6.4
CVE-2026-5711 - Post Blocks & Tools <= 1.3.0 - Authenticated (Author+) Stored Cross-Site Scripting via 'sliderStyle…
The Post Blocks & Tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sliderStyle' block attribute in the Posts Slider block in all versions up to, and including, 1.3.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it…
4.3
CVE-2026-5894 - Google Chrome: Chromium: Google Chrome/Chromium: Navigation restriction bypass via crafted HTML page
Inappropriate implementation in PDF in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low)
9.6
CVE-2026-5874 - Google Chrome: Chromium: Google Chrome: Sandbox escape via use-after-free in PrivateAI
Use after free in PrivateAI in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)
8.8
CVE-2026-5858 - Google Chrome: WebML: Chromium: Google Chrome: Arbitrary code execution via heap buffer overflow in…
Heap buffer overflow in WebML in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)
5.1
CVE-2026-5806 - code-projects Easy Blog Site update.php cross site scripting
A security vulnerability has been detected in code-projects Easy Blog Site 1.0. This affects an unknown function of the file /posts/update.php. The manipulation of the argument postTitle leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed publicly and…
5.7
CVE-2026-39901 - monetr: Protected Transactions Deletable via PUT
monetr is a budgeting application focused on planning for recurring expenses. Prior to 1.12.3, a transaction integrity flaw allows an authenticated tenant user to soft-delete synced non-manual transactions through the transaction update endpoint, despite the application explicitly blocking deletion…
9
CVE-2026-39860 - Nix sandbox escape: file write via symlink at FOD `.tmp` copy destination
Nix is a package manager for Linux and other Unix systems. A bug in the fix for CVE-2024-27297 allowed for arbitrary overwrites of files writable by the Nix process orchestrating the builds (typically the Nix daemon running as root in multi-user installations) by following symlinks during fixed-out…
6.9
CVE-2026-39892 - cryptography has a buffer overflow if non-contiguous buffers were passed to APIs
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. From 45.0.0 to before 46.0.7, if a non-contiguous buffer was passed to APIs which accepted Python buffers (e.g. Hash.update()), this could lead to buffer overflows. This vulnerability is fixed in…
8.8
CVE-2026-39891 - PraisonAI has a Template Injection in Agent Tool Definitions
PraisonAI is a multi-agent teams system. Prior to 4.5.115, the create_agent_centric_tools() function returns tools (like acp_create_file) that process file content using template rendering. When user input from agent.start() is passed directly into these tools without escaping, template expressions…
9.8
CVE-2026-39890 - PraisonAI Affected by Remote Code Execution via YAML Deserialization in Agent Definition Loading
PraisonAI is a multi-agent teams system. Prior to 4.5.115, the AgentService.loadAgentFromFile method uses the js-yaml library to parse YAML files without disabling dangerous tags (such as !!js/function and !!js/undefined). This allows an attacker to craft a malicious YAML file that, when parsed, ex…