NVD Dashboard
CVEs Received and Processed
NVD Contains
| CVE Vulnerabilities | 354547 |
| Checklists | 887 |
| US-CERT Alerts | 249 |
| US-CERT Vuln Notes | 4486 |
| OVAL Queries | 0 |
| CPE Names | 1734110 |
For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.
- CVE-2026-33807 - @fastify/express v4.0.4 and earlier contains a path handling bug in the onRegister function that causes middleware paths to be doubled when inherited by child plugins. When a child plugin is registered with a prefix that matches a middleware path,...
  Published: April 15, 2026; 6:16:48 AM -0400
- CVE-2026-10015 - Integer overflow in WTF in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
  Published: May 28, 2026; 7:16:43 PM -0400
- CVE-2026-10003 - Use after free in Views in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
  Published: May 28, 2026; 7:16:42 PM -0400
- CVE-2026-33808 - Impact: @fastify/express v4.0.4 and earlier fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows complete bypass of path-scoped authentication middleware via duplicate s...
  Published: April 15, 2026; 6:16:48 AM -0400
  V3.1: 9.1 CRITICAL
- CVE-2026-10007 - Use after free in SVG in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
  Published: May 28, 2026; 7:16:42 PM -0400
- CVE-2026-10009 - Integer overflow in Skia in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
  Published: May 28, 2026; 7:16:42 PM -0400
- CVE-2026-9969 - Insufficient validation of untrusted input in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
  Published: May 28, 2026; 7:16:55 PM -0400
- CVE-2026-9970 - Use after free in WebGL in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
  Published: May 28, 2026; 7:16:55 PM -0400
- CVE-2026-10016 - Use after free in DOM in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
  Published: May 28, 2026; 7:16:43 PM -0400
- CVE-2026-9974 - Out of bounds write in GPU in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
  Published: May 28, 2026; 7:16:55 PM -0400
- CVE-2026-33805 - @fastify/reply-from v12.6.1 and earlier and @fastify/http-proxy v11.4.3 and earlier process the client's Connection header after the proxy has added its own headers via rewriteRequestHeaders. This allows attackers to retroactively strip proxy-adde...
  Published: April 15, 2026; 7:16:34 AM -0400
  V3.1: 8.6 HIGH
- CVE-2026-27289 - Photoshop Desktop versions 27.4 and earlier are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. An attacker could leverage this vulnerability ...
  Published: April 14, 2026; 4:16:34 PM -0400
  V3.1: 7.8 HIGH
- CVE-2026-48906 - The vulnerability in the Tassos Framework Plugin allows users to delete arbitrary files on the affected sites.
  Published: May 27, 2026; 7:16:24 AM -0400
  V3.1: 8.1 HIGH
- CVE-2026-7210 - `xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding. Fully mitigating this vulnerability requires both updating libexpat t...
  Published: May 11, 2026; 2:16:42 PM -0400
  V3.1: 9.8 CRITICAL
- CVE-2026-4410 - IBM WebSphere Application Server - Liberty 19.0.0.7 through 26.0.0.5 and IBM WebSphere Application Server 9.0, and 8.5 and WebSphere Application Server Liberty are vulnerable to a denial of service, caused by sending a specially-crafted request. A...
  Published: May 27, 2026; 10:17:33 AM -0400
  V3.1: 7.5 HIGH
- CVE-2026-41863 - Spring AI's support for Anthropic's Skills API used LLM-influenced filenames unsanitized in Path.resolve before writing files to disk. This could allow a malicious user to write files outside the intended target directory, including restricted dir...
  Published: May 25, 2026; 3:16:16 AM -0400
- CVE-2026-42398 - Server-Side Request Forgery (CWE-918) in Kibana allows authenticated users with connector management privileges to bypass the operator-configured connection allowlist. By configuring a Webhook connector with a crafted target, an attacker can cause...
  Published: May 28, 2026; 5:16:30 PM -0400
- CVE-2026-42399 - Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated low-privileged user can cause Kibana to consume exponentially increasing amounts of memory by submitting a s...
  Published: May 28, 2026; 5:16:30 PM -0400
- CVE-2026-42400 - Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated user can send a specially crafted compressed request payload that is processed prior to authorization checks...
  Published: May 28, 2026; 5:16:30 PM -0400
- CVE-2026-49093 - Server-Side Request Forgery (CWE-918) in Kibana can allow an authenticated user with connector management privileges to bypass the operator-configured connector allowlist, causing the Kibana server to issue outbound requests to destinations the eg...
  Published: May 28, 2026; 5:16:34 PM -0400
  V3.1: 7.7 HIGH