5.3
CVE-2026-21726 - Loki Path Traversal - CVE-2021-36156 Bypass
The CVE-2021-36156 fix validates the namespace parameter for path traversal sequences after a single URL decode; by double encoding, an attacker can read files at the Ruler API endpoint /loki/api/v1/rules/{namespace}. Thanks to Prasanth Sundararajan for reporting this vulnerability.
9.1
CVE-2025-41118 - Sensitive COS `SecretKey` exposed in plaintext via configuration API due to missing type protection
Pyroscope is an open-source continuous profiling database. The database supports various storage backends, including Tencent Cloud Object Storage (COS). If the database is configured to use Tencent COS as the storage backend, an attacker could extract the secret_key configuration value from the Py…
6.5
CVE-2026-6385 - Ffmpeg: ffmpeg: denial of service and potential arbitrary code execution via signed integer overflo…
A flaw was found in FFmpeg. A remote attacker could exploit this vulnerability by providing a specially crafted MPEG-PS/VOB media file containing a malicious DVD subtitle stream. This vulnerability is caused by a signed integer overflow in the DVD subtitle parser's fragment reassembly bounds checks…
3.7
CVE-2026-33877 - ApostropheCMS: User Enumeration via Timing Side Channel in Password Reset Endpoint
ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a timing side-channel vulnerability in the password reset endpoint (/api/v1/@apostrophecms/login/reset-request) that allows unauthenticated username and email enumeration. When a user is not found, …
6.5
CVE-2026-6364 - Skia: Google Chrome: Chromium: Skia: Information disclosure via out-of-bounds read in Google Chrome
Out of bounds read in Skia in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted file. (Chromium security severity: Medium)
8.8
CVE-2026-6317 - Google Chrome: Chromium: Google Chrome and Chromium: Arbitrary code execution via a crafted HTML pa…
Use after free in Cast in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
8.8
CVE-2026-6363 - V8: Google Chrome: Chromium: Google Chrome V8: Out-of-bounds memory access via crafted HTML page
Type Confusion in V8 in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: Medium)
8.3
CVE-2026-6361 - PDFium: Google Chrome: Chromium: PDFium in Google Chrome: Arbitrary code execution via crafted PDF …
Heap buffer overflow in PDFium in Google Chrome on Windows prior to 147.0.7727.101 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code inside a sandbox via a crafted PDF file. (Chromium security severity: High)
8.8
CVE-2026-6316 - Google Chrome: Chromium: Google Chrome/Chromium: Arbitrary code execution via use-after-free in For…
Use after free in Forms in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
8.3
CVE-2026-6314 - Google Chrome: Chromium: Google Chrome and Chromium: Sandbox escape via out-of-bounds write in GPU
Out of bounds write in GPU in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the GPU process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)