Total: 361460 CVE

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-8955 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-06-17 | N/A | 8.8 HIGH |
| Privilege escalation in the DOM: Workers component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. | |||||
| CVE-2026-8954 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-06-17 | N/A | 7.5 HIGH |
| Incorrect boundary conditions, integer overflow in the Audio/Video component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. | |||||
| CVE-2026-8953 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-06-17 | N/A | 9.6 CRITICAL |
| Sandbox escape due to use-after-free in the Disability Access APIs component. This vulnerability was fixed in Firefox 151, Firefox ESR 115.36, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. | |||||
| CVE-2026-8952 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-06-17 | N/A | 8.8 HIGH |
| Privilege escalation in the Application Update component. This vulnerability was fixed in Firefox 151 and Thunderbird 151. | |||||
| CVE-2026-8951 | 1 Mozilla | 1 Firefox | 2026-06-17 | N/A | 6.5 MEDIUM |
| Spoofing issue in the Toolbar component in Firefox for Android. This vulnerability was fixed in Firefox 151. | |||||
| CVE-2026-8950 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-06-17 | N/A | 9.3 CRITICAL |
| Same-origin policy bypass in the Networking: HTTP component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. | |||||
| CVE-2026-8949 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-06-17 | N/A | 7.5 HIGH |
| Integer overflow in the Widget: Win32 component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. | |||||
| CVE-2026-8948 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-06-17 | N/A | 9.1 CRITICAL |
| Same-origin policy bypass in the DOM: Networking component. This vulnerability was fixed in Firefox 151 and Thunderbird 151. | |||||
| CVE-2026-8947 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-06-17 | N/A | 7.3 HIGH |
| Use-after-free in the DOM: Bindings (WebIDL) component. This vulnerability was fixed in Firefox 151, Firefox ESR 115.36, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. | |||||
| CVE-2026-8946 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-06-17 | N/A | 7.5 HIGH |
| Incorrect boundary conditions in the Audio/Video: Web Codecs component. This vulnerability was fixed in Firefox 151, Firefox ESR 115.36, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. | |||||
| CVE-2026-8945 | 1 Mozilla | 2 Firefox, Firefox Focus | 2026-06-17 | N/A | 7.5 HIGH |
| Sandbox escape in Firefox and Firefox Focus for Android. This vulnerability was fixed in Firefox 151. | |||||
| CVE-2026-8943 | | | 2026-06-17 | N/A | 4.3 MEDIUM |
| The GoStats for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the gostats_manage() function. This makes it possible for unauthenticated attackers to update the plugin's settings (gostats_siteid and gostats_server options) via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2026-8942 | | | 2026-06-17 | N/A | 4.3 MEDIUM |
| The MetaMagic SEO Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.6. This is due to missing or incorrect nonce validation on the metamagic_update_options function. This makes it possible for unauthenticated attackers to modify the plugin's SEO settings, including enabling or disabling the plugin and toggling description and keyword meta tag output via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2026-8941 | | | 2026-06-17 | N/A | 4.3 MEDIUM |
| The CDN Linker lite plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.1. This is due to missing or incorrect nonce validation on the ossdl_off_options() function. This makes it possible for unauthenticated attackers to update the plugin's settings — including the CDN URL used to rewrite all static asset references on the site — via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2026-8940 | | | 2026-06-17 | N/A | 4.3 MEDIUM |
| The WP Meta Sort Posts plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.9. This is due to missing or incorrect nonce validation on the top-level included script in msp-options.php. This makes it possible for unauthenticated attackers to change the plugin's msp_loop_file and msp_nav_location settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2026-8939 | | | 2026-06-17 | N/A | 4.3 MEDIUM |
| The Search Simple Fields plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 0.2. This is due to missing or incorrect nonce validation on the search_simple_fields_options() function in functions_admin.php. This makes it possible for unauthenticated attackers to modify the plugin's settings — including post types to search in, custom fields, media fields and the custom media function name — via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2026-8938 | | | 2026-06-17 | N/A | 4.3 MEDIUM |
| The auto making JSON-LD plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.5.3. This is due to missing or incorrect nonce validation on the amJL_certification function. This makes it possible for unauthenticated attackers to update the plugin's license key option, and subsequently trigger license validation and pro feature installation on the victim site without the administrator's consent via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Successful exploitation can trigger downstream calls to amJL_is_license_valid() and amJL_download_and_install_pro_features(), meaning the impact extends beyond a simple settings change to unauthorized installation of plugin components. | |||||
| CVE-2026-8936 | | | 2026-06-17 | N/A | N/A |
| Fixed a VM panic caused by unbounded recursion in the grpcfuse kernel module when a container created deeply nested directories on a bind-mounted host folder and triggered a dentry invalidation event. This issue has been fixed in Docker Desktop 4.76.0. | |||||
| CVE-2026-8935 | | | 2026-06-17 | N/A | 9.8 CRITICAL |
| The WP MAPS PRO WordPress plugin before 6.1.1 registers an unauthenticated AJAX action which, given a valid nonce that is publicly emitted on any frontend page enqueuing its map script, unconditionally creates an administrator account and returns a magic-login URL granting interactive admin access. | |||||
| CVE-2026-8931 | | | 2026-06-17 | N/A | N/A |
| A critical Remote Code Execution (RCE) vulnerability exists in Disig Web Signer versions 2.0.3 through 2.5.3. | |||||
