New

CVE-2026-6947: D-Link|DWM-222W USB Wi-Fi Adapter - Brute-Force Protection Bypass: DWM-222W USB Wi-Fi Adapter developed by D-Link has a Brute-Force Protection Bypass vulnerability, allowing unauthenticated adjacent network attackers to bypass login attempt limits to perform brute-force attacks to gain control over the device.

CVE-2026-41324: basic-ftp vulnerable to denial of service via unbounded memory consumption in Client.list(): basic-ftp is an FTP client for Node.js. Versions prior to 5.3.0 are vulnerable to denial of service through unbounded memory growth while processing directory listings from a remote FTP server. A malicious or compromised server can send an extremely large or never-ending listing response to `Client.list...

CVE-2026-41485: Kyverno Controller Denial of Service via forEach Mutation Panic: Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to versions 1.17.2 and 1.16.4, an unchecked type assertion in the `forEach` mutation handler allows any user with permission to create a `Policy` or `ClusterPolicy` to crash the cluster-wide background controller into a persistent CrashLoopBackO...

CVE-2026-2028: Maxi Blocks <= 2.1.8 - Missing Authorization to Authenticated (Author+) Media File Deletion via 'old_media_src' Parameter: The MaxiBlocks Builder plugin for WordPress is vulnerable to arbitrary media file deletion due to insufficient file ownership validation on the 'maxi_remove_custom_image_size' AJAX action in all versions up to, and including, 2.1.8. This makes it possible for authenticated ...

CVE-2026-5488: ExactMetrics <= 9.1.2 - Authenticated (Subscriber+) Missing Authorization to Google Ads Access Token Retrieval via AJAX Action 'exactmetrics_ads_get_token': The ExactMetrics – Google Analytics Dashboard for WordPress plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 9.1.2. This is due to missing capability checks in the get_ads_access_token() and reset_...

Updated

CVE-2026-33694: Junction File Manipulation: This vulnerability allows an attacker to create a junction, enabling the deletion of arbitrary files with SYSTEM privileges. As a result, this condition potentially facilitates arbitrary code execution, whereby an attacker may exploit the vulnerability to execute malicious code with elevated SYSTEM privileges.

CVE-2026-33999: Xorg: xwayland: x.org x server: denial of service via integer underflow in xkb compatibility map handling: A flaw was found in the X.Org X server. This integer underflow vulnerability, specifically in the XKB compatibility map handling, allows an attacker with local or remote X11 server access to trigger a buffer read overrun. This can lead to memory-safety violations and potentially a denial o...

CVE-2026-34003: Xorg: xwayland: x.org x server: information exposure and denial of service via out-of-bounds memory access: A flaw was found in the X.Org X server's XKB key types request validation. A local attacker could send a specially crafted request to the X server, leading to an out-of-bounds memory access vulnerability. This could result in the disclosure of sensitive information or cause the server to ...

CVE-2026-6921: Race in GPU in Google Chrome on Windows prior to 147.0.7727.117 allowed a remote attacker to potentially perform a sandbox escape via a crafted video file. (Chromium security severity: Medium)

CVE-2026-6919: Use after free in DevTools in Google Chrome prior to 147.0.7727.117 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

CISA Known Exploited Vulnerabilities

CVE-2026-39987 Marimo Marimo: Marimo contains an pre-authorization remote code execution vulnerability, allowing an unauthenticated attacked to shell access and execute arbitrary system commands.

CVE-2026-33825 Microsoft Defender: Microsoft Defender contains an insufficient granularity of access control vulnerability that could allow an authorized attacker to escalate privileges locally.

CVE-2025-48700 Synacor Zimbra Collaboration Suite (ZCS): Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting vulnerability that could allow attackers to execute arbitrary JavaScript within the user's session, potentially leading to unauthorized access to sensitive information.

CVE-2024-27199 JetBrains TeamCity : JetBrains TeamCity contains a relative path traversal vulnerability that could allow limited admin actions to be performed.

CVE-2023-27351 PaperCut NG/MF : PaperCut NG/MF contains an improper authentication vulnerability that could allow remote attackers to bypass authentication on affected installations via the SecurityRequestFilter class.