Contact
Red Hot Cyber
Cybersecurity, Cybercrime News and Vulnerability Analysis
Home

Most Critical CVE List from the Last 3 Days

Below are the critical vulnerabilities published in recent days by the National Vulnerability Database (NVD). Exercise maximum caution to prevent potential exploitation.
Single vulnerability search

04/04/2026

Fortinet

CRITICAL (9.8)
CVE-2026-35616
A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an unauthenticated attacker to execute unauthorized code...
Vendor/s: Fortinet

Full Description

A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 3.9 / 5.9

Additional Information

Published on: 04/04/2026 01:16:39
Last Modified: 04/04/2026 01:16:39

Sources and References

03/04/2026

Azure

CRITICAL (10.0)
CVE-2026-33105
Improper authorization in Microsoft Azure Kubernetes Service allows an unauthorized attacker to elevate privileges over a network.
Vendor/s: Microsoft, Kubernetes, Azure

Full Description

Improper authorization in Microsoft Azure Kubernetes Service allows an unauthorized attacker to elevate privileges over a network.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / NONE
  • Scope: CHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Exploitability/Impact Score: 3.9 / 6

Additional Information

Published on: 03/04/2026 00:16:05
Last Modified: 03/04/2026 16:10:23

Sources and References

CRITICAL (10.0)
CVE-2026-33107
Server-side request forgery (ssrf) in Azure Databricks allows an unauthorized attacker to elevate privileges over a network.
Vendor/s: Azure

Full Description

Server-side request forgery (ssrf) in Azure Databricks allows an unauthorized attacker to elevate privileges over a network.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / NONE
  • Scope: CHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Exploitability/Impact Score: 3.9 / 6

Additional Information

Published on: 03/04/2026 00:16:05
Last Modified: 03/04/2026 16:10:23

Sources and References

CRITICAL (9.6)
CVE-2026-26135
Server-side request forgery (ssrf) in Azure Custom Locations Resource Provider (RP) allows an authorized attacker to elevate privileges over a...
Vendor/s: Azure

Full Description

Server-side request forgery (ssrf) in Azure Custom Locations Resource Provider (RP) allows an authorized attacker to elevate privileges over a network.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: NONE
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / LOW
  • Scope: CHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
  • Exploitability/Impact Score: 3.1 / 5.8

Additional Information

Published on: 03/04/2026 00:16:04
Last Modified: 03/04/2026 16:10:23

Sources and References

CRITICAL (10.0)
CVE-2026-32213
Improper authorization in Azure AI Foundry allows an unauthorized attacker to elevate privileges over a network.
Vendor/s: Azure

Full Description

Improper authorization in Azure AI Foundry allows an unauthorized attacker to elevate privileges over a network.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / NONE
  • Scope: CHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Exploitability/Impact Score: 3.9 / 6

Additional Information

Published on: 03/04/2026 00:16:04
Last Modified: 03/04/2026 16:10:23

Sources and References

Microsoft

CRITICAL (10.0)
CVE-2026-33105
Improper authorization in Microsoft Azure Kubernetes Service allows an unauthorized attacker to elevate privileges over a network.
Vendor/s: Microsoft, Kubernetes, Azure

Full Description

Improper authorization in Microsoft Azure Kubernetes Service allows an unauthorized attacker to elevate privileges over a network.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / NONE
  • Scope: CHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Exploitability/Impact Score: 3.9 / 6

Additional Information

Published on: 03/04/2026 00:16:05
Last Modified: 03/04/2026 16:10:23

Sources and References

Kubernetes

CRITICAL (10.0)
CVE-2026-33105
Improper authorization in Microsoft Azure Kubernetes Service allows an unauthorized attacker to elevate privileges over a network.
Vendor/s: Microsoft, Kubernetes, Azure

Full Description

Improper authorization in Microsoft Azure Kubernetes Service allows an unauthorized attacker to elevate privileges over a network.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / NONE
  • Scope: CHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Exploitability/Impact Score: 3.9 / 6

Additional Information

Published on: 03/04/2026 00:16:05
Last Modified: 03/04/2026 16:10:23

Sources and References

Docker

CRITICAL (9.9)
CVE-2026-34612
Kestra is an open-source, event-driven orchestration platform. Prior to version 1.3.7, Kestra (default docker-compose deployment) contains a SQL Injection vulnerability...
Vendor/s: Docker, Postgresql

Full Description

Kestra is an open-source, event-driven orchestration platform. Prior to version 1.3.7, Kestra (default docker-compose deployment) contains a SQL Injection vulnerability that leads to Remote Code Execution (RCE) in the following endpoint "GET /api/v1/main/flows/search". Once a user is authenticated, simply visiting a crafted link is enough to trigger the vulnerability. The injected payload is executed by PostgreSQL using COPY ... TO PROGRAM ..., which in turn runs arbitrary OS commands on the host. This issue has been patched in version 1.3.7.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / LOW
  • Scope: CHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Exploitability/Impact Score: 3.1 / 6

Additional Information

Published on: 03/04/2026 23:17:04
Last Modified: 03/04/2026 23:17:04

Sources and References

Postgresql

CRITICAL (9.9)
CVE-2026-34612
Kestra is an open-source, event-driven orchestration platform. Prior to version 1.3.7, Kestra (default docker-compose deployment) contains a SQL Injection vulnerability...
Vendor/s: Docker, Postgresql

Full Description

Kestra is an open-source, event-driven orchestration platform. Prior to version 1.3.7, Kestra (default docker-compose deployment) contains a SQL Injection vulnerability that leads to Remote Code Execution (RCE) in the following endpoint "GET /api/v1/main/flows/search". Once a user is authenticated, simply visiting a crafted link is enough to trigger the vulnerability. The injected payload is executed by PostgreSQL using COPY ... TO PROGRAM ..., which in turn runs arbitrary OS commands on the host. This issue has been patched in version 1.3.7.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / LOW
  • Scope: CHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Exploitability/Impact Score: 3.1 / 6

Additional Information

Published on: 03/04/2026 23:17:04
Last Modified: 03/04/2026 23:17:04

Sources and References

02/04/2026

Percona

CRITICAL (9.9)
CVE-2026-25212
An issue was discovered in Percona PMM before 3.7. Because an internal database user retains specific superuser privileges, an attacker...
Vendor/s: Percona

Full Description

An issue was discovered in Percona PMM before 3.7. Because an internal database user retains specific superuser privileges, an attacker with pmm-admin rights can abuse the "Add data source" feature to break out of the database context and execute shell commands on the underlying operating system.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / LOW
  • Scope: CHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Exploitability/Impact Score: 3.1 / 6

Additional Information

Published on: 02/04/2026 17:16:21
Last Modified: 03/04/2026 16:10:23

Sources and References

01/04/2026

Google

CRITICAL (9.6)
CVE-2026-5288
Use after free in WebView in Google Chrome on Android prior to 146.0.7680.178 allowed a remote attacker who had compromised...
Vendor/s: Google, Apple, Linux, Microsoft, Android, Chrome

Full Description

Use after free in WebView in Google Chrome on Android prior to 146.0.7680.178 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: REQUIRED / NONE
  • Scope: CHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 6

Additional Information

Published on: 01/04/2026 05:16:02
Last Modified: 01/04/2026 16:41:09

Sources and References

CRITICAL (9.6)
CVE-2026-5289
Use after free in Navigation in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had compromised the renderer...
Vendor/s: Google, Apple, Linux, Microsoft, Chrome

Full Description

Use after free in Navigation in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: REQUIRED / NONE
  • Scope: CHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 6

Additional Information

Published on: 01/04/2026 05:16:02
Last Modified: 01/04/2026 16:40:59

Sources and References

CRITICAL (9.6)
CVE-2026-5290
Use after free in Compositing in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had compromised the renderer...
Vendor/s: Google, Apple, Linux, Microsoft, Chrome

Full Description

Use after free in Compositing in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: REQUIRED / NONE
  • Scope: CHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 6

Additional Information

Published on: 01/04/2026 05:16:02
Last Modified: 01/04/2026 16:40:52

Sources and References

Apple

CRITICAL (9.6)
CVE-2026-5288
Use after free in WebView in Google Chrome on Android prior to 146.0.7680.178 allowed a remote attacker who had compromised...
Vendor/s: Google, Apple, Linux, Microsoft, Android, Chrome

Full Description

Use after free in WebView in Google Chrome on Android prior to 146.0.7680.178 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: REQUIRED / NONE
  • Scope: CHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 6

Additional Information

Published on: 01/04/2026 05:16:02
Last Modified: 01/04/2026 16:41:09

Sources and References

CRITICAL (9.6)
CVE-2026-5289
Use after free in Navigation in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had compromised the renderer...
Vendor/s: Google, Apple, Linux, Microsoft, Chrome

Full Description

Use after free in Navigation in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: REQUIRED / NONE
  • Scope: CHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 6

Additional Information

Published on: 01/04/2026 05:16:02
Last Modified: 01/04/2026 16:40:59

Sources and References

CRITICAL (9.6)
CVE-2026-5290
Use after free in Compositing in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had compromised the renderer...
Vendor/s: Google, Apple, Linux, Microsoft, Chrome

Full Description

Use after free in Compositing in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: REQUIRED / NONE
  • Scope: CHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 6

Additional Information

Published on: 01/04/2026 05:16:02
Last Modified: 01/04/2026 16:40:52

Sources and References

Linux

CRITICAL (9.6)
CVE-2026-5288
Use after free in WebView in Google Chrome on Android prior to 146.0.7680.178 allowed a remote attacker who had compromised...
Vendor/s: Google, Apple, Linux, Microsoft, Android, Chrome

Full Description

Use after free in WebView in Google Chrome on Android prior to 146.0.7680.178 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: REQUIRED / NONE
  • Scope: CHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 6

Additional Information

Published on: 01/04/2026 05:16:02
Last Modified: 01/04/2026 16:41:09

Sources and References

CRITICAL (9.6)
CVE-2026-5289
Use after free in Navigation in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had compromised the renderer...
Vendor/s: Google, Apple, Linux, Microsoft, Chrome

Full Description

Use after free in Navigation in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: REQUIRED / NONE
  • Scope: CHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 6

Additional Information

Published on: 01/04/2026 05:16:02
Last Modified: 01/04/2026 16:40:59

Sources and References

CRITICAL (9.6)
CVE-2026-5290
Use after free in Compositing in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had compromised the renderer...
Vendor/s: Google, Apple, Linux, Microsoft, Chrome

Full Description

Use after free in Compositing in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: REQUIRED / NONE
  • Scope: CHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 6

Additional Information

Published on: 01/04/2026 05:16:02
Last Modified: 01/04/2026 16:40:52

Sources and References

Microsoft

CRITICAL (9.6)
CVE-2026-5288
Use after free in WebView in Google Chrome on Android prior to 146.0.7680.178 allowed a remote attacker who had compromised...
Vendor/s: Google, Apple, Linux, Microsoft, Android, Chrome

Full Description

Use after free in WebView in Google Chrome on Android prior to 146.0.7680.178 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: REQUIRED / NONE
  • Scope: CHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 6

Additional Information

Published on: 01/04/2026 05:16:02
Last Modified: 01/04/2026 16:41:09

Sources and References

CRITICAL (9.6)
CVE-2026-5289
Use after free in Navigation in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had compromised the renderer...
Vendor/s: Google, Apple, Linux, Microsoft, Chrome

Full Description

Use after free in Navigation in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: REQUIRED / NONE
  • Scope: CHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 6

Additional Information

Published on: 01/04/2026 05:16:02
Last Modified: 01/04/2026 16:40:59

Sources and References

CRITICAL (9.6)
CVE-2026-5290
Use after free in Compositing in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had compromised the renderer...
Vendor/s: Google, Apple, Linux, Microsoft, Chrome

Full Description

Use after free in Compositing in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: REQUIRED / NONE
  • Scope: CHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 6

Additional Information

Published on: 01/04/2026 05:16:02
Last Modified: 01/04/2026 16:40:52

Sources and References

Android

CRITICAL (9.6)
CVE-2026-5288
Use after free in WebView in Google Chrome on Android prior to 146.0.7680.178 allowed a remote attacker who had compromised...
Vendor/s: Google, Apple, Linux, Microsoft, Android, Chrome

Full Description

Use after free in WebView in Google Chrome on Android prior to 146.0.7680.178 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: REQUIRED / NONE
  • Scope: CHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 6

Additional Information

Published on: 01/04/2026 05:16:02
Last Modified: 01/04/2026 16:41:09

Sources and References

Chrome

CRITICAL (9.6)
CVE-2026-5288
Use after free in WebView in Google Chrome on Android prior to 146.0.7680.178 allowed a remote attacker who had compromised...
Vendor/s: Google, Apple, Linux, Microsoft, Android, Chrome

Full Description

Use after free in WebView in Google Chrome on Android prior to 146.0.7680.178 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: REQUIRED / NONE
  • Scope: CHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 6

Additional Information

Published on: 01/04/2026 05:16:02
Last Modified: 01/04/2026 16:41:09

Sources and References

CRITICAL (9.6)
CVE-2026-5289
Use after free in Navigation in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had compromised the renderer...
Vendor/s: Google, Apple, Linux, Microsoft, Chrome

Full Description

Use after free in Navigation in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: REQUIRED / NONE
  • Scope: CHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 6

Additional Information

Published on: 01/04/2026 05:16:02
Last Modified: 01/04/2026 16:40:59

Sources and References

CRITICAL (9.6)
CVE-2026-5290
Use after free in Compositing in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had compromised the renderer...
Vendor/s: Google, Apple, Linux, Microsoft, Chrome

Full Description

Use after free in Compositing in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: REQUIRED / NONE
  • Scope: CHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
  • Exploitability/Impact Score: 2.8 / 6

Additional Information

Published on: 01/04/2026 05:16:02
Last Modified: 01/04/2026 16:40:52

Sources and References

php

CRITICAL (9.8)
CVE-2026-29014
MetInfo CMS versions 7.9, 8.0, and 8.1 contain an unauthenticated PHP code injection vulnerability that allows remote attackers to execute...
Vendor/s: php

Full Description

MetInfo CMS versions 7.9, 8.0, and 8.1 contain an unauthenticated PHP code injection vulnerability that allows remote attackers to execute arbitrary code by sending crafted requests with malicious PHP code. Attackers can exploit insufficient input neutralization in the execution path to achieve remote code execution and gain full control over the affected server.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 3.9 / 5.9

Additional Information

Published on: 01/04/2026 13:16:35
Last Modified: 03/04/2026 17:16:42

Sources and References

Cisco

CRITICAL (9.8)
CVE-2026-20160
A vulnerability in Cisco Smart Software Manager On-Prem (SSM On-Prem) could allow an unauthenticated, remote attacker to execute arbitrary commands...
Vendor/s: Cisco

Full Description

A vulnerability in Cisco Smart Software Manager On-Prem (SSM On-Prem) could allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected SSM On-Prem host. This vulnerability is due to the unintentional exposure of an internal service. An attacker could exploit this vulnerability by sending a crafted request to the API of the exposed service. A successful exploit could allow the attacker to execute commands on the underlying operating system with root-level privileges.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 3.9 / 5.9

Additional Information

Published on: 01/04/2026 17:28:31
Last Modified: 03/04/2026 16:11:11

Sources and References

CRITICAL (9.8)
CVE-2026-20093
A vulnerability in the change password functionality of Cisco Integrated Management Controller (IMC) could allow an unauthenticated, remote attacker to...
Vendor/s: Cisco

Full Description

A vulnerability in the change password functionality of Cisco Integrated Management Controller (IMC) could allow an unauthenticated, remote attacker to bypass authentication and gain access to the system as Admin. This vulnerability is due to incorrect handling of password change requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to bypass authentication, alter the passwords of any user on the system, including an Admin user, and gain access to the system as that user.

CVSS Metrics v3.1

  • Impact: Confid.: HIGH, Integ.: HIGH, Avail.: HIGH
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Interaction/Privileges: NONE / NONE
  • Scope: UNCHANGED
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Exploitability/Impact Score: 3.9 / 5.9

Additional Information

Published on: 01/04/2026 17:28:29
Last Modified: 03/04/2026 16:11:11

Sources and References