The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.
For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.
Legal Disclaimer:
Here is where you can read the NVD legal disclaimer.
- CVE-2026-0132 - In Modem, there is a possible out of bounds write due to a heap buffer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
Published: June 16, 2026; 4:16:24 PM -0400
- CVE-2026-0133 - In smmu_attach_dev of arm-smmu-v3.c, there is a possible way to sign malicious Android Runtime bootclass artifacts due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. ...
Published: June 16, 2026; 4:16:24 PM -0400
- CVE-2026-0134 - In PostWipeData of recovery_ui.cpp, there is a possible data persistence issue after a factory reset due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User interaction...
Published: June 16, 2026; 4:16:24 PM -0400
- CVE-2026-0135 - In Modem, there is a possible out of bounds read due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
Published: June 16, 2026; 4:16:24 PM -0400
- CVE-2026-53899 - Firefox for iOS used partial domain matching when attaching cookies to PDF requests, allowing a malicious site on a suffix domain to receive cookies belonging to the target site. This vulnerability was fixed in Firefox for iOS 152.0.
Published: June 16, 2026; 9:16:37 AM -0400
- CVE-2025-55652 - A heap buffer overflow in the gf_isom_vp_config_new function (isomedia/avc_ext.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.
Published: June 15, 2026; 4:16:24 PM -0400
- CVE-2025-55660 - A stack overflow in the gf_opus_read_length function (media_tools/av_parsers.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.
Published: June 15, 2026; 4:16:24 PM -0400
- CVE-2025-55661 - A heap buffer overflow in the Opus audio stream parser component of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.
Published: June 15, 2026; 4:16:24 PM -0400
- CVE-2025-55663 - A segmentation violation in the Track_SetStreamDescriptor function (isomedia/track.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file.
Published: June 15, 2026; 4:16:24 PM -0400
- CVE-2026-30120 - remotion-dev remotion v4.0.409 was discovered to contain a remote code execution (RCE) vulnerability.
Published: June 15, 2026; 4:16:25 PM -0400
- CVE-2026-53900 - Firefox for iOS preserved cookies set on the initial PDF request across cross-origin HTTP redirects in TemporaryDocument, allowing a malicious site to inject arbitrary cookies into requests to an unrelated target domain. This vulnerability was fix...
Published: June 16, 2026; 9:16:37 AM -0400
- CVE-2026-47835 - In Spring AI Vector Stores, special characters could be used to force the execution of arbitrary queries in Elasticsearch, OpenSearch, and GemFire VectorDB. Affected components: spring-ai-elasticsearch-store, spring-ai-opensearch-store, spring-ai-...
Published: June 15, 2026; 4:16:28 PM -0400
V3.1: 7.5 HIGH
- CVE-2026-41708 - In Spring Cloud Sleuth, it is possible for a user to provide specially crafted calls that may cause a denial-of-service (DoS) condition. The application is vulnerable when it uses a vulnerable version of org.springframework.cloud:spring-cloud-sleu...
Published: June 15, 2026; 4:16:27 PM -0400
- CVE-2026-44169 - MariaDB server is a community developed fork of MySQL server. From versions 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1, a user getting EXECUTE access to a stored routine via a role, could see the routine definition even without ...
Published: June 12, 2026; 2:16:33 PM -0400
- CVE-2026-0136 - In Modem, there is a possible out of bounds read due to a missing bounds check. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.
Published: June 16, 2026; 4:16:24 PM -0400
- CVE-2026-12316 - Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 152 and Thunderbird 152.
Published: June 16, 2026; 9:16:32 AM -0400
- CVE-2026-12301 - Memory safety bug fixed in Thunderbird 152. This vulnerability was fixed in Firefox 152 and Thunderbird 152.
Published: June 16, 2026; 9:16:30 AM -0400
- CVE-2026-12300 - Memory safety bug fixed in Thunderbird 152. This vulnerability was fixed in Firefox 152 and Thunderbird 152.
Published: June 16, 2026; 9:16:30 AM -0400
- CVE-2026-12327 - Memory safety bugs present in Firefox ESR 140.11, Thunderbird ESR 140.11, Firefox 151 and Thunderbird 151. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to ru...
Published: June 16, 2026; 9:16:33 AM -0400
- CVE-2026-12293 - Use-after-free in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 152 and Thunderbird 152.
Published: June 16, 2026; 9:16:29 AM -0400
V3.1: 9.8 CRITICAL