New
CVE-2026-58281: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability: Deserialization of untrusted data in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network.
CVE-2026-10660: Shared reassembly buffer in Bluetooth BAP Broadcast Assistant enables cross-connection memory corruption: The Bluetooth BAP Broadcast Assistant GATT client in subsys/bluetooth/audio/bap_broadcast_assistant.c reassembled remote Broadcast Receive State data into a single file-static net_buf_simple (att_buf, BT_ATT_MAX_ATTRIBUTE_LEN = 512 bytes) shared by all connection instances, while the BUSY f...
CVE-2026-61870: ImageMagick before 7.1.2-26 Memory Leak via VIFF Encoder: ImageMagick before 7.1.2-26 contains a memory leak vulnerability in the VIFF encoder when memory allocation fails. Attackers can trigger allocation failures by processing specially crafted VIFF images to exhaust available memory and cause denial of service.
CVE-2026-61861: ImageMagick before 7.1.2-26 Use-After-Free in FormatMagickCaption: ImageMagick before 7.1.2-26 contains a use-after-free vulnerability in the FormatMagickCaption method when memory allocation fails. Attackers can trigger memory allocation failures to cause a dangling pointer to reference freed memory, potentially enabling denial of service or code execution.
CVE-2026-61858: ImageMagick before 7.1.2-26 Policy Bypass via APNG encoder: ImageMagick before 7.1.2-26 contains a policy bypass vulnerability in the APNG encoder and external delegates due to missing validation checks. Attackers can write files to disallowed paths by bypassing configured policy restrictions through the APNG encoding process.
Updated
CVE-2023-5574: Xorg-x11-server: use-after-free bug in damagedestroy: A use-after-free flaw was found in xorg-x11-server-Xvfb. This issue occurs in Xvfb with a very specific and legacy configuration (a multi-screen setup with multiple protocol screens, also known as Zaphod mode). If the pointer is warped from a screen 1 to a screen 0, a use-after-free issue may be triggered during shutdown or reset of the Xvfb...
CVE-2026-58525: Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability: Improper access control in Microsoft Edge (Chromium-based) allows an unauthorized attacker to bypass a security feature over a network.
CVE-2026-58291: Microsoft Edge (Chromium-based) Information Disclosure Vulnerability: Operation on a resource after expiration or release in Microsoft Edge (Chromium-based) allows an unauthorized attacker to disclose information over a network.
CVE-2026-45489: Microsoft Edge (Chromium-based) Spoofing Vulnerability: Microsoft Edge (Chromium-based) Spoofing Vulnerability
CVE-2026-54998: Microsoft Exchange Online Elevation of Privilege Vulnerability: Incorrect authorization in Microsoft Exchange Online allows an authorized attacker to elevate privileges over a network.
CISA Known Exploited Vulnerabilities
CVE-2026-56291 Balbooa Forms: Balbooa Forms contains an unrestricted upload of file with dangerous type vulnerability that allows an unauthenticated arbitrary file upload which could allow uploading of executable files leading to full RCE.
CVE-2026-48939 iCagenda iCagenda: iCagenda contains an unrestricted upload of file with dangerous type vulnerability that allows the upload of arbitrary files in the file attachment feature, ultimately resulting in PHP code upload and execution.
CVE-2026-48282 Adobe ColdFusion: Adobe ColdFusion contains a path traversal vulnerability that could lead to arbitrary code execution in the context of the current user.
CVE-2026-55255 Langflow Langflow: Langflow contains an authorization bypass through user-controlled key vulnerability which allows an authenticated attacker to execute any flow belonging to another user by specifying the victim's flow ID in the request.
CVE-2026-56290 Joomlack Page Builder: Joomlack Page Builder contains an improper access control vulnerability that could allow for remote code execution via unauthenticated arbitrary file upload.