9.8
CVE-2026-30625 - Remote Code Execution via MCP Task Creation in Upsonic 0.71.6
Upsonic 0.71.6 contains a remote code execution vulnerability in its MCP server/task creation functionality. The application allows users to define MCP tasks with arbitrary command and args values. Although an allowlist exists, certain allowed commands (npm, npx) accept argument flags that enable eβ¦
8.8
CVE-2026-6306 - chromium-browser: Heap buffer overflow in PDFium
Heap buffer overflow in PDFium in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file. (Chromium security severity: High)
7.5
CVE-2026-30996 - Directory Traversal in SACβNFe v2.0.02 download.php Allows Arbitrary File Read
An issue in the file handling logic of the component download.php of SAC-NFe v2.0.02 allows attackers to execute a directory traversal and read arbitrary files from the system via a crafted GET request.
8.3
CVE-2026-30461 - Authenticated Remote Code Execution in FuelCMS via Git Submodule Function
Daylight Studio FuelCMS v1.5.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the /controllers/Installer.php and the function add_git_submodule.
7.5
CVE-2026-6319 - chromium-browser: Use after free in Payments
Use after free in Payments in Google Chrome on Android prior to 147.0.7727.101 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: Medium)
8.4
CVE-2024-53412 - Command Injection via Port Field in NietThijmen ShoppingCart Leading to Remote Code Execution
Command injection in the connect function in NietThijmen ShoppingCart 0.0.2 allows an attacker to execute arbitrary shell commands and achieve remote code execution via injection of malicious payloads into the Port field
8.8
CVE-2026-6358 - chromium-browser: Use after free in XR
Use after free in XR in Google Chrome on Android prior to 147.0.7727.101 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Critical)
8.8
CVE-2026-6302 - chromium-browser: Use after free in Video
Use after free in Video in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
8.8
CVE-2026-6360 - chromium-browser: Use after free in FileSystem
Use after free in FileSystem in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. (Chromium security severity: High)
5.1
CVE-2026-40096 - immich: Open Redirect via Shared Album name
immich is a high performance self-hosted photo and video management solution. Versions prior to 2.7.3 contain an open redirect vulnerability in the shared album functionality, where the album name is inserted unsanitized into a <meta> tag in api.service.ts. A registered attacker can create a sharedβ¦