7.5
CVE-2026-30994 - Unauthenticated Access to Config File Exposes Session Credentials in Slah v1.5.0 and Earlier
Incorrect access control in the config.php component of Slah v1.5.0 and below allows unauthenticated attackers to access sensitive information, including active session credentials.
8.8
CVE-2026-6318 - chromium-browser: Use after free in Codecs
Use after free in Codecs in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
7.1
CVE-2026-6855 - Instructlab: instructlab: path traversal allows arbitrary directory creation and file write
A flaw was found in InstructLab. A local attacker could exploit a path traversal vulnerability in the chat session handler by manipulating the `logs_dir` parameter. This allows the attacker to create new directories and write files to arbitrary locations on the system, potentially leading to unauthβ¦
6.3
CVE-2026-6362 - chromium-browser: Use after free in Codecs
Use after free in Codecs in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to potentially perform out of bounds memory access via a crafted video file. (Chromium security severity: High)
8.8
CVE-2026-6859 - Instructlab: instructlab: arbitrary code execution due to hardcoded `trust_remote_code=true`
A flaw was found in InstructLab. The `linux_train.py` script hardcodes `trust_remote_code=True` when loading models from HuggingFace. This allows a remote attacker to achieve arbitrary Python code execution by convincing a user to run `ilab train/download/generate` with a specially crafted maliciouβ¦
9.8
CVE-2026-30993 - Remote Code Execution via Session Function in Slah CMS
Slah CMS v1.5.0 and below was discovered to contain a remote code execution (RCE) vulnerability in the session() function at config.php. This vulnerability is exploitable via a crafted input.
4.3
CVE-2026-6298 - chromium-browser: Heap buffer overflow in Skia
Heap buffer overflow in Skia in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Critical)
8.3
CVE-2026-30461 - Authenticated Remote Code Execution in FuelCMS via Git Submodule Function
Daylight Studio FuelCMS v1.5.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the /controllers/Installer.php and the function add_git_submodule.
8
CVE-2026-30615 - Prompt Injection in Windsurf Enables Remote Command Execution
A prompt injection vulnerability in Windsurf 1.9544.26 allows remote attackers to execute arbitrary commands on a victim system. When Windsurf processes attacker-controlled HTML content, malicious instructions can cause unauthorized modification of the local MCP configuration and automatic registraβ¦
8.8
CVE-2026-6306 - chromium-browser: Heap buffer overflow in PDFium
Heap buffer overflow in PDFium in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file. (Chromium security severity: High)