CVE Notify
Alert on the latest CVEs

Partner channel: @malwr
🚨 CVE-2026-11108
Inappropriate implementation in NFC in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to perform privilege escalation via a crafted HTML page. (Chromium security severity: Medium)

🎖@cveNotify
🚨 CVE-2026-11115
Use after free in Updater in Google Chrome on Windows prior to 149.0.7827.53 allowed a local attacker to perform OS-level privilege escalation via a malicious file. (Chromium security severity: Medium)

🎖@cveNotify
🚨 CVE-2026-11116
Use after free in Chromoting in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code via malicious network traffic. (Chromium security severity: Medium)

🎖@cveNotify
🚨 CVE-2026-11119
Inappropriate implementation in GPU in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)

🎖@cveNotify
🚨 CVE-2026-11129
Inappropriate implementation in Extensions in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)

🎖@cveNotify
🚨 CVE-2026-11131
Use after free in Autofill in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)

🎖@cveNotify
🚨 CVE-2026-11132
Insufficient policy enforcement in Paint in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Medium)

🎖@cveNotify
🚨 CVE-2025-2812
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mydata Informatics Ticket Sales Automation allows Blind SQL Injection.

This issue affects Ticket Sales Automation: before 03.04.2025 (DD.MM.YYYY).

🎖@cveNotify
🚨 CVE-2025-2421
Improper Control of Generation of Code ('Code Injection') vulnerability in Profelis Informatics SambaBox allows Code Injection.

This issue affects SambaBox: before 5.1.

🎖@cveNotify
🚨 CVE-2025-2488
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Profelis Informatics SambaBox allows Cross-Site Scripting (XSS).

This issue affects SambaBox: before 5.1.

🎖@cveNotify
🚨 CVE-2025-2414
Improper Restriction of Excessive Authentication Attempts vulnerability in Akinsoft OctoCloud allows Authentication Bypass.

This issue affects OctoCloud: from s1.09.03 before v1.11.01.

🎖@cveNotify
🚨 CVE-2025-2415
Improper Restriction of Excessive Authentication Attempts vulnerability in Akinsoft MyRezzta allows Authentication Bypass.

This issue affects MyRezzta: from s2.03.01 before v2.05.01.

🎖@cveNotify
🚨 CVE-2025-2416
Improper Restriction of Excessive Authentication Attempts vulnerability in Akinsoft LimonDesk allows Authentication Bypass.

This issue affects LimonDesk: from s1.02.14 before v1.02.17.

🎖@cveNotify
🚨 CVE-2025-1035
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Komtera Technologies KLog Server allows Manipulating Web Input to File System Calls.

This issue affects KLog Server: before 3.1.1.

🎖@cveNotify
🚨 CVE-2025-0545
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Tekrom Technology T-Soft E-Commerce allows Cross-Site Scripting (XSS).

This issue affects T-Soft E-Commerce: before v5.

🎖@cveNotify
🚨 CVE-2025-0877
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in AtaksAPP Reservation Management System allows Cross-Site Scripting (XSS).

This issue affects Reservation Management System: before 4.2.3.

🎖@cveNotify
🚨 CVE-2025-2311
Incorrect Use of Privileged APIs, Cleartext Transmission of Sensitive Information, Insufficiently Protected Credentials vulnerability in Sechard Information Technologies SecHard allows Authentication Bypass, Interface Manipulation, Authentication Abuse, Harvesting Information via API Event Monitoring.

This issue affects SecHard: before 3.3.0.20220411.

🎖@cveNotify
🚨 CVE-2025-1496
Improper Restriction of Excessive Authentication Attempts vulnerability in BG-TEK Coslat Hotspot allows Password Brute Forcing, Authentication Abuse.

This issue affects Coslat Hotspot: before 6.26.0.R.20250227.

🎖@cveNotify
🚨 CVE-2026-10725
Protocol::HTTP2 versions through 1.12 for Perl are vulnerable to an HTTP/2 bomb.

Protocol::HTTP2's inbound HPACK path has no header-list size limit, so a small HTTP/2 request can expand into large server memory (the "HTTP/2 bomb").

The headers_decode method materialises a full key+value copy per indexed reference with no running size check, and the stream_header_block_add method appends (since version 1.12) every CONTINUATION frame to the per-stream buffer unbounded.

MAX_HEADER_LIST_SIZE (default 65536) is advertised in SETTINGS but never consulted on decode. It is absent from the decoder and from the :limits export tag.

🎖@cveNotify
🚨 CVE-2026-11406
A vulnerability was determined in GL.iNet MT3000 up to 4.4.5. This vulnerability affects unknown code of the file ovpnclient.sh of the component OpenVPN Client Import Workflow. This manipulation causes command injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. Upgrading to version 4.9.0_beta3-1012-0513-1778656146 is able to resolve this issue. You should upgrade the affected component. The vendor confirms: "This issue has been addressed by implementing malicious checks on OpenVPN configuration files to prevent command injection attacks carried through malicious configuration files."

🎖@cveNotify