10
CVE-2026-25510 - CI4MS Vulnerable to Remote Code Execution (RCE) via Arbitrary File Creation and Save in File Editor
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.28.5.0, an authenticated user with file editor permissions can achieve Remote Code Execution (RCE) by leveraging the file creation and sav…
5.3
CVE-2026-25509 - CI4MS Vulnerable to User Email Enumeration via Password Reset Flow
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.28.5.0, the authentication implementation in CI4MS is vulnerable to email enumeration. An unauthenticated attacker can determine whether a…
9.3
CVE-2026-25150 - Prototype Pollution via FormData Processing in Qwik City
Qwik is a performance focused javascript framework. Prior to version 1.19.0, a prototype pollution vulnerability exists in the formToObj() function within @builder.io/qwik-city middleware. The function processes form field names with dot notation (e.g., user.name) to create nested objects, but fail…
5.3
CVE-2026-25148 - Qwik SSR XSS via Unsafe Virtual Node Serialization
Qwik is a performance focused javascript framework. Prior to version 1.19.0, a Cross-Site Scripting vulnerability in Qwik.js' server-side rendering virtual attribute serialization allows a remote attacker to inject arbitrary web scripts into server-rendered pages via virtual attributes. Successful …
5.9
CVE-2026-25151 - Qwik City has a CSRF Protection Bypass via Content-Type Header Validation
Qwik is a performance focused javascript framework. Prior to version 1.19.0, Qwik City's server-side request handler inconsistently interprets HTTP request headers, which can be abused by a remote attacker to circumvent form submission CSRF protections using specially crafted or multi-valued Conten…
5.9
CVE-2026-25155 - [qwik-city] CSRF protection middleware does not work properly for content type header with paramete…
Qwik is a performance focused javascript framework. Prior to version 1.12.0, a typo in the regular expression within isContentType causes incorrect parsing of certain Content-Type headers. This issue has been patched in version 1.12.0.
2.7
CVE-2026-25149 - Qwik City Open Redirect via fixTrailingSlash
Qwik is a performance focused javascript framework. Prior to version 1.19.0, an Open Redirect vulnerability in Qwik City's default request handler middleware allows a remote attacker to redirect users to arbitrary protocol-relative URLs. Successful exploitation permits attackers to craft convincing…
8.8
CVE-2026-1862 - Type Confusion in V8 Leading to Heap Corruption via Crafted HTML Page
Type Confusion in V8 in Google Chrome prior to 144.0.7559.132 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
8.8
CVE-2026-1861 - Heap Buffer Overflow in libvpx Allows Remote Exploitation via Crafted HTML
Heap buffer overflow in libvpx in Google Chrome prior to 144.0.7559.132 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
9.3
CVE-2025-65078 - Untrusted search path vulnerability in Embedded Solutions Framework
An untrusted search path vulnerability has been identified in the Embedded Solutions Framework in various Lexmark devices. This vulnerability can be leveraged by an attacker to execute arbitrary code.