🚨 CVE-2026-5867
Heap buffer overflow in WebML in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)
@cveNotify
Chrome Releases
Stable Channel Update for Desktop
The Chrome team is delighted to announce the promotion of Chrome 147 to the stable channel for Windows, Mac and Linux. This will roll out ...
🚨 CVE-2026-6068
NASM contains a heap use after free vulnerability in response file (-@) processing where a dangling pointer to freed memory is stored in the global depend_file and later dereferenced, as the response-file buffer is freed before the pointer is used, allowing for data corruption or remote code execution.
@cveNotify
GitHub
NASM heap-use-after-free in -@ response file parsing via dangling depend_file · Issue #222 · netwide-assembler/nasm
Summary NASM has a reproducible heap-use-after-free in the -@ response file parsing path. A pointer derived from the response-file buffer is stored into global depend_file at asm/nasm.c:1157, the b...
🚨 CVE-2026-32202
Protection mechanism failure in Windows Shell allows an unauthorized attacker to perform spoofing over a network.
@cveNotify
🚨 CVE-2026-40864
JupyterHub is software that allows users to create a multi-user server for Jupyter notebooks. In versions 4.1.0 through 5.4.4, XSRF protection (updated in 4.1.0) inappropriately treated requests with Sec-Fetch-Mode: no-cors as same-origin requests, bypassing XSRF checks. The JSON API is not affected, only HTTP form endpoints, such as /hub/spawn and /hub/accept-share, meaning attackers could trigger server spawn (but not access the server) and if the attacker is a JupyterHub user permitted to share access to their server, cause a user to accept a share and have access to the attacker's server. This issue has been fixed in version 5.4.5. If developers are unable to immediately upgrade, they can temporarily mitigate this issue by dropping requests to JupyterHub with Sec-Fetch-Mode: no-cors if they are using a reverse proxy.
@cveNotify
GitHub
don't skip xsrf check for no-cors · jupyterhub/jupyterhub@9c5ec27
Multi-user server for Jupyter notebooks. Contribute to jupyterhub/jupyterhub development by creating an account on GitHub.
🚨 CVE-2026-41069
libheif is a HEIF and AVIF file format decoder and encoder. In versions 1.21.2 and prior, a malformed HEIF sequence file can trigger an out-of-bounds read in core sequence parsing logic, causing DoS. A malformed file can have stco.entry_count == 0 (creating no chunks) while still passing validation because saio.entry_count == 0 matches, but with saiz.sample_count > 0 the SampleAuxInfoReader constructor still enters its loop. This leads to an out-of-bounds dereference on the empty chunks[0] in chunked mode.
@cveNotify
GitHub
Release v1.22.0 - generic image components, ISO/IEC 23001-17 (lossless images) rewrite · strukturag/libheif
This is a large release with substantial new functionality, mainly with generalized image formats (e.g., multi-spectral images) and a reworked implementation of ISO/IEC 23001-17 (lossless image cod...
🚨 CVE-2026-48898
An improper access check allows privilege escalation through the com_users batch task.
@cveNotify
Joomla! Developer Network™
Joomla! Developer Network
The Flexible Platform Empowering Website Creators
🚨 CVE-2026-48899
An improper access check allows privilege escalation through the com_users batch task.
@cveNotify
Joomla! Developer Network™
Joomla! Developer Network
The Flexible Platform Empowering Website Creators
🚨 CVE-2026-48900
An improper access check allowed low privileged users to edit the task types of existing scheduler tasks.
@cveNotify
Joomla! Developer Network™
Joomla! Developer Network
The Flexible Platform Empowering Website Creators
🚨 CVE-2026-48903
Inadequate content filtering within the checkAttribute methods leads to XSS vulnerabilities in various components.
@cveNotify
Joomla! Developer Network™
Joomla! Developer Network
The Flexible Platform Empowering Website Creators
🚨 CVE-2026-48904
An improper access check allows privilege escalation through the com_users group editing webservice endpoint.
@cveNotify
Joomla! Developer Network™
Joomla! Developer Network
The Flexible Platform Empowering Website Creators
🚨 CVE-2026-48905
Lack of input filtering leads to an XSS vector in the HTML filter code.
@cveNotify
Joomla! Developer Network™
Joomla! Developer Network
The Flexible Platform Empowering Website Creators
🚨 CVE-2026-46745
Apache Airflow FAB Auth Manager contains an LDAP filter injection vulnerability (CWE-90) that allows unauthenticated attackers to exfiltrate directory data or bypass authentication. Upgrade to apache-airflow-providers-fab 3.6.4 or later. If immediate upgrade is not possible, disable LDAP authentication until the provider can be updated.
@cveNotify
GitHub
fix: the ldap authentication handler in the flask-ap... in override.py by orbisai0security · Pull Request #66417 · apache/airflow
Summary
Fix critical severity security issue in providers/fab/src/airflow/providers/fab/auth_manager/security_manager/override.py.
Vulnerability
Field | Value
ID | V-001
Severity | CRITICAL
Sc...
🚨 CVE-2026-9078
Firefox for iOS displayed specially crafted right-to-left (RTL) and internationalized domain names (IDNs) incorrectly in link preview UI surfaces. A crafted RTL hostname could visually reorder portions of the displayed domain, causing attacker-controlled sites to appear as trusted origins. This vulnerability was fixed in Firefox for iOS 151.1.
@cveNotify
bugzilla.mozilla.org
Access Denied
You are not authorized to access bug 2029371. To see this bug, you must
first log in to an account with the appropriate permissions.
🚨 CVE-2026-42797
Exposure of Sensitive Information Through Data Queries vulnerability in Apache Syncope.
An administrator with adequate entitlements for Derived Schemas can create a malicious JEXL expression which allows any administrator with sufficient entitlements for User read to access User-related security-sensitive information.
This issue affects Apache Syncope: 3.0 through 3.0.16, 4.0 through 4.0.5, 4.1.0.
Users are recommended to upgrade to version 4.0.6 / 4.1.1, which fix this issue by further restricting the JEXL expression definition.
@cveNotify
🚨 CVE-2026-38587
An Insecure Direct Object Reference (IDOR) vulnerability was discovered in ONLYOFFICE DocSpace before 3.2.1. The flaw exists in multiple REST API endpoints. This allows authenticated users with low-level permissions (User or Guest) to retrieve sensitive information, such as the Owner's unique identifier (ID) and profile information, which should only be accessible to administrators.
@cveNotify
GitHub
DocSpace/CHANGELOG.md at master · ONLYOFFICE/DocSpace
ONLYOFFICE DocSpace is a room-based collaborative platform which allows organizing a clear file structure depending on users' needs or project goals. Flexible access permissions and user ro...
🚨 CVE-2026-48683
FastNetMon Community Edition through 1.2.9 contains an out-of-bounds read vulnerability in the NetFlow v9 data flowset processor. In src/netflow_plugin/netflow_v9_collector.cpp, the Data template branch (lines 1695-1702) iterates over flow records without performing a per-iteration bounds check against the packet end pointer. In contrast, the Options template branch (lines 1709-1719) correctly checks 'if (pkt + offset + field_template->total_length > packet_end)' before each iteration. The Data branch omits this check entirely. Since template definitions are sent by the network peer (and are unauthenticated UDP), an attacker can craft templates that cause the parser to read arbitrary memory past the packet buffer. This can leak sensitive memory contents or cause a crash.
@cveNotify
GitHub
GitHub - pavel-odintsov/fastnetmon: Very fast DDoS sensor with sFlow/Netflow/IPFIX/SPAN support
Very fast DDoS sensor with sFlow/Netflow/IPFIX/SPAN support - pavel-odintsov/fastnetmon
🚨 CVE-2026-48684
FastNetMon Community Edition through 1.2.9 contains an out-of-bounds read in the NetFlow v9 options template parser. In process_netflow_v9_options_template() (src/netflow_plugin/netflow_v9_collector.cpp), the scope parsing loop (lines 224-229) iterates until scopes_offset reaches the attacker-controlled option_scope_length value, reading netflow9_template_flowset_record_t structures at each step. No bounds check validates that (zone_address + scopes_offset + sizeof(record)) stays within the flowset. The same issue affects the options field loop (lines 241-257) with option_length. Furthermore, option_scope_length is not validated to be a multiple of sizeof(netflow9_template_flowset_record_t), potentially causing misaligned reads. An attacker can trigger reads past the end of the UDP packet buffer.
@cveNotify
GitHub
GitHub - pavel-odintsov/fastnetmon: Very fast DDoS sensor with sFlow/Netflow/IPFIX/SPAN support
Very fast DDoS sensor with sFlow/Netflow/IPFIX/SPAN support - pavel-odintsov/fastnetmon
🚨 CVE-2026-48685
FastNetMon Community Edition through 1.2.9 has out-of-bounds memory access because it incorrectly parses BGP path attributes with the extended length flag set. In src/bgp_protocol.hpp, the parse_raw_bgp_attribute() function correctly identifies when extended_length_bit is set and sets length_of_length_field to 2, but then reads only a single byte for the attribute value length (attribute_value_length = value[2] at line 173). Per RFC 4271 Section 4.3, when the Extended Length bit is set, the Attribute Length field is two octets and the value should be read as a 16-bit big-endian integer from value[2] and value[3]. As a result, any attribute longer than 255 bytes has its length silently truncated to the low byte (e.g., 300 bytes = 0x012C is read as 0x2C = 44 bytes). The remaining 256 bytes are then misinterpreted as subsequent attributes, causing cascading parse failures and potential out-of-bounds memory access.
@cveNotify
GitHub
GitHub - pavel-odintsov/fastnetmon: Very fast DDoS sensor with sFlow/Netflow/IPFIX/SPAN support
Very fast DDoS sensor with sFlow/Netflow/IPFIX/SPAN support - pavel-odintsov/fastnetmon
🚨 CVE-2025-43357
This issue was addressed with improved redaction of sensitive information. This issue is fixed in iOS 18.7 and iPadOS 18.7, iOS 26 and iPadOS 26, macOS Sequoia 15.7, macOS Sonoma 14.8, macOS Tahoe 26. An app may be able to fingerprint the user.
@cveNotify
Apple Support
About the security content of iOS 26 and iPadOS 26 - Apple Support
This document describes the security content of iOS 26 and iPadOS 26.