NVD - Home

The NVD is the U.S. government repository of standards based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.

For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries (with CVSS Severity where scored)
  • CVE-2024-56732 - HarfBuzz is a text shaping engine. Starting with 8.5.0 through 10.0.1, there is a heap-based buffer overflow in the hb_cairo_glyphs_from_buffer function.
    Published: December 27, 2024; 3:15:23 PM -0500

  • CVE-2026-13034 - Inappropriate implementation in Passwords in Google Chrome prior to 149.0.7827.197 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High)
    Published: June 24, 2026; 3:17:09 PM -0400

  • CVE-2026-13035 - Use after free in Bluetooth in Google Chrome on Mac prior to 149.0.7827.197 allowed a remote attacker to execute arbitrary code via a malicious peripheral. (Chromium security severity: High)
    Published: June 24, 2026; 3:17:09 PM -0400

  • CVE-2026-13036 - Use after free in Blink in Google Chrome prior to 149.0.7827.197 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
    Published: June 24, 2026; 3:17:09 PM -0400

  • CVE-2026-13037 - Use after free in WebView in Google Chrome on Android prior to 149.0.7827.197 allowed a local attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
    Published: June 24, 2026; 3:17:09 PM -0400

  • CVE-2026-13038 - Use after free in Autofill in Google Chrome on Windows prior to 149.0.7827.197 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)
    Published: June 24, 2026; 3:17:10 PM -0400

  • CVE-2026-39948 - Cacti is an open source performance and fault management framework. In versions 1.2.30 and prior, the rfilter request parameter is retrieved via the raw accessor grv() (rather than gfrv() with FILTER_VALIDATE_IS_REGEX validation) and concatenated ... read CVE-2026-39948
    Published: June 24, 2026; 7:16:40 PM -0400

    V3.1: 9.8 CRITICAL

  • CVE-2026-39955 - Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have pre-authentication SQL Injection via unanchored FILTER_VALIDATE_REGEXP in graph_view.php. This issue has been fixed in version 1.2.31.
    Published: June 24, 2026; 7:16:40 PM -0400

  • CVE-2026-39951 - Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have a Stored SQL Injection vulnerability through graph_name_regexp in the Reports feature. This issue has been fixed in version 1.2.31.
    Published: June 24, 2026; 8:17:47 PM -0400

    V3.1: 8.8 HIGH

  • CVE-2026-40079 - Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior are vulnerable to Command Injection due to lack of sanitization in the escape_command() function. The escape_command() function at lib/rrd.php is a no-op... read CVE-2026-40079
    Published: June 24, 2026; 8:17:47 PM -0400

    V3.1: 9.8 CRITICAL

  • CVE-2026-39893 - Cacti is an open source performance and fault management framework. In versions 1.2.30 and prior, the rfilter request variable was concatenated into a RLIKE SQL clause without sanitization. The endpoint does not require authentication (graph viewi... read CVE-2026-39893
    Published: June 24, 2026; 6:16:46 PM -0400

  • CVE-2026-39897 - Cacti is an open source performance and fault management framework. Versions 1.2.30 and below contain a Reflected XSS vulnerability in the html_auth_footer. This issue has been fixed in version 1.2.31.
    Published: June 24, 2026; 6:16:46 PM -0400

    V3.1: 6.1 MEDIUM

  • CVE-2026-39899 - Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior are vulnerable to Path Traversal via filename parameter in package_import.php. This issue has been fixed in version 1.2.31.
    Published: June 24, 2026; 7:16:40 PM -0400

    V3.1: 5.3 MEDIUM

  • CVE-2026-39900 - Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior are vulnerable to Reflected XSS via tab parameter in the auth_profile.php JavaScript context. This issue has been fixed in version 1.2.31.
    Published: June 24, 2026; 7:16:40 PM -0400

    V3.1: 6.1 MEDIUM

  • CVE-2026-39938 - Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have unauthenticated LFI through graph_theme and rrdtool IPC serialization hardening. This issue has been resolved in version 1.2.31.
    Published: June 24, 2026; 7:16:40 PM -0400

  • CVE-2026-34714 - Vim before 9.2.0272 allows code execution that happens immediately upon opening a crafted file in the default configuration, because %{expr} injection occurs with tabpanel lacking P_MLE.
    Published: March 30, 2026; 3:16:26 PM -0400

    V3.1: 8.6 HIGH

  • CVE-2026-49975 - Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http leads to denial of service via malicious HTTP requests. This issue affects Apache HTTP Server: from 2.4.17 through 2.4.67.
    Published: June 08, 2026; 12:16:44 PM -0400

  • CVE-2026-48137 - There is an untrusted pointer dereference vulnerability in the NI grpc-device sideband streaming API that may allow an attacker to cause an arbitrary memory dereference, potentially resulting in remote code execution. Successful exploitation requ... read CVE-2026-48137
    Published: June 19, 2026; 10:16:22 AM -0400

    V3.1: 9.8 CRITICAL

  • CVE-2026-48138 - There is an out-of-bounds read vulnerability in the NI grpc-device streaming API due to a missing bounds check that may result in a denial of service. Successful exploitation requires an attacker to supply a specially crafted write request. This a... read CVE-2026-48138
    Published: June 19, 2026; 10:16:22 AM -0400

  • CVE-2026-48139 - There is a NULL pointer dereference vulnerability in NI grpc-device in the data moniker service that may allow an attacker to cause a denial of service by triggering a crash. Successful exploitation requires an attacker to provide an unknown valu... read CVE-2026-48139
    Published: June 19, 2026; 10:16:22 AM -0400

Created September 20, 2022, Updated August 27, 2024