π¨ CVE-2026-50521
Use after free in Microsoft Edge (Chromium-based) allows an authorized attacker to execute code over a network.
π@cveNotify
Use after free in Microsoft Edge (Chromium-based) allows an authorized attacker to execute code over a network.
π@cveNotify
π¨ CVE-2026-54074
Tina is a headless content management system. @tinacms/cli versions prior to 2.4.3 contain a Remote Code Execution vulnerability in the Forestry-to-Tina migration command. The internal helper addVariablesToCode unquotes any value matching the marker "__TINA_INTERNAL__:::(.*?):::" inside the stringified collection JSON. User-supplied label and name fields from .forestry/**/*.yml are placed into that JSON without any sanitisation. An attacker who controls a Forestry-style project can therefore inject arbitrary JavaScript into the generated tina/templates.{ts,js} file. The injected code is written at module top level, so it executes the moment the developer runs tinacms dev or tinacms build, with the developer's privileges. This issue has been fixed in version 2.4.3.
π@cveNotify
Tina is a headless content management system. @tinacms/cli versions prior to 2.4.3 contain a Remote Code Execution vulnerability in the Forestry-to-Tina migration command. The internal helper addVariablesToCode unquotes any value matching the marker "__TINA_INTERNAL__:::(.*?):::" inside the stringified collection JSON. User-supplied label and name fields from .forestry/**/*.yml are placed into that JSON without any sanitisation. An attacker who controls a Forestry-style project can therefore inject arbitrary JavaScript into the generated tina/templates.{ts,js} file. The injected code is written at module top level, so it executes the moment the developer runs tinacms dev or tinacms build, with the developer's privileges. This issue has been fixed in version 2.4.3.
π@cveNotify
GitHub
Remote Code Execution in @tinacms/cli via Forestry migration β unsanitised __TINA_INTERNAL__ marker in user-controlled YAML labels
## Description
### Summary
`@tinacms/cli` contains a Remote Code Execution vulnerability in its
Forestry-to-Tina migration command. The internal helper `addVariablesToCode`
unquotes any v...
### Summary
`@tinacms/cli` contains a Remote Code Execution vulnerability in its
Forestry-to-Tina migration command. The internal helper `addVariablesToCode`
unquotes any v...
π¨ CVE-2026-54720
Silverstripe Framework is a PHP framework which powers the Silverstripe CMS. In versions prior to 6.2.2, the "Insert media from web" functionality in the CMS is vulnerable to XSS from a specially crafted embed. This issue was fixed in version 6.2.2/
π@cveNotify
Silverstripe Framework is a PHP framework which powers the Silverstripe CMS. In versions prior to 6.2.2, the "Insert media from web" functionality in the CMS is vulnerable to XSS from a specially crafted embed. This issue was fixed in version 6.2.2/
π@cveNotify
GitHub
XSS attack through media embed
### Impact
The "Insert media from web" functionality in the CMS is vulnerable to XSS from a specially crafted embed.
### References
- https://www.silverstripe.org/download/security-r...
The "Insert media from web" functionality in the CMS is vulnerable to XSS from a specially crafted embed.
### References
- https://www.silverstripe.org/download/security-r...
π¨ CVE-2026-54756
Jodit Editor is a WYSIWYG editor with written in pure TypeScript file and image editing capabilities. In versions prior to 4.12.18, Jodit.configure(options) β and the internal ConfigMerge / ConfigProto helpers β merged user-supplied options into the editor configuration without filtering prototype-mutating keys, potentially causing a Prototype Pollution vulnerability. A payload nested under an existing plain-object option such as controls could reach and mutate Object.prototype. Applications that pass user-controlled or partially user-controlled configuration into Jodit.configure() may be vulnerable. This issue was fixed in version 4.12.18.
π@cveNotify
Jodit Editor is a WYSIWYG editor with written in pure TypeScript file and image editing capabilities. In versions prior to 4.12.18, Jodit.configure(options) β and the internal ConfigMerge / ConfigProto helpers β merged user-supplied options into the editor configuration without filtering prototype-mutating keys, potentially causing a Prototype Pollution vulnerability. A payload nested under an existing plain-object option such as controls could reach and mutate Object.prototype. Applications that pass user-controlled or partially user-controlled configuration into Jodit.configure() may be vulnerable. This issue was fixed in version 4.12.18.
π@cveNotify
GitHub
Prototype pollution in Jodit via Jodit.configure() / ConfigMerge
### Summary
`Jodit.configure(options)` β and the internal `ConfigMerge` / `ConfigProto` helpers β merged user-supplied options into the editor configuration without filtering prototype-mutating key...
`Jodit.configure(options)` β and the internal `ConfigMerge` / `ConfigProto` helpers β merged user-supplied options into the editor configuration without filtering prototype-mutating key...
π¨ CVE-2026-55886
Jodit Editor is a WYSIWYG editor with written in pure TypeScript file and image editing capabilities. Versions prior to 4.12.26 are vulnerable to Prototype Pollution through Jodit.modules.Helpers.set(chain, value, obj), which walks the dot-separated chain, creating and following each path segment without filtering prototype-mutating keys. A chain that begins with (or contains) __proto__, constructor, or prototype lets the final assignment reach and mutate Object.prototype. Applications that pass a user-controlled or partially user-controlled key path into Jodit.modules.Helpers.set() could be vulnerable, causing unexpected property injection, logic bypass, denial of service, or secondary security issues. This issue has been fixed in version 4.12.26.
π@cveNotify
Jodit Editor is a WYSIWYG editor with written in pure TypeScript file and image editing capabilities. Versions prior to 4.12.26 are vulnerable to Prototype Pollution through Jodit.modules.Helpers.set(chain, value, obj), which walks the dot-separated chain, creating and following each path segment without filtering prototype-mutating keys. A chain that begins with (or contains) __proto__, constructor, or prototype lets the final assignment reach and mutate Object.prototype. Applications that pass a user-controlled or partially user-controlled key path into Jodit.modules.Helpers.set() could be vulnerable, causing unexpected property injection, logic bypass, denial of service, or secondary security issues. This issue has been fixed in version 4.12.26.
π@cveNotify
GitHub
Prototype pollution in Jodit via Jodit.modules.Helpers.set()
### Summary
`Jodit.modules.Helpers.set(chain, value, obj)` walks the dot-separated `chain`, creating and following each path segment, without filtering prototype-mutating keys. A chain that begins ...
`Jodit.modules.Helpers.set(chain, value, obj)` walks the dot-separated `chain`, creating and following each path segment, without filtering prototype-mutating keys. A chain that begins ...
π¨ CVE-2026-58263
Jodit Editor is a WYSIWYG editor with written in pure TypeScript file and image editing capabilities. In versions prior to 4.12.28, the built-in clean-html sanitizer can be bypassed by a MathML/<style> carrier that hides a dangerous element from the sanitizer's element walk, so a no-interaction event handler survives into the editor value, potentially causing Mutation XSS. When an application supplies attacker-influenced HTML to the editor's value-set or insertion paths, the sanitized output still contains a live <img ... onload=...> (or another non-onerror handler such as onfocus). A consumer that renders that output (element.innerHTML = editor.value) executes the handler with no user interaction. This issue has been fixed in version 4.12.28.
π@cveNotify
Jodit Editor is a WYSIWYG editor with written in pure TypeScript file and image editing capabilities. In versions prior to 4.12.28, the built-in clean-html sanitizer can be bypassed by a MathML/<style> carrier that hides a dangerous element from the sanitizer's element walk, so a no-interaction event handler survives into the editor value, potentially causing Mutation XSS. When an application supplies attacker-influenced HTML to the editor's value-set or insertion paths, the sanitized output still contains a live <img ... onload=...> (or another non-onerror handler such as onfocus). A consumer that renders that output (element.innerHTML = editor.value) executes the handler with no user interaction. This issue has been fixed in version 4.12.28.
π@cveNotify
GitHub
Mutation XSS in jodit clean-html via a MathML/style rawtext carrier
### Summary
jodit's built-in `clean-html` sanitizer can be bypassed by a MathML/`<style>` carrier that hides a dangerous element from the sanitizer's element walk, so a no-interactio...
jodit's built-in `clean-html` sanitizer can be bypassed by a MathML/`<style>` carrier that hides a dangerous element from the sanitizer's element walk, so a no-interactio...
π¨ CVE-2026-36909
A NULL pointer dereference in the AP4_TkhdAtom::GetTrackId() function of Aleksoid1978 MPC-BE before commit 4341cb3 allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.
π@cveNotify
A NULL pointer dereference in the AP4_TkhdAtom::GetTrackId() function of Aleksoid1978 MPC-BE before commit 4341cb3 allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.
π@cveNotify
GitHub
We would like to report some critical issues from Bento4 Β· Issue #1062 Β· Aleksoid1978/MPC-BE
We found few more bugs that are still reproducible in Bento4 We are aware that it is a burden to fix the bugs from crafted files, but we found that few of them are critical in the security asepct S...
π¨ CVE-2026-36910
An access violation in the BaseSplitterFile::Read function of Aleksoid1978 MPC-BE before commit 4341cb3 allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.
π@cveNotify
An access violation in the BaseSplitterFile::Read function of Aleksoid1978 MPC-BE before commit 4341cb3 allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.
π@cveNotify
GitHub
We would like to report some critical issues from Bento4 Β· Issue #1062 Β· Aleksoid1978/MPC-BE
We found few more bugs that are still reproducible in Bento4 We are aware that it is a burden to fix the bugs from crafted files, but we found that few of them are critical in the security asepct S...
π¨ CVE-2026-36911
A division-by-zero vulnerability in the CStreamSwitcherOutputPin::DecideBufferSize function of Aleksoid1978 MPC-BE before commit 4341cb3 allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.
π@cveNotify
A division-by-zero vulnerability in the CStreamSwitcherOutputPin::DecideBufferSize function of Aleksoid1978 MPC-BE before commit 4341cb3 allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.
π@cveNotify
GitHub
We would like to report some critical issues from Bento4 Β· Issue #1062 Β· Aleksoid1978/MPC-BE
We found few more bugs that are still reproducible in Bento4 We are aware that it is a burden to fix the bugs from crafted files, but we found that few of them are critical in the security asepct S...
π¨ CVE-2026-54259
Wagtail is an open source content management system built on Django. In versions prior to 7.0.8, 7.3.3 and 7.4.2, the Documents and Images chooser's chosen endpoint incorrectly listed items for which the user has not been granted choose permission. A user with access to the Wagtail admin could see the filename and name and URLs of documents and images in those collections. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. This issue has been fixed in versions 7.0.8, 7.3.3, and 7.4.2.
π@cveNotify
Wagtail is an open source content management system built on Django. In versions prior to 7.0.8, 7.3.3 and 7.4.2, the Documents and Images chooser's chosen endpoint incorrectly listed items for which the user has not been granted choose permission. A user with access to the Wagtail admin could see the filename and name and URLs of documents and images in those collections. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. This issue has been fixed in versions 7.0.8, 7.3.3, and 7.4.2.
π@cveNotify
GitHub
Improper restriction handling on Documents and Images chosen endpoints
### Impact
The Documents and Images chooser's chosen endpoint incorrectly listed items for which the user has not been granted choose permission. A user with access to the Wagtail admin could ...
The Documents and Images chooser's chosen endpoint incorrectly listed items for which the user has not been granted choose permission. A user with access to the Wagtail admin could ...
π¨ CVE-2026-54260
Wagtail is an open source content management system built on Django. In versions prior to 7.0.8, 7.3.3 and 7.4.2, an authenticated admin user can trigger expensive rendition processing with purposefully crafted filter specs resulting in potentially service degradation. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. This issue has been fixed in versions 7.0.8, 7.3.3, and 7.4.2.
π@cveNotify
Wagtail is an open source content management system built on Django. In versions prior to 7.0.8, 7.3.3 and 7.4.2, an authenticated admin user can trigger expensive rendition processing with purposefully crafted filter specs resulting in potentially service degradation. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. This issue has been fixed in versions 7.0.8, 7.3.3, and 7.4.2.
π@cveNotify
GitHub
Denial of service via unbounded filter specs in the image preview
### Impact
An authenticated admin user can trigger expensive rendition processing with purposefully crafted filter specs resulting in potentially service degradation.
The vulnerability is not...
An authenticated admin user can trigger expensive rendition processing with purposefully crafted filter specs resulting in potentially service degradation.
The vulnerability is not...
π¨ CVE-2026-54261
Wagtail is an open source content management system built on Django. In versions prior to 7.0.8, 7.3.3 and 7.4.2, due to a missing permission check on the image preview endpoint, a user with access to the Wagtail admin can preview any image. The existing data of the image object itself is not exposed. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. This issue has been fixed in versions 7.0.8, 7.3.3, and 7.4.2.
π@cveNotify
Wagtail is an open source content management system built on Django. In versions prior to 7.0.8, 7.3.3 and 7.4.2, due to a missing permission check on the image preview endpoint, a user with access to the Wagtail admin can preview any image. The existing data of the image object itself is not exposed. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. This issue has been fixed in versions 7.0.8, 7.3.3, and 7.4.2.
π@cveNotify
GitHub
Improper permission handling in image preview
### Impact
Due to a missing permission check on the image preview endpoint, a user with access to the Wagtail admin can preview any image. The existing data of the image object itself is not expos...
Due to a missing permission check on the image preview endpoint, a user with access to the Wagtail admin can preview any image. The existing data of the image object itself is not expos...
π¨ CVE-2026-54263
Wagtail is an open source content management system built on Django. In versions prior to 7.0.8, 7.3.3 and 7.4.2, reflected cross-site scripting (XSS) vulnerability exists on the dynamic image URL generator view within the Wagtail admin interface. A user with a limited-permission editor account for the Wagtail admin could craft a URL that, when viewed by a user with higher privileges, could perform actions with that user's credentials. The vulnerability is present for all sites, even if they do not enable the dynamic image serve view. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. This issue has been fixed in versions 7.0.8, 7.3.3, and 7.4.2.
π@cveNotify
Wagtail is an open source content management system built on Django. In versions prior to 7.0.8, 7.3.3 and 7.4.2, reflected cross-site scripting (XSS) vulnerability exists on the dynamic image URL generator view within the Wagtail admin interface. A user with a limited-permission editor account for the Wagtail admin could craft a URL that, when viewed by a user with higher privileges, could perform actions with that user's credentials. The vulnerability is present for all sites, even if they do not enable the dynamic image serve view. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. This issue has been fixed in versions 7.0.8, 7.3.3, and 7.4.2.
π@cveNotify
GitHub
Reflected XSS in dynamic image URL generator view
### Impact
A reflected cross-site scripting (XSS) vulnerability exists on the dynamic image URL generator view within the Wagtail admin interface. A user with a limited-permission editor account...
A reflected cross-site scripting (XSS) vulnerability exists on the dynamic image URL generator view within the Wagtail admin interface. A user with a limited-permission editor account...
π¨ CVE-2026-54712
OpenTelemetry Java Instrumentation provides OpenTelemetry auto-instrumentation and instrumentation libraries for Java. In versions prior to 2.27.0, the RMI context propagation payload reader limits the number of context entries but does not limit the aggregate size of the strings read from the stream. An attacker who can reach an RMI endpoint on an instrumented JVM can send an oversized context propagation payload. This can cause excessive memory allocation while the JVM reads the payload, potentially leading to denial of service. The issue affects only deployments where RMI instrumentation is enabled and an RMI endpoint is network-reachable. This issue has been fixed in version 2.27.0.
π@cveNotify
OpenTelemetry Java Instrumentation provides OpenTelemetry auto-instrumentation and instrumentation libraries for Java. In versions prior to 2.27.0, the RMI context propagation payload reader limits the number of context entries but does not limit the aggregate size of the strings read from the stream. An attacker who can reach an RMI endpoint on an instrumented JVM can send an oversized context propagation payload. This can cause excessive memory allocation while the JVM reads the payload, potentially leading to denial of service. The issue affects only deployments where RMI instrumentation is enabled and an RMI endpoint is network-reachable. This issue has been fixed in version 2.27.0.
π@cveNotify
GitHub
OpenTelemetry Javaagent RMI context propagation allows resource exhaustion
The RMI context propagation payload reader limits the number of context entries but does not limit the aggregate size of the strings read from the stream.
An attacker who can reach an RMI endpoi...
An attacker who can reach an RMI endpoi...
π¨ CVE-2026-55793
Craft CMS is a content management system (CMS). In versions 5.0.0-RC1 through 5.9.22, an author-level control panel user can store a malicious JavaScript payload in an entry title. When an admin, or any control panel user with saveEntries for the same Structure section, drags another entry under the poisoned entry in table view, the payload executes in the victimβs session. The issue is exploitable because the title is escaped into data-title by the server, decoded again by the browser, read with jQuery .data('title'), and then concatenated into a new HTML string without attribute escaping. To exploit, an attacker must have an existing control panel account (Author role minimum), the victim must perform a drag operation (not just visit the page), and the victimβs session needs to be elevated at trigger time. This issue has been fixed in version 5.9.23.
π@cveNotify
Craft CMS is a content management system (CMS). In versions 5.0.0-RC1 through 5.9.22, an author-level control panel user can store a malicious JavaScript payload in an entry title. When an admin, or any control panel user with saveEntries for the same Structure section, drags another entry under the poisoned entry in table view, the payload executes in the victimβs session. The issue is exploitable because the title is escaped into data-title by the server, decoded again by the browser, read with jQuery .data('title'), and then concatenated into a new HTML string without attribute escaping. To exploit, an attacker must have an existing control panel account (Author role minimum), the victim must perform a drag operation (not just visit the page), and the victimβs session needs to be elevated at trigger time. This issue has been fixed in version 5.9.23.
π@cveNotify
GitHub
Fixed GHSA-xrqc-p465-2xvg Β· craftcms/cms@162321e
Build bespoke content experiences with Craft. Contribute to craftcms/cms development by creating an account on GitHub.
π¨ CVE-2026-14381
Incorrect security UI in WebAppInstalls in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
π@cveNotify
Incorrect security UI in WebAppInstalls in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
π@cveNotify
Chrome Releases
Stable Channel Update for Desktop
The Stable channel has been updated to 150.0.7871.46/.47 for Windows and Mac and 150.0.7871.46 for Linux, which will roll out over the comi...
π¨ CVE-2026-14382
Insufficient validation of untrusted input in ANGLE in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
π@cveNotify
Insufficient validation of untrusted input in ANGLE in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
π@cveNotify
Chrome Releases
Stable Channel Update for Desktop
The Stable channel has been updated to 150.0.7871.46/.47 for Windows and Mac and 150.0.7871.46 for Linux, which will roll out over the comi...
π¨ CVE-2026-14383
Inappropriate implementation in V8 in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
π@cveNotify
Inappropriate implementation in V8 in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
π@cveNotify
Chrome Releases
Stable Channel Update for Desktop
The Stable channel has been updated to 150.0.7871.46/.47 for Windows and Mac and 150.0.7871.46 for Linux, which will roll out over the comi...
π¨ CVE-2026-14384
Out of bounds read in ANGLE in Google Chrome on Windows prior to 150.0.7871.46 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
π@cveNotify
Out of bounds read in ANGLE in Google Chrome on Windows prior to 150.0.7871.46 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
π@cveNotify
Chrome Releases
Stable Channel Update for Desktop
The Stable channel has been updated to 150.0.7871.46/.47 for Windows and Mac and 150.0.7871.46 for Linux, which will roll out over the comi...
π¨ CVE-2026-14385
Heap buffer overflow in ANGLE in Google Chrome on Mac prior to 150.0.7871.46 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)
π@cveNotify
Heap buffer overflow in ANGLE in Google Chrome on Mac prior to 150.0.7871.46 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)
π@cveNotify
Chrome Releases
Stable Channel Update for Desktop
The Stable channel has been updated to 150.0.7871.46/.47 for Windows and Mac and 150.0.7871.46 for Linux, which will roll out over the comi...
π¨ CVE-2026-14386
Out of bounds read in ANGLE in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)
π@cveNotify
Out of bounds read in ANGLE in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)
π@cveNotify
Chrome Releases
Stable Channel Update for Desktop
The Stable channel has been updated to 150.0.7871.46/.47 for Windows and Mac and 150.0.7871.46 for Linux, which will roll out over the comi...