๐จ CVE-2026-57757
Unauthenticated Cross Site Request Forgery (CSRF) in pCloud WP Backup <= 2.0.2 versions.
๐@cveNotify
Unauthenticated Cross Site Request Forgery (CSRF) in pCloud WP Backup <= 2.0.2 versions.
๐@cveNotify
Patchstack
Cross Site Request Forgery (CSRF) in WordPress pCloud WP Backup Plugin
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
๐จ CVE-2026-57758
Unauthenticated Cross Site Request Forgery (CSRF) in Permalink Manager for WooCommerce <= 1.0.8.2 versions.
๐@cveNotify
Unauthenticated Cross Site Request Forgery (CSRF) in Permalink Manager for WooCommerce <= 1.0.8.2 versions.
๐@cveNotify
Patchstack
Cross Site Request Forgery (CSRF) in WordPress Permalink Manager for WooCommerce Plugin
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
๐จ CVE-2026-57759
Unauthenticated Cross Site Request Forgery (CSRF) in ProfileGrid <= 5.9.9.7 versions.
๐@cveNotify
Unauthenticated Cross Site Request Forgery (CSRF) in ProfileGrid <= 5.9.9.7 versions.
๐@cveNotify
Patchstack
Cross Site Request Forgery (CSRF) in WordPress ProfileGrid Plugin
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
๐จ CVE-2026-57760
Missing Authorization vulnerability in Sendcloud Sendcloud Shipping allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects Sendcloud Shipping: from n/a through 1.0.29.
๐@cveNotify
Missing Authorization vulnerability in Sendcloud Sendcloud Shipping allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects Sendcloud Shipping: from n/a through 1.0.29.
๐@cveNotify
Patchstack
Broken Access Control in WordPress Sendcloud Shipping Plugin
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
๐จ CVE-2026-57761
Unauthenticated Cross Site Request Forgery (CSRF) in SEOWP <= 3.12.2 versions.
๐@cveNotify
Unauthenticated Cross Site Request Forgery (CSRF) in SEOWP <= 3.12.2 versions.
๐@cveNotify
Patchstack
Cross Site Request Forgery (CSRF) in WordPress SEOWP Theme
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
๐จ CVE-2026-57763
Contributor Cross Site Scripting (XSS) in Structured Content <= 1.7.0 versions.
๐@cveNotify
Contributor Cross Site Scripting (XSS) in Structured Content <= 1.7.0 versions.
๐@cveNotify
Patchstack
Cross Site Scripting (XSS) in WordPress Structured Content Plugin
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
๐จ CVE-2026-57764
Contributor Cross Site Scripting (XSS) in Surbma | Yoast SEO Breadcrumb Shortcode <= 1.2 versions.
๐@cveNotify
Contributor Cross Site Scripting (XSS) in Surbma | Yoast SEO Breadcrumb Shortcode <= 1.2 versions.
๐@cveNotify
Patchstack
Cross Site Scripting (XSS) in WordPress Surbma | Yoast SEO Breadcrumb Shortcode Plugin
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
๐จ CVE-2026-57920
Peplink InControl 2 through 2.14.2 before 2026-06-03 allows use of a semicolon to bypass access-control rules for certain /rest/o/{orgId} endpoints.
๐@cveNotify
Peplink InControl 2 through 2.14.2 before 2026-06-03 allows use of a semicolon to bypass access-control rules for certain /rest/o/{orgId} endpoints.
๐@cveNotify
๐จ CVE-2026-12411
Broken Access Control in the devLXDInstancePatchHandler component of Canonical LXD allows an untrusted guest to mount, read, and overwrite another guest's custom storage volume via a crafted device PATCH request over /dev/lxd when security.devlxd.management.volumes is enabled.
๐@cveNotify
Broken Access Control in the devLXDInstancePatchHandler component of Canonical LXD allows an untrusted guest to mount, read, and overwrite another guest's custom storage volume via a crafted device PATCH request over /dev/lxd when security.devlxd.management.volumes is enabled.
๐@cveNotify
GitHub
Security fixes from the 6.9 release by tomponline ยท Pull Request #18585 ยท canonical/lxd
Covers fixes for:
GHSA-qx75-2p3r-pwm5
GHSA-7mr3-28h5-m5vx
GHSA-47w9-6r3f-938g
GHSA-9j25-mm2h-2f76
GHSA-jpf8-86f3-wp38
GHSA-vghh-5rfx-xhq8
GHSA-fmc8-p6q7-75cc
GHSA-pjff-c2wc-f6jm
GHSA-hhf9-qw4v-72xp
GHSA-qx75-2p3r-pwm5
GHSA-7mr3-28h5-m5vx
GHSA-47w9-6r3f-938g
GHSA-9j25-mm2h-2f76
GHSA-jpf8-86f3-wp38
GHSA-vghh-5rfx-xhq8
GHSA-fmc8-p6q7-75cc
GHSA-pjff-c2wc-f6jm
GHSA-hhf9-qw4v-72xp
๐จ CVE-2026-47214
Docling simplifies document processing by parsing diverse formats and providing integrations with the generative AI ecosystem. Prior to 2.94.0, the HTML backend has unsafe URI and path handling. This vulnerability is fixed in 2.94.0.
๐@cveNotify
Docling simplifies document processing by parsing diverse formats and providing integrations with the generative AI ecosystem. Prior to 2.94.0, the HTML backend has unsafe URI and path handling. This vulnerability is fixed in 2.94.0.
๐@cveNotify
GitHub
Release v2.94.0 ยท docling-project/docling
Feature
latex: Add optional Tectonic TikZ rendering (#3369) (eceedc2)
Add image_placeholder and use_markdown_images as fields in the BaseChunkerOptions (#3436) (5fadc6d)
extraction: Add Granite Vi...
latex: Add optional Tectonic TikZ rendering (#3369) (eceedc2)
Add image_placeholder and use_markdown_images as fields in the BaseChunkerOptions (#3436) (5fadc6d)
extraction: Add Granite Vi...
๐จ CVE-2026-9639
Nil-pointer dereference in CreateCustomVolumeFromBackup in LXD up to version 6.8 and 5.21 on Linux allows an authenticated user with can_create_storage_volumes permissions to cause a denial of service via a specially crafted custom-volume backup tarball that omits the expires_at snapshot field.
๐@cveNotify
Nil-pointer dereference in CreateCustomVolumeFromBackup in LXD up to version 6.8 and 5.21 on Linux allows an authenticated user with can_create_storage_volumes permissions to cause a denial of service via a specially crafted custom-volume backup tarball that omits the expires_at snapshot field.
๐@cveNotify
GitHub
lxd/storage/backend/lxd: Validate snapshot.ExpiresAt is non-nil by tomponline ยท Pull Request #18320 ยท canonical/lxd
Powerful system container and virtual machine manager - lxd/storage/backend/lxd: Validate snapshot.ExpiresAt is non-nil by tomponline ยท Pull Request #18320 ยท canonical/lxd
๐จ CVE-2026-9640
A privilege escalation vulnerability exists in LXD from 6.0 before 6.9, 5.21.0 before 5.21.5, and 5.0.0 before 5.0.7 regarding the handling of project-restriction policies during snapshot restoration.. An authenticated project operator in a restricted multi-tenant environment can bypass policy restrictions by importing a maliciously crafted instance backup containing restricted configuration keys within a snapshot. When the snapshot is restored, these restricted keys are applied to the live instance without policy validation. Starting the modified instance grants the operator unauthorized host root access.
๐@cveNotify
A privilege escalation vulnerability exists in LXD from 6.0 before 6.9, 5.21.0 before 5.21.5, and 5.0.0 before 5.0.7 regarding the handling of project-restriction policies during snapshot restoration.. An authenticated project operator in a restricted multi-tenant environment can bypass policy restrictions by importing a maliciously crafted instance backup containing restricted configuration keys within a snapshot. When the snapshot is restored, these restricted keys are applied to the live instance without policy validation. Starting the modified instance grants the operator unauthorized host root access.
๐@cveNotify
GitHub
Instance: Improve snapshot config validation during import by tomponline ยท Pull Request #18301 ยท canonical/lxd
Powerful system container and virtual machine manager - Instance: Improve snapshot config validation during import by tomponline ยท Pull Request #18301 ยท canonical/lxd
๐จ CVE-2026-13802
Use after free in Views in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
๐@cveNotify
Use after free in Views in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
๐@cveNotify
Chrome Releases
Stable Channel Update for Desktop
The Chrome team is delighted to announce the promotion of Chrome 150 to the stable channel for Windows, Mac and Linux. This will roll out ov...
๐จ CVE-2026-13803
Type Confusion in Chrome Tabs in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
๐@cveNotify
Type Confusion in Chrome Tabs in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
๐@cveNotify
Chrome Releases
Stable Channel Update for Desktop
The Chrome team is delighted to announce the promotion of Chrome 150 to the stable channel for Windows, Mac and Linux. This will roll out ov...
๐จ CVE-2026-13804
Use after free in Chromecast in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
๐@cveNotify
Use after free in Chromecast in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
๐@cveNotify
Chrome Releases
Stable Channel Update for Desktop
The Chrome team is delighted to announce the promotion of Chrome 150 to the stable channel for Windows, Mac and Linux. This will roll out ov...
๐จ CVE-2026-13806
Insufficient validation of untrusted input in Accessibility in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High)
๐@cveNotify
Insufficient validation of untrusted input in Accessibility in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High)
๐@cveNotify
Chrome Releases
Stable Channel Update for Desktop
The Chrome team is delighted to announce the promotion of Chrome 150 to the stable channel for Windows, Mac and Linux. This will roll out ov...
๐จ CVE-2026-13814
Use after free in Views in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
๐@cveNotify
Use after free in Views in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
๐@cveNotify
Chrome Releases
Stable Channel Update for Desktop
The Chrome team is delighted to announce the promotion of Chrome 150 to the stable channel for Windows, Mac and Linux. This will roll out ov...
๐จ CVE-2026-13816
Insufficient validation of untrusted input in File Input in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
๐@cveNotify
Insufficient validation of untrusted input in File Input in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
๐@cveNotify
Chrome Releases
Stable Channel Update for Desktop
The Chrome team is delighted to announce the promotion of Chrome 150 to the stable channel for Windows, Mac and Linux. This will roll out ov...
๐จ CVE-2026-13817
Insufficient validation of untrusted input in Glic in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
๐@cveNotify
Insufficient validation of untrusted input in Glic in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
๐@cveNotify
Chrome Releases
Stable Channel Update for Desktop
The Chrome team is delighted to announce the promotion of Chrome 150 to the stable channel for Windows, Mac and Linux. This will roll out ov...