New
CVE-2026-22686: Sandbox Escape via Host Error Prototype Chain in enclave-vm: Enclave is a secure JavaScript sandbox designed for safe AI agent code execution. Prior to 2.7.0, there is a critical sandbox escape vulnerability in enclave-vm that allows untrusted, sandboxed JavaScript code to execute arbitrary code in the host Node.js runtime. When a tool invocation fails, enclave-vm exposes a host-side Error obje...
CVE-2026-0716: Libsoup: out-of-bounds read in libsoup websocket frame processing: A flaw was found in libsoup’s WebSocket frame processing when handling incoming messages. If a non-default configuration is used where the maximum incoming payload size is unset, the library may read memory outside the intended bounds. This can cause unintended memory exposure or a crash. Applications using libsoup’s WebSocket s...
CVE-2023-54333: Social-Share-Buttons 2.2.3 - SQL Injection via project_id Parameter: Social-Share-Buttons 2.2.3 contains a critical SQL injection vulnerability in the project_id parameter that allows attackers to manipulate database queries. Attackers can exploit this vulnerability by sending crafted POST requests with malicious SQL payloads to retrieve and potentially steal entire database contents.
CVE-2023-54332: Jetpack 11.4 - Cross Site Scripting (XSS): Jetpack 11.4 contains a cross-site scripting vulnerability in the contact form module that allows attackers to inject malicious scripts through the post_id parameter. Attackers can craft malicious URLs with script payloads to execute arbitrary JavaScript in victims' browsers when they interact with the contact form page.
CVE-2023-53985: Zstore 6.5.4 - Reflected Cross-Site Scripting (XSS): Zstore, now referred to as Zippy CRM, 6.5.4 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts through unvalidated input parameters. Attackers can submit crafted payloads in manual insertion points to execute arbitrary JavaScript code in victim's browser context.
Updated
CVE-2025-7195: Operator-sdk: privilege escalation due to incorrect permissions of /etc/passwd: Early versions of Operator-SDK provided an insecure method to allow operator containers to run in environments that used a random UID. Operator-SDK before 0.15.2 provided a script, user_setup, which modifies the permissions of the /etc/passwd file to 664 during build time. Developers who used Operator-SDK before 0.1...
CVE-2026-20805: Desktop Window Manager Information Disclosure Vulnerability: Exposure of sensitive information to an unauthorized actor in Desktop Windows Manager allows an authorized attacker to disclose information locally.
CVE-2025-61662: Grub2: missing unregister call for gettext command may lead to use-after-free: A Use-After-Free vulnerability has been discovered in GRUB's gettext module. This flaw stems from a programming error where the gettext command remains registered in memory after its module is unloaded. An attacker can exploit this condition by invoking the orphaned command, causing the application to access a memory...
CVE-2024-11831: Npm-serialize-javascript: cross-site scripting (xss) in serialize-javascript: A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain inputs, such as regex or other JavaScript object types, allowing an attacker to inject malicious code. This code could be executed when deserialized by a web browser, causin...
CVE-2024-3727: Containers/image: digest type does not guarantee valid type: A flaw was found in the github.com/containers/image library. This flaw allows attackers to trigger unexpected authenticated registry accesses on behalf of a victim user, causing resource exhaustion, local path traversal, and other attacks.
CISA Known Exploited Vulnerabilities
CVE-2026-20805 Microsoft Windows: Microsoft Windows contains an information disclosure vulnerability that allows an authorized attacker to disclose information locally.
CVE-2025-8110 Gogs Gogs: Gogs contains a path traversal vulnerability affecting improper Symbolic link handling in the PutContents API that could allow for code execution.
CVE-2009-0556 Microsoft Office: Microsoft Office PowerPoint contains a code injection vulnerability that allows remote attackers to execute arbitrary code via a PowerPoint file with an OutlineTextRefAtom containing an invalid index value that triggers memory corruption.
CVE-2025-37164 Hewlett Packard Enterprise (HPE) OneView: Hewlett Packard Enterprise (HPE) OneView contains a code injection vulnerability that allows a remote unauthenticated user to perform remote code execution.
CVE-2025-14847 MongoDB MongoDB and MongoDB Server: MongoDB Server contains an improper handling of length parameter inconsistency vulnerability in Zlib compressed protocol headers. This vulnerability may allow a read of uninitialized heap memory by an unauthenticated client.