Total
358423 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-2660 | 1 Lily-lang | 1 Lily | 2026-06-17 | 1.7 LOW | 3.3 LOW |
| A vulnerability was identified in FascinatedBox lily up to 2.3. Affected by this issue is the function shorthash_for_name of the file src/lily_symtab.c. The manipulation leads to use after free. Local access is required to approach this attack. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet. | |||||
| CVE-2026-2659 | 1 Squirrel-lang | 1 Squirrel | 2026-06-17 | 1.7 LOW | 3.3 LOW |
| A vulnerability was determined in Squirrel up to 3.2. Affected by this vulnerability is the function SQFuncState::PopTarget of the file src/squirrel/squirrel/sqfuncstate.cpp. Executing a manipulation of the argument _target_stack can lead to out-of-bounds read. It is possible to launch the attack on the local host. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet. | |||||
| CVE-2026-2658 | 2026-06-17 | 5.0 MEDIUM | 4.3 MEDIUM | ||
| A vulnerability was found in newbee-ltd newbee-mall up to a069069b07027613bf0e7f571736be86f431faee. Affected is an unknown function of the component Multiple Endpoints. Performing a manipulation results in cross-site request forgery. Remote exploitation of the attack is possible. The exploit has been made public and could be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The project was informed of the problem early through an issue report but has not responded yet. | |||||
| CVE-2026-2657 | 1 Wren | 1 Wren | 2026-06-17 | 1.7 LOW | 3.3 LOW |
| A vulnerability has been found in wren-lang wren up to 0.4.0. This impacts the function printError of the file src/vm/wren_compiler.c of the component Error Message Handler. Such manipulation leads to stack-based buffer overflow. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | |||||
| CVE-2026-2656 | 1 Chaiscript | 1 Chaiscript | 2026-06-17 | 1.0 LOW | 2.5 LOW |
| A flaw has been found in ChaiScript up to 6.1.0. This affects the function chaiscript::Type_Info::bare_equal of the file include/chaiscript/dispatchkit/type_info.hpp. This manipulation causes use after free. The attack requires local access. The attack's complexity is rated as high. The exploitability is reported as difficult. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet. | |||||
| CVE-2026-2655 | 1 Chaiscript | 1 Chaiscript | 2026-06-17 | 1.0 LOW | 2.5 LOW |
| A vulnerability was detected in ChaiScript up to 6.1.0. The impacted element is the function chaiscript::str_less::operator of the file include/chaiscript/chaiscript_defines.hpp. The manipulation results in use after free. The attack requires a local approach. The attack requires a high level of complexity. The exploitability is regarded as difficult. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | |||||
| CVE-2026-2654 | 1 Huggingface | 1 Smolagents | 2026-06-17 | 6.5 MEDIUM | 6.3 MEDIUM |
| A weakness has been identified in huggingface smolagents 1.24.0. Impacted is the function requests.get/requests.post of the component LocalPythonExecutor. Executing a manipulation can lead to server-side request forgery. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2026-2653 | 1 Admesh Project | 1 Admesh | 2026-06-17 | 4.3 MEDIUM | 5.3 MEDIUM |
| A security flaw has been discovered in admesh up to 0.98.5. This issue affects the function stl_check_normal_vector of the file src/normals.c. Performing a manipulation results in heap-based buffer overflow. The attack must be initiated from a local position. The exploit has been released to the public and may be used for attacks. It looks like this product is not really maintained anymore. | |||||
| CVE-2026-2650 | 1 Google | 1 Chrome | 2026-06-17 | N/A | 8.8 HIGH |
| Heap buffer overflow in Media in Google Chrome prior to 145.0.7632.109 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium) | |||||
| CVE-2026-2649 | 1 Google | 1 Chrome | 2026-06-17 | N/A | 8.8 HIGH |
| Integer overflow in V8 in Google Chrome prior to 145.0.7632.109 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | |||||
| CVE-2026-2648 | 1 Google | 1 Chrome | 2026-06-17 | N/A | 8.8 HIGH |
| Heap buffer overflow in PDFium in Google Chrome prior to 145.0.7632.109 allowed a remote attacker to perform an out of bounds memory write via a crafted PDF file. (Chromium security severity: High) | |||||
| CVE-2026-2644 | 1 Minisat | 1 Minisat | 2026-06-17 | 1.7 LOW | 3.3 LOW |
| A weakness has been identified in niklasso minisat up to 2.2.0. This issue affects the function Solver::value in the library core/SolverTypes.h of the component DIMACS File Parser. This manipulation of the argument variable index with the input 2147483648 causes out-of-bounds read. The attack needs to be launched locally. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet. | |||||
| CVE-2026-2642 | 2026-06-17 | 1.7 LOW | 3.3 LOW | ||
| A security vulnerability has been detected in ggreer the_silver_searcher up to 2.2.0. The impacted element is the function search_stream of the file src/search.c. The manipulation leads to null pointer dereference. Local access is required to approach this attack. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet. | |||||
| CVE-2026-2641 | 2026-06-17 | 1.7 LOW | 3.3 LOW | ||
| A weakness has been identified in universal-ctags ctags up to 6.2.1. The affected element is the function parseExpression/parseExprList of the file parsers/v.c of the component V Language Parser. Executing a manipulation can lead to uncontrolled recursion. It is possible to launch the attack on the local host. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet. | |||||
| CVE-2026-2637 | 1 Iboysoft | 1 Ntfs For Mac | 2026-06-17 | N/A | 7.8 HIGH |
| iBoysoft NTFS for Mac contains a local privilege escalation vulnerability in its privileged helper daemon ntfshelperd. The daemon exposes an NSConnection service that runs as root without implementing any authentication or authorization checks. This issue affects iBoysoft NTFS: 8.0.0. | |||||
| CVE-2026-2636 | 2026-06-17 | N/A | 5.5 MEDIUM | ||
| This vulnerability is caused by a CWE‑159: "Improper Handling of Invalid Use of Special Elements" weakness, which leads to an unrecoverable inconsistency in the CLFS.sys driver. This condition forces a call to the KeBugCheckEx function, allowing an unprivileged user to trigger a system crash. Microsoft silently fixed this vulnerability in the September 2025 cumulative update for Windows 11 2024 LTSC and Windows Server 2025. Windows 25H2 (released in September) was released with the patch. Windows 1123h2 and earlier versions remain vulnerable. | |||||
| CVE-2026-2635 | 2026-06-17 | N/A | 9.8 CRITICAL | ||
| MLflow Use of Default Password Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the basic_auth.ini file. The file contains hard-coded default credentials. An attacker can leverage this vulnerability to bypass authentication and execute arbitrary code in the context of the administrator. Was ZDI-CAN-28256. | |||||
| CVE-2026-2634 | 1 Mozilla | 1 Firefox | 2026-06-17 | N/A | 9.8 CRITICAL |
| Malicious scripts could cause desynchronization between the address bar and web content before a response is received in Firefox iOS, allowing attacker-controlled pages to be presented under spoofed domains. This vulnerability was fixed in Firefox for iOS 147.4. | |||||
| CVE-2026-2633 | 2026-06-17 | N/A | 4.3 MEDIUM | ||
| The Gutenberg Blocks with AI by Kadence WP plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.6.1. This is due to a missing capability check in the `process_image_data_ajax_callback()` function which handles the `kadence_import_process_image_data` AJAX action. The function's authorization check via `verify_ajax_call()` only validates `edit_posts` capability but fails to check for the `upload_files` capability. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary images from remote URLs to the WordPress Media Library, bypassing the standard WordPress capability restriction that prevents Contributors from uploading files. | |||||
| CVE-2026-2631 | 2026-06-17 | N/A | 9.8 CRITICAL | ||
| The Datalogics Ecommerce Delivery WordPress plugin before 2.6.60 exposes an unauthenticated REST endpoint that allows any remote user to modify the option `datalogics_token` without verification. This token is subsequently used for authentication in a protected endpoint that allows users to perform arbitrary WordPress `update_option()` operations. Attackers can use this to enable registartion and to set the default role as Administrator. | |||||