Severe
Mass exploitation or critical 0-day in the wild. Treat as incident.
- CISA KEV Catalog (just now)
- NVD CVE 2.0 (just now)
- GitHub Security Advisories (just now)
- OSV.dev (25 m ago)
- Microsoft MSRC (7 h ago)
- CISA ICS-CERT advisories (25 m ago)
- CISA Cybersecurity Advisories (7 h ago)
- abuse.ch URLhaus (just now)
- abuse.ch ThreatFox (just now)
- Nuclei templates (25 m ago)
Zero-day attacks · live
1 new actively-exploited vuln added to CISA KEV in the last 24h.
Severity mix
1,000 CVEs · 30 d
- critical: 0
- high: 0
- medium: 896
- low: 104
Top vendors
advisories · 7 d
Top malware families
12 families · 1,000 hits · 24 h
Oracle PeopleSoft Enterprise PeopleTools Missing Authentication for Critical Function Vulnerability
Ivanti Sentry OS Command Injection Vulnerability
Cisco Catalyst SD-WAN Manager Improper Encoding or Escaping of Output Vulnerability
Arista Extensible Operating System Incomplete Comparison with Missing Factors Vulnerability
Google Chromium V8 Out-of-Bounds Read and Write Vulnerability
Check Point Security Gateway Improper Authentication Vulnerability
BerriAI LiteLLM Command Injection Vulnerability
SolarWinds Serv-U Uncontrolled Resource Consumption Vulnerability
Hermes WebUI before version 0.51.358 contains an improper access control vulnerability that allows unauthenticated remote attackers to hijack initial setup by submitting the _set_password parameter to the settings API endpoint without any n
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, by combining Buffer.call.call({}.__lookupGetter__, Buffer, "__proto__"), Buffer.call.call({}.__lookupSetter__, Buffer, "__proto__"), and Node.js's ERR_INVALID_ARG_TYPE E
Inappropriate implementation in Headless in Google Chrome prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severit
OpenClaw before 2026.5.27 contains a state mutation vulnerability in node pairing reconnection that allows paired nodes to confuse approval scope decisions. Attackers can exploit reconnection logic to restore or present broader node authori
ApostropheCMS is an open-source Node.js content management system. In versions up to and including 4.30.0, `apos.util.set()` traverses dot-notation paths without sanitizing `__proto__`, allowing an authenticated editor to write arbitrary va
Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. Prior to version 2.0.13, fallbackToFrontend in the dashboard's NoRoute handler treats any URL whose raw string starts with /dashboard as an admi
Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.4.0 to before version 2.0.8, a RoleMember user can create a scheduled cron task with Cover=CronCoverAll, Servers=[] and an arbitr
Apostrophe has default XSS via `xmp` raw-text passthrough in `sanitize-html`
ALAS2DOCKER-2026-129 (important): docker
CVE-2026-25680 · CVE-2026-25681 · CVE-2026-27136 · CVE-2026-39821 +2
ALAS2NITRO-ENCLAVES-2026-110 (important): docker
CVE-2026-25680 · CVE-2026-25681 · CVE-2026-27136 · CVE-2026-39821 +2
Snappy: SSRF and local file read via the xsl-style-sheet option
CVE-2026-46683
Snappy: Binary path is never shell-escaped due to an inverted is_executable check
CVE-2026-46643
Linux kernel (Azure) vulnerabilities
CVE-2026-46333 · CVE-2026-43284 · CVE-2026-23274 · CVE-2026-46300 +14
lwIP vulnerabilities
CVE-2026-8836 · CVE-2020-22284 · CVE-2020-22283 · CVE-2020-8597
SUSE-SU-2026:2378-1
CVE-2026-28847 · CVE-2026-28883 · CVE-2026-28901 · CVE-2026-28902 +12
SUSE-SU-2026:2377-1
CVE-2026-41284 · CVE-2026-41293 · CVE-2026-42498 · CVE-2026-43512 +3
aka Evil Corp, Manatee Tempest, DEV-0243, UNC2165
aka UNC1878, TEMP.MixMaster, Grim Spider, FIN12 +6
aka Elderwood Gang, Beijing Group, Sneaky Panda
aka GOLD NIAGARA, ITG14, Carbon Spider, ELBRUS +1
US Gov asks Anthropic to ban 'foreign national' access to Fable, Mythos
Getting the PID from random numbers in PHP
The Axios npm compromise was visible in registry metadata before anyone ran npm install
U.S. Orders Anthropic to Suspend Fable 5 and Mythos 5 Access for Foreign Nationals
Weekly Metasploit Update: New Kerberos/Certificate tracing options, and multiple new modules
Tracing Digital Intent: New MacOS Tahoe 26 Artifact Discovered
Why Use App-Level Auth When Every Database Has Auth? (Splunk Enterprise CVE-2026-20253 Pre-Auth RCE) - watchTowr Labs
Maine disables data breach notification portal after fake disclosures