🚨 CVE-2026-24699
An OS command injection vulnerability exists in the sub_34984() function of the "rc" binary in Cisco RV130/RV130W with firmware 1.0.3.55 and RV110W routers with firmware 1.2.2.5 / 1.2.2.8. The lan_ipv6_prefixlen configuration parameter is not properly sanitized, which could allow an authenticated remote attacker to execute arbitrary OS commands with root privileges.
🎖@cveNotify
An OS command injection vulnerability exists in the sub_34984() function of the "rc" binary in Cisco RV130/RV130W with firmware 1.0.3.55 and RV110W routers with firmware 1.2.2.5 / 1.2.2.8. The lan_ipv6_prefixlen configuration parameter is not properly sanitized, which could allow an authenticated remote attacker to execute arbitrary OS commands with root privileges.
🎖@cveNotify
GitHub
IoT-Vulnerability/cisco/RV130/4/wp-en.md at main · glkfc/IoT-Vulnerability
Some descriptions on IoT device vulnerabilities. Contribute to glkfc/IoT-Vulnerability development by creating an account on GitHub.
🚨 CVE-2026-24700
An OS command injection vulnerability exists in the start_lltd() function of the "rc" binary in Cisco RV130/RV130W with firmware 1.0.3.55 and RV110W routers with firmware 1.2.2.5 / 1.2.2.8. The machine_name configuration parameter is not properly sanitized, which could allow an authenticated remote attacker to execute arbitrary OS commands with root privileges.
🎖@cveNotify
An OS command injection vulnerability exists in the start_lltd() function of the "rc" binary in Cisco RV130/RV130W with firmware 1.0.3.55 and RV110W routers with firmware 1.2.2.5 / 1.2.2.8. The machine_name configuration parameter is not properly sanitized, which could allow an authenticated remote attacker to execute arbitrary OS commands with root privileges.
🎖@cveNotify
GitHub
IoT-Vulnerability/cisco/RV130/1/wp-en.md at main · glkfc/IoT-Vulnerability
Some descriptions on IoT device vulnerabilities. Contribute to glkfc/IoT-Vulnerability development by creating an account on GitHub.
🚨 CVE-2026-55761
Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. In versions 2.39.0 through 2.39.3 and 2.40.0 until 2.43.0, unauthenticated restore and administrator initialization endpoints (/api/restore and /api/users/admin/init) remain accessible during the five-minute setup window for uninitialized instances, allowing a network attacker to restore a crafted backup or create the first administrator account and gain full administrative access. This issue is fixed in versions 2.39.4 and 2.43.0.
🎖@cveNotify
Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. In versions 2.39.0 through 2.39.3 and 2.40.0 until 2.43.0, unauthenticated restore and administrator initialization endpoints (/api/restore and /api/users/admin/init) remain accessible during the five-minute setup window for uninitialized instances, allowing a network attacker to restore a crafted backup or create the first administrator account and gain full administrative access. This issue is fixed in versions 2.39.4 and 2.43.0.
🎖@cveNotify
GitHub
feat(security): require setup token for admin init and restore [BE-13… · portainer/portainer@49f1910
…029] (#2836)
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Claude <noreply@anthropic.com>
🚨 CVE-2026-55542
Snipe-IT is an IT asset/license management system. Prior to version 8.6.1, Snipe-IT S3 signature image retrieval lacks authorization before temporary URL. On S3-backed deployments, authenticated users who know a signature filename can obtain a 5-minute signed S3 URL because the S3 branch returns before the `authorize()` call used by the local-file branch. Version 8.6.1 contains a patch.
🎖@cveNotify
Snipe-IT is an IT asset/license management system. Prior to version 8.6.1, Snipe-IT S3 signature image retrieval lacks authorization before temporary URL. On S3-backed deployments, authenticated users who know a signature filename can obtain a 5-minute signed S3 URL because the S3 branch returns before the `authorize()` call used by the local-file branch. Version 8.6.1 contains a patch.
🎖@cveNotify
GitHub
Chekc auth before assigning S3 temporary link · grokability/snipe-it@ded6515
A free open source IT asset/license management system - Chekc auth before assigning S3 temporary link · grokability/snipe-it@ded6515
🚨 CVE-2026-58192
Appium is a cross-platform automation framework for all kinds of apps, built on top of the W3C WebDriver protocol. Prior to 1.1.6, the Appium storage plugin exposes POST /storage/delete, whose handler passes the user-supplied name value directly into path.join(storageRoot, name) and fs.rimraf() without path sanitization, allowing an unauthenticated remote client to escape the storage root with ../ sequences and recursively delete arbitrary writable files or directories. This issue is fixed in version 1.1.6.
🎖@cveNotify
Appium is a cross-platform automation framework for all kinds of apps, built on top of the W3C WebDriver protocol. Prior to 1.1.6, the Appium storage plugin exposes POST /storage/delete, whose handler passes the user-supplied name value directly into path.join(storageRoot, name) and fs.rimraf() without path sanitization, allowing an unauthenticated remote client to escape the storage root with ../ sequences and recursively delete arbitrary writable files or directories. This issue is fixed in version 1.1.6.
🎖@cveNotify
GitHub
fix(storage-plugin): add fs.sanitizeName for the delete request as we… · appium/appium@5fee017
…ll (#22362)
* fix(storage-plugin): add fs.sanitizeName for the delete request
* move empty check as well
* fix: apply formatter
* return false for exception cases
* return false for exception...
* fix(storage-plugin): add fs.sanitizeName for the delete request
* move empty check as well
* fix: apply formatter
* return false for exception cases
* return false for exception...
🚨 CVE-2026-44024
Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. Prior to 1.19.3, Fluentd allows dynamically constructing file paths using the ${tag} placeholder, and insufficient validation of ${tag} in file configurations such as the path parameter of the out_file plugin allows attackers sending untrusted tags containing path traversal characters to write or overwrite arbitrary files and potentially achieve remote code execution. This issue is fixed in version 1.19.3.
🎖@cveNotify
Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. Prior to 1.19.3, Fluentd allows dynamically constructing file paths using the ${tag} placeholder, and insufficient validation of ${tag} in file configurations such as the path parameter of the out_file plugin allows attackers sending untrusted tags containing path traversal characters to write or overwrite arbitrary files and potentially achieve remote code execution. This issue is fixed in version 1.19.3.
🎖@cveNotify
GitHub
Backport(v1.19) output: enforce strict path boundary validation for t… · fluent/fluentd@45c87a8
…ag (#5391)
**Which issue(s) this PR fixes**:
Fixes #
**What this PR does / why we need it**:
This PR enhances the robustness of the `${tag}` placeholder expansion by
preventing unintended path b...
**Which issue(s) this PR fixes**:
Fixes #
**What this PR does / why we need it**:
This PR enhances the robustness of the `${tag}` placeholder expansion by
preventing unintended path b...
🚨 CVE-2026-44160
Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. Prior to 1.19.3, Fluentd's in_http and in_forward plugins support gzip-compressed data but enforce limits only on compressed payloads through settings such as body_size_limit and chunk_size_limit, allowing crafted compressed payloads to decompress in memory to an excessive size and cause denial of service through memory exhaustion. This issue is fixed in version 1.19.3.
🎖@cveNotify
Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. Prior to 1.19.3, Fluentd's in_http and in_forward plugins support gzip-compressed data but enforce limits only on compressed payloads through settings such as body_size_limit and chunk_size_limit, allowing crafted compressed payloads to decompress in memory to an excessive size and cause denial of service through memory exhaustion. This issue is fixed in version 1.19.3.
🎖@cveNotify
GitHub
Backport(v1.19) buffer, in_http: enforce size limits on decompressed … · fluent/fluentd@f5f2b7c
…payloads (#5393)
**Which issue(s) this PR fixes**:
Fixes #
**What this PR does / why we need it**:
This PR introduces a strict upper bound for decompressed payloads.
### Changes
1. Introduced ...
**Which issue(s) this PR fixes**:
Fixes #
**What this PR does / why we need it**:
This PR introduces a strict upper bound for decompressed payloads.
### Changes
1. Introduced ...
🚨 CVE-2026-44161
Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. Prior to 1.19.3, the Fluentd out_http output plugin allows placeholders such as ${tag} in the endpoint configuration parameter, and if a placeholder value is derived from untrusted input an attacker can control the destination hostname of outbound HTTP requests and force requests to arbitrary internal services. This issue is fixed in version 1.19.3.
🎖@cveNotify
Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. Prior to 1.19.3, the Fluentd out_http output plugin allows placeholders such as ${tag} in the endpoint configuration parameter, and if a placeholder value is derived from untrusted input an attacker can control the destination hostname of outbound HTTP requests and force requests to arbitrary internal services. This issue is fixed in version 1.19.3.
🎖@cveNotify
GitHub
Backport(v1.19) out_http: add strict host validation for dynamic endp… · fluent/fluentd@c6a01ea
…oints (#5394)
**Which issue(s) this PR fixes**:
Fixes #
**What this PR does / why we need it**:
This PR introduces strict host validation to ensure predictable and safe
routing when using dynami...
**Which issue(s) this PR fixes**:
Fixes #
**What this PR does / why we need it**:
This PR introduces strict host validation to ensure predictable and safe
routing when using dynami...
🚨 CVE-2026-48492
Snipe-IT is an IT asset/license management system. Prior to version 8.6.1, the GET /api/v1/{object}/selectlist API endpoint is missing an authorization check. Any user who can log into Snipe-IT - regardless of permissions - can retrieve a paginated list of all user accounts using only their web session cookie. No API token or elevated permissions are required. This exposes usernames, display names, employee numbers, and user IDs for every active account in the system if FMCS is not enabled, and within the company they belong to if FMCS is enabled. Version 8.6.1 contains a patch.
🎖@cveNotify
Snipe-IT is an IT asset/license management system. Prior to version 8.6.1, the GET /api/v1/{object}/selectlist API endpoint is missing an authorization check. Any user who can log into Snipe-IT - regardless of permissions - can retrieve a paginated list of all user accounts using only their web session cookie. No API token or elevated permissions are required. This exposes usernames, display names, employee numbers, and user IDs for every active account in the system if FMCS is not enabled, and within the company they belong to if FMCS is enabled. Version 8.6.1 contains a patch.
🎖@cveNotify
GitHub
Fixed FD-55580 - added selectlist gate and tests · grokability/snipe-it@4f943d4
A free open source IT asset/license management system - Fixed FD-55580 - added selectlist gate and tests · grokability/snipe-it@4f943d4
🚨 CVE-2026-60094
Vinchin Backup & Recovery through 9.0.0.86562 contains a heap buffer overflow vulnerability that allows unauthenticated remote attackers to cause process crash or memory corruption by sending a malformed TCP packet with an unchecked body_len field to the agentlink_server service. Attackers can craft a malicious packet that passes an attacker-controlled length directly to recv(), triggering a heap overflow of up to approximately 4 GiB and resulting in process crash or potential memory corruption.
🎖@cveNotify
Vinchin Backup & Recovery through 9.0.0.86562 contains a heap buffer overflow vulnerability that allows unauthenticated remote attackers to cause process crash or memory corruption by sending a malformed TCP packet with an unchecked body_len field to the agentlink_server service. Attackers can craft a malicious packet that passes an attacker-controlled length directly to recv(), triggering a heap overflow of up to approximately 4 GiB and resulting in process crash or potential memory corruption.
🎖@cveNotify
Code-White
CODE WHITE | Public Vulnerability List
Public list of vulnerabilities, found by CODE WHITE
🚨 CVE-2026-60095
Vinchin Backup & Recovery through 9.0.0.86562 contains a stack buffer overflow vulnerability in the ModuleHandShake function of the agentlink_server service that allows unauthenticated remote attackers to overwrite the saved return address by supplying an oversized _listen_uuid field that is measured via strlen() and copied without bounds checking into a fixed-length stack buffer using strcpy(). Attackers can send a crafted request with a malicious _listen_uuid value to corrupt the stack and achieve process crash or potential control flow hijack without requiring authentication.
🎖@cveNotify
Vinchin Backup & Recovery through 9.0.0.86562 contains a stack buffer overflow vulnerability in the ModuleHandShake function of the agentlink_server service that allows unauthenticated remote attackers to overwrite the saved return address by supplying an oversized _listen_uuid field that is measured via strlen() and copied without bounds checking into a fixed-length stack buffer using strcpy(). Attackers can send a crafted request with a malicious _listen_uuid value to corrupt the stack and achieve process crash or potential control flow hijack without requiring authentication.
🎖@cveNotify
Code-White
CODE WHITE | Public Vulnerability List
Public list of vulnerabilities, found by CODE WHITE
🚨 CVE-2026-51600
Tenda CP3 V3.0 firmware V31.1.9.91 does not validate the Content-Length header field in RTSP requests (including DESCRIBE, SETUP, and PLAY methods). When a request carrying a Content-Length header is received without a corresponding message body, the RTSP parser enters a persistent body-awaiting state, causing the affected TCP connection to become permanently non-functional. The device does not actively close the connection, resulting in a TCP resource leak. This issue can be exploited by an unauthenticated remote attacker to cause a denial-of-service condition.
🎖@cveNotify
Tenda CP3 V3.0 firmware V31.1.9.91 does not validate the Content-Length header field in RTSP requests (including DESCRIBE, SETUP, and PLAY methods). When a request carrying a Content-Length header is received without a corresponding message body, the RTSP parser enters a persistent body-awaiting state, causing the affected TCP connection to become permanently non-functional. The device does not actively close the connection, resulting in a TCP resource leak. This issue can be exploited by an unauthenticated remote attacker to cause a denial-of-service condition.
🎖@cveNotify
GitHub
cve_ID_report/Tenda_CP3_V3.0/Tenda_CP3_V3.0/Tenda_CP3_V3.0_1th/README.md at main · kkkk2222874/cve_ID_report
上报cve漏洞仓库. Contribute to kkkk2222874/cve_ID_report development by creating an account on GitHub.
🚨 CVE-2026-51601
Tenda CP3 V3.0 firmware V31.1.9.91 contains a stack-based buffer overflow in the RTSP service. The device fails to validate the length of the clock= value in the Range header field when processing a PLAY request. An unauthenticated remote attacker who has completed a standard RTSP session handshake can send a PLAY request with an excessively long clock= value to cause the RTSP service to crash.
🎖@cveNotify
Tenda CP3 V3.0 firmware V31.1.9.91 contains a stack-based buffer overflow in the RTSP service. The device fails to validate the length of the clock= value in the Range header field when processing a PLAY request. An unauthenticated remote attacker who has completed a standard RTSP session handshake can send a PLAY request with an excessively long clock= value to cause the RTSP service to crash.
🎖@cveNotify
GitHub
cve_ID_report/Tenda_CP3_V3.0/Tenda_CP3_V3.0_2th/README.md at main · kkkk2222874/cve_ID_report
上报cve漏洞仓库. Contribute to kkkk2222874/cve_ID_report development by creating an account on GitHub.
🚨 CVE-2026-51602
A stack-based buffer overflow vulnerability in the RTSP service of Tenda CP3 V3.0 (firmware V31.1.9.91) allows an unauthenticated remote attacker to cause a denial of service via a crafted SETUP request. The RTSP service's second-stage URL routing parser fails to validate the length of the URL field in the first SETUP request. By supplying a URL consisting of exactly four consecutive repetitions of a valid RTSP URL, an attacker can bypass first-stage format validation and trigger a stack buffer overflow, causing an immediate crash of the RTSP service process and rendering the device inaccessible to all clients on the local network.
🎖@cveNotify
A stack-based buffer overflow vulnerability in the RTSP service of Tenda CP3 V3.0 (firmware V31.1.9.91) allows an unauthenticated remote attacker to cause a denial of service via a crafted SETUP request. The RTSP service's second-stage URL routing parser fails to validate the length of the URL field in the first SETUP request. By supplying a URL consisting of exactly four consecutive repetitions of a valid RTSP URL, an attacker can bypass first-stage format validation and trigger a stack buffer overflow, causing an immediate crash of the RTSP service process and rendering the device inaccessible to all clients on the local network.
🎖@cveNotify
GitHub
cve_ID_report/Tenda_CP3_V3.0/Tenda_CP3_V3.0_3th/README.md at main · kkkk2222874/cve_ID_report
上报cve漏洞仓库. Contribute to kkkk2222874/cve_ID_report development by creating an account on GitHub.
🚨 CVE-2026-51603
A stack-based buffer overflow vulnerability in the RTSP service of Tenda CP3 V3.0 (firmware V31.1.9.91) allows an unauthenticated remote attacker to cause a denial of service via a crafted second SETUP request. After completing the OPTIONS, DESCRIBE, and a legitimate first SETUP request to obtain a valid session ID, the RTSP service's second-stage URL routing parser fails to validate the length of the URL field in the subsequent SETUP request. By supplying a URL consisting of exactly four consecutive repetitions of a valid RTSP URL, an attacker can bypass first-stage format validation and trigger a stack buffer overflow, causing an immediate crash of the RTSP service process and rendering the device inaccessible to all clients on the local network.
🎖@cveNotify
A stack-based buffer overflow vulnerability in the RTSP service of Tenda CP3 V3.0 (firmware V31.1.9.91) allows an unauthenticated remote attacker to cause a denial of service via a crafted second SETUP request. After completing the OPTIONS, DESCRIBE, and a legitimate first SETUP request to obtain a valid session ID, the RTSP service's second-stage URL routing parser fails to validate the length of the URL field in the subsequent SETUP request. By supplying a URL consisting of exactly four consecutive repetitions of a valid RTSP URL, an attacker can bypass first-stage format validation and trigger a stack buffer overflow, causing an immediate crash of the RTSP service process and rendering the device inaccessible to all clients on the local network.
🎖@cveNotify
GitHub
cve_ID_report/Tenda_CP3_V3.0/Tenda_CP3_V3.0_4th/README.md at main · kkkk2222874/cve_ID_report
上报cve漏洞仓库. Contribute to kkkk2222874/cve_ID_report development by creating an account on GitHub.
🚨 CVE-2026-51604
A stack-based buffer overflow vulnerability in the RTSP service of Tenda CP3 V3.0 (firmware V31.1.9.91) allows an unauthenticated remote attacker to cause a denial of service via a crafted PLAY request.
🎖@cveNotify
A stack-based buffer overflow vulnerability in the RTSP service of Tenda CP3 V3.0 (firmware V31.1.9.91) allows an unauthenticated remote attacker to cause a denial of service via a crafted PLAY request.
🎖@cveNotify
GitHub
cve_ID_report/Tenda_CP3_V3.0/Tenda_CP3_V3.0_6th/README.md at main · kkkk2222874/cve_ID_report
上报cve漏洞仓库. Contribute to kkkk2222874/cve_ID_report development by creating an account on GitHub.
🚨 CVE-2026-51606
An improper input handling vulnerability in the RTSP service of Tenda CP3 V3.0 (firmware V31.1.9.91) causes the device to abruptly terminate the TCP connection with a RST packet when a request containing an oversized field value is received, without returning any RFC 2326-compliant error response. This behavior affects the request-line URL field and header field values across multiple RTSP request types.
🎖@cveNotify
An improper input handling vulnerability in the RTSP service of Tenda CP3 V3.0 (firmware V31.1.9.91) causes the device to abruptly terminate the TCP connection with a RST packet when a request containing an oversized field value is received, without returning any RFC 2326-compliant error response. This behavior affects the request-line URL field and header field values across multiple RTSP request types.
🎖@cveNotify
GitHub
cve_ID_report/Tenda_CP3_V3.0/Tenda_CP3_V3.0_5th/README.md at main · kkkk2222874/cve_ID_report
上报cve漏洞仓库. Contribute to kkkk2222874/cve_ID_report development by creating an account on GitHub.
🚨 CVE-2026-59209
n8n is an open source workflow automation platform. Prior to 1.123.61, 2.27.4, and, 2.28.1, an authenticated member with use-only editor access to a shared workflow could read credential-populated headers exposed via the $request object inside an HTTP Request node's pagination expression and exfiltrate the secret through item data. This issue is fixed in versions 1.123.61, 2.27.4, and 2.28.1.
🎖@cveNotify
n8n is an open source workflow automation platform. Prior to 1.123.61, 2.27.4, and, 2.28.1, an authenticated member with use-only editor access to a shared workflow could read credential-populated headers exposed via the $request object inside an HTTP Request node's pagination expression and exfiltrate the secret through item data. This issue is fixed in versions 1.123.61, 2.27.4, and 2.28.1.
🎖@cveNotify
GitHub
Release n8n@2.27.4 · n8n-io/n8n
2.27.4 (2026-06-24)
Bug Fixes
core: Let allowlisted Python packages import their own submodules via relative imports (#32832) (62e876c)
Features
core: Fix building incorrect chained nodes (#3285...
Bug Fixes
core: Let allowlisted Python packages import their own submodules via relative imports (#32832) (62e876c)
Features
core: Fix building incorrect chained nodes (#3285...
🚨 CVE-2026-59222
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.7.0 before 0.10.0, GET /api/v1/channels//members returned full UserModelResponse objects for channel members, including settings.ui.toolServers[].key and webhook configuration, allowing a normal channel participant to retrieve other users’ sensitive settings. This issue is fixed in version 0.10.0.
🎖@cveNotify
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.7.0 before 0.10.0, GET /api/v1/channels//members returned full UserModelResponse objects for channel members, including settings.ui.toolServers[].key and webhook configuration, allowing a normal channel participant to retrieve other users’ sensitive settings. This issue is fixed in version 0.10.0.
🎖@cveNotify
GitHub
refac · open-webui/open-webui@fbcdcf1
User-friendly AI Interface (Supports Ollama, OpenAI API, ...) - refac · open-webui/open-webui@fbcdcf1
🚨 CVE-2026-59223
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, WEB_FETCH_FILTER_LIST matching compared configured host entries against URL strings and non-label-boundary suffixes, allowing path-based blocklist bypasses such as !internal.example.com in a URL path and sibling-domain matches that did not reflect the intended hostname policy. This issue is fixed in version 0.10.0.
🎖@cveNotify
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, WEB_FETCH_FILTER_LIST matching compared configured host entries against URL strings and non-label-boundary suffixes, allowing path-based blocklist bypasses such as !internal.example.com in a URL path and sibling-domain matches that did not reflect the intended hostname policy. This issue is fixed in version 0.10.0.
🎖@cveNotify
GitHub
Match WEB_FETCH_FILTER_LIST on hostnames with label boundaries, not U… · open-webui/open-webui@087878c
…RL suffix (CWE-693) (#25949)
is_string_allowed does endswith() matching and was called with the full URL
(retrieval/web/utils.py) against WEB_FETCH_FILTER_LIST, so a blocklisted host with any
pat...
is_string_allowed does endswith() matching and was called with the full URL
(retrieval/web/utils.py) against WEB_FETCH_FILTER_LIST, so a blocklisted host with any
pat...
🚨 CVE-2026-0275
A local privilege escalation vulnerability in Palo Alto Networks Prisma® Browser allows a locally authenticated administrator with access to the macOS local filesystem to perform actions on the device with root privileges.
This issue only affects Prisma® Browser on macOS.
🎖@cveNotify
A local privilege escalation vulnerability in Palo Alto Networks Prisma® Browser allows a locally authenticated administrator with access to the macOS local filesystem to perform actions on the device with root privileges.
This issue only affects Prisma® Browser on macOS.
🎖@cveNotify
Palo Alto Networks Product Security Assurance
PAN-SA-2026-0010 Chromium and Prisma Browser: Monthly Vulnerability Update (July 2026)
Palo Alto Networks incorporated the following Chromium security fixes into our products:
* https://chromereleases.googleblog.com/2025/10/stable-channel-update-for-desktop_28.html
* https://chromereleases.googleblog.com/2025/10/stable-channel-update-for-desktop_28.html