CVE Brief Security Intelligence

OpenCATS prior to commit 3002a29 contains a PHP code injection vulnerability in the installer AJAX endpoint that allows unauthenticated attackers to execute arbitrary code by injecting PHP statements into the databaseConnectivity action parameter

Cockpit CMS contains an authenticated remote code execution vulnerability in the /cockpit/collections/save_collection endpoint that allows authenticated attackers with collection management privileges to inject arbitrary PHP code into collection rules parameters

A use-after-free vulnerability in the Views component of Google Chrome on Mac allows for potential arbitrary code execution.

A use-after-free vulnerability in the media component of Google Chrome allows for potential arbitrary code execution.

A use-after-free vulnerability exists within the WebRTC component of Google Chrome, potentially allowing for arbitrary code execution.

A heap buffer overflow vulnerability in the WebRTC component of Google Chrome could allow an attacker to crash the application or execute arbitrary code.

A use-after-free vulnerability in the WebRTC component of Google Chrome could allow an unauthenticated attacker to trigger memory corruption.

A use-after-free vulnerability in the WebView component of Google Chrome on Android may allow for remote code execution.

A use-after-free vulnerability in the Accessibility component of Google Chrome on Windows could allow for arbitrary code execution.

Use after free in Codecs in Google Chrome prior to 147

Use after free in Media in Google Chrome prior to 147

Use after free in Navigation in Google Chrome prior to 147

Use after free in Animation in Google Chrome prior to 147

Use after free in ANGLE in Google Chrome prior to 147

Use after free in iOS in Google Chrome prior to 147

Use after free in Canvas in Google Chrome on Linux, ChromeOS prior to 147

Use after free in WebMIDI in Google Chrome prior to 147

Use after free in Media in Google Chrome on Android prior to 147

Heap buffer overflow in Skia in Google Chrome prior to 147

Use after free in Chromoting in Google Chrome prior to 147

Use after free in Cast in Google Chrome prior to 147

Use after free in Cast in Google Chrome prior to 147

Use after free in GPU in Google Chrome prior to 147

Type Confusion in V8 in Google Chrome prior to 147

Out of bounds read and write in Angle in Google Chrome prior to 147

Insufficient validation of untrusted input in Feedback in Google Chrome prior to 147

Inappropriate implementation in Tint in Google Chrome prior to 147

Mismatched Memory Management Routines vulnerability in Apache Thrift c_glib language bindings

OpenClaw before 2026

Jenkins Credentials Binding Plugin 719

Cockpit 2

Out-of-bounds Read vulnerability in Apache Thrift

An improper access control vulnerability exists in the Cisco Intersight Device Connector for Nutanix Prism Central

XATABoost CMS 1

Jenkins HTML Publisher Plugin 427 and earlier does not escape job name and URL in the legacy wrapper file, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission

Integer Overflow or Wraparound vulnerability in Apache Thrift TFramedTransport Go language implementation This issue affects Apache Thrift: before 0

Uncontrolled Recursion vulnerability in Apache Thrift Node

pgjdbc is an open source postgresql JDBC Driver

Improper Validation of Certificate with Host Mismatch vulnerability in Apache Thrift

Integer Overflow or Wraparound vulnerability in Apache Thrift

AgentFlow contains an arbitrary code execution vulnerability that allows attackers to execute local Python pipeline files by supplying a user-controlled pipeline_path parameter to the POST /api/runs and POST /api/runs/validate endpoints

NVIDIA NeMoClaw contains a vulnerability in the sandbox environment initialization component, where a remote attacker could cause improper access control by sending prompt-injected content that causes the agent to read and exfiltrate host environment variables not properly restricted during sandbox creation

NVIDIA FLARE SDK contains a vulnerability in FOBS, where an attacker may cause deserialization of untrusted data by sending a malicious FOBS- encoded message

Improper neutralization of CRLF sequences ('CRLF injection') vulnerability in TUBITAK BILGEM Software Technologies Research Institute Pardus allows Authentication Bypass

TLS protocol dissector heap overflow in Wireshark 4

Local privilege escalation due to improper input validation

Local privilege escalation due to improper input validation

A vulnerability has been found in D-Link DIR-825M 1

A vulnerability was found in D-Link DIR-825M 1

Improper Privilege Management, Improper Access Control, Incorrect privilege assignment vulnerability in TUBITAK BILGEM Software Technologies Research Institute Pardus Software Center allows Hijacking a privileged process

Improper link resolution before file access ('link following') vulnerability in TUBITAK BILGEM Software Technologies Research Institute Pardus About allows Symlink Attack

Improper neutralization of special elements used in an OS command ('OS command injection') vulnerability in TUBITAK BILGEM Software Technologies Research Institute Pardus OS My Computer allows OS Command Injection

Insufficient validation of the prefix length field in IPv6 Router Advertisement processing in FreeRTOS-Plus-TCP before V4

SQL injection vulnerability in Spring AI's `CosmosDBVectorStore` allows attackers to execute arbitrary SQL queries via crafted document IDs

An unsecured configuration interface on affected devices allows unauthenticated remote attackers to access sensitive information, including hashed credentials and access codes

Authentication Bypass vulnerability exists in Netmaker versions prior to 1

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Steve Burge TaxoPress simple-tags allows Blind SQL Injection

OpenClaw before 2026

OpenClaw before 2026

OpenClaw before 2026

OpenClaw before 2026

BuddyPress Xprofile Custom Fields Type 2

A vulnerability was determined in UTT HiPER 1250GW up to 3

A vulnerability was identified in UTT HiPER 1250GW up to 3

A security flaw has been discovered in UTT HiPER 1250GW up to 3

A flaw has been found in Tenda 4G300 US_4G300V1

OpenClaw before 2026

Text::CSV_XS versions before 1

Prime95 29

Easy MPEG to DVD Burner 1

Allok Video to DVD Burner 2

Free Download Manager 2

SysGauge Pro 4

Allok soft WMV to AVI MPEG DVD WMV Converter 4

Alloksoft Video joiner 4

OpenClaw before 2026

OpenClaw before 2026

OpenClaw before 2026

mod_sql in ProFTPD before 1

Integer underflow in the DHCPv6 sub-option parser in FreeRTOS-Plus-TCP before V4

A vulnerability in the access control mechanism of SonicOS may allow certain management interface functions to be accessible under specific conditions

This vulnerability impacts all versions of IdentityIQ and allows an authenticated identity that is the requestor or assignee of a work item to edit the definition of a role without having an assigned capability that would allow role editing

AVACAST developed by eMPIA Technology, has a DLL Hijacking vulnerability, allowing authenticated local attackers to place a malicious DLL in a specific directory, resulting in arbitrary code execution with system privileges when the system loads the DLL

OpenClaw before 2026

OpenClaw before 2026

OpenClaw before 2026

OpenClaw before 2026

An issue in the TVicPort64

Allok AVI to DVD SVCD VCD Converter 4

Outline is a service that allows for collaborative documentation

OpenClaw before 2026

The Aranda File Server (AFS) component in Aranda Software Aranda Service Desk before 8

Information disclosure due to incorrect boundary conditions in the Audio/Video component

OpenClaw before 2026

OpenClaw before 2026

OpenClaw before 2026

Starman versions before 0

TOTOLINK A3002RU V3 <= V3

An issue was discovered in libsndfile 1

The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the GNU C Library version 2