
The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.

For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries (with CVSS Severity)
  • CVE-2026-28798 - ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. Prior to version 1.5.3, a proxy endpoint (/v1/sys/proxy) exposed by ZimaOS's web interface can be abused (via an externally reachable domain using a Clo... read CVE-2026-28798
    Published: April 03, 2026; 4:16:02 PM -0400

  • CVE-2026-22661 - prompts.chat prior to commit 0f8d4c3 contains a path traversal vulnerability in skill file handling that allows attackers to write arbitrary files to the client system by crafting malicious ZIP archives with unsanitized filenames containing path t... read CVE-2026-22661
    Published: April 03, 2026; 5:17:08 PM -0400

    V3.1: 8.1 HIGH

  • CVE-2026-4498 - Execution with Unnecessary Privileges (CWE-250) in Kibana’s Fleet plugin debug route handlers can lead to reading index data beyond their direct Elasticsearch RBAC scope via Privilege Abuse (CAPEC-122). This requires an authenticated Kibana user with... read CVE-2026-4498
    Published: April 08, 2026; 1:21:24 PM -0400

  • CVE-2026-33459 - Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated user with access to the automatic import feature can submit specially crafted requests with excessively larg... read CVE-2026-33459
    Published: April 08, 2026; 2:26:00 PM -0400

  • CVE-2026-28261 - Dell Elastic Cloud Storage, version 3.8.1.7 and prior, and Dell ObjectScale, versions prior to 4.1.0.3 and version 4.2.0.0, contains an Insertion of Sensitive Information into Log File vulnerability. A low privileged attacker with local access cou... read CVE-2026-28261
    Published: April 08, 2026; 9:16:41 AM -0400

    V3.1: 5.5 MEDIUM

  • CVE-2026-5919 - Insufficient validation of untrusted input in WebSockets in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. (Chromium security severity: ... read CVE-2026-5919
    Published: April 08, 2026; 6:16:31 PM -0400

  • CVE-2026-22662 - prompts.chat prior to commit 1464475 contains a blind server-side request forgery vulnerability in the Wiro media generator that allows authenticated users to perform server-side fetches of user-controlled inputImageUrl parameters. Attackers can e... read CVE-2026-22662
    Published: April 03, 2026; 5:17:09 PM -0400

    V3.1: 4.3 MEDIUM

  • CVE-2026-21012 - External control of file name in AODManager prior to SMR Apr-2026 Release 1 allows privileged local attacker to create file with system privilege.
    Published: April 13, 2026; 2:16:05 AM -0400

    V3.1: 3.3 LOW

  • CVE-2026-21011 - Incorrect privilege assignment in Bluetooth in Maintenance mode prior to SMR Apr-2026 Release 1 allows physical attackers to bypass Extend Unlock.
    Published: April 13, 2026; 2:16:05 AM -0400

    V3.1: 6.8 MEDIUM

  • CVE-2026-22663 - prompts.chat prior to commit 7b81836 contains multiple authorization bypass vulnerabilities due to missing isPrivate checks across API endpoints and page metadata generation that allow unauthorized users to access sensitive data associated with pr... read CVE-2026-22663
    Published: April 03, 2026; 5:17:09 PM -0400

    V3.1: 7.5 HIGH

  • CVE-2026-21010 - Improper input validation in Retail Mode prior to SMR Apr-2026 Release 1 allows local attackers to trigger privileged functions.
    Published: April 13, 2026; 2:16:05 AM -0400

    V3.1: 7.8 HIGH

  • CVE-2026-22664 - prompts.chat prior to commit 30a8f04 contains a server-side request forgery vulnerability in Fal.ai media status polling that allows authenticated users to perform arbitrary outbound requests by supplying attacker-controlled URLs in the token para... read CVE-2026-22664
    Published: April 03, 2026; 5:17:09 PM -0400

  • CVE-2026-5867 - Heap buffer overflow in WebML in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)
    Published: April 08, 2026; 6:16:26 PM -0400

  • CVE-2026-22665 - prompts.chat prior to commit 1464475 contains an identity confusion vulnerability due to inconsistent case-sensitive and case-insensitive handling of usernames across write and read paths, allowing attackers to create case-variant usernames that b... read CVE-2026-22665
    Published: April 03, 2026; 5:17:09 PM -0400

    V3.1: 8.1 HIGH

  • CVE-2026-5868 - Heap buffer overflow in ANGLE in Google Chrome on Mac prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
    Published: April 08, 2026; 6:16:26 PM -0400

  • CVE-2026-5869 - Heap buffer overflow in WebML in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)
    Published: April 08, 2026; 6:16:26 PM -0400

  • CVE-2026-5870 - Integer overflow in Skia in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
    Published: April 08, 2026; 6:16:26 PM -0400

  • CVE-2026-25742 - Zulip is an open-source team collaboration tool. Prior to version 11.6, Zulip is an open-source team collaboration tool. From version 1.4.0 to before version 11.6, even after spectator access (enable_spectator_access / WEB_PUBLIC_STREAMS_ENABLED) ... read CVE-2026-25742
    Published: April 03, 2026; 5:17:10 PM -0400

  • CVE-2026-5872 - Use after free in Blink in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
    Published: April 08, 2026; 6:16:26 PM -0400

  • CVE-2026-5873 - Out of bounds read and write in V8 in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
    Published: April 08, 2026; 6:16:26 PM -0400

Created September 20, 2022, Updated August 27, 2024