file-manipulation primitive that accepts user-supplied paths without validation, enabling an authenticated user with basic git access to move ...
CVE-2026-55790
Summary of CVE-2026-55790 (Craft CMS) : This is a DOM-based cross-site scripting flaw in Craft CMS. Versions affected are 5.0.0-RC1–5.9.22 and 4.0.0-RC1–4.17.15. An attacker with only a GitHub account can insert a JavaScript payload into a craftcms/cms issue title. When a Craft admin uses the Cra...
CVE-2026-50284
Craft CMS (versions 5.0.0-RC1–5.9.21 and 4.0.0-RC1–4.17.14) has a privilege check flaw in AssetsController::actionDeleteFolder: it only enforces deleteAssets: for the target folder and does not enforce deletePeerAssets:, allowing a low-privilege user with folder-management rights on a shared volu...
CVE-2026-14440
Summary: CVE-2026-14440 concerns Cloudflare’s Universal SSL: automatic, permissive CAA RRset management on Universal SSL zones supersedes customer CAA records. When customers push stricter CAA via RFC 8657 accounturi or validationmethods, CAs do not observe those parameters during RFC 8659 evalua...
CVE-2026-14426
CVE-2026-14426 is a Use After Free in V8 within Google Chrome before 150.0.7871.46. A remote attacker could lure a user into specific UI gestures to run arbitrary code in Chrome’s sandbox via a crafted HTML page. Severity: High. Affected: V8 in Chrome (pre-150.7871.46). Mitigation: Chrome update ...
CVE-2026-14432
The CVE-2026-14432 entry documents a use-after-free in V8 affecting Google Chrome’s JavaScript engine prior to version 150.0.7871.46 . This vulnerability could allow a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page, as described in multiple sources. Affected co...
CVE-2026-14394
Summary of CVE-2026-14394 (Google Chrome / V8) : A use-after-free in V8 leads to potential heap corruption when processing crafted HTML pages. Affected software is Google Chrome, with vulnerable versions prior to 150.0.7871.46. The issue is caused by a use-after-free in the JavaScript engine (V8)...
CVE-2026-14403
CVE-2026-14403: Use-after-free in V8 (Chrome) allows remote code execution inside a sandbox via a crafted HTML page on Chrome versions prior to 150.0.7871.46. Severity is listed as Low; the vulnerability stems from a V8 use-after-free condition. Documents do not specify exploitation status or con...
CVE-2026-14393
CVE-2026-14393: Use-after-free in V8 (Chrome) allows remote code execution inside the sandbox via a crafted HTML page. Affected: Google Chrome's V8 engine prior to version 150.0.7871.46. Impact: arbitrary code execution with high/total impact as per the CVSS vector. Remediation: update to Chrome ...
CVE-2026-14419
CVE-2026-14419 affects Google Chrome where a use-after-free in Skia could allow a remote attacker to escape the sandbox via a crafted HTML page. It targets Skia in Chrome before version 150.0.7871.46. The issue is listed as Critical (CVSS: 9.6, Network) with potential for total impact to confiden...
CVE-2026-14417
CVE-2026-14417 affects Dawn in Google Chrome prior to 150.0.7871.46. The issue is a use-after-free in Dawn, enabling a remote attacker to potentially escape the Chrome sandbox via a crafted HTML page. The known remediation is upgrading to Chrome 150.0.7871.46 or later, as reflected in the referen...
CVE-2026-14425
This CVE affects ANGLE in Google Chrome and is caused by a use-after-free in ANGLE that could allow a remote attacker to perform a sandbox escape via a crafted HTML page in Chrome versions prior to 150.0.7871.46. Impact is described as high/critical with potential full compromise of confidentiali...
CVE-2026-14424
CVE-2026-14424 affects Dawn in Google Chrome on macOS prior to 150.0.7871.46. A use-after-free vulnerability in Dawn could allow a remote attacker to potentially escape the sandbox via a crafted HTML page, with Chromium severity listed as High. The available documents consistently describe the tr...
CVE-2026-14390
CVE-2026-14390 describes a use-after-free in ANGLE used by Google Chrome before version 150.0.7871.46. The vulnerability could allow a remote attacker to attempt a sandbox escape via a crafted HTML page. The description and connected sources consistently identify ANGLE as the affected Graphics/AN...
CVE-2026-14398
In Connected sources, CVE-2026-14398 is described as a Use-after-free in ANGLE affecting Google Chrome prior to 150.0.7871.46, enabling a remote attacker to potentially escape the sandbox via a crafted HTML page. The vulnerability is confirmed as part of ANGLE in Chrome, with a critical severity....