CVE-2026-4698
JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140
CVSS
9.8
Critical
EPSS
0.8%
p51
KEV
—
Exploit Today
15
0-100
Published: Mar 24, 2026 · Last modified: Jul 15, 2026 · CWE-843 · CWE-733
0.8%EPSS · 30 days0.8%
2026-06-302026-07-17
JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
- bugzilla.mozilla.orghttps://bugzilla.mozilla.org/show_bug.cgi?id=2020906
- www.mozilla.orghttps://www.mozilla.org/security/advisories/mfsa2026-20/
- www.mozilla.orghttps://www.mozilla.org/security/advisories/mfsa2026-21/
- www.mozilla.orghttps://www.mozilla.org/security/advisories/mfsa2026-22/
- www.mozilla.orghttps://www.mozilla.org/security/advisories/mfsa2026-23/
- www.mozilla.orghttps://www.mozilla.org/security/advisories/mfsa2026-24/
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:5930
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:5931
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:5932
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:6188
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:6342
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:6917
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:7837
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:7838
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:7839
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:7840
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:7841
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:7842
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:7843
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:7845
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2025-105859.8 CRI91.8%
KEV—78Google Chromium V8 Type Confusion Vulnerability3dCVE-2025-132238.8 HIG91.1%
KEV—77Google Chromium V8 Type Confusion Vulnerability3dCVE-2026-217107.5 HIG97.8%
——29A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`.
When this occurs, `dest["__proto__"]` resolves to `Object.prototype` rather than `undefined`, causing `.push()` to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by `error` event listeners, meaning it cannot be handled without wrapping every `req.headersDistinct` access in a `try/catch`.
* This vulnerability affects all Node.js HTTP servers on **20.x, 22.x, 24.x, and v25.x**3dCVE-2026-59467.5 HIG76.2%
——23Multiple flaws have been identified in `named` related to the handling of DNS messages whose CLASS is not Internet (`IN`) — for example, `CHAOS` or `HESIOD`, or DNS messages that specify meta-classes (`ANY` or `NONE`) in the question section. Specially crafted requests reaching the affected code paths — recursion, dynamic updates (`UPDATE`), zone change notifications (`NOTIFY`), or processing of `IN`-specific record types in non-`IN` data — can cause assertion failures in `named`.
This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.3dCVE-2026-339379.8 CRI75.8%
——23Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, `Handlebars.compile()` accepts a pre-parsed AST object in addition to a template string. The `value` field of a `NumberLiteral` AST node is emitted directly into the generated JavaScript without quoting or sanitization. An attacker who can supply a crafted AST to `compile()` can therefore inject and execute arbitrary JavaScript, leading to Remote Code Execution on the server. Version 4.7.9 fixes the issue. Some workarounds are available. Validate input type before calling `Handlebars.compile()`; ensure the argument is always a `string`, never a plain object or JSON-deserialized value. Use the Handlebars runtime-only build (`handlebars/runtime`) on the server if templates are pre-compiled at build time; `compile()` will be unavailable.3dCVE-2026-571087.5 HIG61.9%
——19Access of resource using incompatible type ('type confusion') in .NET Core allows an unauthorized attacker to deny service over a network.3d