Critical vulnerabilities, curated daily for security professionals
See how vulnerabilities affect your specific environment
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework
Thursday's disclosures center on container infrastructure and browser sandboxing, with Docker Gotenberg, Google Chrome, and OpenClaw Sandbox Browser carrying the highest-impact flaws. Critical CVEs totaled 11 (down 27% from 15) while high-priority CVEs reached 100 (up 9% from 92). Notable entries include CVE-2026-40281 (CVSS 10) in Docker Gotenberg, CVE-2026-7908 (CVSS 9.6) in Google Chrome, and CVE-2026-41930 (CVSS 9.8) in Apache Vvveb. Remote code execution and sandbox-escape patterns dominate, with Apache projects (Vvveb, Wicket, mod) and OpenClaw Sandbox Browser appearing across multiple critical entries. Eight KEV entries cover D-Link, Samsung MagicINFO, SimpleHelp, Palo Alto PAN-OS, ConnectWise ScreenConnect, Microsoft Windows, and the Linux Kernel; patch availability for today's batch is reported at 0%, so defenders should prioritize compensating controls and monitoring.
Immediate action: Prioritize Docker Gotenberg, Google Chrome, OpenClaw Sandbox Browser, and Apache Vvveb/Wicket/mod deployments for review, and apply compensating controls on KEV-listed Palo Alto PAN-OS, Microsoft Windows, Linux Kernel, SimpleHelp, and ConnectWise ScreenConnect installations. With 0% patch availability across today's critical batch, focus on network segmentation, exposure reduction, and detection coverage until vendor fixes ship.
Unauthenticated RCE in Palo Alto PAN-OS firewalls
A buffer overflow in the User-ID Authentication Portal lets an unauthenticated network attacker execute arbitrary code as root on PA-Series and VM-Series firewalls. Palo Alto Networks confirms limited exploitation in the wild against portals reachable from untrusted IP space.
D-Link DIR-823X Command Injection Vulnerability - Active in CISA KEV catalog.
Samsung MagicINFO 9 Server Path Traversal Vulnerability - Active in CISA KEV catalog.
SimpleHelp Path Traversal Vulnerability - Active in CISA KEV catalog.
SimpleHelp Missing Authorization Vulnerability - Active in CISA KEV catalog.
Palo Alto Networks PAN-OS Out-of-bounds Write Vulnerability - Active in CISA KEV catalog.
ConnectWise ScreenConnect Path Traversal Vulnerability - Active in CISA KEV catalog.
Microsoft Windows Protection Mechanism Failure Vulnerability - Active in CISA KEV catalog.
Linux Kernel Incorrect Resource Transfer Between Spheres Vulnerability - Active in CISA KEV catalog.
Vvveb contains hard-coded credentials in its docker-compose-apache.yaml configuration, allowing unauthenticated remote access to the bundled phpMyAdmin container.
A use-after-free vulnerability in the Google Chrome Fullscreen implementation allows a remote attacker to achieve sandbox escape via a crafted HTML page.
OpenClaw contains an improper network binding configuration that exposes the Chrome DevTools Protocol externally, allowing unauthorized remote access.
Apache Wicket fails to invoke the changeSessionId method after session binding, exposing the application to session fixation attacks.
Gotenberg contains a command injection vulnerability where unsanitized metadata values allow attackers to manipulate ExifTool arguments, leading to arbitrary file system operations.
The Apache::Session::Generate::ModUniqueId module generates insecure session IDs using predictable environment variables, allowing for potential session hijacking.
OpenClaw contains an authentication bypass in the noVNC helper route, allowing unauthenticated attackers to hijack interactive browser sessions.
OpenClaw contains an authentication bypass in webhook validation that allows unauthenticated attackers to execute arbitrary commands.
OpenClaw contains a privilege escalation vulnerability where heartbeat owner downgrade detection misses async execution completion events.
CI4MS contains a stored DOM-based XSS vulnerability in the backup module that can be leveraged for full account takeover.
Spring Cloud Config allows directory traversal via specially crafted URLs, enabling unauthorized access to arbitrary files.
A Use-After-Free (UAF) vulnerability in the PresentationAPI of Google Chrome allows for potential arbitrary code execution via a specially crafted web page.
A Use-After-Free vulnerability in the Chromoting component of Google Chrome for Linux allows for potential arbitrary code execution.
A Use-After-Free vulnerability in the ANGLE graphics engine of Google Chrome on Mac allows for potential arbitrary code execution.
A Use-After-Free vulnerability in the SVG implementation of Google Chrome allows for potential arbitrary code execution.
Use after free in DOM in Google Chrome prior to 148
Use after free in Passwords in Google Chrome prior to 148
Use after free in WebRTC in Google Chrome on Windows prior to 148
Use after free in CSS in Google Chrome prior to 148
Use after free in V8 in Google Chrome prior to 148
Use after free in Blink in Google Chrome prior to 148
Use after free in WebAudio in Google Chrome prior to 148
Use after free in ReadingMode in Google Chrome prior to 148
Use after free in WebRTC in Google Chrome prior to 148
Use after free in UI in Google Chrome prior to 148
Use after free in Audio in Google Chrome on Mac prior to 148
Use after free in WebRTC in Google Chrome prior to 148
Heap buffer overflow in ANGLE in Google Chrome prior to 148
Use after free in Aura in Google Chrome on Windows prior to 148
Use after free in Fullscreen in Google Chrome on Windows prior to 148
Use after free in GPU in Google Chrome prior to 148
Use after free in Aura in Google Chrome prior to 148
Use after free in Skia in Google Chrome prior to 148
Use after free in ServiceWorker in Google Chrome prior to 148
Use after free in Navigation in Google Chrome prior to 148
Use after free in TopChrome in Google Chrome prior to 148
Use after free in DevTools in Google Chrome prior to 148
Use after free in GPU in Google Chrome prior to 148
Use After Free in Printing in Google Chrome on Linux, Mac, ChromeOS prior to 148
Use after free in Chromoting in Google Chrome on Windows prior to 148
Integer overflow in Blink in Google Chrome prior to 148
Out of bounds read and write in V8 in Google Chrome prior to 148
Out of bounds memory access in V8 in Google Chrome prior to 148
Integer overflow in ANGLE in Google Chrome on Mac,Windows prior to 148
Type Confusion in Runtime in Google Chrome prior to 148
Insufficient validation of untrusted input in Cookies in Google Chrome prior to 148
Out of bounds write in WebRTC in Google Chrome prior to 148
Out of bounds write in Media in Google Chrome on Mac, iOS prior to 148
Integer overflow in Dawn in Google Chrome on Windows prior to 148
Type Confusion in WebRTC in Google Chrome prior to 148
Insufficient validation of untrusted input in UI in Google Chrome on Linux, ChromeOS prior to 148
Out of bounds read in AdFilter in Google Chrome prior to 148
Insufficient validation of untrusted input in ChromeDriver in Google Chrome on Windows prior to 148
YesWiki is a wiki system written in PHP
Insufficient validation of untrusted input in Media in Google Chrome on Android prior to 148
Type Confusion in Accessibility in Google Chrome on Windows prior to 148
Insufficient data validation in InterestGroups in Google Chrome prior to 148
Out of bounds write in Skia in Google Chrome prior to 148
Inappropriate implementation in ServiceWorker in Google Chrome prior to 148
Insufficient validation of untrusted input in Navigation in Google Chrome prior to 148
Inappropriate implementation in Companion in Google Chrome on Mac prior to 148
Insufficient policy enforcement in DevTools in Google Chrome prior to 148
Insufficient policy enforcement in DevTools in Google Chrome on Android prior to 148
Insufficient validation of untrusted input in Updater in Google Chrome on Windows prior to 148
Inappropriate implementation in Chromoting in Google Chrome on Windows prior to 148
Insufficient validation of untrusted input in Updater in Google Chrome on Mac prior to 148
A vulnerability in the web-based management interface of Cisco Unity Connection could allow an authenticated, remote attacker to execute arbitrary code on an affected device
OpenClaw is affected by a security vulnerability requiring immediate attention to prevent potential exploitation of the software environment.
The Betheme theme for WordPress is vulnerable to arbitrary file upload, which can allow attackers to execute malicious code on the server.
The Slider Revolution plugin for WordPress is vulnerable to Arbitrary File Upload in versions 7
In Eclipse BaSyx Java Server SDK versions prior to 2
The WP-Optimize â Cache, Compress images, Minify & Clean database to boost page speed & performance plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the unscheduled_original_file_deletion function in all versions up to, and including, 4
Redis is an in-memory data structure store
Redis is an in-memory data structure store
Vvveb before version 1
Vvveb before version 1
Redis is an in-memory data structure store
Vvveb before version 1
A heap buffer overflow in the MongoDB C Driver's Cyrus SASL integration allows for potential arbitrary code execution before authentication.
A remote code execution vulnerability exists in the Notification Settings of GeoVision GV-ASWeb 6.
A vulnerability was detected in D-Link DI-8100 16
The ping diagnostic handler in /bin/httpd_clientside for ALTICE LABS / SFR France GR140DG and GR140IG fibre CPE/Router/Gateway, inserts unsanitized user input into a system() call, allowing authenticated remote attackers to execute arbitrary commands as root via crafted destAddr parameters using shell command substitution
The traceroute diagnostic handler in /bin/httpd_clientside for ALTICE LABS / SFR France GR140DG and GR140IG fibre CPE/Router/Gateway, inserts unsanitized user input into a system() call, allowing authenticated remote attackers to execute arbitrary commands as root via crafted destAddr parameters using shell command substitution
HCL BigFix Service Management (SX) is affected by a Broken Access Control vulnerability leading to privilege escalation
Frappe Framework ERPNext 13
ERPGo SaaS 3
OpenClaw versions 2026
OpenClaw versions from 2026
OpenClaw before 2026
OpenClaw before 2026
HCL BigFix RunBookAI is affected by a command smuggling vulnerability due to unvalidated command input.
gopls by default communicates via pipe
NanoClaw contains a host/container filesystem boundary vulnerability in outbound attachment handling and outbox cleanup that allows a compromised or prompt-injected container to read files outside the intended outbox directory by supplying crafted messages_out
OpenClaw before 2026
OpenClaw before 2026
OpenClaw before 2026
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry
Math
OpenClaw before 2026
OpenClaw before 2026
OpenClaw before 2026
OpenClaw before 2026
Admidio is an open-source user management solution
Admidio is an open-source user management solution
In ProFTPD through 1
OpenClaw before 2026
OS command injection vulneravility in the management gui (maintenance utility) of Hitachi Virtual Storage Platform One Block 23, 24, 26 and 28
OpenClaw before 2026
OpenClaw before 2026
OpenClaw before 2026
OpenClaw versions 2026