Critical vulnerabilities, curated daily for security professionals
đ¯ SSCV Profile
See how vulnerabilities affect your specific environment
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework
Risk scores will be adjusted based on your selected environment
đ
Today's Security Brief
Yesterday's disclosures reveal 12 critical vulnerabilities concentrated across WordPress plugins, HP products, and NPM packages, alongside continued active exploitation of Google Chrome and Apple platforms. Critical CVE volume dropped 60% from the prior day (12 vs. 30), while 100 high-priority vulnerabilities held steady. Notable critical findings include CVE-2026-25366 (CVSS 9.9, HP code execution), CVE-2026-4484 (CVSS 9.8, WordPress), and CVE-2026-26830 (CVSS 9.8, pdf-image NPM package command injection). Attack patterns are dominated by remote code execution across web content management systems and supply chain risks in NPM dependencies. No patches are currently available for yesterday's disclosures, and 10 vulnerabilities have confirmed active exploitation targeting Google Chromium, Apple products, and Zimbra.
HP, WordPress plugins, and NPM packages account for the majority of critical-severity disclosures
12 critical CVEs disclosed, a 60% decrease from the prior day's 30
100 high-priority CVEs, unchanged from the previous day
Remote code execution dominates attack patterns, with supply chain risks in pdf-image and node-tesseract-ocr NPM packages (CVSS 9.8)
0% patch availability across all disclosed vulnerabilities â no vendor fixes released yet
10 actively exploited vulnerabilities include Google Chromium V8, Apple multiple products, and Langflow
Immediate action: Prioritize monitoring Google Chromium, Apple iOS/iPadOS, Zimbra, and Wing FTP Server environments where active exploitation is confirmed, and apply any out-of-band mitigations available from vendors. Review WordPress plugin deployments â especially JetFormBuilder, Green Downloads, and TotalPoll Lite â and consider disabling vulnerable plugins until patches are released, as no fixes are currently available for any of yesterday's critical disclosures.
đĄ Tip: Swipe CVE cards left to â star, right to â remove
Section Navigation
â ī¸
CISA Known Exploited Vulnerabilities
â ī¸ CISA KEVURGENT
CVE-2026-3910
9.5đ
GoogleChromium V8
â° Federal Deadline:March 26, 2026(1 days remaining)
Google Chrome versions prior to 146 feature an inappropriate implementation in the V8 JavaScript engine that is currently being exploited in the wild to achieve code execution.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2026-3909
9.5đ
GoogleSkia
â° Federal Deadline:March 26, 2026(1 days remaining)
Google Chrome versions prior to 146 contain an out-of-bounds write vulnerability in the Skia graphics engine, which is currently being exploited in the wild.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2025-47813
9.5
Wing FTP ServerWing FTP Server
â° Federal Deadline:March 29, 2026(4 days remaining)
Wing FTP Server Information Disclosure Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2025-66376
9.5
SynacorZimbra Collaboration Suite (ZCS)
â° Federal Deadline:March 31, 2026(6 days remaining)
Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-32432
9.5
Craft CMSCraft CMS
â° Federal Deadline:April 2, 2026(8 days remaining)
Craft CMS Code Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-54068
9.5
LaravelLivewire
â° Federal Deadline:April 2, 2026(8 days remaining)
Laravel Livewire Code Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-43510
9.5
AppleMultiple Products
â° Federal Deadline:April 2, 2026(8 days remaining)
Apple Multiple Products Improper Locking Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-43520
9.5
AppleMultiple Products
â° Federal Deadline:April 2, 2026(8 days remaining)
Apple Multiple Products Classic Buffer Overflow Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-31277
9.5
AppleMultiple Products
â° Federal Deadline:April 2, 2026(8 days remaining)
Apple Multiple Products Buffer Overflow Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2026-33017
9.5
LangflowLangflow
â° Federal Deadline:April 7, 2026(13 days remaining)
Langflow Code Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
đ¨
Critical Vulnerabilities
CVE-2026-28858
9.8đ
AppleiOS and iPadOS
A buffer overflow vulnerability in the kernel was addressed through improved bounds checking. Remote attackers may cause system termination or corrupt kernel memory.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-4484
9.8đ
WordPressis vulnerable
The Masteriyo LMS plugin for WordPress allows authenticated Student-level users to escalate their privileges to Administrator via the InstructorsController.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-25366
9.9đ
HPallows Code
The Woody ad snippets plugin for WordPress is vulnerable to code injection. Attackers can exploit the insert-php component to execute arbitrary code on the host server.
CVSS Base9.9
â
CRSSelect profile
CVE-2026-32539
9.3đ
HPPublishPress Revisions
PublishPress Revisions is vulnerable to Blind SQL Injection due to improper neutralization of special elements in SQL commands. This affects versions up to 3.7.23.
CVSS Base9.3
â
CRSSelect profile
CVE-2025-32991
9đ
N2WSBackup & Recovery
A two-step attack targeting the RESTful API in N2WS Backup & Recovery enables remote code execution. This critical flaw is resolved in version 4.4.0.
CVSS Base9
â
CRSSelect profile
CVE-2026-27044
9.9đ
TotalSuite TotalTotal Poll Lite
Total Poll Lite is vulnerable to Remote Code Inclusion (RCI) due to improper control of code generation. This affects versions up to and including 4.12.0.
CVSS Base9.9
â
CRSSelect profile
CVE-2026-32525
9.9đ
jetmonsters JetFormBuilderJetFormBuilder
JetFormBuilder is vulnerable to Code Injection due to improper control of code generation. This affects versions up to and including 3.5.6.1.
CVSS Base9.9
â
CRSSelect profile
CVE-2026-32536
9.9đ
halfdata GreenGreen Downloads
Green Downloads allows unrestricted upload of files with dangerous types, enabling the use of malicious files. This affects versions up to 2.08.
CVSS Base9.9
â
CRSSelect profile
CVE-2026-26830
9.8đ
pdf-image (NPM Package)pdf-image
The pdf-image npm package is vulnerable to OS command injection via the pdfFilePath parameter. This occurs due to improper interpolation of user paths into shell commands.
The node-tesseract-ocr npm package allows OS command injection in the recognize() function. File path parameters are concatenated into shell commands without proper sanitization.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-25447
9.1đ
Jonathan DaggerhartWidget Wrangler
Widget Wrangler is vulnerable to Code Injection due to improper control of code generation. This affects versions up to and including 2.3.9.
CVSS Base9.1
â
CRSSelect profile
CVE-2026-32573
9.1đ
Nelio SoftwareNelio AB Testing
Nelio AB Testing plugin for WordPress contains a code injection vulnerability. This allows remote attackers to execute arbitrary code by exploiting improper control of code generation.
CVSS Base9.1
â
CRSSelect profile
â ī¸
High Priority Updates
CVE-2026-20012
8.6đ
CiscoIOS Software
A vulnerability in Cisco's IKEv2 implementation allows unauthenticated remote attackers to cause a memory leak. This leak eventually leads to a Denial of Service (DoS) condition on the affected network device.
CVSS Base8.6
â
CRSSelect profile
CVE-2026-20084
8.6đ
CiscoIOS XE
A flaw in the DHCP snooping feature of Cisco IOS XE allows unauthenticated attackers to cause BOOTP packets to be forwarded between VLANs. This leads to a Denial of Service (DoS) condition.
CVSS Base8.6
â
CRSSelect profile
CVE-2026-20086
8.6
CiscoIOS XE
A vulnerability in the processing of Control and Provisioning of Wireless Access Points (CAPWAP) packets of Cisco IOS XE Wireless Controller Software for the Catalyst CW9800 Family could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device
CVSS Base8.6
â
CRSSelect profile
CVE-2026-20125
7.7
CiscoIOS Software
A vulnerability in the HTTP Server feature of Cisco IOS Software and Cisco IOS XE Software Release 3E could allow an authenticated, remote attacker to cause an affected device to reload unexpectedly, resulting in a denial of service (DoS) condition
CVSS Base7.7
â
CRSSelect profile
CVE-2019-25636
8.2đ Late Disclosure
HPwith malicious
Zeeways Jobsite CMS contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'id' GET parameter
CVSS Base8.2
â
CRSSelect profile
CVE-2019-25640
8.2đ Late Disclosure
HPto extract
Inout Article Base CMS contains SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries through the 'p' and 'u' parameters
CVSS Base8.2
â
CRSSelect profile
CVE-2019-25641
8.2đ Late Disclosure
HPwith malicious
Netartmedia Vlog System contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the email parameter
CVSS Base8.2
â
CRSSelect profile
CVE-2026-32531
8.1
HPProgram
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in gavias Kunco kunco allows PHP Local File Inclusion
CVSS Base8.1
â
CRSSelect profile
CVE-2026-24141
7.8
NVIDIAcontains
NVIDIA Model Optimizer for Windows and Linux contains a vulnerability in the ONNX quantization feature, where a user could cause unsafe deserialization by providing a specially crafted input file
CVSS Base7.8
â
CRSSelect profile
CVE-2024-58341
8.2đ Late Disclosure
OpenCartCore
OpenCart Core 4
CVSS Base8.2
â
CRSSelect profile
CVE-2026-24157
7.8
NVIDIANeMo Framework
NVIDIA NeMo Framework contains a vulnerability in checkpoint loading where an attacker could cause remote code execution
CVSS Base7.8
â
CRSSelect profile
CVE-2019-25635
8.2đ Late Disclosure
InforMultiple Products
Zeeways Matrimony CMS contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries through the profile_list endpoint
CVSS Base8.2
â
CRSSelect profile
CVE-2019-25639
8.2đ Late Disclosure
ArchMultiple Products
Matrimony Website Script M-Plus contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries by injecting SQL code through various POST parameters
CVSS Base8.2
â
CRSSelect profile
CVE-2026-4758
8.8
WordPressis vulnerable
The WP Job Portal plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'WPJOBPORTALcustomfields::removeFileCustom' function in all versions up to, and including, 2
CVSS Base8.8
â
CRSSelect profile
CVE-2026-2931
8.8
WordPressis vulnerable
The Amelia Booking plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 9
CVSS Base8.8
â
CRSSelect profile
CVE-2026-4840
8.8
NetcoreMultiple Products
A security flaw has been discovered in Netcore Power 15AX up to 3
CVSS Base8.8
â
CRSSelect profile
CVE-2026-27654
8.2
NginxOpen Source
NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_dav_module module that might allow an attacker to trigger a buffer overflow to the NGINX worker process; this vulnerability may result in termination of the NGINX worker process or modification of source or destination file names outside the document root
CVSS Base8.2
â
CRSSelect profile
CVE-2019-25630
8.8đ Late Disclosure
HPfiles through
PhreeBooks ERP 5
CVSS Base8.8
â
CRSSelect profile
CVE-2019-25647
8.8đ Late Disclosure
HPfiles by
PhreeBooks ERP 5
CVSS Base8.8
â
CRSSelect profile
CVE-2026-26306
7.8
UnknownMultiple Products
The installer for OM Workspace (Windows Edition) Ver 2
CVSS Base7.8
â
CRSSelect profile
CVE-2026-28760
7.8
MonitoringMultiple Products
The installer of RATOC RAID Monitoring Manager for Windows searches the current directory to load certain DLLs
CVSS Base7.8
â
CRSSelect profile
CVE-2026-32680
7.8
MonitoringMultiple Products
The installer of RATOC RAID Monitoring Manager for Windows allows to customize the installation folder
CVSS Base7.8
â
CRSSelect profile
CVE-2019-25643
8.2đ Late Disclosure
HPwith crafted
eNdonesia Portal v8
CVSS Base8.2
â
CRSSelect profile
CVE-2026-27784
7.8
NginxOpen Source
The 32-bit implementation of NGINX Open Source has a vulnerability in the ngx_http_mp4_module module, which might allow an attacker to over-read or over-write NGINX worker memory resulting in its termination, using a specially crafted MP4 file
CVSS Base7.8
â
CRSSelect profile
CVE-2026-32647
7.8
NginxOpen Source
NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module module, which might allow an attacker to trigger a buffer over-read or over-write to the NGINX worker memory resulting in its termination or possibly code execution, using a specially crafted MP4 file
CVSS Base7.8
â
CRSSelect profile
CVE-2026-24150
7.8
NVIDIAMegatron
NVIDIA Megatron-LM contains a vulnerability in checkpoint loading where an Attacker may cause an RCE by convincing a user to load a maliciously crafted file
CVSS Base7.8
â
CRSSelect profile
CVE-2026-24152
7.8
NVIDIAMegatron
NVIDIA Megatron-LM contains a vulnerability in checkpoint loading where an Attacker may cause an RCE by convincing a user to load a maliciously crafted file
CVSS Base7.8
â
CRSSelect profile
CVE-2026-33399
7.7
HPexecutes
Wallos is an open-source, self-hostable personal subscription tracker
CVSS Base7.7
â
CRSSelect profile
CVE-2019-25642
8.2đ Late Disclosure
HPMultiple Products
Bootstrapy CMS contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through POST parameters
CVSS Base8.2
â
CRSSelect profile
CVE-2026-29839
8.8
HPMultiple Products
DedeCMS v5
CVSS Base8.8
â
CRSSelect profile
CVE-2025-33247
7.8
NVIDIAMegatron LM
NVIDIA Megatron LM contains a vulnerability in quantization configuration loading, which could allow remote code execution
CVSS Base7.8
â
CRSSelect profile
CVE-2026-24159
7.8
NVIDIANeMo Framework
NVIDIA NeMo Framework contains a vulnerability where an attacker may cause remote code execution
CVSS Base7.8
â
CRSSelect profile
CVE-2026-34055
8.1
HPMultiple Products
OpenEMR is a free and open source electronic health records and medical practice management application
CVSS Base8.1
â
CRSSelect profile
CVE-2026-33918
7.6
HPMultiple Products
OpenEMR is a free and open source electronic health records and medical practice management application
CVSS Base7.6
â
CRSSelect profile
CVE-2024-51348
8.8đ Late Disclosure
withMultiple Products
A stack-based buffer overflow vulnerability in the P2P API service in BS Producten Petcam with firmware 33
CVSS Base8.8
â
CRSSelect profile
CVE-2026-30976
8.6
Linuxare unaffected
Sonarr is a PVR for Usenet and BitTorrent users
CVSS Base8.6
â
CRSSelect profile
CVE-2026-3857
8.1
versionshas remediated
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17
CVSS Base8.1
â
CRSSelect profile
CVE-2026-29187
8.1
Archfunctionality
OpenEMR is a free and open source electronic health records and medical practice management application
CVSS Base8.1
â
CRSSelect profile
CVE-2026-25001
8.5
Saad Iqbal PostMultiple Products
Improper Control of Generation of Code ('Code Injection') vulnerability in Saad Iqbal Post Snippets post-snippets allows Remote Code Inclusion
CVSS Base8.5
â
CRSSelect profile
CVE-2025-33248
7.8
NVIDIAMegatron
NVIDIA Megatron-LM contains a vulnerability in the hybrid conversion script where an Attacker may cause an RCE by convincing a user to load a maliciously crafted file
CVSS Base7.8
â
CRSSelect profile
CVE-2026-24151
7.8
NVIDIAMegatron
NVIDIA Megatron-LM contains a vulnerability in inferencing where an Attacker may cause an RCE by convincing a user to load a maliciously crafted input
CVSS Base7.8
â
CRSSelect profile
CVE-2026-33331
8.2
UnknownMultiple Products
oRPC is an tool that helps build APIs that are end-to-end type-safe and adhere to OpenAPI standards
CVSS Base8.2
â
CRSSelect profile
CVE-2026-2995
7.7
versionshas remediated
GitLab has remediated an issue in GitLab EE affecting all versions from 15
CVSS Base7.7
â
CRSSelect profile
CVE-2026-4722
8.8
PrivilegeMultiple Products
Privilege escalation in the IPC component
CVSS Base8.8
â
CRSSelect profile
CVE-2026-32513
8.8
Miguel Useche JSMultiple Products
Deserialization of Untrusted Data vulnerability in Miguel Useche JS Archive List jquery-archive-list-widget allows Object Injection
CVSS Base8.8
â
CRSSelect profile
CVE-2026-32534
8.5
JoomSky JS Help DeskMultiple Products
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in JoomSky JS Help Desk js-support-ticket allows Blind SQL Injection
CVSS Base8.5
â
CRSSelect profile
CVE-2026-33310
8.8
UnknownMultiple Products
Intake is a package for finding, investigating, loading and disseminating data
CVSS Base8.8
â
CRSSelect profile
CVE-2026-22559
8.8
NetworkMultiple Products
An Improper Input Validation vulnerability in UniFi Network Server may allow unauthorized access to an account if the account owner is socially engineered into clicking a malicious link
CVSS Base8.8
â
CRSSelect profile
CVE-2026-20631
8.8
UnknownMultiple Products
A logic issue was addressed with improved checks
CVSS Base8.8
â
CRSSelect profile
CVE-2026-23514
8.8
UnknownMultiple Products
Kiteworks is a private data network (PDN)
CVSS Base8.8
â
CRSSelect profile
CVE-2026-33917
8.8
ajaxMultiple Products
OpenEMR is a free and open source electronic health records and medical practice management application
CVSS Base8.8
â
CRSSelect profile
CVE-2026-33348
8.7
functionMultiple Products
OpenEMR is a free and open source electronic health records and medical practice management application
CVSS Base8.7
â
CRSSelect profile
CVE-2026-4687
8.6
SandboxMultiple Products
Sandbox escape due to incorrect boundary conditions in the Telemetry component
CVSS Base8.6
â
CRSSelect profile
CVE-2026-4690
8.6
SandboxMultiple Products
Sandbox escape due to incorrect boundary conditions, integer overflow in the XPCOM component
CVSS Base8.6
â
CRSSelect profile
CVE-2026-33216
8.6
PerformanceMultiple Products
NATS-Server is a High-Performance server for NATS
CVSS Base8.6
â
CRSSelect profile
CVE-2019-25626
8.4đ Late Disclosure
CamMultiple Products
River Past Cam Do 3
CVSS Base8.4
â
CRSSelect profile
CVE-2019-25627
8.4đ Late Disclosure
StreamMultiple Products
FlexHEX 2
CVSS Base8.4
â
CRSSelect profile
CVE-2019-25629
8.4đ Late Disclosure
loggingMultiple Products
AIDA64 Extreme 5
CVSS Base8.4
â
CRSSelect profile
CVE-2019-25631
8.4đ Late Disclosure
UnknownMultiple Products
AIDA64 Business 5
CVSS Base8.4
â
CRSSelect profile
CVE-2019-25633
8.4đ Late Disclosure
UnknownMultiple Products
AIDA64 Extreme 5
CVSS Base8.4
â
CRSSelect profile
CVE-2019-25634
8.4đ Late Disclosure
UnknownMultiple Products
Base64 Decoder 1
CVSS Base8.4
â
CRSSelect profile
CVE-2019-25637
8.4đ Late Disclosure
NetStatMultiple Products
X-NetStat Pro 5
CVSS Base8.4
â
CRSSelect profile
CVE-2026-2072
8.2
HitachiMultiple Products
Cross-Site Scripting vulnerability in Hitachi Infrastructure Analytics Advisor (Analytics probe component), Hitachi Ops Center Analyzer
CVSS Base8.2
â
CRSSelect profile
CVE-2026-4718
8.1
SignalMultiple Products
Undefined behavior in the WebRTC: Signaling component
CVSS Base8.1
â
CRSSelect profile
CVE-2026-33316
8.1
UnknownMultiple Products
Vikunja is an open-source self-hosted task management platform
CVSS Base8.1
â
CRSSelect profile
CVE-2026-33678
8.1
UnknownMultiple Products
Vikunja is an open-source self-hosted task management platform
CVSS Base8.1
â
CRSSelect profile
CVE-2026-32853
8.1
LibVNCServerMultiple Products
LibVNCServer versions 0
CVSS Base8.1
â
CRSSelect profile
CVE-2026-33329
8.1
fileMultiple Products
FileRise is a self-hosted web file manager / WebDAV server
CVSS Base8.1
â
CRSSelect profile
CVE-2026-33344
8.1
workflowMultiple Products
Dagu is a workflow engine with a built-in Web user interface
CVSS Base8.1
â
CRSSelect profile
CVE-2026-28817
8.1
UnknownMultiple Products
A race condition was addressed with improved state handling
CVSS Base8.1
â
CRSSelect profile
CVE-2026-28891
8.1
UnknownMultiple Products
A race condition was addressed with additional validation
CVSS Base8.1
â
CRSSelect profile
CVE-2026-30975
8.1
UnknownMultiple Products
Sonarr is a PVR for Usenet and BitTorrent users
CVSS Base8.1
â
CRSSelect profile
CVE-2026-4775
7.8
the putcontig8bitYCbCr44tileMultiple Products
A flaw was found in the libtiff library
CVSS Base7.8
â
CRSSelect profile
CVE-2026-1995
7.8đ
AMDid_service
A vulnerability exists in IDriveâs id_service component. The flaw could allow for unauthorized actions or service disruption depending on the specific implementation of the service.
CVSS Base7.8
â
CRSSelect profile
CVE-2024-51346
7.7đ Late Disclosure
EufyMultiple Products
An issue in Eufy Homebase 2 version 3
CVSS Base7.7
â
CRSSelect profile
CVE-2026-33913
7.7
UnknownMultiple Products
OpenEMR is a free and open source electronic health records and medical practice management application
CVSS Base7.7
â
CRSSelect profile
CVE-2026-34056
7.7
SUSEMultiple Products
OpenEMR is a free and open source electronic health records and medical practice management application
CVSS Base7.7
â
CRSSelect profile
CVE-2026-24750
7.6
UnknownMultiple Products
Kiteworks is a private data network (PDN)
CVSS Base7.6
â
CRSSelect profile
CVE-2026-33932
7.6
CCDAMultiple Products
OpenEMR is a free and open source electronic health records and medical practice management application
CVSS Base7.6
â
CRSSelect profile
CVE-2026-4684
7.5
RaceMultiple Products
Race condition, use-after-free in the Graphics: WebRender component
CVSS Base7.5
â
CRSSelect profile
CVE-2026-4685
7.5
IncorrectMultiple Products
Incorrect boundary conditions in the Graphics: Canvas2D component
CVSS Base7.5
â
CRSSelect profile
CVE-2026-4686
7.5
IncorrectMultiple Products
Incorrect boundary conditions in the Graphics: Canvas2D component
CVSS Base7.5
â
CRSSelect profile
CVE-2026-4693
7.5
IncorrectMultiple Products
Incorrect boundary conditions in the Audio/Video: Playback component
CVSS Base7.5
â
CRSSelect profile
CVE-2026-4694
7.5
IncorrectMultiple Products
Incorrect boundary conditions, integer overflow in the Graphics component
CVSS Base7.5
â
CRSSelect profile
CVE-2026-4695
7.5
IncorrectMultiple Products
Incorrect boundary conditions in the Audio/Video: Web Codecs component
CVSS Base7.5
â
CRSSelect profile
CVE-2026-4697
7.5
IncorrectMultiple Products
Incorrect boundary conditions in the Audio/Video: Web Codecs component
CVSS Base7.5
â
CRSSelect profile
CVE-2026-4699
7.5
IncorrectMultiple Products
Incorrect boundary conditions in the Layout: Text and Fonts component
CVSS Base7.5
â
CRSSelect profile
CVE-2026-4704
7.5
SignalMultiple Products
Denial-of-service in the WebRTC: Signaling component
CVSS Base7.5
â
CRSSelect profile
CVE-2026-4706
7.5
IncorrectMultiple Products
Incorrect boundary conditions in the Graphics: Canvas2D component
CVSS Base7.5
â
CRSSelect profile
CVE-2026-4707
7.5
IncorrectMultiple Products
Incorrect boundary conditions in the Graphics: Canvas2D component
CVSS Base7.5
â
CRSSelect profile
CVE-2026-4708
7.5
IncorrectMultiple Products
Incorrect boundary conditions in the Graphics component
CVSS Base7.5
â
CRSSelect profile
CVE-2026-4709
7.5
IncorrectMultiple Products
Incorrect boundary conditions in the Audio/Video: GMP component
CVSS Base7.5
â
CRSSelect profile
CVE-2026-4712
7.5
InforMultiple Products
Information disclosure in the Widget: Cocoa component
CVSS Base7.5
â
CRSSelect profile
CVE-2026-4713
7.5
IncorrectMultiple Products
Incorrect boundary conditions in the Graphics component
CVSS Base7.5
â
CRSSelect profile
CVE-2026-4714
7.5
IncorrectMultiple Products
Incorrect boundary conditions in the Audio/Video component
CVSS Base7.5
â
CRSSelect profile
CVE-2026-4719
7.5
IncorrectMultiple Products
Incorrect boundary conditions in the Graphics: Text component
CVSS Base7.5
â
CRSSelect profile
CVE-2026-4726
7.5
UnknownMultiple Products
Denial-of-service in the XML component
CVSS Base7.5
â
CRSSelect profile
CVE-2026-4727
7.5
UnknownMultiple Products
Denial-of-service in the Libraries component in NSS
CVSS Base7.5
â
CRSSelect profile
CVE-2026-33418
7.5
UnknownMultiple Products
DiceBear is an avatar library for designers and developers
CVSS Base7.5
â
CRSSelect profile
CVE-2026-33484
7.5
UnknownMultiple Products
Langflow is a tool for building and deploying AI-powered agents and workflows