
SingCERT Security Bulletin: Critical Vulnerabilities Week of 8 April 2026

Source: CSA Alerts & Advisories (Singapore), www.csa.gov.sg

Summary

The Cyber Security Agency of Singapore (CSA), through SingCERT, issued its weekly Security Bulletin for 8 April 2026, summarizing critical- and high-severity vulnerabilities collated from NIST's National Vulnerability Database (NVD) over the past week. The critical table opens with several CVSS 10.0 entries affecting Microsoft Bing and Azure services, ChurchCRM, Dgraph, SandboxJS, Juju, Samsung Exynos processors and PraisonAI, followed by a long tail of 9.9 to 9.3 entries spanning CMSs, orchestration platforms, browsers, industrial network gear and AI tooling. Organizations are advised to review the affected products and apply the available patches.

What changed

SingCERT's weekly security bulletin aggregates newly published critical-severity CVEs from NIST NVD. The CVSS 10.0 entries are: server-side request forgery (SSRF) in Microsoft Bing and in Azure Databricks, both allowing an unauthorized attacker to elevate privileges over a network; improper authorization in Azure Kubernetes Service and in Azure AI Foundry with the same impact; a pre-authentication remote code execution flaw in ChurchCRM's setup wizard, present because the fix for CVE-2025-62521 was incomplete; an unauthenticated Dgraph restoreTenant admin mutation that accepts attacker-controlled backup sources (including file:// paths) and can overwrite the database, read server-side files and perform SSRF; a SandboxJS bypass of its global-object protection via an exposed callable constructor; a Juju Dqlite cluster that does not validate client certificates, letting any host that can reach the Dqlite port join the cluster and read or write the controller database; a three-layer sandbox bypass in PraisonAI's execute_code(); and a stack-based buffer overflow in SMS RP-DATA parsing across Samsung Exynos mobile, wearable and modem processors.

Organizations using Microsoft Azure cloud services, ChurchCRM, Dgraph, applications that embed SandboxJS, Juju, PraisonAI, or Samsung Exynos-based mobile, wearable or modem devices should prioritize patching. The SSRF entries for Bing and Azure Databricks and the improper-authorization entries for Azure Kubernetes Service and Azure AI Foundry are the ones most relevant to cloud-native architectures; the bulletin gives no customer-side remediation for them beyond the NVD reference, so check each NVD entry for any configuration change Microsoft requires. ChurchCRM's remote code execution flaw needs no authentication and is reached through the setup wizard during initial installation, so versions prior to 7.1.0 with a reachable setup wizard should be treated as exposed; because it is an incomplete fix for CVE-2025-62521, having the earlier fix applied is not sufficient. Dgraph users should verify their installations are on 25.3.1 or later and, until then, keep the admin GraphQL endpoint off untrusted networks, since restoreTenant runs with no authorization middleware and takes attacker-controlled backup source URLs, credentials and key file paths.

What to do next

  1. Review the listed CVEs and identify affected Microsoft Azure, ChurchCRM, Dgraph, SandboxJS, Juju, PraisonAI, and Samsung products in your environment
  2. Apply the fixed versions named in the bulletin: CVE-2026-39337 (ChurchCRM 7.1.0), CVE-2026-34976 (Dgraph 25.3.1), CVE-2026-34208 (SandboxJS 0.8.36), CVE-2026-4370 (Juju 3.6.20 and 4.0.5, the first releases after the affected 3.2.0 to 3.6.19 and 4.0 to 4.0.4 ranges), and CVE-2026-34938 (PraisonAI 1.5.90); for the Microsoft and Samsung entries, follow the vendor advisories linked from NVD
  3. Limit outbound network access from workloads that fetch user-supplied URLs, restrict admin and database-cluster ports (for example Dgraph's admin endpoint and Juju's Dqlite port) to trusted networks, and alert on request parameters that carry file://, loopback, link-local or metadata-service addresses, which are the hallmarks of the SSRF and improper-authorization flaws in this bulletin
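The detection in step 3 can be run over ordinary web access logs. The following is an added example, not part of the bulletin or of any product's code: it parses combined-log-format lines, pulls every query parameter whose value is a URL, and flags targets an SSRF should never reach (file:// and similar schemes, loopback, link-local or private addresses, and the usual metadata hostnames), including decimal and hex IP encodings that bypass naive string matching. The log lines, paths and parameter names are constructed for the example.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, unquote, urlparse

# Constructed sample access-log lines for this example; the hosts, paths and
# parameter names are invented and do not come from the bulletin.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Apr/2026:10:01:02 +0800] "GET /api/fetch?url=https%3A%2F%2Fexample.com%2Ffeed HTTP/1.1" 200 512
10.0.0.7 - - [08/Apr/2026:10:01:09 +0800] "GET /api/fetch?url=http%3A%2F%2F169.254.169.254%2Fmetadata%2Fidentity HTTP/1.1" 200 1400
10.0.0.9 - - [08/Apr/2026:10:02:33 +0800] "POST /admin?mutation=restoreTenant&location=file%3A%2F%2F%2Fetc%2Fpasswd HTTP/1.1" 200 88
10.0.0.9 - - [08/Apr/2026:10:03:10 +0800] "GET /api/fetch?url=http%3A%2F%2F2130706433%2F HTTP/1.1" 500 0
10.0.0.4 - - [08/Apr/2026:10:04:00 +0800] "GET /api/fetch?url=https%3A%2F%2Fcdn.example.org%2Fimg.png HTTP/1.1" 200 20480
"""

# Combined-log-format request line: source, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Schemes that let an SSRF reach the local filesystem or non-HTTP services.
DANGEROUS_SCHEMES = {"file", "gopher", "dict", "ftp", "ldap"}
INTERNAL_HOSTNAMES = {"localhost", "metadata.google.internal"}


def host_to_ip(host):
    """Parse dotted/IPv6 hosts and also decimal or hex forms (e.g. 2130706433)."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        return ipaddress.ip_address(int(host, 0))
    except (ValueError, OverflowError):
        return None


def classify_url(candidate):
    """Return a reason string if the URL points somewhere an SSRF should not, else None."""
    parsed = urlparse(candidate)
    scheme = parsed.scheme.lower()
    if not scheme:
        return None
    if scheme in DANGEROUS_SCHEMES:
        return f"{scheme}:// scheme"
    host = (parsed.hostname or "").lower()
    if host in INTERNAL_HOSTNAMES:
        return f"internal host {host}"
    ip = host_to_ip(host)
    if ip is not None and (ip.is_private or ip.is_loopback or ip.is_link_local
                           or ip.is_reserved or ip.is_unspecified):
        return f"non-public address {ip}"
    return None


def scan_log(text):
    """Flag query parameters whose (decoded) value is a URL to a non-public target."""
    findings = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        target = urlparse(match.group("target"))
        for key, value in parse_qsl(target.query, keep_blank_values=True):
            # parse_qsl decodes once; a second unquote catches double-encoded values.
            decoded = unquote(value)
            reason = classify_url(decoded)
            if reason:
                findings.append({"src": match.group("src"), "path": target.path,
                                 "param": key, "value": decoded, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['src']} {f['path']} {f['param']}={f['value']!r}: {f['reason']}")
```

The check is deliberately host-based rather than string-based: a denylist of the literal text "169.254.169.254" misses the decimal, hex and DNS-rebinding forms, whereas resolving the host to an address and asking ipaddress whether it is public catches the first two. Resolving hostnames at scan time is left out so the scanner stays offline; in production, resolve and re-check the result.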

Archived snapshot

Apr 8, 2026

GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.

SecurityBulletin08April2026

Generatedon08April2026

SingCERT'sSecurityBulletinsummarisesthelistofvulnerabilitiescollatedfromtheNationalInstituteofStandardsandTechnology(NIST)'sNationalVulnerability Database(NVD)inthepastweek. Thevulnerabilitiesaretabledbasedonseverity,inaccordancetotheirCVSSv3basescores: vulnerabilitieswithabasescoreof9.0toCritical 10.0 vulnerabilitieswithabasescoreof7.0toHigh 8.9 vulnerabilitieswithabasescoreof4.0toMedium 6.9 vulnerabilitieswithabasescoreof0.1toLow 3.9 None vulnerabilitieswithabasescoreof0.0 ForthosevulnerabilitieswithoutassignedCVSSscores,pleasevisitNVDfortheupdatedCVSSvulnerabilityentries.

CRITICALVULNERABILITIES

BaseCVENumber Description ReferenceScore

CVE-2026- Server-siderequestforgery(ssrf)inMicrosoftBingallowsanunauthorizedattackertoelevateprivilegesoveranetwork. 10.0 MoreDetails32186 CVE-2026- Server-siderequestforgery(ssrf)inAzureDatabricksallowsanunauthorizedattackertoelevateprivilegesoveranetwork. 10.0 MoreDetails33107 CVE-2026- ImproperauthorizationinMicrosoftAzureKubernetesServiceallowsanunauthorizedattackertoelevateprivilegesovera 10.0 MoreDetails33105 network. ChurchCRMisanopen-sourcechurchmanagementsystem.Priorto7.1.0,criticalpre-authenticationremotecodeexecution CVE-2026- vulnerabilityinChurchCRM'ssetupwizardallowsunauthenticatedattackerstoinjectarbitraryPHPcodeduringtheinitial 10.0 MoreDetails39337 installationprocess,leadingtocompleteservercompromise.The"$dbPassword"variableisnotsanitized.Thisvulnerability existsduetoanincompletefixforCVE-2025-62521.Thisvulnerabilityisfixedin7.1.0. CVE-2026- ImproperauthorizationinAzureAIFoundryallowsanunauthorizedattackertoelevateprivilegesoveranetwork. 10.0 MoreDetails32213 DgraphisanopensourcedistributedGraphQLdatabase.Priorto25.3.1,therestoreTenantadminmutationismissingfromthe authorizationmiddlewareconfig(admin.go),makingitcompletelyunauthenticated.Unlikethesimilarrestoremutationwhich CVE-2026- requiresGuardian-of-Galaxyauthentication,restoreTenantexecuteswithzeromiddleware.Thismutationacceptsattacker- 10.0 MoreDetails34976 controlledbackupsourceURLs(includingfile://forlocalfilesystemaccess),S3/MinIOcredentials,encryptionkeyfilepaths,and Vaultcredentialfilepaths.Anunauthenticatedattackercanoverwritetheentiredatabase,readserver-sidefiles,andperform SSRF.Thisvulnerabilityisfixedin25.3.1. 
SandboxJSisaJavaScriptsandboxinglibrary.Priorto0.8.36,SandboxJSblocksdirectassignmenttoglobalobjects(forexample Math.random=...),butthisprotectioncanbebypassedthroughanexposedcallableconstructorpath:CVE-2026- this.constructor.call(target,attackerObject).Becausethis.constructorresolvestotheinternalSandboxGlobalfunctionand 10.0 MoreDetails34208 Function.prototype.callisallowed,attackercodecanwritearbitrarypropertiesintohostglobalobjectsandpersistthose mutationsacrosssandboxinstancesinthesameprocess.Thisvulnerabilityisfixedin0.8.36. AvulnerabilitywasidentifiedinJujufromversion3.2.0until3.6.19andfromversion4.0until4.0.4,wheretheinternalDqlite databaseclusterfailstoperformproperTLSclientandserverauthentication.Specifically,theJujucontroller'sdatabaseCVE-2026- endpointdoesnotvalidateclientcertificateswhenanewnodeattemptstojointhecluster.Anunauthenticatedattackerwith 10.0 MoreDetails4370 networkreachabilitytotheJujucontroller'sDqliteportcanexploitthisflawtojointhedatabasecluster.Oncejoined,the attackergainsfullreadandwriteaccesstotheunderlyingdatabase,allowingfortotaldatacompromise. AnissuewasdiscoveredinSMSinSamsungMobileProcessor,WearableProcessor,andModemExynos980,990,850,1080,CVE-2025- 2100,1280,2200,1330,1380,1480,2400,1580,2500,9110,W920,W930,W1000,Modem5123,Modem5300,andModem 10.0 MoreDetails54328 5400.AStack-basedBufferOverflowoccurswhileparsingSMSRP-DATAmessages. 
PraisonAIisamulti-agentteamssystem.Priortoversion1.5.90,executecode()inpraisonai-agentsrunsattacker-controlled CVE-2026- Pythoninsideathree-layersandboxthatcanbefullybypassedbypassingastrsubclasswithanoverriddenstartswith()method 10.0 MoreDetails34938 tothesafe_getattrwrapper,achievingarbitraryOScommandexecutiononthehost.Thisissuehasbeenpatchedinversion 1.5.90. Kestraisanopen-source,event-drivenorchestrationplatform.Priortoversion1.3.7,Kestra(defaultdocker-compose deployment)containsaSQLInjectionvulnerabilitythatleadstoRemoteCodeExecution(RCE)inthefollowingendpoint"GETCVE-2026- /api/v1/main/flows/search".Onceauserisauthenticated,simplyvisitingacraftedlinkisenoughtotriggerthevulnerability.The 9.9 MoreDetails34612 injectedpayloadisexecutedbyPostgreSQLusingCOPY...TOPROGRAM...,whichinturnrunsarbitraryOScommandsonthe host.Thisissuehasbeenpatchedinversion1.3.7.

CVE-2026- 9.9 MoreDetails editingblogcategories.AnattackercaninjectamaliciousJavaScriptpayloadintothecategorytitlefield,whichisthenstored34569 server-side.Thisstoredpayloadislaterrenderedunsafelyacrosspublic-facingblogcategorypages,administrativeinterfaces, andblogpostviewswithoutproperoutputencoding,leadingtostoredcross-sitescripting(XSS).Thisissuehasbeenpatchedin version0.31.0.0. WindmillCEandEEversions1.276.0through1.603.2containanSQLinjectionvulnerabilityinthefolderownership CVE-2026- managementfunctionalitythatallowsauthenticatedattackerstoinjectSQLthroughtheownerparameter.Anattackercanuse 9.9 MoreDetails23696 theinjectiontoreadsensitivedatasuchastheJWTsigningsecretandadministrativeuseridentifiers,forgeanadministrative token,andthenexecutearbitrarycodeviatheworkflowexecutionendpoints.

andthemesupport.Priortoversion0.31.0.0,aStoredCross-SiteScripting(StoredXSS)vulnerabilityexistsinthebackenduser CVE-2026-managementfunctionality.Theapplicationfailstoproperlysanitizeuser-controlledinputbeforerenderingitinthe 9.9 MoreDetails34571administrativeinterface,allowingattackerstoinjectpersistentJavaScriptcode.Thisresultsinautomaticexecutionwhenever backendusersaccesstheaffectedpage,enablingsessionhijacking,privilegeescalation,andfulladministrativeaccount compromise.Thisissuehasbeenpatchedinversion0.31.0.0. Group-Officeisanenterprisecustomerrelationshipmanagementandgroupwaretool.Priortoversions6.8.156,25.0.90,and 26.0.12,avulnerabilityintheAbstractSettingsCollectionmodelleadstoinsecuredeserializationwhenthesesettingsareCVE-2026-loaded.ByinjectingaserializedFileCookieJarobjectintoasettingstring,anauthenticatedattackercanachieveArbitraryFile 9.9 MoreDetails34838Write,leadingdirectlytoRemoteCodeExecution(RCE)ontheserver.Thisissuehasbeenpatchedinversions6.8.156,25.0.90, and26.0.12. GenealogyisafamilytreePHPapplication.Priorto5.9.1,acriticalbrokenaccesscontrolvulnerabilityinthegenealogy CVE-2026-applicationallowsanyauthenticatedusertotransferownershipofarbitrarynon-personalteamstothemselves.Thisenables 9.9 MoreDetails39355completetakeoverofotherusers'teamworkspacesandunrestrictedaccesstoallgenealogydataassociatedwiththe compromisedteam.Thisvulnerabilityisfixedin5.9.1. OpenProjectisanopen-source,web-basedprojectmanagementsoftware.Priortoversion17.2.3,the=noperatorinCVE-2026-modules/reporting/lib/report/operator.rb:177embedsuserinputdirectlyintoSQLWHEREclauseswithoutparameterization.This 9.9 MoreDetails34717issuehasbeenpatchedinversion17.2.3. 
AnissuewasdiscoveredinPerconaPMMbefore3.7.Becauseaninternaldatabaseuserretainsspecificsuperuserprivileges,anCVE-2026-attackerwithpmm-adminrightscanabusethe"Adddatasource"featuretobreakoutofthedatabasecontextandexecute 9.9 MoreDetails25212shellcommandsontheunderlyingoperatingsystem. CVE-2025-XenForobefore2.3.7containsasecurityissueaffectingPasskeysthathavebeenaddedtouseraccounts.Anattackermaybe 71279abletocompromisethesecurityofPasskey-basedauthentication. Kedroisatoolboxforproduction-readydatascience.Priorto1.3.0,Kedroallowstheloggingconfigurationfilepathtobesetvia theKEDROLOGGINGCONFIGenvironmentvariableandloadsitwithoutvalidation.TheloggingconfigurationschemasupportsCVE-2026-thespecial()key,whichenablesarbitrarycallableinstantiation.Anattackercanexploitthistoexecutearbitrarysystem35171commandsduringapplicationstartup.Thisisacriticalremotecodeexecution(RCE)vulnerabilitycausedbyunsafeuseof logging.config.dictConfig()withuser-controlledinput.Thisvulnerabilityisfixedin1.3.0. HirschmannHiEOSdevicesversionspriorto01.1.00containanauthenticationbypassvulnerabilityintheHTTP(S)management CVE-2024-modulethatallowsunauthenticatedremoteattackerstogainadministrativeaccessbysendingspeciallycraftedHTTP(S) 14034requests.Attackerscanexploitimproperauthenticationhandlingtoobtainelevatedprivilegesandperformunauthorized actionsincludingconfigurationdownloadoruploadandfirmwaremodification. HirschmannIndustrialHiVisionversionspriorto06.0.07and07.0.03containsanauthenticationbypassvulnerabilityinthe CVE-2017-masterservicethatallowsunauthenticatedremoteattackerstoexecutearbitrarycommandswithadministrativeprivileges. 
20237Attackerscaninvokeexposedinterfacemethodsovertheremoteservicetobypassauthenticationandachieveremotecode executionontheunderlyingoperatingsystem. BrunoisanopensourceIDEforexploringandtestingAPIs.Priorto3.2.1,Brunowasaffectedbyasupplychainattackinvolving CVE-2026-compromisedversionsoftheaxiosnpmpackage,whichintroducedahiddendependencydeployingacross-platformRemote 34841AccessTrojan(RAT).Usersof@usebruno/cliwhorannpminstallbetween00:21UTCand~03:30UTConMarch31,2026may havebeenimpacted.Upgradeto3.2.1 CVE-2026-AnissueintheloginmechanismofKalerisYMSv7.2.2.1allowsattackerstobypassloginverificationtoaccesstheapplication's 31151resources. HirschmannHiSecOSdevicesversionspriorto05.3.03containabufferoverflowvulnerabilityintheHTTPSlogininterfacewhen CVE-2018-RADIUSauthenticationisenabledthatallowsremoteattackerstocrashthedeviceorexecutearbitrarycodebysubmittinga 25237passwordlongerthan128characters.Attackerscanexploitimproperboundscheckinginpasswordhandlingtooverflowafixed- sizebufferandachievedenialofserviceorremotecodeexecution. GarrettComMagnum6Kand10KmanagedswitchescontainanauthenticationbypassvulnerabilitythatallowsunauthenticatedCVE-2017-attackerstogainunauthorizedaccessbyexploitingahardcodedstringintheauthenticationmechanism.Attackerscanbypass20234logincontrolstoaccessadministrativefunctionsandsensitiveswitchconfigurationwithoutvalidcredentials. CVE-2026-Aremotecommandexecution(RCE)vulnerabilityinthe/goform/formDiacomponentofUTTAggressiveHiPER520Wv3v1.7.7- 31059180627allowsattackerstoexecutearbitrarycommandsviaacraftedstring. 
ProSoftTechnologyICX35-HWCversions1.3andpriorcellulargatewayscontainaninputvalidationvulnerabilityinthewebuser CVE-2017-interfacethatallowsremoteattackerstoinjectandexecutesystemcommandsbysubmittingmaliciousinputthrough 20236unvalidatedfields.Attackerscanexploitthisvulnerabilitytogainrootprivilegesandexecutearbitrarycommandsonthedevice throughtheaccessiblewebinterface. HirschmannHiOSandHiSecOSproductsRSP,RSPE,RSPS,RSPL,MSP,EES,EESX,GRS,OS,RED,EAGLEcontainan CVE-2018-authenticationbypassvulnerabilityintheHTTP(S)managementmodulethatallowsunauthenticatedremoteattackerstogain 25236administrativeaccessbycraftingspeciallyformedHTTPrequests.Attackerscanexploitimproperauthenticationhandlingto obtaintheauthenticationstatusandprivilegesofapreviouslyauthenticateduserwithoutprovidingvalidcredentials. PegasusCMS1.0containsaremotecodeexecutionvulnerabilityintheextra_fields.phppluginthatallowsunauthenticatedCVE-2019-

attackerstoexecutearbitrarycommandsbyexploitingunsafeevalfunctionality.AttackerscansendPOSTrequeststothe25687 submit.phpendpointwithmaliciousPHPcodeintheactionparametertoachievecodeexecutionandobtainaninteractiveshell. PraisonAIisamulti-agentteamssystem.Priortoversion4.5.90,thegetalluserthreadsfunctionconstructsrawSQLqueries CVE-2026-usingf-stringswithunescapedthreadIDsfetchedfromthedatabase.AnattackerstoresamaliciousthreadIDvia MoreDetails34934 9.8updatethread.Whentheapplicationloadsthethreadlist,theinjectedpayloadexecutesandgrantsfulldatabaseaccess.This issuehasbeenpatchedinversion4.5.90. PraisonAIisamulti-agentteamssystem.Fromversion4.5.15tobeforeversion4.5.69,the--mcpCLIargumentispassed CVE-2026-directlytoshlex.split()andforwardedthroughthecallchaintoanyio.openprocess()withnovalidation,allowlistcheck,or 34935sanitizationatanyhop,allowingarbitraryOScommandexecutionastheprocessuser.Thisissuehasbeenpatchedinversion 4.5.69. NICO-FTP3.0.1.19containsastructuredexceptionhandlerbufferoverflowvulnerabilitythatallowsremoteattackerstoexecuteCVE-2018-arbitrarycodebysendingcraftedFTPcommands.AttackerscanconnecttotheFTPserviceandsendoversizeddatainresponse25254handlerstooverwriteSEHpointersandredirectexecutiontoinjectedshellcode. AnissuewasdiscoveredinMbedTLSversionsfrom2.19.0upto3.6.5,MbedTLS4.0.0.InsufficientprotectionofserializedSSLCVE-2026-contextorsessionstructuresallowsanattackerwhocanmodifytheserializedstructurestoinducememorycorruption,leading34877toarbitrarycodeexecution.ThisiscausedbyIncorrectUseofPrivilegedAPIs. 
ConvoyisaKVMservermanagementpanelforhostingbusinesses.Fromversion3.9.0-betatobeforeversion4.5.1,the JWTService::decode()methoddidnotverifythecryptographicsignatureofJWTtokens.Whilethemethodconfigureda symmetricHMAC-SHA256signervialcobucci/jwt,itonlyvalidatedtime-basedclaims(exp,nbf,iat)usingtheStrictValidAt CVE-2026-constraint.TheSignedWithconstraintwasnotincludedinthevalidationstep.Thismeansanattackercouldforgeortamper 33746withJWTtokenpayloads--suchasmodifyingtheuseruuidclaim--andthetokenwouldbeacceptedasvalid,aslongasthe time-basedclaimsweresatisfied.ThisdirectlyimpactstheSSOauthenticationflow(LoginController::authorizeToken),allowing anattackertoauthenticateasanyuserbycraftingatokenwithanarbitraryuseruuid.Thisissuehasbeenpatchedinversion 4.5.1. CVE-2026-AimproperaccesscontrolvulnerabilityinFortinetFortiClientEMS7.4.5through7.4.6mayallowanunauthenticatedattackerto 35616executeunauthorizedcodeorcommandsviacraftedrequests. Aheap-basedbufferoverflowvulnerabilityexistsintheHuffTable::initvalfunctionalityofLibRawCommit0b56545andCommitCVE-2026-d20315b.Aspeciallycraftedmaliciousfilecanleadtoaheapbufferoverflow.Anattackercanprovideamaliciousfiletotrigger20911thisvulnerability. MetInfoCMSversions7.9,8.0,and8.1containanunauthenticatedPHPcodeinjectionvulnerabilitythatallowsremoteattackersCVE-2026-toexecutearbitrarycodebysendingcraftedrequestswithmaliciousPHPcode.Attackerscanexploitinsufficientinput29014neutralizationintheexecutionpathtoachieveremotecodeexecutionandgainfullcontrolovertheaffectedserver. 
TOTOlinkA3600Rv5.9c.4959containsabufferoverflowvulnerabilityinthesetAppEasyWizardConfiginterfaceofCVE-2026-/lib/cstemodules/app.so.ThevulnerabilityoccursbecausetherootSsidparameterisnotproperlyvalidatedforlength,allowing31027remoteattackerstotriggerabufferoverflow,potentiallyleadingtoarbitrarycodeexecutionordenialofservice. CVE-2024-Thereisaninjectionvulnerabilityinjeecgbootversions3.0.0to3.5.3duetolaxcharacterfiltering,whichallowsattackersto 40489executearbitrarycodeoncomponentsthroughspeciallycraftedHTTPrequests. CVE-2024-Acommandinjectionvulnerabilityinthecomponent/jmreport/showofjeecgbootv3.0.0tov3.5.3allowsattackerstoexecute 43028arbitrarycodeviaacraftedHTTPrequest. AvulnerabilityinthechangepasswordfunctionalityofCiscoIntegratedManagementController(IMC)couldallowan unauthenticated,remoteattackertobypassauthenticationandgainaccesstothesystemas Admin.ThisvulnerabilityisCVE-2026-duetoincorrecthandlingofpasswordchangerequests.AnattackercouldexploitthisvulnerabilitybysendingacraftedHTTP20093requesttoanaffecteddevice.Asuccessfulexploitcouldallowtheattackertobypassauthentication,alterthepasswordsofany useronthesystem,includingan Adminuser,andgainaccesstothesystemasthatuser. AvulnerabilityinCiscoSmartSoftwareManagerOn-Prem(SSMOn-Prem)couldallowanunauthenticated,remoteattackerto executearbitrarycommandsontheunderlyingoperatingsystemofanaffectedSSMOn-Premhost.ThisvulnerabilityisduetoCVE-2026-theunintentionalexposureofan internalservice.Anattackercouldexploitthisvulnerabilitybysendingacraftedrequest20160totheAPIoftheexposedservice.Asuccessfulexploitcouldallowtheattackertoexecutecommandsontheunderlying operatingsystemwithroot-levelprivileges. 
CVE-2026-AnissuewasdiscoveredinDedeCMS5.7.118allowingattackerstoexecutecodeviacraftedsetuptagvaluesinamodule 30643upload. llama.cppisaninferenceofseveralLLMmodelsinC/C++.Priortoversionb8492,theRPCbackend'sdeserializetensor()skips allboundsvalidationwhenatensor'sbufferfieldis0.AnunauthenticatedattackercanreadandwritearbitraryprocessmemoryCVE-2026-viacraftedGRAPHCOMPUTEmessages.CombinedwithpointerleaksfromALLOCBUFFER/BUFFERGETBASE,thisgivesfull34159ASLRbypassandremotecodeexecution.Noauthenticationrequired,justTCPaccesstotheRPCserverport.Thisissuehas beenpatchedinversionb8492. CVE-2026-AnissuewasdiscoveredinMbedTLSthrough3.6.5andTF-PSA-Crypto1.0.0.Abufferoverflowcanoccurinpublickeyexport 34875forFFDHkeys. Cockpit'sremoteloginfeaturepassesuser-suppliedhostnamesandusernamesfromthewebinterfacetotheSSHclientwithout validationorsanitization.AnattackerwithnetworkaccesstotheCockpitwebservicecancraftasingleHTTPrequesttotheCVE-2026-loginendpointthatinjectsmaliciousSSHoptionsorshellcommands,achievingcodeexecutionontheCockpithostwithoutvalid4631credentials.Theinjectionoccursduringtheauthenticationflowbeforeanycredentialverificationtakesplace,meaningnologin isrequiredtoexploitthevulnerability. changedetection.ioisafreeopensourcewebpagechangedetectiontool.Priorto0.54.8,the@loginoptionallyrequired decoratorisplacedbefore(outerto)@blueprint.route()insteadofafterit.InFlask,@route()mustbetheoutermostdecoratorCVE-2026-becauseitregistersthefunctionitreceives.Whentheorderisreversed,@route()registerstheoriginalundecoratedfunction,35490andtheauthwrapperisneverinthecallchain.Thissilentlydisablesauthenticationontheseroutes.Thisvulnerabilityisfixedin 0.54.8. 
Aheap-basedbufferoverflowvulnerabilityexistsinthelosslessjpegloadrawfunctionalityofLibRawCommit0b56545and

Commitd20315b.Aspeciallycraftedmaliciousfilecanleadtoaheapbufferoverflow.AnattackercanprovideamaliciousfileCVE-2026- 21413totriggerthisvulnerability. Weaver(Fanwei)E-cology10.0versionspriorto20260312containanunauthenticatedremotecodeexecutionvulnerabilityin the/papi/esearch/data/devops/dubboApi/debug/methodendpointthatallowsattackerstoexecutearbitrarycommandsbyCVE-2026-invokingexposeddebugfunctionality.AttackerscancraftPOSTrequestswithattacker-controlledinterfaceNameand22679methodNameparameterstoreachcommand-executionhelpersandachievearbitrarycommandexecutiononthe system.ExploitationevidencewasfirstobservedbytheShadowserverFoundationon2026-03-31(UTC). MemorysafetybugspresentinFirefoxESR115.34.0,FirefoxESR140.9.0,ThunderbirdESR140.9.0,Firefox149.0.1and CVE-2026-Thunderbird149.0.1.Someofthesebugsshowedevidenceofmemorycorruptionandwepresumethatwithenougheffort 5731someofthesecouldhavebeenexploitedtorunarbitrarycode.ThisvulnerabilityaffectsFirefox<149.0.2,FirefoxESR< 115.34.1,FirefoxESR<140.9.1,Thunderbird<149.0.2,andThunderbird<140.9.1. AnthropicClaudeCodeCLIandClaudeAgentSDKcontainanOScommandinjectionvulnerabilityinauthenticationhelper executionwherehelperconfigurationvaluesareexecutedusingshell=truewithoutinputvalidation.AttackerswhocanCVE-2026-influenceauthenticationsettingscaninjectshellmetacharactersthroughparameterslikeapiKeyHelper,awsAuthRefresh,35022awsCredentialExport,andgcpAuthRefreshtoexecutearbitrarycommandswiththeprivilegesoftheuserorautomation environment,enablingcredentialtheftandenvironmentvariableexfiltration. CVE-2026-CustomerManagedShareFileStorageZonesController(SZC)allowsanunauthenticatedattackertoaccessrestricted 2699configurationpages.Thisleadstochangingsystemconfigurationandpotentialremotecodeexecution. 
CVE-2026-EcclesiaCRMisCRMSoftwareforchurchmanagement.Priorto8.0.0,thereisaSQLinjectionvulnerabilityin 35184v2/templates/query/queryview.phpviathecustomandvalueparameters.Thisvulnerabilityisfixedin8.0.0. TheNinjaForms-FileUploadspluginforWordPressisvulnerabletoarbitraryfileuploadsduetomissingfiletypevalidationin CVE-2026-the'NFFUAJAXControllersUploads::handleupload'functioninallversionsupto,andincluding,3.3.26.Thismakesitpossible MoreDetails 9.80740forunauthenticatedattackerstouploadarbitraryfilesontheaffectedsite'sserverwhichmaymakeremotecodeexecution possible.Note:Thevulnerabilitywaspartiallypatchedinversion3.3.25andfullypatchedinversion3.3.27. TianxinInternetBehaviorManagementSystemcontainsacommandinjectionvulnerabilityintheReportercomponentendpoint thatallowsunauthenticatedattackerstoexecutearbitrarycommandsbysupplyingacraftedobjClassparametercontaining CVE-2021-shellmetacharactersandoutputredirection.AttackerscanexploitthisvulnerabilitytowritemaliciousPHPfilesintotheweb 4473rootandachieveremotecodeexecutionwiththeprivilegesofthewebserverprocess.Thisvulnerabilityhasbeenfixedin versionNACFirmware4.0.0.720210716.180815topsec0basic.bin.Exploitationevidencewasfirstobservedbythe ShadowserverFoundationon2024-06-01(UTC). SnewsCMS1.7containsanunrestrictedfileuploadvulnerabilitythatallowsunauthenticatedattackerstouploadarbitraryfilesCVE-2016-includingPHPexecutablestothesnewsfilesdirectory.AttackerscanuploadmaliciousPHPfilesthroughthemultipartform-data20052uploadendpointandexecutethembyaccessingtheuploadedfilepathtoachieveremotecodeexecution. 
MemorysafetybugspresentinFirefoxESR140.9.0,ThunderbirdESR140.9.0,Firefox149.0.1andThunderbird149.0.1.Some CVE-2026-ofthesebugsshowedevidenceofmemorycorruptionandwepresumethatwithenougheffortsomeofthesecouldhavebeen 5734exploitedtorunarbitrarycode.ThisvulnerabilityaffectsFirefox<149.0.2,FirefoxESR<140.9.1,Thunderbird<149.0.2,and Thunderbird<140.9.1. MemorysafetybugspresentinFirefox149.0.1andThunderbird149.0.1.SomeofthesebugsshowedevidenceofmemoryCVE-2026-corruptionandwepresumethatwithenougheffortsomeofthesecouldhavebeenexploitedtorunarbitrarycode.This5735vulnerabilityaffectsFirefox<149.0.2andThunderbird<149.0.2. CVE-2026-Aheap-basedbufferoverflowvulnerabilityexistsinthex3fthumbloaderfunctionalityofLibRawCommitd20315b.Aspecially 20889craftedmaliciousfilecanleadtoaheapbufferoverflow.Anattackercanprovideamaliciousfiletotriggerthisvulnerability. CVE-2026-Server-siderequestforgery(ssrf)inAzureCustomLocationsResourceProvider(RP)allowsanauthorizedattackertoelevate 9.6 MoreDetails26135privilegesoveranetwork. TheStackfieldDesktopAppbefore1.10.2formacOSandWindowscontainsapathtraversalvulnerabilityincertaindecryptionCVE-2026-functionalitywhenprocessingthefilePathproperty.Amaliciousexportcanwritearbitrarycontenttoanypathonthevictim's 9.6 MoreDetails28373filesystem. 
UseafterfreeinWebViewinGoogleChromeonAndroidpriorto146.0.7680.178allowedaremoteattackerwhohadCVE-2026-compromisedtherendererprocesstopotentiallyperformasandboxescapeviaacraftedHTMLpage.(Chromiumsecurity 9.6 MoreDetails5288severity:High) CVE-2026-UseafterfreeinCompositinginGoogleChromepriorto146.0.7680.178allowedaremoteattackerwhohadcompromisedthe 9.6 MoreDetails5290rendererprocesstopotentiallyperformasandboxescapeviaacraftedHTMLpage.(Chromiumsecurityseverity:High) CVE-2026-UseafterfreeinNavigationinGoogleChromepriorto146.0.7680.178allowedaremoteattackerwhohadcompromisedthe 9.6 MoreDetails5289rendererprocesstopotentiallyperformasandboxescapeviaacraftedHTMLpage.(Chromiumsecurityseverity:High) Budibaseisanopen-sourcelow-codeplatform.Priortoversion3.33.4,aserver-siderequestforgery(SSRF)vulnerabilityexists inBudibase'sRESTdatasourceconnector.Theplatform'sSSRFprotectionmechanism(IPblacklist)isrenderedcompletelyCVE-2026-ineffectivebecausetheBLACKLISTIPSenvironmentvariableisnotsetbydefaultinanyoftheofficialdeployment 9.6 MoreDetails31818configurations.Whenthisvariableisempty,theblacklistfunctionunconditionallyreturnsfalse,allowingallrequeststhrough withoutrestriction.Thisissuehasbeenpatchedinversion3.33.4. SignalKServerisaserverapplicationthatrunsonacentralhubinaboat.Priortoversion2.24.0-beta.4,thereisaprivilege CVE-2026-escalationvulnerabilitybyAdminRoleInjectionvia/enableSecurity.AnunauthenticatedattackercangainfullAdministrator 9.4 MoreDetails33950accesstotheSignalKserveratanytime,allowingthemtomodifysensitivevesselroutingdata,alterserverconfigurations,and accessrestrictedendpoints.Thisissuehasbeenpatchedinversion2.24.0-beta.4. 
@delmaredigital/payload-puckisaPayloadCMSpluginforintegratingPuckvisualpagebuilder.Priorto0.6.23,all/api/puck/* CRUDendpointhandlersregisteredbycreatePuckPlugin()calledPayload'slocalAPIwiththedefaultoverrideAccess:true,CVE-2026- 9.4 MoreDetailsbypassingallcollection-levelaccesscontrol.TheaccessoptionpassedtocreatePuckPlugin()andanyaccessrulesdefinedon39397 Puck-registeredcollectionsweresilentlyignoredontheseendpoints.Thisvulnerabilityisfixedin0.6.23.

CVE-2026- AspecificendpointexposesalluseraccountinformationforregisteredGardynuserswithoutrequiringauthentication. 9.3 MoreDetails 28766 PraisonAIisamulti-agentteamssystem.Priortoversion4.5.97,OAuthManager.validate_token()returnsTrueforanytokennot CVE-2026- foundinitsinternalstore,whichisemptybydefault.AnyHTTPrequesttotheMCPserverwithanarbitraryBearertokenis 34953 treatedasauthenticated,grantingfullaccesstoallregisteredtoolsandagentcapabilities.Thisissuehasbeenpatchedin version4.5.97. AIOHTTPisanasynchronousHTTPclient/serverframeworkforasyncioandPython.Priortoversion3.13.4,theCparser(theCVE-2026- defaultformostinstalls)acceptednullbytesandcontrolcharactersinresponseheaders.Thisissuehasbeenpatchedinversion34520 3.13.4.

andthemesupport.Priortoversion0.31.0.0,theapplicationfailstoproperlysanitizeuser-controlledinputwithinthePage CVE-2026-Managementfunctionalitywhencreatingoreditingpages.Multipleinputfieldsacceptattacker-controlledJavaScriptpayloads 34566thatarestoredserver-side.Thesestoredvaluesarelaterrenderedwithoutproperoutputencodingacrossadministrativepage listsandpublic-facingpageviews,leadingtostoredDOM-basedcross-sitescripting(XSS).Thisissuehasbeenpatchedin version0.31.0.0.

andthemesupport.Priortoversion0.31.0.0,theapplicationfailstoproperlysanitizeuser-controlledinputwhenaddingPoststo CVE-2026-navigationmenusthroughtheMenuManagementfunctionality.Post-relateddataselectedviathePostssectionisstoredserver- 34565sideandrenderedwithoutproperoutputencoding.Thesestoredvaluesarelaterrenderedunsafelywithinadministrative dashboardsandpublic-facingnavigationmenus,resultinginstoredDOM-basedcross-sitescripting(XSS).Thisissuehasbeen patchedinversion0.31.0.0.

andthemesupport.Priortoversion0.31.0.0,theapplicationfailstoproperlysanitizeuser-controlledinputwhenaddingPages CVE-2026-tonavigationmenusthroughtheMenuManagementfunctionality.Page-relateddataselectedviathePagessectionisstored 34564server-sideandrenderedwithoutproperoutputencoding.Thisstoredpayloadislaterrenderedunsafelywithinadministrative interfacesandpublic-facingnavigationmenus,leadingtostoredDOM-basedcross-sitescripting(XSS).Thisissuehasbeen patchedinversion0.31.0.0.

andthemesupport.Priortoversion0.31.0.0,theapplicationfailstoproperlysanitizeuser-controlledinputwhenhandling CVE-2026-backupuploadsandprocessingbackupmetadata.AnattackercaninjectamaliciousJavaScriptpayloadintothebackup 34563filenameviatheuploadedxss.sql,whichusesSQLfunctionalitytoinserttheXSSpayloadserver-side.Thisstoredpayloadis laterrenderedunsafelyinmultiplebackupmanagementviewswithoutproperoutputencoding,leadingtostoredblindcross- sitescripting(BlindXSS).Thisissuehasbeenpatchedinversion0.31.0.0.

andthemesupport.Priortoversion0.31.0.0,theapplicationrendersuser-controlledinputunsafelywithinthelogsinterface.IfCVE-2026-anystoredXSSpayloadexistswithinloggeddata,itisrenderedwithoutproperoutputencoding.ThisissuebecomesaBlind34560XSSscenariobecausetheattackerdoesnotseeimmediateexecution.Instead,thepayloadisstoredwithinapplicationlogsand onlyexecuteslaterwhenanadministratorviewsthelogspage.Thisissuehasbeenpatchedinversion0.31.0.0.

CVE-2026- editingblogtags.AnattackercaninjectamaliciousJavaScriptpayloadintothetagnamefield,whichisthenstoredserver-side.34559 Thisstoredpayloadislaterrenderedunsafelyacrosspublictagpagesandadministrativeinterfaceswithoutproperoutput encoding,leadingtostoredcross-sitescripting(XSS).Thisissuehasbeenpatchedinversion0.31.0.0. CVE-2026- AnissuewasdiscoveredinMbedTLS3.5.0through4.0.0.ClientimpersonationcanoccurwhileresumingaTLS1.3session. 9.1 MoreDetails34873 AnissuewasdiscoveredinMbedTLS3.5.xand3.6.xthrough3.6.5andTF-PSA-Crypto1.0.Thereisalackofcontributory behaviorinFFDHduetoimproperinputvalidation.Usingfinite-fieldDiffie-Hellman,theotherpartycanforcethesharedsecretCVE-2026- intoasmallsetofvalues(lackofcontributorybehavior).Thisisaproblemforprotocolsthatdependoncontributorybehavior34872 (whichisnotthecaseforTLS).Theattackcanbecarriedbythepeer,ordependingontheprotocolbyanactivenetwork attacker(personinthemiddle). PraisonAIisamulti-agentteamssystem.Priortoversion4.5.97,thePraisonAIGatewayserveracceptsWebSocketconnectionsCVE-2026- at/wsandservesagenttopologyat/infowithnoauthentication.Anynetworkclientcanconnect,enumerateregisteredagents,34952 andsendarbitrarymessagestoagentsandtheirtoolsets.Thisissuehasbeenpatchedinversion4.5.97. EmissaryisaP2Pbaseddata-drivenworkflowengine.Priorto8.39.0,GitHubActionsworkflowfilescontainedshellinjection CVE-2026- pointswhereuser-controlledworkflowdispatchinputswereinterpolateddirectlyintoshellcommandsvia${{}}expression 35580 syntax.Anattackerwithrepositorywriteaccesscouldinjectarbitraryshellcommands,leadingtorepositorypoisoningand supplychaincompromiseaffectingalldownstreamusers.Thisvulnerabilityisfixedin8.39.0. 
Reviactylisanopen-sourcegameservermanagementpanelbuiltusingLaravel,React,FilamentPHP,Vite,andGo.Fromversion 26.2.0-beta.1tobeforeversion26.2.0-beta.5,avulnerabilityintheOAuthauthenticationflowallowedautomaticlinkingof CVE-2026- socialaccountsbasedsolelyonmatchingemailaddresses.Anattackercouldcreateorcontrolasocialaccount(e.g.,Google, 34456 GitHub,Discord)usingavictim'semailaddressandgainfullaccesstothevictim'saccountwithoutknowingtheirpassword. Thisresultsinafullaccounttakeoverwithnopriorauthenticationrequired.Thisissuehasbeenpatchedinversion26.2.0- beta.5. ChurchCRMisanopen-sourcechurchmanagementsystem.Priorto6.5.3,apathtraversalvulnerabilityinChurchCRM'sbackup restorefunctionalityallowsauthenticatedadministratorstouploadarbitraryfilesandachieveremotecodeexecutionbyCVE-2026- overwritingApache.htaccessconfigurationfiles.Thevulnerabilityexistsinsrc/ChurchCRM/Backup/RestoreJob.php.The35573 $rawUploadedFile['name']parameterisuser-controlledandallowsuploadingfileswitharbitrarynamesto /var/www/html/tmpattach/ChurchCRMBackups/.Thisvulnerabilityisfixedin6.5.3. Payloadisafreeandopensourceheadlesscontentmanagementsystem.Priortoversion3.79.1in@payloadcms/graphqlandCVE-2026- payload,avulnerabilityinthepasswordrecoveryflowcouldallowanunauthenticatedattackertoperformactionsonbehalfofa34751 userwhoinitiatesapasswordreset.Thisissuehasbeenpatchedinversion3.79.1for@payloadcms/graphqlandpayload. ChurchCRMisanopen-sourcechurchmanagementsystem.Priorto7.1.0,acriticalauthenticationbypassvulnerabilityin

CVE-2026- ChurchCRM'sAPImiddleware(ChurchCRM/Slim/Middleware/AuthMiddleware.php)allowsunauthenticatedattackerstoaccessall 39339 protectedAPIendpointsbyincluding"api/public"anywhereintherequestURL,leadingtocompleteexposureofchurchmember dataandsysteminformation.Thisvulnerabilityisfixedin7.1.0. DockerModelRunner(DMR)issoftwareusedtomanage,run,anddeployAImodelsusingDocker.Priortoversion1.1.25, DockerModelRunnercontainsanSSRFvulnerabilityinitsOCIregistrytokenexchangeflow.Whenpullingamodel,Model RunnerfollowstherealmURLfromtheregistry'sWWW-Authenticateheaderwithoutvalidatingthescheme,hostname,orIP range.AmaliciousOCIregistrycansettherealmtoaninternalURL(e.g.,http://127.0.0.1:3000/),causingModelRunnerCVE-2026- runningonthehosttomakearbitraryGETrequeststointernalservicesandreflectthefullresponsebodybacktothecaller.33990 Additionally,thetokenexchangemechanismcanrelaydatafrominternalservicesbacktotheattacker-controlledregistryvia theAuthorization:Bearerheader.Thisissuehasbeenpatchedinversion1.1.25.ForDockerDesktopusers,enablingEnhanced ContainerIsolation(ECI)blockscontaineraccesstoModelRunner,preventingexploitation.However,iftheDockerModel RunnerisexposedtolocalhostoverTCPinspecificconfigurations,thevulnerabilityisstillexploitable. TheOrderNotificationforWooCommerceWordPresspluginbefore3.6.3overridesWooCommerce'spermissioncheckstograntCVE-2025- fullaccesstoallunauthenticatedrequests,enablingcompleteread/writeaccesstostoreresourceslikeproducts,coupons,and15484 customers.

CVE-2026- editingblogpostswithintheCategoriessection.AnattackercaninjectamaliciousJavaScriptpayloadintotheCategories 34567 content,whichisthenstoredserver-side.ThisstoredpayloadislaterrenderedunsafelywhentheCategoriesareviewedvia blogposts,withoutproperoutputencoding,leadingtostoredcross-sitescripting(XSS).Thisissuehasbeenpatchedinversion 0.31.0.0.

CVE-2026- editingblogposts.AnattackercaninjectamaliciousJavaScriptpayloadintoblogpostcontent,whichisthenstoredserver-side.34568 Thisstoredpayloadislaterrenderedunsafelyinmultipleapplicationviewswithoutproperoutputencoding,leadingtostored cross-sitescripting(XSS).Thisissuehasbeenpatchedinversion0.31.0.0. pyLoadisafreeandopen-sourcedownloadmanagerwritteninPython.In0.5.0b3.dev96andearlier,pyLoadhasaserver-side requestforgery(SSRF)vulnerability.ThefixforCVE-2026-33992addedIPvalidationtoBaseDownloader.download()thatchecksCVE-2026- thehostnameoftheinitialdownloadURL.However,pycurlisconfiguredwithFOLLOWLOCATION=1andMAXREDIRS=10,35459 causingittoautomaticallyfollowHTTPredirects.RedirecttargetsarenevervalidatedagainsttheSSRFfilter.Anauthenticated userwithADDpermissioncanbypasstheSSRFfixbysubmittingaURLthatredirectstoaninternaladdress. LiteLLMisaproxyserver(AIGateway)tocallLLMAPIsinOpenAI(ornative)format.Priorto1.83.0,whenJWTauthenticationis enabled(enablejwtauth:true),theOIDCuserinfocacheusestoken[:20]asthecachekey.JWTheadersproducedbythesame CVE-2026- signingalgorithmgenerateidenticalfirst20characters.Thisconfigurationoptionisnotenabledbydefault.Mostinstancesare 35030 notaffected.Anunauthenticatedattackercancraftatokenwhosefirst20charactersmatchalegitimateuser'scachedtoken. Oncachehit,theattackerinheritsthelegitimateuser'sidentityandpermissions.ThisaffectsdeploymentswithJWT/OIDC authenticationenabled.Fixedinv1.83.0. 
HirschmannHiLCOSOpenBATandBAT450productscontainafirewallbypassvulnerabilityinIPv6IPsecdeploymentsthatallows CVE-2021- trafficfromVPNconnectionstobypassconfiguredfirewallrules.AttackerscanexploitthisvulnerabilitybyestablishingIPv6 4477 IPsecconnections(IKEv1orIKEv2)whilesimultaneouslyusinganIPv6Internetconnectiontocircumventfirewallpolicy enforcement. CVE-2026- GLPIisafreeassetandITmanagementsoftwarepackage.From11.0.0tobefore11.0.6,templateinjectionbyanadministrator 26026 leadtoRCE.Thisvulnerabilityisfixedin11.0.6. ProSoftTechnologyICX35-HWCversion1.3andpriorcellulargatewayscontainanauthenticationbypassvulnerabilityinthe CVE-2017- webuserinterfacethatallowsunauthenticatedattackerstogainaccesstoadministrativefunctionswithoutvalidcredentials. 20235 Attackerscanbypasstheauthenticationmechanisminaffectedfirmwareversionstoobtainfulladministrativeaccesstodevice configurationandsettings. CVE-2026- AspecificendpointallowsauthenticateduserstopivottootheruserprofilesbymodifyingtheidnumberintheAPIcall. 9.1 MoreDetails25197 fast-jwtprovidesfastJSONWebToken(JWT)implementation.In6.1.0andearlier,thepublicKeyPemMatcherregexinfast-CVE-2026- jwt/src/crypto.jsusesa^anchorthatisdefeatedbyanyleadingwhitespaceinthekeystring,re-enablingtheexactsameJWT34950 algorithmconfusionattackthatCVE-2023-48223patched. AnunauthenticatedremoteattackercanexploitanunauthenticatedSQLInjectionvulnerabilityinthesetinfoendpointduetoCVE-2026- improperneutralizationofspecialelementsinaSQLUPDATEcommand.Thiscanresultinatotallossofintegrityand33615 availability. CVE-2026- MissingauthenticationforcriticalfunctioninAzureMCPServerallowsanunauthorizedattackertodiscloseinformationovera 32211 network. 
fast-jwtprovidesfastJSONWebToken(JWT)implementation.From0.0.1tobefore6.1.0,settingupacustomcacheKeyBuilder CVE-2026- methodwhichdoesnotproperlycreateuniquekeysfordifferenttokenscanleadtocachecollisions.Thiscouldcausetokensto 35039 bemis-identifiedduringtheverificationprocessleadingtovalidtokensreturningclaimsfromdifferentvalidtokensandusers beingmis-identifiedasotherusersbasedonthewrongtoken. text-generation-webuiisanopen-sourcewebinterfaceforrunningLargeLanguageModels.Priorto4.1.1,userscansave CVE-2026- extentionsettingsin"py"formatandintheapprootdirectory.Thisallowstooverwritepythonfiles,forinstancethe"download- 35050 model.py"filecouldbeoverwritten.Then,thispythonfilecanbetriggeredtogetexecutedfrom"Model"menuwhenrequesting todownloadanewmodel.Thisvulnerabilityisfixedin4.1.1. OneUptimeisanopen-sourcemonitoringandobservabilityplatform.Priortoversion10.0.42,unauthenticatedaccesstoCVE-2026- NotificationtestandPhoneNumbermanagementendpointsallowsSMS/Call/Email/WhatsAppabuseandphonenumber34758 purchase.Thisissuehasbeenpatchedinversion10.0.42. ChyrpLiteisanultra-lightweightbloggingengine.Priorto2026.01,apathtraversalvulnerabilityexistsintheadministration CVE-2026- consolethatallowsanadministratororauserwithChangeSettingspermissiontochangetheuploadspathtoanyfolder.This 35174 vulnerabilityallowstheusertodownloadanyfileontheserver,includingconfig.json.phpwithdatabasecredentialsand

overwritecriticalsystemfiles,leadingtoremotecodeexecution.Thisvulnerabilityisfixedin2026.01. AnissuewasdiscoveredinL2inSamsungMobileProcessor,WearableProcessor,andModemExynos980,990,850,1080,CVE-2025-2100,1280,2200,1330,1380,1480,2400,1580,2500,9110,W920,W930,W1000,Modem5123,Modem5300,andModem583495400.IncorrecthandlingofLTEMACpacketscontainingmanyMACControlElements(CEs)leadstobasebandcrashes. Firesharefacilitatesself-hostedmediaandlinksharing.Priortoversion1.5.3,thefixforCVE-2026-33645wasappliedtothe CVE-2026-authenticated/api/uploadChunkedendpointbutwasnotappliedtotheunauthenticated/api/uploadChunked/publicendpointin 34745thesamefile(app/server/fireshare/api.py).AnunauthenticatedattackercanexploitthecheckSumparametertowritearbitrary fileswithattacker-controlledcontenttoanywritablepathontheserverfilesystem.Thisissuehasbeenpatchedinversion1.5.3. CVE-2026-Authenticatedusercanuploadamaliciousfiletotheserverandexecuteit,whichleadstoremotecodeexecution. 9.1 MoreDetails2701 Emmettisafull-stackPythonwebframeworkdesignedwithsimplicity.From2.5.0tobefore2.8.1,theRSGIstatichandlerforCVE-2026-Emmett'sinternalassets(/emmettpaths)isvulnerabletopathtraversalattacks.Anattackercanuse../sequences(eg39847/emmett/../rsgi/handlers.py)toreadarbitraryfilesoutsidetheassetsdirectory.Thisvulnerabilityisfixedin2.8.1. Budibaseisanopen-sourcelow-codeplatform.Priortoversion3.33.4,anunauthenticatedattackercanachieveRemoteCode CVE-2026-Execution(RCE)ontheBudibaseserverbytriggeringanautomationthatcontainsaBashstepviathepublicwebhookendpoint. 9.0 MoreDetails35216Noauthenticationisrequiredtotriggertheexploit.Theprocessexecutesasrootinsidethecontainer.Thisissuehasbeen patchedinversion3.33.4. 
PraisonAIisamulti-agentteamssystem.Priorto1.5.113,theActionOrchestratorfeaturecontainsaPathTraversalvulnerability CVE-2026-thatallowsanattacker(orcompromisedagent)towritetoarbitraryfilesoutsideoftheconfiguredworkspacedirectory.By 9.0 MoreDetails39305supplyingrelativepathsegments(../)inthetargetpath,maliciousactionscanoverwritesensitivesystemfilesordrop executablepayloadsonthehost.Thisvulnerabilityisfixedin1.5.113. ZimaOSisaforkofCasaOS,anoperatingsystemforZimadevicesandx86-64systemswithUEFI.Priortoversion1.5.3,aproxy endpoint(/v1/sys/proxy)exposedbyZimaOS'swebinterfacecanbeabused(viaanexternallyreachabledomainusingaCVE-2026-CloudflareTunnel)tomakerequeststointernallocalhostservices.Thisresultsinunauthenticatedaccesstointernal-only 9.0 MoreDetails28798endpointsandsensitivelocalserviceswhentheproductisreachablefromtheInternetthroughaCloudflareTunnel.Thisissue hasbeenpatchedinversion1.5.3. SiYuanisapersonalknowledgemanagementsystem.Priorto3.6.4,amaliciousnotesyncedtoanotherusercantriggerremote codeexecutionintheSiYuanElectrondesktopclient.Therootcauseisthattablecaptioncontentisstoredwithoutsafe escapingandlaterunescapedintorenderedHTML,creatingastoredXSSsink.BecausethedesktoprendererrunswithCVE-2026- 9.0 MoreDetailsnodeIntegrationenabledandcontextIsolationdisabled,attacker-controlledJavaScriptexecuteswithaccesstoNode.jsAPIs.In39846practice,anattackercanimportacraftednoteintoasyncedworkspace,waitforthevictimtosync,andachievecode executionwhenthevictimopensthenote.Thisvulnerabilityisfixedin3.6.4.

OTHERVULNERABILITIES

CVE DescriptionNumber

CVE- ChurchCRMisanopen-sourcechurchmanagementsystem.Priorto7.1.0,astoredcross-sitescriptingvulnerabilityexistsinChurchCRM'spersonprofileeditingfunctionality.Non-administrativeuserswhohavetheEditSelfpermissioncaninject 2026- maliciousJavaScriptintotheirFacebook,LinkedIn,andXprofilefields.Duetoa50-characterfieldlimit,thepayloadisdistributedacrossallthreefieldsandchainstheironfocuseventhandlerstoexecuteinsequence.Whenanyuser,including 39328 administrators,viewstheattacker'sprofile,theirsessioncookiesareexfiltratedtoaremoteserver.Thisvulnerabilityisfixedin7.1.0. CVE- pyLoadisafreeandopen-sourcedownloadmanagerwritteninPython.In0.5.0b3.dev96andearlier,theADMINONLYOPTIONSprotectionmechanismrestrictssecurity-criticalconfigurationvalues(reconnectscripts,SSLcerts,proxycredentials)to 2026- admin-onlyaccess.However,thisprotectionisonlyappliedtocoreconfigoptions,nottopluginconfigoptions.TheAntiViruspluginstoresanexecutablepath(avfile)initsconfig,whichispasseddirectlytosubprocess.Popen().Anon-adminuserwith 35463 SETTINGSpermissioncanchangethispathtoachieveremotecodeexecution. CVE- 2025- Theissuewasaddressedwithimprovedmemoryhandling.ThisissueisfixedinmacOSSequoia15.6.Processingamaliciouslycraftedimagemaycorruptprocessmemory. 
43219 CVE- AvulnerabilityhasbeenfoundinBelkinF9K10151.00.10.AffectedbythisissueisthefunctionformWISP5Gofthefile/goform/formWISP5G.Suchmanipulationoftheargumentwebpageleadstostack-basedbufferoverflow.Itispossibletolaunch2026- theattackremotely.Theexploithasbeendisclosedtothepublicandmaybeused.Thevendorwascontactedearlyaboutthisdisclosurebutdidnotrespondinanyway.5610 CI4MSisaCodeIgniter4-basedCMSskeletonthatdeliversaproduction-ready,modulararchitecturewithRBACauthorizationandthemesupport.Priortoversion0.31.0.0,theapplicationfailstoimmediatelyrevokeactiveusersessionswhenanCVE- accountisdeactivated.Duetoalogicflawinthebackenddesign,accountstatechangesareenforcedonlyduringauthentication(login),notforalready-establishedsessions.Thesystemimplicitlyassumesthatauthenticatedusersremaintrustedfor2026- thelifetimeoftheirsession.Thereisnosessionexpirationoraccountexpirationmechanisminplace,causingdeactivatedaccountstoretainindefiniteaccessuntiltheusermanuallylogsout.Thisbehaviorbreakstheintendedaccesscontrolpolicy34572 andresultsinpersistentunauthorizedaccess,representingacriticalsecurityflaw.Thisissuehasbeenpatchedinversion0.31.0.0. CVE- 2025- Thisissuewasaddressedwithimprovedmemoryhandling.ThisissueisfixediniOS18.6andiPadOS18.6,macOSSequoia15.6.Processingafilemayleadtomemorycorruption. 
43202 CVE- UnsanitizedinputintheFileBrowserAPIinAWSResearchandEngineeringStudio(RES)version2024.10through2025.12.01mightallowaremoteauthenticatedactortoexecutearbitrarycommandsonthecluster-managerEC2instanceviacrafted2026- inputwhenusingtheFileBrowserfunctionality.Toremediatethisissue,usersareadvisedtoupgradetoRESversion2026.03orapplythecorrespondingmitigationpatchtotheirexistingenvironment.5709 CVE- Unsanitizedcontrolofuser-modifiableattributesinthesessioncreationcomponentinAWSResearchandEngineeringStudio(RES)priortoversion2026.03couldallowanauthenticatedremoteusertoescalateprivileges,assumethevirtualdesktop 2026- hostinstanceprofilepermissions,andinteractwithAWSresourcesandservicesviaacraftedAPIrequest.Toremediatethisissue,usersareadvisedtoupgradetoRESversion2026.03orapplythecorrespondingmitigationpatchtotheirexisting 5708 environment. CVE- UnsanitizedinputinanOScommandinthevirtualdesktopsessionnamehandlinginAWSResearchandEngineeringStudio(RES)version2025.03through2025.12.01mightallowaremoteauthenticatedactortoexecutearbitrarycommandsasroot2026- onthevirtualdesktophostviaacraftedsessionname.Toremediatethisissue,usersareadvisedtoupgradetoRESversion2026.03orapplythecorrespondingmitigationpatchtotheirexistingenvironment. CVE- AweaknesshasbeenidentifiedinTendaCX12L16.03.53.12.ThisissueaffectsthefunctionfromNatStaticSettingofthefile/goform/NatStaticSetting.Thismanipulationoftheargumentpagecausesstack-basedbufferoverflow.Theattackmaybe initiatedremotely.Theexploithasbeenmadeavailabletothepublicandcouldbeusedforattacks.

CVE- AsecurityflawhasbeendiscoveredinTendaCX12L16.03.53.12.ThisvulnerabilityaffectsthefunctionfromRouteStaticofthefile/goform/RouteStatic.Themanipulationoftheargumentpageresultsinstack-basedbufferoverflow.Theattackcanbe launchedremotely.Theexploithasbeenreleasedtothepublicandmaybeusedforattacks. CVE- AvulnerabilitywasidentifiedinTendaCX12L16.03.53.12.ThisaffectsthefunctionfromAddressNatofthefile/goform/addressNat.Themanipulationoftheargumentpageleadstostack-basedbufferoverflow.Theattackcanbeinitiatedremotely. Theexploitispubliclyavailableandmightbeused.5685 CVE- HiSecOSwebserverversions03.4.00priorto04.1.00containsaprivilegeescalationvulnerabilitythatallowsauthenticateduserswithoperatororauditorrolestoescalateprivilegestotheadministratorrolebysendingspeciallycraftedpacketstothe2023- webserver.Attackerscanexploitthisflawtogainfulladministrativeaccesstotheaffecteddevice.7342 CI4MSisaCodeIgniter4-basedCMSskeletonthatdeliversaproduction-ready,modulararchitecturewithRBACauthorizationandthemesupport.Priortoversion0.31.0.0,theapplicationfailstoimmediatelyrevokeactiveusersessionswhenanCVE- accountisdeleted.Duetoalogicflawinthebackenddesign,accountstatechangesareenforcedonlyduringauthentication(login),notforalready-establishedsessions.Thesystemimplicitlyassumesthatauthenticatedusersremaintrustedforthe2026- lifetimeoftheirsession.Thereisnosessionexpirationoraccountexpirationmechanisminplace,causingdeletedaccountstoretainindefiniteaccessuntiltheusermanuallylogsout.Thisbehaviorbreakstheintendedaccesscontrolpolicyand34570 resultsinpersistentunauthorizedaccess.Thisissuehasbeenpatchedinversion0.31.0.0. 
CVE- ByteDanceDeer-Flowversionspriortocommit92c7a20containasandboxescapevulnerabilityinbashtoolhandlingthatallowsattackerstoexecutearbitrarycommandsonthehostsystembybypassingregex-basedvalidationusingshellfeatures 2026- suchasdirectorychangesandrelativepaths.Attackerscanexploittheincompleteshellsemanticsmodelingtoreadandmodifyfilesoutsidethesandboxboundaryandachievearbitrarycommandexecutionthroughsubprocessinvocationwithshell 34430 interpretationenabled. CVE- Alocalfileinclusionvulnerabilityintheupload/downloadflowoftheVertiGISFMapplicationallowsauthenticatedattackerstoreadarbitraryfilesfromtheserverbymanipulatingafile'spathduringitsupload.Whenthefileissubsequently 2026- downloaded,thefileintheattackercontrolledpathisreturned.Duetotheapplication'sASP.NETarchitecture,thiscouldpotentiallyleadtoremotecodeexecutionwhenthe"web.config"fileisobtained.Furthermore,theapplicationresolvesUNC 0522 pathswhichmayenableNTLM-relayingattacks.ThisissueaffectsVertiGISFM:10.5.00119(0d29d428). 
CVE- AsecurityvulnerabilityhasbeendetectedinBelkinF9K10151.00.10.ImpactedisthefunctionformSetSystemSettingsofthefile/goform/formSetSystemSettingsofthecomponentSettingHandler.Themanipulationoftheargumentwebpageleadsto2026- stack-basedbufferoverflow.Remoteexploitationoftheattackispossible.Theexploithasbeendisclosedpubliclyandmaybeused.Thevendorwascontactedearlyaboutthisdisclosurebutdidnotrespondinanyway.5628 CVE- AvulnerabilitywasdeterminedinBelkinF9K10151.00.10.ThisvulnerabilityaffectsthefunctionformWlEncryptofthefile/goform/formWlEncrypt.Executingamanipulationoftheargumentwebpagecanleadtostack-basedbufferoverflow.The2026- attackcanbelaunchedremotely.Theexploithasbeenpubliclydisclosedandmaybeutilized.Thevendorwascontactedearlyaboutthisdisclosurebutdidnotrespondinanyway.5612 CVE- ThewpForoForumpluginforWordPressisvulnerabletoarbitraryfiledeletioninallversionsupto,andincluding,2.4.16.Thisisduetoamissingfilename/pathvalidationagainstpathtraversalsequences.Thismakesitpossibleforauthenticated2026- attackers,withsubscriberlevelaccessandabove,todeletearbitraryfilesontheserverbyembeddingacraftedpathtraversalstringinaforumpostbodyandthendeletingthepost.3666 CVE- InsufficientpermissionvalidationonmultipleRESTAPIQuickSetupendpointsinCheckmk2.5.0(beta)beforeversion2.5.0b2and2.4.0beforeversion2.4.0p25allowslow-privilegeduserstoperformunauthorizedactionsorobtainsensitive2026- information24096 CVE- WeGIAisaWebmanagerforcharitableinstitutions.Priorto3.6.9,WeGIA(Webgerenciadorparainstituiçõesassistenciais)containsaSQLinjectionvulnerabilityindao/memorando/DespachoDAO.php.Theidmemorandoparameterisextractedfrom2026- 
$REQUESTwithoutvalidationanddirectlyinterpolatedintoSQLqueries,allowinganyauthenticatedusertoexecutearbitrarySQLcommandsagainstthedatabase.Thisvulnerabilityisfixedin3.6.9.35395 CVE- ChurchCRMisanopen-sourcechurchmanagementsystem.Priorto7.1.0,aSQLinjectionvulnerabilityexistsinChurchCRM'sSettingsIndividual.phpwhereuser-controlledarraykeysfromthetypePOSTparameterareuseddirectlyinSQLqueries2026- withoutsanitization.Thisallowsanyauthenticatedusertoextractsensitivedatafromthedatabase.Thisvulnerabilityisfixedin7.1.0.39317 CVE- ChurchCRMisanopen-sourcechurchmanagementsystem.Priorto7.1.0,theGroupPropsFormRowOps.phpfilecontainsaSQLinjectionvulnerability.UserinputintheFieldparameterisdirectlyinsertedintoSQLquerieswithoutpropersanitization.2026- Themysqlirealescapestring()functiondoesnotescapebacktickcharacters,allowingattackerstobreakoutofSQLidentifiercontextandexecutearbitrarySQLstatements.Thisvulnerabilityisfixedin7.1.0.39318 CVE- ChurchCRMisanopen-sourcechurchmanagementsystem.Priorto7.1.0,asecondorderSQLinjectionvulnerabilitywasfoundintheendpoint/FundRaiserEditor.phpinChurchCRM.Auserhastobeauthenticatedbutdoesn'tneedanyprivileges.2026- TheseuserscaninjectarbitrarySQLstatementsthroughtheiCurrentFundraiserPHPsessionparameterandthusextractandmodifyinformationfromthedatabase.Thisvulnerabilityisfixedin7.1.0.39319 CVE- ChurchCRMisanopen-sourcechurchmanagementsystem.Priorto7.1.0,acriticalSQLinjectionvulnerabilityexistsinChurchCRM'sPropertyTypeEditor.phpwheretheNameandDescriptionPOSTparametersaresanitizedonlywithstriptags()before 2026- 
directconcatenationintoSQLqueries.Thisallowsauthenticateduserswith"ManageProperties"permissiontoexecutearbitrarySQLcommandsincludingdataexfiltration,modification,anddeletion.Injecteddatapersistsinthedatabaseandis 39323 reflectedacrossmultipleapplicationpageswithoutoutputencoding.Thisvulnerabilityisfixedin7.1.0. CVE- ChurchCRMisanopen-sourcechurchmanagementsystem.Priorto7.1.0,anSQLinjectionvulnerabilitywasfoundintheendpoint/PropertyTypeEditor.phpinChurchCRM.AuthenticateduserswiththeroleisMenuOptionsEnabledcaninjectarbitrary2026- SQLstatementsthroughtheNameandDescriptionparametersandthusextractandmodifyinformationfromthedatabase.Thisvulnerabilityisfixedin7.1.0.39326 CVE- ChurchCRMisanopen-sourcechurchmanagementsystem.Priorto7.1.0,anSQLinjectionvulnerabilitywasfoundintheendpoint/MemberRoleChange.phpinChurchCRM7.0.5.AuthenticateduserswiththeroleManageGroups&Roles2026- (ManageGroups)caninjectarbitrarySQLstatementsthroughtheNewRoleparameterandthusextractandmodifyinformationfromthedatabase.Thisvulnerabilityisfixedin7.1.0.39327 CVE- PraisonAIisamulti-agentteamssystem.Priortoversion4.5.97,SubprocessSandboxinallmodes(BASIC,STRICT,NETWORK_ISOLATED)callssubprocess.run()withshell=Trueandreliessolelyonstring-patternmatchingtoblockdangerous2026- commands.Theblocklistdoesnotincludeshorbashasstandaloneexecutables,allowingtrivialsandboxescapeinSTRICTmodeviash-c' '.Thisissuehasbeenpatchedinversion4.5.97.34955 CVE- AvulnerabilitywasidentifiedinBelkinF9K10151.00.10.ThisissueaffectsthefunctionformRebootofthefile/goform/formReboot.Themanipulationoftheargumentwebpageleadstostack-basedbufferoverflow.Theattackmaybeinitiated2026- 
remotely.Theexploitispubliclyavailableandmightbeused.Thevendorwascontactedearlyaboutthisdisclosurebutdidnotrespondinanyway.5613 CVE- AsecurityflawhasbeendiscoveredinBelkinF9K10151.00.10.ImpactedisthefunctionformSetPasswordofthefile/goform/formSetPassword.Themanipulationoftheargumentwebpageresultsinstack-basedbufferoverflow.Theattackmaybe2026- launchedremotely.Theexploithasbeenreleasedtothepublicandmaybeusedforattacks.Thevendorwascontactedearlyaboutthisdisclosurebutdidnotrespondinanyway.5614 CVE- AsecurityflawhasbeendiscoveredinUTTHiPER1250GWupto3.2.7-210907-180535.Theimpactedelementisanunknownfunctionofthefile/goform/formRemoteControl.ThemanipulationoftheargumentProfileresultsinstack-basedbuffer2026- overflow.Theattackcanbeexecutedremotely.Theexploithasbeenreleasedtothepublicandmaybeusedforattacks. CVE- Aflawwasfoundinlibinput.AlocalattackerwhocanplaceaspeciallycraftedLuabytecodefileincertainsystemoruserconfigurationdirectoriescanbypasssecurityrestrictions.Thisallowstheattackertorununauthorizedcodewiththesame permissionsastheprogramusinglibinput,suchasagraphicalcompositor.Thiscouldleadtotheattackermonitoringkeyboardinputandsendingthatinformationtoanexternallocation.35093

CVE- PolarLearnisafreeandopen-sourcelearningprogram.In0-PRERELEASE-14andearlier,setCustomPassword(userId,password)anddeleteUser(userId)intheaccount-managementmoduleusedaninvertedadmincheck.Becauseoftheinverted condition,authenticatednon-adminuserswereallowedtoexecutebothactions,whilerealadminswererejected.Thisisadirectprivilege-escalationissueintheapplication. 35610 CVE- AflawhasbeenfoundinTendai121.0.0.11(3862).AffectedbythisvulnerabilityisthefunctionformwrlSSIDsetofthefile/goform/wifiSSIDsetofthecomponentParameterHandler.Thismanipulationoftheargumentindex/wlradiocausesstack- basedbufferoverflow.Itispossibletoinitiatetheattackremotely.Theexploithasbeenpublishedandmaybeused.5609 CVE- phpBBcontainsanarbitraryfileuploadvulnerabilitythatallowsauthenticatedattackerstouploadmaliciousfilesbyexploitingthepluploadfunctionalityandphar://streamwrapper.AttackerscanuploadacraftedzipfilecontainingserializedPHP2019- objectsthatexecutearbitrarycodewhendeserializedthroughtheimagickparameterinattachmentsettings.25685 CVE- 2026- IncorrectboundaryconditionsintheGraphics:WebGPUcomponent.ThisvulnerabilityaffectsFirefox<149.0.2andThunderbird<149.0.2. 5733 CVE- 2026- Incorrectboundaryconditions,integeroverflowintheGraphics:Textcomponent.ThisvulnerabilityaffectsFirefox<149.0.2,FirefoxESR<140.9.1,Thunderbird<149.0.2,andThunderbird<140.9.1. 
5732 CVE- Avulnerabilityhasbeenidentifiedinthegraphicaluserinterface(GUI)ofHPEArubaNetworkingPrivate5GCoreOn-PremthatcouldallowanattackertoabuseanopenredirectvulnerabilityintheloginflowusingacraftedURL.Successful 2026- exploitationmayredirectanauthenticatedusertoanattacker-controlledserverhostingaspoofedloginpagepromptingtheunsuspectingvictimtogiveawaytheircredentials,whichcouldthenbecapturedbytheattacker,beforebeingredirected 23818 backtothelegitimateloginpage. CVE- FTLDNS(pihole-FTL)providesaninteractiveAPIandalsogeneratesstatisticsforPi-hole'sWebinterface.From6.0tobefore6.6,thePi-holeFTLenginecontainsaRemoteCodeExecution(RCE)vulnerabilityintheupstreamDNSserversconfiguration 2026- parameter(dns.upstreams).Thisvulnerabilityallowsanauthenticatedattackertoinjectarbitrarydnsmasqconfigurationdirectivesthroughnewlinecharacters,ultimatelyachievingcommandexecutionontheunderlyingsystem.Thisvulnerabilityis 35517 fixedin6.6. CVE- FTLDNS(pihole-FTL)providesaninteractiveAPIandalsogeneratesstatisticsforPi-hole'sWebinterface.From6.0tobefore6.6,thePi-holeFTLenginecontainsaRemoteCodeExecution(RCE)vulnerabilityintheDNSCNAMErecordsconfiguration 2026- parameter(dns.cnameRecords).Thisvulnerabilityallowsanauthenticatedattackertoinjectarbitrarydnsmasqconfigurationdirectivesthroughnewlinecharacters,ultimatelyachievingcommandexecutionontheunderlyingsystem.Thisvulnerability 35518 isfixedin6.6. 
CVE- AsecurityflawhasbeendiscoveredinTendaCH221.0.0.1.TheimpactedelementisthefunctionformCertLocalPrecreateofthefile/goform/CertLocalPrecreateofthecomponentParameterHandler.Performingamanipulationoftheargument2026- standardresultsinstack-basedbufferoverflow.Remoteexploitationoftheattackispossible.Theexploithasbeenreleasedtothepublicandmaybeusedforattacks.5604 CVE- FTLDNS(pihole-FTL)providesaninteractiveAPIandalsogeneratesstatisticsforPi-hole'sWebinterface.From6.0tobefore6.6,thePi-holeFTLenginecontainsaRemoteCodeExecution(RCE)vulnerabilityintheDNShostrecordconfiguration 2026- parameter(dns.hostRecord).Thisvulnerabilityallowsanauthenticatedattackertoinjectarbitrarydnsmasqconfigurationdirectivesthroughnewlinecharacters,ultimatelyachievingcommandexecutionontheunderlyingsystem.Thisvulnerabilityis 35519 fixedin6.6. CVE- FTLDNS(pihole-FTL)providesaninteractiveAPIandalsogeneratesstatisticsforPi-hole'sWebinterface.From6.0tobefore6.6,thePi-holeFTLenginecontainsaRemoteCodeExecution(RCE)vulnerabilityintheDHCPleasetimeconfiguration 2026- parameter(dhcp.leaseTime).Thisvulnerabilityallowsanauthenticatedattackertoinjectarbitrarydnsmasqconfigurationdirectivesthroughnewlinecharacters,ultimatelyachievingcommandexecutionontheunderlyingsystem.Thisvulnerabilityis 35520 fixedin6.6. 
CVE- FTLDNS(pihole-FTL)providesaninteractiveAPIandalsogeneratesstatisticsforPi-hole'sWebinterface.From6.0tobefore6.6,thePi-holeFTLenginecontainsaRemoteCodeExecution(RCE)vulnerabilityintheDHCPhostsconfigurationparameter2026- (dhcp.hosts).Thisvulnerabilityallowsanauthenticatedattackertoinjectarbitrarydnsmasqconfigurationdirectivesthroughnewlinecharacters,ultimatelyachievingcommandexecutionontheunderlyingsystem.Thisvulnerabilityisfixedin6.6.35521 CVE- UniSharpLaravelFileManagerv2.0.0-alpha7andv2.0containanarbitraryfileuploadvulnerabilitythatallowsauthenticatedattackerstouploadmaliciousfilesbysendingmultipartformdatatotheuploadendpoint.AttackerscanuploadPHPfiles2019- withthetypeparametersettoFilesandexecutearbitrarycodebyaccessingtheuploadedfilethroughtheworkingdirectorypath.25673 ImproperInputValidation,ImproperControlofGenerationofCode('CodeInjection')vulnerabilityinApacheActiveMQBroker,ApacheActiveMQ.ApacheActiveMQClassicexposestheJolokiaJMX-HTTPbridgeat/api/jolokia/onthewebconsole.The CVE- defaultJolokiaaccesspolicypermitsexecoperationsonallActiveMQMBeans(org.apache.activemq:*),includingBrokerService.addNetworkConnector(String)andBrokerService.addConnector(String). 2026- operationswithacrafteddiscoveryURIthattriggerstheVMtransport'sbrokerConfigparametertoloadaremoteSpringXMLapplicationcontextusingResourceXmlApplicationContext. 34197 singletonbeansbeforetheBrokerServicevalidatestheconfiguration,arbitrarycodeexecutionoccursonthebroker'sJVMthroughbeanfactorymethodssuchasRuntime.exec().ThisissueaffectsApacheActiveMQBroker:before5.19.4,from6.0.0 before6.2.3;ApacheActiveMQ:.Usersarerecommendedtoupgradetoversion5.19.5or6.2.3,whichfixestheissue. 
CVE- TheBookingforAppointmentsandEventsCalendar-AmeliapluginforWordPressisvulnerabletoInsecureDirectObjectReferenceinallversionsupto,andincluding,2.1.3.ThisisduetotheUpdateProviderCommandHandlerfailingtovalidate 2026- changestotheexternalIdfieldwhenaProvider(Employee)userupdatestheirownprofile.TheexternalIdmapsdirectlytoaWordPressuserIDandispassedto`wpsetpassword()andwpupdateuser()withoutauthorizationchecks.This 5465 makesitpossibleforauthenticatedattackers,withProvider-level(Employee)accessandabove,totakeoveranyWordPressaccount--includingAdministrator--byinjectinganarbitraryexternalId`valuewhenupdatingtheirownproviderprofile. CVE- 2026- HCLBigFixPlatformisaffectedbyinsecurepermissionsonprivatecryptographickeys.TheprivatecryptographickeyslocatedonaWindowshostmachinemightbesubjecttooverlypermissivefilesystempermissions. 21765 CVE- AweaknesshasbeenidentifiedinTendaCH221.0.0.1.ThisaffectsthefunctionformWrlExtraSetofthefile/goform/WrlExtraSet.ExecutingamanipulationoftheargumentGOcanleadtostack-basedbufferoverflow.Theattackcanbeexecuted2026- remotely.Theexploithasbeenmadeavailabletothepublicandcouldbeusedforattacks.5605 CVE- VAMAX8.3.4containsaremotecodeexecutionvulnerabilitythatallowsauthenticatedattackerstoexecutearbitrarycommandsbyinjectingshellmetacharactersintothemtueth0parameter.AttackerscansendPOSTrequeststothechangeip.php2019- endpointwithmaliciouspayloadinthemtu_eth0fieldtoexecutecommandsastheapacheuser.25671 CVE- ChurchCRMisanopen-sourcechurchmanagementsystem.Priorto7.1.0,theNewRolePOSTparameterinsrc/MemberRoleChange.phpisusedinanSQLquerywithoutproperintegervalidation,allowingauthenticateduserstoinjectarbitrarySQL.2026- 
TheattackrequiresanauthenticatedsessionwithManageGroupsrole,knowledgeofavalidGroupIDandPersonID(obtainablefromGroupVieworPersonViewpages)Thisvulnerabilityisfixedin7.1.0.35567 RemoteCodeExecutionVulnerabilityinJP1/ITDesktopManagement2-ManageronWindows,JP1/ITDesktopManagement2-OperationsDirectoronWindows,JobManagementPartner1/ITDesktopManagement2-ManageronWindows,JP1/IT DesktopManagement-ManageronWindows,JobManagementPartner1/ITDesktopManagement-ManageronWindows,JP1/NETM/DMManageronWindows,JP1/NETM/DMClientonWindows,JobManagementPartner1/SoftwareDistribution CVE- ManageronWindows,JobManagementPartner1/SoftwareDistributionClientonWindows.ThisissueaffectsJP1/ITDesktopManagement2-Manager:from13-50before13-50-02,from13-11before13-11-04,from13-10before13-10-07,from13-01 2025- before13-01-07,from13-00before13-00-05,from12-60before12-60-12,from10-50through12-50-11;JP1/ITDesktopManagement2-OperationsDirector:from13-50before13-50-02,from13-11before13-11-04,from13-10before13-10-07, 65115 from13-01before13-01-07,from13-00before13-00-05,from12-60before12-60-12,from10-50through12-50-11;JobManagementPartner1/ITDesktopManagement2-Manager:from10-50through10-50-11;JP1/ITDesktopManagement- Manager:from09-50through10-10-16;JobManagementPartner1/ITDesktopManagement-Manager:from09-50through10-10-16;JP1/NETM/DMManager:from09-00through10-20-02;JP1/NETM/DMClient:from09-00through10-20-02;Job ManagementPartner1/SoftwareDistributionManager:from09-00through09-51-13;JobManagementPartner1/SoftwareDistributionClient:from09-00through09-51-13. 
CVE- InModem,thereisapossibleoutofboundswriteduetoamissingboundscheck.Thiscouldleadtoremoteescalationofprivilege,ifaUEhasconnectedtoaroguebasestationcontrolledbytheattacker,withnoadditionalexecutionprivileges needed.Userinteractionisneededforexploitation.PatchID:MOLY01088681;IssueID:MSV-4460.

20433 CVE- Theissuewasaddressedwithimprovedmemoryhandling.ThisissueisfixedinmacOSSequoia15.6.Processingamaliciouslycraftedimagemaycorruptprocessmemory. 43264 CVE- Avulnerabilityintheweb-basedmanagementinterfaceofCiscoIMCcouldallowanauthenticated,remoteattackerwithread-onlyprivilegestoperformcommandinjectionattacksonanaffectedsystemandexecutearbitrarycommandsastheroot 2026- user.Thisvulnerabilityisduetoimpropervalidationofuser-suppliedinput.Anattackercouldexploitthisvulnerabilitybysendingcraftedcommandstotheweb-basedmanagementinterfaceoftheaffectedsoftware.Asuccessfulexploitcouldallow 20094 theattackertoexecutearbitrarycommandsontheunderlyingoperatingsystemastherootuser. CVE- Windmillversions1.56.0through1.614.0containamissingauthorizationvulnerabilitythatallowsuserswiththeOperatorroletoperformprohibitedentitycreationandmodificationactionsviathebackendAPI.AlthoughOperatorsaredocumented 2026- andpricedasunabletocreateormodifyentities,theAPIdoesnotenforcetheOperatorrestrictiononworkspaceendpoints,allowinganOperatortocreateandupdatescripts,flows,apps,andrawapps.SinceOperatorscanalsoexecutescriptsvia 22683 thejobsAPI,thisallowsdirectprivilegeescalationtoremotecodeexecutionwithintheWindmilldeployment.ThisvulnerabilityhasexistedsincetheintroductionoftheOperatorroleinversion1.56.0. 
CVE- PrivilegeescalationinApacheCassandra5.0onanmTLSenvironmentusingMutualTlsAuthenticatorallowsauserwithonlyCREATEpermissiontoassociatetheirowncertificateidentitywithanarbitraryrole,includingasuperuserrole,and2026- authenticateasthatroleviaADDIDENTITY.Usersarerecommendedtoupgradetoversion5.0.7+,whichfixesthisissue.27314 CVE- AflawhasbeenfoundinTendaM31.0.0.10.ThisvulnerabilityaffectsthefunctionsetAdvPolicyDataofthefile/goform/setAdvPolicyDataofthecomponentDestinationHandler.ExecutingamanipulationoftheargumentpolicyTypecanleadtobuffer2026- overflow.Theattackcanbeexecutedremotely.Theexploithasbeenpublishedandmaybeused.5567 CVE- AvulnerabilitywasdetectedinUTTHiPER1250GWupto3.2.7-210907-180535.Thisaffectsthefunctionstrcpyofthefile/goform/formNatStaticMap.PerformingamanipulationoftheargumentNatBindresultsinbufferoverflow.Remoteexploitation2026- oftheattackispossible.Theexploitisnowpublicandmaybeused.5566 CVE- AvulnerabilitywasdetectedinBelkinF9K11221.00.33.AffectedisthefunctionformWlanSetupofthefile/goform/formWlanSetup.Themanipulationoftheargumentwebpageresultsinstack-basedbufferoverflow.Theattackmaybeperformedfrom2026- remote.Theexploitisnowpublicandmaybeused.Thevendorwascontactedearlyaboutthisdisclosurebutdidnotrespondinanyway.5608 CVE- AvulnerabilitywasidentifiedinTendaAC1016.03.10.10multiTDE01.ThisaffectsthefunctionfromSysToolChangePwdofthefile/bin/httpd.Themanipulationleadstostack-basedbufferoverflow.Theattackmaybeinitiatedremotely.Multiple2026- endpointsmightbeaffected.5550 CVE- AvulnerabilitywasfoundinTendaAC1016.03.10.10multiTDE01.AffectedbythisvulnerabilityisthefunctionfromSysToolChangePwdofthefile/bin/httpd.Performingamanipulationoftheargumentsys.userpassresultsinstack-basedbuffer2026- 
overflow.Theattackcanbeinitiatedremotely.5548 CVE- AvulnerabilitywasfoundinBelkinF9K10151.00.10.ThisaffectsthefunctionformCrossBandSwitchofthefile/goform/formCrossBandSwitch.Performingamanipulationoftheargumentwebpageresultsinstack-basedbufferoverflow.Theattackcan2026- beinitiatedremotely.Theexploithasbeenmadepublicandcouldbeused.Thevendorwascontactedearlyaboutthisdisclosurebutdidnotrespondinanyway.5611 CVE- AvulnerabilitywasdetectedinBelkinF9K10151.00.10.TheaffectedelementisthefunctionformSetFirewallofthefile/goform/formSetFirewall.Themanipulationoftheargumentwebpageresultsinstack-basedbufferoverflow.Theattackcanbe2026- executedremotely.Theexploitisnowpublicandmaybeused.Thevendorwascontactedearlyaboutthisdisclosurebutdidnotrespondinanyway.5629 CVE- 2025- Memorycorruptionwhendecodingcorruptedsatellitedatafileswithinvalidsignatureoffsets. 47392 CVE- 2026- UseafterfreeinDawninGoogleChromepriorto146.0.7680.178allowedaremoteattackerwhohadcompromisedtherendererprocesstoexecutearbitrarycodeviaacraftedHTMLpage.(Chromiumsecurityseverity:High) 5281 CVE- 2026- UseafterfreeinWebCodecsinGoogleChromepriorto146.0.7680.178allowedaremoteattackertoexecutearbitrarycodeinsideasandboxviaacraftedHTMLpage.(Chromiumsecurityseverity:High) 5280 CVE- 2026- ObjectcorruptioninV8inGoogleChromepriorto146.0.7680.178allowedaremoteattackertoexecutearbitrarycodeinsideasandboxviaacraftedHTMLpage.(Chromiumsecurityseverity:High) 5279 CVE- 2026- UseafterfreeinWebMIDIinGoogleChromeonAndroidpriorto146.0.7680.178allowedaremoteattackertoexecutearbitrarycodeviaacraftedHTMLpage.(Chromiumsecurityseverity:High) 5278 CVE- 
OAuthenticatorissoftwarethatallowsOAuth2identityproviderstobepluggedinandusedwithJupyterHub.Priortoversion17.4.0,anauthenticationbypassvulnerabilityinoauthenticatorallowsanattackerwithanunverifiedemailaddressonan2026- Auth0tenanttologintoJupyterHub.Whenemailisusedastheusrnameclaim,thisgivesuserscontrolovertheirusernameandthepossibilityofaccounttakeover.Thisissuehasbeenpatchedinversion17.4.0.33175 CVE- RAGFlowisanopen-sourceRAG(Retrieval-AugmentedGeneration)engine.Inversions0.24.0andprior,aServer-SideTemplateInjection(SSTI)vulnerabilityexistsinRAGFlow'sAgentworkflowTextProcessing(StringTransform)andMessage 2026- components.ThesecomponentsusePython'sjinja2.Template(unsandboxed)torenderuser-suppliedtemplates,allowinganyauthenticatedusertoexecutearbitraryoperatingsystemcommandsontheserver.Attimeofpublication,thereareno 28797 publiclyavailablepatches. CVE- 2026- HeapbufferoverflowinANGLEinGoogleChromeonMacpriorto146.0.7680.178allowedaremoteattackertoexecutearbitrarycodeviaacraftedHTMLpage.(Chromiumsecurityseverity:High) 5275 CVE- 2026- IntegeroverflowinCodecsinGoogleChromepriorto146.0.7680.178allowedaremoteattackertoperformarbitraryread/writeviaacraftedHTMLpage.(Chromiumsecurityseverity:High) 5274 CVE- OpenSTAManagerisanopensourcemanagementsoftwarefortechnicalassistanceandinvoicing.Priorto2.10.2,confrontarighe.phpfilesacrossdifferentmodulesinOpenSTAManagercontainanSQLInjectionvulnerability.Therigheparameter receivedvia$GET['righe']isdirectlyconcatenatedintoanSQLquerywithoutanysanitization,parameterizationorvalidation.AnauthenticatedattackercaninjectarbitrarySQLstatementstoextractsensitivedatafromthedatabase,includinguser 35470 
credentials,customerinformation,invoicedataandanyotherstoreddata.Thisvulnerabilityisfixedin2.10.2. CVE- HeapbufferoverflowinGPUinGoogleChromepriorto146.0.7680.178allowedaremoteattackertoexecutearbitrarycodeviaacraftedHTMLpage.(Chromiumsecurityseverity:High)

OpenSTAManagerisanopensourcemanagementsoftwarefortechnicalassistanceandinvoicing.Priortoversion2.10.2,theAggiornamenti(Updates)moduleinOpenSTAManagercontainsadatabaseconflictresolutionfeature(op=risolvi-conflitti-CVE-database)thatacceptsaJSONarrayofSQLstatementsviaPOSTandexecutesthemdirectlyagainstthedatabasewithoutanyvalidation,allowlist,orsanitization.AnauthenticatedattackerwithaccesstotheAggiornamentimodulecanexecute arbitrarySQLstatementsincludingCREATE,DROP,ALTER,INSERT,UPDATE,DELETE,SELECTINTOOUTFILE,andanyotherSQLcommandsupportedbytheMySQLserver.Foreignkeychecksareexplicitlydisabledbeforeexecution(SET35168FOREIGNKEYCHECKS=0),furtherreducingdatabaseintegrityprotections.Thisissuehasbeenpatchedinversion2.10.2. CVE- 2026-InProgressFlowmonversionspriorto12.5.8,avulnerabilityexistswherebyanauthenticatedlow-privilegedusermaycraftarequestduringthereportgenerationprocessthatresultsinunintendedcommandsbeingexecutedontheserver. 
3692 CVE-BraveCMSisanopen-sourceCMS.Priorto2.0.6,anunrestrictedfileuploadvulnerabilityexistsintheCKEditoruploadfunctionality.Itisfoundinapp/Http/Controllers/Dashboard/CkEditorController.phpwithintheckuploadmethod.Themethodfailsto2026-validateuploadedfiletypesandreliesentirelyonuserinput.ThisallowsanauthenticatedusertouploadexecutablePHPscriptsandgainRemoteCodeExecution.Thisvulnerabilityisfixedin2.0.6.35164 CVE-Homarrisanopen-sourcedashboard.Priorto1.57.0,aDOM-basedCross-SiteScripting(XSS)vulnerabilityhasbeendiscoveredinHomarr's/auth/loginpage.TheapplicationimproperlytrustsaURLparameter(callbackUrl),whichispassedtoredirect 2026-androuter.push.Anattackercancraftamaliciouslinkthat,whenopenedbyanauthenticateduser,performsaclient-sideredirectandexecutesarbitraryJavaScriptinthecontextoftheirbrowser.Thiscouldleadtocredentialtheft,internalnetwork 33510pivoting,andunauthorizedactionsperformedonbehalfofthevictim.Thisvulnerabilityisfixedin1.57.0. AvulnerabilitywasidentifiedinTrendnetTEW-657BRM1.00.1.Theaffectedelementisthefunctionaddapcdbofthefile/setup.cgi.Themanipulationoftheargumentmacpcdbaleadstostack-basedbufferoverflow.TheattackcanbeinitiatedCVE-remotely.Theexploitispubliclyavailableandmightbeused.Thevendorconfirms,that"[t]heproductinquestion(...)hasbeendiscontinuedandendoflifesinceJune23,2011,thatismorethan14yearsago.Wenolongerprovidesupportforthis2026-product,sowearenotabletoconfirmthevulnerabilities.Wewillmakeanannouncementonourwebsite'sproductsupportpageandnotifycustomerswhoregisteredtheirproductswithus."Thisvulnerabilityonlyaffectsproductsthatarenolonger5349supportedbythemaintainer. 
CVE-EndianFirewallversion3.3.25andpriorallowauthenticateduserstoexecutearbitraryOScommandsviatheDATEparameterto/cgi-bin/logsproxy.cgi.TheDATEparametervalueisusedtoconstructafilepaththatispassedtoaPerlopen()call,2026-whichallowscommandinjectionduetoanincompleteregularexpressionvalidation.34791 CVE-EndianFirewallversion3.3.25andpriorallowauthenticateduserstoexecutearbitraryOScommandsviatheDATEparameterto/cgi-bin/logsclamav.cgi.TheDATEparametervalueisusedtoconstructafilepaththatispassedtoaPerlopen()call,2026-whichallowscommandinjectionduetoanincompleteregularexpressionvalidation.34792 CVE-EndianFirewallversion3.3.25andpriorallowauthenticateduserstoexecutearbitraryOScommandsviatheDATEparameterto/cgi-bin/logsfirewall.cgi.TheDATEparametervalueisusedtoconstructafilepaththatispassedtoaPerlopen()call,2026-whichallowscommandinjectionduetoanincompleteregularexpressionvalidation.34793 CVE-EndianFirewallversion3.3.25andpriorallowauthenticateduserstoexecutearbitraryOScommandsviatheDATEparameterto/cgi-bin/logsids.cgi.TheDATEparametervalueisusedtoconstructafilepaththatispassedtoaPerlopen()call,which2026-allowscommandinjectionduetoanincompleteregularexpressionvalidation.34794 CVE-EndianFirewallversion3.3.25andpriorallowauthenticateduserstoexecutearbitraryOScommandsviatheDATEparameterto/cgi-bin/logslog.cgi.TheDATEparametervalueisusedtoconstructafilepaththatispassedtoaPerlopen()call,which2026-allowscommandinjectionduetoanincompleteregularexpressionvalidation.34795 
CVE-EndianFirewallversion3.3.25andpriorallowauthenticateduserstoexecutearbitraryOScommandsviatheDATEparameterto/cgi-bin/logsopenvpn.cgi.TheDATEparametervalueisusedtoconstructafilepaththatispassedtoaPerlopen()call,2026-whichallowscommandinjectionduetoanincompleteregularexpressionvalidation.34796 CVE-EndianFirewallversion3.3.25andpriorallowauthenticateduserstoexecutearbitraryOScommandsviatheDATEparameterto/cgi-bin/logssmtp.cgi.TheDATEparametervalueisusedtoconstructafilepaththatispassedtoaPerlopen()call,2026-whichallowscommandinjectionduetoanincompleteregularexpressionvalidation.34797 CVE-BentoMLisaPythonlibraryforbuildingonlineservingsystemsoptimizedforAIappsandmodelinference.Priorto1.4.38,theDockerfilegenerationfunctiongeneratecontainerfile()insrc/bentoml/internal/container/generate.pyusesan 2026-unsandboxedjinja2.Environmentwiththejinja2.ext.doextensiontorenderuser-provideddockerfiletemplatefiles.Whenavictimimportsamaliciousbentoarchiveandrunsbentomlcontainerize,attacker-controlledJinja2templatecodeexecutes 35044arbitraryPythondirectlyonthehostmachine,bypassingallcontainerisolation.Thisvulnerabilityisfixedin1.4.38. CVE-LiteLLMisaproxyserver(AIGateway)tocallLLMAPIsinOpenAI(ornative)format.Priorto1.83.0,the/config/updateendpointdoesnotenforceadminroleauthorization.Auserwhoisalreadyauthenticatedintotheplatformcanthenusethis 2026-endpointtomodifyproxyconfigurationandenvironmentvariables,registercustompass-throughendpointhandlerspointingtoattacker-controlledPythoncode,achievingremotecodeexecution,readarbitraryserverfilesbysettingUILOGOPATH 35029andfetchingvia/getimage,andtakeoverotherprivilegedaccountsbyoverwritingUIUSERNAMEandUIPASSWORDenvironmentvariables.Fixedinv1.83.0. 
CVE-XenForobefore2.3.7doesnotproperlyrestrictmethodscallablefromwithintemplates.Alooseprefixmatchwasusedinsteadofastricterfirst-wordmatchformethodsaccessiblethroughcallbacksandvariablemethodcallsintemplates,potentially2025-allowingunauthorizedmethodinvocations.71281 CVE-XenForobefore2.3.5allowsOAuth2clientapplicationstorequestunauthorizedscopes.ThisaffectsanycustomerusingOAuth2clientsonanyversionofXenForo2.3priorto2.3.5,potentiallyallowingclientapplicationstogainaccessbeyondtheir2025-intendedauthorizationlevel.71278 CVE-OpenSTAManagerisanopensourcemanagementsoftwarefortechnicalassistanceandinvoicing.Priortoversion2.10.2,multipleAJAXselecthandlersinOpenSTAManagerarevulnerabletoTime-BasedBlindSQLInjectionthroughtheoptions[stato] 2026-GETparameter.Theuser-suppliedvalueisreadfrom$superselect['stato']andconcatenateddirectlyintoSQLWHEREclausesasabareexpression,withoutanysanitization,parameterization,orallowlistvalidation.Anauthenticatedattackercan 28805injectarbitrarySQLstatementstoextractsensitivedatafromthedatabase,includingusernames,passwordhashes,financialrecords,andanyotherinformationstoredintheMySQLdatabase.Thisissuehasbeenpatchedinversion2.10.2. 
AsecurityflawhasbeendiscoveredinTrendnetTEW-657BRM1.00.1.Theimpactedelementisthefunctionupdatepcdbofthefile/setup.cgi.Themanipulationoftheargumentmacpc_dbaresultsinstack-basedbufferoverflow.TheattackcanbeCVE-launchedremotely.Theexploithasbeenreleasedtothepublicandmaybeusedforattacks.Thevendorconfirms,that"[t]heproductinquestion(...)hasbeendiscontinuedandendoflifesinceJune23,2011,thatismorethan14yearsago.Weno2026-longerprovidesupportforthisproduct,sowearenotabletoconfirmthevulnerabilities.Wewillmakeanannouncementonourwebsite'sproductsupportpageandnotifycustomerswhoregisteredtheirproductswithus."Thisvulnerabilityonly5350affectsproductsthatarenolongersupportedbythemaintainer. CVE-ChurchCRMisanopen-sourcechurchmanagementsystem.Priorto7.1.0,anSQLinjectionvulnerabilitywasidentifiedin/EventNames.phpinChurchCRM.AuthenticateduserswithAddEventprivilegescaninjectSQLviathenewEvtTypeCntLst2026-parameterduringeventtypecreation.ThevulnerableflowreachesanONDUPLICATEKEYUPDATEclausewhereunescapeduserinputisinterpolateddirectly.Thisvulnerabilityisfixedin7.1.0.39329 CVE-BraveCMSisanopen-sourceCMS.Priorto2.0.6,thisvulnerabilityisamissingauthorizationcheckfoundintheupdateroleendpointatroutes/web.php.ThePOSTroutefor/rights/update-role/{id}lacksthecheckUserPermissions:assign-user-roles2026-middleware.ThisallowsanyauthenticatedusertochangeaccountrolesandpromotethemselvestoSuperAdmin.Thisvulnerabilityisfixedin2.0.6.35182 CVE-AnauthenticationbypassvulnerabilitywithintheHTTPhandlingoftheDSconfigurationserviceinTP-LinkTapoC520WSv2.6wasidentified,duetoinconsistentparsingandauthorizationlogicinJSONrequestsduringauthenticationcheck. 
unauthenticatedattackercanappendanauthentication-exemptactiontoarequestcontainingprivilegedDSdoactions,bypassingauthorizationchecks.Successfulexploitationallowsunauthenticatedexecutionofrestrictedconfigurationactions, 34121whichmayresultinunauthorizedmodificationofdevicestate.

CVE- MattermostPluginLegalHoldversions<=1.1.4failtohaltrequestprocessingafterafailedauthorizationcheckinServeHTTPwhichallowsanauthenticatedattackertoaccess,create,download,anddeletelegalholddataviacraftedAPIrequeststo theplugin'sendpoints.MattermostAdvisoryID:MMSA-2026-00621

CVE- OutofboundsreadinWebCodecsinGoogleChromepriorto146.0.7680.178allowedaremoteattackertoperformanoutofboundsmemoryreadviaacraftedHTMLpage.(Chromiumsecurityseverity:Medium) 5292 CVE- 2026- UseafterfreeinPDFinGoogleChromepriorto146.0.7680.178allowedaremoteattackertoexecutearbitrarycodeinsideasandboxviaacraftedPDFfile.(Chromiumsecurityseverity:High) 5287 CVE- ChurchCRMisanopen-sourcechurchmanagementsystem.Priorto7.1.0,anSQLinjectionvulnerabilitywasfoundintheendpoint/PropertyAssign.phpinChurchCRM.AuthenticateduserswiththeroleManageGroups&Roles(ManageGroups)and2026- EditRecords(isEditRecordsEnabled)caninjectarbitrarySQLstatementsthroughtheValueparameterandthusextractandmodifyinformationfromthedatabase.Thisvulnerabilityisfixedin7.1.0.39330 CVE- 2026- UseafterfreeinDawninGoogleChromepriorto146.0.7680.178allowedaremoteattackertoexecutearbitrarycodeviaacraftedHTMLpage.(Chromiumsecurityseverity:High) 5286 CVE- 2026- UseafterfreeinWebGLinGoogleChromepriorto146.0.7680.178allowedaremoteattackertoexecutearbitrarycodeinsideasandboxviaacraftedHTMLpage.(Chromiumsecurityseverity:High) 5285 CVE- ChurchCRMisanopen-sourcechurchmanagementsystem.Priorto7.1.0,anSQLinjectionvulnerabilitywasfoundintheendpoint/SettingsIndividual.phpinChurchCRM7.0.5.Authenticateduserswithoutanyspecificprivilegescaninjectarbitrary2026- SQLstatementsthroughthetypearrayparameterviatheindexandthusextractandmodifyinformationfromthedatabase.Thisvulnerabilityisfixedin7.1.0.39334 CVE- ChurchCRMisanopen-sourcechurchmanagementsystem.Priorto7.1.0,areflectedCross-SiteScripting(XSS)vulnerabilityinGeoPage.phpallowsanyauthenticatedusertoinjectarbitraryJavaScriptintothebrowserofanotherauthenticateduser. 
CVE-2026-39332 (ChurchCRM, continued): Because the payload fires automatically via autofocus with no user interaction required, an attacker can steal session cookies and fully take over any victim account, including administrator accounts, by tricking them into submitting a crafted form. This vulnerability is fixed in 7.1.0.

CVE-2026-35576: ChurchCRM is an open-source church management system. Prior to 7.0.0, a stored cross-site scripting (XSS) vulnerability exists in ChurchCRM within the Person Property Management subsystem. This issue persists in versions patched for CVE-2023-38766 and allows an authenticated user to inject arbitrary JavaScript code via dynamically assigned person properties. The malicious payload is persistently stored and executed when other users view the affected person profile or access the printable view, potentially leading to session hijacking or full account compromise. This vulnerability is fixed in 7.0.0.

CVE-2026-39333: ChurchCRM is an open-source church management system. Prior to 7.1.0, the FindFundRaiser.php endpoint reflects user-supplied input (DateStart and DateEnd) into HTML input field attributes without proper output encoding for the HTML attribute context. An authenticated attacker can craft a malicious URL that executes arbitrary JavaScript when visited by another authenticated user. This constitutes a reflected XSS vulnerability. This vulnerability is fixed in 7.1.0.

CVE-2026-35408: Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus's Single Sign-On (SSO) login pages lacked a Cross-Origin-Opener-Policy (COOP) HTTP response header. Without this header, a malicious cross-origin window that opens the Directus login page retains the ability to access and manipulate the window object of that page. An attacker can exploit this to intercept and redirect the OAuth authorization flow to an attacker-controlled OAuth client, causing the victim to unknowingly grant access to their authentication provider account (e.g. Google, Discord). This vulnerability is fixed in 11.17.0.

CVE-2026-35554: A race condition in the Apache Kafka Java producer client's buffer pool management can cause messages to be silently delivered to incorrect topics. When a produce batch expires due to delivery.timeout.ms while a network request containing that batch is still in flight, the batch's ByteBuffer is prematurely deallocated and returned to the buffer pool. If a subsequent producer batch, potentially destined for a different topic, reuses this freed buffer before the original network request completes, the buffer contents may become corrupted. This can result in messages being delivered to unintended topics without any error being reported to the producer. Data Confidentiality: messages intended for one topic may be delivered to a different topic, potentially exposing sensitive data to consumers who have access to the destination topic but not the intended source topic. Data Integrity: consumers on the receiving topic may encounter unexpected or incompatible messages, leading to deserialization failures, processing errors, and corrupted downstream data. This issue affects Apache Kafka versions ≤3.9.1, ≤4.0.1, and ≤4.1.1. Kafka users are advised to upgrade to 3.9.2, 4.0.2, 4.1.2, 4.2.0, or later to address this vulnerability.

CVE-2026-35218: Budibase is an open-source low-code platform. Prior to version 3.32.5, Budibase's Builder Command Palette renders entity names (tables, views, queries, automations) using Svelte's {@html} directive without any sanitization. An authenticated user with Builder access can create a table, automation, view, or query whose name contains an HTML payload. When any Builder-role user in the same workspace opens the Command Palette (Ctrl+K), the payload executes in their browser, stealing their session cookie and enabling full account takeover. This issue has been patched in version 3.32.5.

CVE-2026-35214: Budibase is an open-source low-code platform. Prior to version 3.33.4, the plugin file upload endpoint (POST /api/plugin/upload) passes the user-supplied filename directly to createTempFolder() without sanitizing path traversal sequences. An attacker with Global Builder privileges can craft a multipart upload with a filename containing ../ to delete arbitrary directories via rmSync and write arbitrary files via tarball extraction to any filesystem path the Node.js process can access. This issue has been patched in version 3.33.4.

CVE-2026-34748: Payload is a free and open source headless content management system. Prior to version 3.78.0 in @payloadcms/next, a stored Cross-Site Scripting (XSS) vulnerability existed in the admin panel. An authenticated user with write access to a collection could save content that, when viewed by another user, would execute in their browser. This issue has been patched in version 3.78.0.

CVE-2026-34728: phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, the MediaBrowserController::index() method handles file deletion for the media browser. When the fileRemove action is triggered, the user-supplied name parameter is concatenated with the base upload directory path without any path traversal validation. The FILTER_SANITIZE_SPECIAL_CHARS filter only encodes HTML special characters (&, ', ", <, >) and characters with ASCII value <32, and does not prevent directory traversal sequences like ../. Additionally, the endpoint does not validate CSRF tokens, making it exploitable via CSRF attacks. This issue has been patched in version 4.1.1.
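Worked example, added here and not code from phpMyFAQ or Budibase: a Python model of why an HTML-escaping filter such as FILTER_SANITIZE_SPECIAL_CHARS does nothing against ../, and the containment check (resolve the path, then compare it with the root) that the Budibase tarball case also needs, because its member paths are legitimately nested and a single-component rule alone would not fit there. UPLOAD_ROOT and the function names are assumptions for the demo.

```python
import os

# Constructed upload root for the demo; the real phpMyFAQ/Budibase paths differ.
UPLOAD_ROOT = "/var/www/app/uploads"


def special_chars_filter(name: str) -> str:
    """Model of PHP's FILTER_SANITIZE_SPECIAL_CHARS as the advisory describes it:
    it HTML-encodes &, ', ", <, > and ASCII < 32, and nothing else.
    '.' and '/' pass through, so '../' is untouched."""
    return "".join(
        "&#%d;" % ord(ch) if ch in "&'\"<>" or ord(ch) < 32 else ch
        for ch in name
    )


def delete_target_vulnerable(name: str) -> str:
    """Pre-fix pattern: escape for HTML, then concatenate onto the base path.
    Returns the path the server would hand to unlink(); traversal survives."""
    return os.path.normpath(os.path.join(UPLOAD_ROOT, special_chars_filter(name)))


def delete_target_safe(name: str) -> str:
    """Hardened version with two independent checks:
    1. the value must be a single path component (no separators, no '.'/'..',
       no NUL, not empty), which is all a media-browser file name needs;
    2. the resolved path must still be inside the root. This second check is
       the one that matters when nested paths are legitimate (archive members),
       and it uses commonpath rather than startswith so that
       '/uploads-evil/x' is not mistaken for a child of '/uploads'."""
    if not name or name in (".", "..") or any(c in name for c in "/\\\x00"):
        raise ValueError("invalid file name: %r" % name)
    root = os.path.realpath(UPLOAD_ROOT)
    target = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, target]) != root:
        raise ValueError("path escapes upload root: %r" % name)
    return target


def is_accepted(name: str) -> bool:
    """True if the hardened check accepts the name (helper for tests)."""
    try:
        delete_target_safe(name)
        return True
    except ValueError:
        return False
```

The first function is the point of the entry: an encoder for one context (HTML) is not a validator for another (filesystem paths), so the only durable fix is to check where the resolved path ends up.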
CVE-2025-43257: This issue was addressed with improved handling of symlinks. This issue is fixed in macOS Sequoia 15.6. An app may be able to break out of its sandbox.

CVE-2025-15620: HiOS Switch Platform versions 09.1.00 prior to 09.4.05 and 10.3.01 contain a denial-of-service vulnerability in the web interface that allows remote attackers to reboot the affected device by sending a malicious HTTP GET request to a specific endpoint. Attackers can trigger an uncontrolled reboot condition through crafted HTTP requests to cause service disruption and unavailability of the switch.

CVE-2025-10681: Storage credentials are hardcoded in the mobile app and device firmware. These credentials do not adequately limit end user permissions and do not expire within a reasonable amount of time. This vulnerability may grant unauthorized access to production storage containers.

CVE-2026-34445: Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, the ExternalDataInfo class in ONNX was using Python's setattr() function to load metadata (like file paths or data lengths) directly from an ONNX model file. It did not check whether the "keys" in the file were valid. Because of this, an attacker could craft a malicious model that overwrites internal object properties. This issue has been patched in version 1.21.0.

CVE-2026-34577: Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the GET /public/stream endpoint in PublicController accepts a user-supplied url query parameter and proxies the full HTTP response back to the caller. The only validation is url.endsWith('mp4'), which is trivially bypassable by appending .mp4 as a query parameter value or URL fragment. The endpoint requires no authentication and has no SSRF protections, allowing an unauthenticated attacker to read responses from internal services, cloud metadata endpoints, and other network-internal resources. This issue has been patched in version 2.21.3.
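Added example (not ONNX's code) of the setattr() pattern the ONNX entry describes: the key names in the file pick the attribute, so a crafted entry can overwrite an internal one. The class below is a model; its `_resolved` cache, the containment check that cache short-circuits, and the allowed-key set are assumptions made for the demonstration, and the key/value list stands in for the file's StringStringEntryProto entries.

```python
import os


class ExternalDataInfo:
    """Model of a tensor's external-data record. Attribute names and the
    internal `_resolved` cache are assumptions for this example, not ONNX's."""

    ALLOWED_KEYS = {"location", "offset", "length", "checksum"}

    def __init__(self, model_dir: str):
        self.model_dir = model_dir
        self.location = ""
        self.offset = 0
        self.length = 0
        self.checksum = ""
        self._resolved = None  # internal cache; must never come from the file

    def load_unsafe(self, entries):
        """Pre-fix pattern: the key in the model file decides which attribute
        is written, so whoever controls the file controls the attribute name,
        internal ones included."""
        for key, value in entries:
            setattr(self, key, value)

    def load_safe(self, entries):
        """Fixed pattern: only the known public keys may be set."""
        for key, value in entries:
            if key not in self.ALLOWED_KEYS:
                raise ValueError("unexpected external_data key: %r" % key)
            setattr(self, key, value)

    def resolved_path(self) -> str:
        """Resolve `location` under the model directory and refuse escapes.
        A poisoned `_resolved` skips this check entirely."""
        if self._resolved is None:
            root = os.path.realpath(self.model_dir)
            path = os.path.realpath(os.path.join(root, self.location))
            if os.path.commonpath([root, path]) != root:
                raise ValueError("location escapes model directory")
            self._resolved = path
        return self._resolved


# Constructed key/value pairs standing in for the model file's entries.
MALICIOUS_ENTRIES = [
    ("location", "weights.bin"),
    ("_resolved", "/etc/passwd"),  # attacker-chosen internal attribute name
]


def load_and_resolve(entries, safe: bool, model_dir: str = "/srv/models/demo") -> str:
    """Returns the path the loader would open, or 'rejected' if validation fails."""
    info = ExternalDataInfo(model_dir)
    try:
        (info.load_safe if safe else info.load_unsafe)(entries)
        return info.resolved_path()
    except ValueError:
        return "rejected"
```

The allow-list is the fix; note that it also keeps a traversal in a legitimate key (`location`) from escaping, because that value still flows through the containment check instead of around it.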
CVE-2026-34954: PraisonAI is a multi-agent teams system. Prior to version 1.5.95, FileTools.download_file() in praisonaiagents validates the destination path but performs no validation on the url parameter, passing it directly to httpx.stream() with follow_redirects=True. An attacker who controls the URL can reach any host accessible from the server, including cloud metadata services and internal network services. This issue has been patched in version 1.5.95.
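Added example covering the Postiz suffix check and the redirect-following behaviour in the PraisonAI entry (the curl_cffi entry further down has the same redirect problem): Python that shows the endsWith('mp4') bypass, a destination check that resolves the host and rejects loopback, private and link-local answers, and a fetch loop that re-validates every redirect hop. This is not the projects' code; the DNS table and HTTP responses are constructed so it runs offline, and the resolver and fetch callables are injectable for that reason.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def postiz_style_check(url: str) -> bool:
    """The check the advisory describes: only the string suffix is inspected."""
    return url.endswith("mp4")


def _is_public(addr) -> bool:
    addr = getattr(addr, "ipv4_mapped", None) or addr  # ::ffff:127.0.0.1 -> 127.0.0.1
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def host_is_public(host: str, resolver=socket.getaddrinfo) -> bool:
    """Resolve the host and require every answer to be public. Link-local
    covers 169.254.169.254 (cloud metadata); private covers 10/8, 172.16/12,
    192.168/16 and fc00::/7. A name with one private answer is rejected."""
    try:
        addrs = [ipaddress.ip_address(host.strip("[]"))]
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(ai[4][0]) for ai in resolver(host, None)]
        except (socket.gaierror, OSError):
            return False
    return bool(addrs) and all(_is_public(a) for a in addrs)


def is_safe_media_url(url: str, resolver=socket.getaddrinfo) -> bool:
    """Hardened version of the Postiz check: scheme allow-list, suffix tested on
    the path (not the query string or fragment), destination screened."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    if not parts.path.lower().endswith(".mp4"):
        return False
    return host_is_public(parts.hostname, resolver)


def fetch_checked(url: str, fetch, resolver=socket.getaddrinfo, max_hops: int = 3):
    """Follow redirects by hand so every hop is screened. fetch(url) must return
    (status, headers, body) WITHOUT following redirects itself; with
    follow_redirects=True (httpx) or libcurl's auto-follow, only the first URL
    is ever seen by the check and the internal one is fetched silently."""
    for _ in range(max_hops + 1):
        if not is_safe_media_url(url, resolver):
            raise ValueError("blocked: %s" % url)
        status, headers, body = fetch(url)
        if status in (301, 302, 303, 307, 308):
            url = urljoin(url, headers["Location"])
            continue
        return body
    raise ValueError("too many redirects")


# Constructed offline DNS table and HTTP responses for the demo.
FAKE_DNS = {
    "cdn.example": ["93.184.216.34"],
    "bounce.example": ["93.184.216.35"],
    "evil.example": ["10.0.0.5"],  # public name, private answer
}
FAKE_HTTP = {
    "http://cdn.example/clip.mp4": (200, {}, b"video bytes"),
    "http://bounce.example/clip.mp4":
        (302, {"Location": "http://169.254.169.254/latest/meta-data/x.mp4"}, b""),
    "http://169.254.169.254/latest/meta-data/x.mp4": (200, {}, b"ami-id ..."),
}


def fake_resolver(host, port):
    return [(None, None, None, None, (ip, 0)) for ip in FAKE_DNS.get(host, [])]


def fake_fetch(url):
    return FAKE_HTTP[url]


def demo_fetch(url: str) -> str:
    """Runs fetch_checked against the constructed tables; body or 'blocked'."""
    try:
        return fetch_checked(url, fake_fetch, fake_resolver).decode()
    except ValueError:
        return "blocked"
```

Resolving at check time and then letting the HTTP client resolve again leaves a DNS-rebinding window; the robust form pins the checked address into the connection (custom transport or resolver), which the example omits for brevity.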

CVE-(year missing)-32173: Improper authentication in Azure SRE Agent allows an unauthorized attacker to disclose information over a network.

CVE-2026-5463: Command injection vulnerability in console.run_module_with_output() in pymetasploit3 through version 1.0.6 allows attackers to inject newline characters into module options such as RHOSTS. This breaks the intended command structure and causes the Metasploit console to execute additional unintended commands, potentially leading to arbitrary command execution and manipulation of Metasploit sessions.

CVE-2026-33752: curl_cffi is a Python binding for curl. Prior to 0.15.0, curl_cffi does not restrict requests to internal IP ranges, and follows redirects automatically via the underlying libcurl. Because of this, an attacker-controlled URL can redirect requests to internal services such as cloud metadata endpoints. In addition, curl_cffi's TLS impersonation feature can make these requests appear as legitimate browser traffic, which may bypass certain network controls. This vulnerability is fixed in 0.15.0.

CVE-2026-34975: Plunk is an open-source email platform built on top of AWS SES. Prior to 0.8.0, a CRLF header injection vulnerability was discovered in SESService.ts, where user-supplied values for from.name, subject, custom header keys/values, and attachment filenames were interpolated directly into raw MIME messages without sanitization. An authenticated API user could inject arbitrary email headers (e.g. Bcc, Reply-To) by embedding carriage return/line feed characters in these fields, enabling silent email forwarding, reply redirection, or sender spoofing. The fix adds input validation at the schema level to reject any of these fields containing \r or \n characters, consistent with the existing validation already applied to the contentId field. This vulnerability is fixed in 0.8.0.
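Added example, in Python rather than pymetasploit3's or Plunk's own code, for the two newline-injection entries above: a console script and a MIME header block built by interpolation, what the consumer on the other side actually parses out of them, and the reject-CR/LF validation both advisories describe. Function names and sample values are constructed.

```python
import re

CRLF = re.compile(r"[\r\n]")
OPTION_NAME = re.compile(r"[A-Za-z0-9_]+")


def msf_script_unsafe(options: dict) -> str:
    """Pre-fix pattern (modelled on the advisory, not pymetasploit3's code):
    each option becomes a 'set NAME VALUE' console line by interpolation."""
    return "\n".join("set %s %s" % (k, v) for k, v in options.items())


def console_commands(script: str) -> list:
    """What a line-oriented console executes: one command per line, so a
    newline inside a value ends 'set' early and starts a new command."""
    return [line.strip() for line in script.split("\n") if line.strip()]


def msf_script_safe(options: dict) -> str:
    """Hardened: option names are identifiers, values carry no line breaks."""
    for k, v in options.items():
        if not OPTION_NAME.fullmatch(k) or CRLF.search(str(v)):
            raise ValueError("rejected option %r" % k)
    return "\n".join("set %s %s" % (k, v) for k, v in options.items())


def mime_headers_unsafe(from_name: str, subject: str) -> str:
    """Pre-fix pattern from the Plunk advisory: a raw MIME header block built by
    string interpolation of API-supplied fields."""
    return ("From: %s <noreply@example.test>\r\n"
            "To: victim@example.test\r\n"
            "Subject: %s\r\n"
            "\r\n") % (from_name, subject)


def parse_header_names(raw: str) -> list:
    """Header names a receiving MTA would see (the block ends at the blank line)."""
    block = raw.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[0] for line in block.split("\r\n") if ":" in line]


def mime_headers_safe(from_name: str, subject: str) -> str:
    """Schema-level rule the advisory describes: no \\r or \\n in any field."""
    for field in (from_name, subject):
        if CRLF.search(field):
            raise ValueError("CR/LF not allowed in header field")
    return mime_headers_unsafe(from_name, subject)


def try_build(fn, *args) -> str:
    """'accepted' or 'rejected', for the hardened builders (helper for tests)."""
    try:
        fn(*args)
        return "accepted"
    except ValueError:
        return "rejected"
```

Rejecting is the right shape here rather than stripping: a value that needs a line break in an RHOSTS option or a Subject header is never legitimate, and stripping silently hides an attack attempt that should be logged.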
CVE-2026-34747: Payload is a free and open source headless content management system. Prior to version 3.79.1, certain request inputs were not properly validated. An attacker could craft requests that influence SQL query execution, potentially exposing or modifying data in collections. This issue has been patched in version 3.79.1.

CVE-2026-34885: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in David Lingren Media Library Assistant allows SQL Injection. This issue affects Media Library Assistant: from n/a through 3.34.

CVE-2026-30289: An arbitrary file overwrite vulnerability in Tinybeans Private Family Album App v5.9.5-prod allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure.

CVE-2019-25681: Xlight FTP Server 3.9.1 contains a structured exception handler (SEH) overwrite vulnerability that allows local attackers to crash the application and overwrite SEH pointers by supplying a crafted buffer string. Attackers can inject a 428-byte payload through the program execution field in virtual server configuration to trigger a buffer overflow that corrupts the SEH chain and enables potential code execution.

CVE-2019-25656: Ri386 3.5.0 contains a local buffer overflow vulnerability in the GUI Preferences dialog that allows local attackers to trigger a structured exception handler (SEH) overwrite by supplying malicious input. Attackers can craft a payload string in the 'Language for menus and messages' field to overwrite SEH records and achieve code execution with calculator or arbitrary shellcode.

CVE-2026-30287: An arbitrary file overwrite vulnerability in DeepThought Industries ACE Scanner PDF Scanner v1.4.5 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure.

CVE-2019-25670: RiverPast Video Cleaner 7.6.3 contains a structured exception handler buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious string in the Lame_enc.dll field. Attackers can craft a payload with 280 bytes of padding, a next structured exception handler override, and shellcode to trigger code execution when the application processes the input.

CVE-2026-35020: Anthropic Claude Code CLI and Claude Agent SDK contain an OS command injection vulnerability in the command lookup helper and deep-link terminal launcher that allows local attackers to execute arbitrary commands by manipulating the TERMINAL environment variable. Attackers can inject shell metacharacters into the TERMINAL variable, which are interpreted by /bin/sh when the command lookup helper constructs and executes shell commands with shell=true. The vulnerability can be triggered during normal CLI execution as well as via the deep-link handler path, resulting in arbitrary command execution with the privileges of the user running the CLI.

CVE-2018-25251: Snes9K 0.0.9z contains a buffer overflow vulnerability in the Netplay Socket Port Number field that allows local attackers to trigger a structured exception handler (SEH) overwrite. Attackers can craft a malicious payload and paste it into the Socket Port Number field via the Netplay Options menu to achieve code execution through SEH chain exploitation.

CVE-2026-30292: An arbitrary file overwrite vulnerability in Docudepot PDF Reader: PDF Viewer APP v1.0.34 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure.

CVE-2026-30291: An arbitrary file overwrite vulnerability in OraTools PDF Reader' Reader & Editor APP v4.3.5 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure.

CVE-2018-25255: 10-Strike LANState 8.8 contains a local buffer overflow vulnerability in structured exception handling that allows local attackers to execute arbitrary code by crafting malicious LSM map files. Attackers can create a specially formatted LSM file with a payload in the ObjCaption parameter that overflows the buffer, overwrites the SEH chain, and executes shellcode when the file is opened in the application.

CVE-2026-34780: Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. From versions 39.0.0-alpha.1 to before 39.8.0, 40.0.0-alpha.1 to before 40.7.0, and 41.0.0-alpha.1 to before 41.0.0-beta.8, apps that pass VideoFrame objects (from the WebCodecs API) across the contextBridge are vulnerable to a context isolation bypass. An attacker who can execute JavaScript in the main world (for example, via XSS) can use a bridged VideoFrame to gain access to the isolated world, including any Node.js APIs exposed to the preload script. Apps are only affected if a preload script returns, resolves, or passes a VideoFrame object to the main world via contextBridge.exposeInMainWorld(). Apps that do not bridge VideoFrame objects are not affected. This issue has been patched in versions 39.8.0, 40.7.0, and 41.0.0-beta.8.

CVE-2026-34072: Cr*nMaster (cronmaster) is a cron job management UI with human readable syntax, live logging and log history for cron jobs. Prior to version 2.2.0, an authentication bypass in middleware allows unauthenticated requests with an invalid session cookie to be treated as authenticated when the middleware's session-validation fetch fails. This can result in unauthorized access to protected pages and unauthorized execution of privileged Next.js Server Actions. This issue has been patched in version 2.2.0.
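Added example for the shell=true pattern in the Claude Code entry above, written in Python as a stand-in for the Node helper (it is not Anthropic's code): the same program lookup done by interpolating an environment value into a shell string, and done without a shell via shutil.which() behind a name check. The environment dictionaries are constructed.

```python
import re
import shutil
import subprocess

# A terminal emulator name is a bare program name; anything else is rejected.
SAFE_PROGRAM_NAME = re.compile(r"[A-Za-z0-9_.+-]+")


def locate_terminal_unsafe(env: dict) -> str:
    """Pre-fix pattern modelled on the advisory: the environment value is
    interpolated into a shell command line and run with shell=True, so
    ';', '|', '&&', '$(...)' and backticks in it are interpreted by /bin/sh.
    Returns whatever the shell printed."""
    terminal = env.get("TERMINAL", "xterm")
    proc = subprocess.run("command -v %s" % terminal, shell=True,
                          capture_output=True, text=True, env=env)
    return proc.stdout


def locate_terminal_safe(env: dict):
    """Hardened: validate the value as a program name, then do the PATH lookup
    in-process. No shell is involved, so metacharacters have no meaning; and if
    a subprocess is needed later, pass an argv list, never a joined string."""
    terminal = env.get("TERMINAL", "xterm")
    if not SAFE_PROGRAM_NAME.fullmatch(terminal):
        raise ValueError("TERMINAL is not a program name: %r" % terminal)
    return shutil.which(terminal, path=env.get("PATH", ""))


def is_injected(env: dict) -> bool:
    """True when the hostile value's injected command actually ran."""
    return "INJECTED" in locate_terminal_unsafe(env)


def safe_accepts(env: dict) -> bool:
    try:
        locate_terminal_safe(env)
        return True
    except ValueError:
        return False
```

With TERMINAL set to "xterm; echo INJECTED", the unsafe path prints INJECTED whether or not xterm exists; the safe path refuses the value before anything executes.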
CVE-2026-35394: Mobile Next is an MCP server for mobile development and automation. Prior to 0.0.50, the mobile_open_url tool in mobile-mcp passes user-supplied URLs directly to Android's intent system without any scheme validation, allowing execution of arbitrary Android intents, including USSD codes, phone calls, SMS messages, and content provider access. This vulnerability is fixed in 0.0.50.

CVE-2026-34524: SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to version 1.17.0, a path traversal vulnerability in chat endpoints allows an authenticated attacker to read and delete arbitrary files under their user data root (for example secrets.json and settings.json) by supplying avatar_url="..". This issue has been patched in version 1.17.0.

CVE-(year missing)-59711: An issue was discovered in Biztalk360 before 11.5. Because of mishandling of user-provided input in an upload mechanism, an authenticated attacker is able to write files outside of the destination directory and/or coerce an authentication from the service, aka Directory Traversal.

CVE-2019-25672: PilusCart 1.4.1 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'send' parameter. Attackers can submit POST requests to the comment submission endpoint with RLIKE-based boolean SQL injection payloads to extract sensitive database information.

CVE-2019-25702: Kados R10 GreenBee contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the idproject parameter. Attackers can send crafted requests with malicious SQL statements in the idproject parameter to extract sensitive database information or modify data.

CVE-2019-25678: C4G Basic Laboratory Information System 3.4 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL commands by injecting malicious code through the site parameter. Attackers can send GET requests to the usersselect.php endpoint with crafted SQL payloads to extract sensitive database information including patient records and system credentials.

CVE-2019-25704: Kados R10 GreenBee contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the filterusermail parameter. Attackers can send crafted requests with malicious SQL statements to extract sensitive database information or modify data.

CVE-2019-25680: Advance Gift Shop Pro Script 2.0.3 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the search parameter. Attackers can submit crafted SQL payloads in the 's' parameter of search requests to extract sensitive database information including version details and other data.

CVE-2019-25696: Kados R10 GreenBee contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the languagetag parameter. Attackers can submit malicious SQL statements in the languagetag parameter to extract sensitive database information or modify data.

CVE-2019-25684: OpenDocMan 1.3.4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'where' parameter. Attackers can send GET requests to search.php with malicious SQL payloads in the 'where' parameter to extract sensitive database information.

CVE-2026-34982: Vim is an open source, command line text editor. Prior to version 9.2.0276, a modeline sandbox bypass in Vim allows arbitrary OS command execution when a user opens a crafted file. The complete, guitabtooltip and printheader options are missing the P_MLE flag, allowing a modeline to be executed. Additionally, the mapset() function lacks a check_secure() call, allowing it to be abused from sandboxed expressions. Commit 9.2.0276 fixes the issue.

CVE-2026-4924: Improper authentication in the two-factor authentication (2FA) feature in Devolutions Server 2026.1.11 and earlier allows a remote attacker with valid credentials to bypass multifactor authentication and gain unauthorized account access via reuse of a partially authenticated session token.

CVE-2026-34045: Podman Desktop is a graphical tool for developing on containers and Kubernetes. Prior to 1.26.2, an unauthenticated HTTP server exposed by Podman Desktop allows any network attacker to remotely trigger denial-of-service conditions and extract sensitive information. By abusing missing connection limits and timeouts, an attacker can exhaust file descriptors and kernel memory, leading to application crash or full host freeze. Additionally, verbose error responses disclose internal paths and system details (including usernames on Windows), aiding further exploitation. The issue requires no authentication or user interaction and is exploitable over the network. This vulnerability is fixed in 1.26.2.
CVE-2024-44250: A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.1. An app may be able to execute arbitrary code out of its sandbox or with certain elevated privileges.

CVE-2026-4740: A flaw was found in Open Cluster Management (OCM), the technology underlying Red Hat Advanced Cluster Management (ACM). Improper validation of Kubernetes client certificate renewal allows a managed cluster administrator to forge a client certificate that can be approved by the OCM controller. This enables cross-cluster privilege escalation and may allow an attacker to gain control over other managed clusters, including the hub cluster.

CVE-2026-35091: A flaw was found in Corosync. A remote unauthenticated attacker can exploit a wrong return value vulnerability in the Corosync membership commit token sanity check by sending a specially crafted User Datagram Protocol (UDP) packet. This can lead to an out-of-bounds read, causing a denial of service (DoS) and potentially disclosing limited memory contents. This vulnerability affects Corosync when running in totemudp/totemudpu mode, which is the default configuration.

CVE-2019-25688: Kados R10 GreenBee contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the menulev1 parameter. Attackers can send crafted requests with malicious SQL payloads in the menulev1 parameter to extract sensitive database information or modify database contents.

CVE-2019-25690: Kados R10 GreenBee contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the mngprofileid parameter. Attackers can send crafted requests with malicious SQL payloads in the mngprofileid parameter to extract sensitive database information.

CVE-2026-4828: Improper authentication in the OAuth login functionality in Devolutions Server 2026.1.11 and earlier allows a remote attacker with valid credentials to bypass multi-factor authentication via a crafted login request.

CVE-2026-35457: libp2p-rust is the official Rust language implementation of the libp2p networking stack. Prior to 0.17.1, the rendezvous server stores pagination cookies without bounds. An unauthenticated peer can repeatedly issue DISCOVER requests and force unbounded memory growth. This vulnerability is fixed in 0.17.1.

CVE-2019-25700: Kados R10 GreenBee contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the sortdirection parameter. Attackers can submit malicious SQL statements in the sortdirection parameter to extract sensitive database information or modify data.

CVE-2026-34725: DbGate is a cross-platform database manager. From version 7.0.0 to before version 7.1.5, a stored XSS vulnerability exists in DbGate because attacker-controlled SVG icon strings are rendered as raw HTML without sanitization. In the web UI this allows script execution in another user's browser; in the Electron desktop app this can escalate to local code execution because Electron is configured with nodeIntegration: true and contextIsolation: false. This issue has been patched in version 7.1.5.

CVE-2019-25676: AskExpert Script 3.0.5 contains cross-site scripting and SQL injection vulnerabilities that allow unauthenticated attackers to inject malicious code by manipulating URL parameters. Attackers can inject script tags through the cateid parameter in categorysearch.php or SQL code through the view parameter in list-details.php to execute arbitrary code or extract database information.

CVE-2015-10148: Hirschmann HiLCOS devices OpenBAT, WLC, BAT300, BAT54 prior to 8.80 and OpenBAT prior to 9.10 are shipped with identical default SSH and SSL keys that cannot be changed, allowing unauthenticated remote attackers to decrypt or intercept encrypted management communications. Attackers can perform man-in-the-middle attacks, impersonate devices, and expose sensitive information by leveraging the shared default cryptographic keys across multiple devices.

CVE-2019-25698: Kados R10 GreenBee contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the id_to_delete parameter. Attackers can send crafted requests with malicious SQL statements in the id_to_delete field to extract or modify sensitive database information.

CVE-2019-25694: Kados R10 GreenBee contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the user2reset parameter. Attackers can send crafted requests with malicious SQL payloads to extract sensitive database information or modify data.

CVE-2019-25675: eDirectory contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to bypass administrator authentication and disclose sensitive files by injecting SQL code into parameters. Attackers can exploit the key parameter in the login endpoint with union-based SQL injection to authenticate as administrator, then leverage authenticated file disclosure vulnerabilities in languagefile.php to read arbitrary PHP files from the server.

CVE-2019-25662: ResourceSpace 8.6 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'ref' parameter. Attackers can send GET requests to the watchedsearches.php endpoint with crafted SQL payloads to extract sensitive database information including usernames and credentials.

CVE-2019-25668: News Website Script 2.0.5 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the newsID parameter. Attackers can send GET requests to index.php/show/news/ with malicious SQL statements to extract sensitive database information.

CVE-2019-25669: qdPM 9.1 contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the search_by_extrafields[] parameter. Attackers can send POST requests to the users endpoint with malicious search_by_extrafields[] values to trigger SQL syntax errors and extract database information.

CVE-2019-25674: CMSsite 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'post' parameter. Attackers can send GET requests to post.php with malicious 'post' values to extract sensitive database information or perform time-based blind SQL injection attacks.
CVE-2026-34236: Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. From version 8.0.0 to before version 8.19.0, in applications built with the Auth0 PHP SDK, cookies are encrypted with insufficient entropy, which may result in threat actors brute-forcing the encryption key and forging session cookies. This issue has been patched in version 8.19.0.

CVE-2019-25692: Kados R10 GreenBee contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the 'id_to_modify' parameter. Attackers can send crafted requests with malicious SQL statements in the id_to_modify field to extract sensitive database information or modify data.

CVE-2026-24450: An integer overflow vulnerability exists in the uncompressed_fp_dng_load_raw functionality of LibRaw commit 8dc68e2. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.

CVE-2026-24660: A heap-based buffer overflow vulnerability exists in the x3f_load_huffman functionality of LibRaw commit d20315b. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.

CVE-2026-20884: An integer overflow vulnerability exists in the deflate_dng_load_raw functionality of LibRaw commit 8dc68e2. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.

CVE-2026-35045: Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, the PUT /api/recipe/batch_update/ endpoint in Tandoor Recipes allows any authenticated user within a Space to modify any recipe in that Space, including recipes marked as private by other users. This bypasses all object-level authorization checks enforced on standard single-recipe endpoints (PUT /api/recipe/{id}/), enabling forced exposure of private recipes, unauthorized self-grant of access via the shared list, and metadata tampering. This vulnerability is fixed in 2.6.4.

CVE-2026-4272: Missing Authentication for Critical Function vulnerability in Honeywell Handheld Scanners allows Authentication Abuse. This issue affects Handheld Scanners: from C1 Base (Ingenic x1000) before GK000432BAA, from D1 Base (Ingenic x1600) before HE000085BAA, from A1/B1 Base (IMX25) before BK000763BAA, BK000765BAA, CU000101BAA. This vulnerability could allow a remote attacker within Bluetooth range of the scanner's base station to execute system commands on the host connected to the base station without authentication. This issue has been assigned CVE-2026-4272 (https://nvd.nist.gov/vuln/detail/CVE-2026-4272). Upgrade to the latest version identified to resolve the vulnerability.

CVE-2026-34581: gosh is a Simple HTTP Server written in Go. From version 1.1.0 to before version 2.0.0-beta.2, when using the Share Token it is possible to bypass the limited selected file download with all the gosh functionalities, including code exec. This issue has been patched in version 2.0.0-beta.2.

CVE-2026-4347: The MW WP Form plugin for WordPress is vulnerable to arbitrary file moving due to insufficient file path validation via the 'generate_user_file_path' function and the 'move_temp_file_to_upload_dir' function in all versions up to, and including, 5.1.0. This makes it possible for unauthenticated attackers to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php). The vulnerability is only exploitable if a file upload field is added to the form and the "Saving inquiry data in database" option is enabled.

CVE-2026-35442: Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, aggregate functions (min, max) applied to fields with the conceal special type incorrectly return raw database values instead of the masked placeholder. When combined with groupBy, any authenticated user with read access to the affected collection can extract concealed field values, including static API tokens and two-factor authentication secrets from directus_users. This vulnerability is fixed in 11.17.0.

CVE-2026-34522: SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to version 1.17.0, a path traversal vulnerability in /api/chats/import allows an authenticated attacker to write attacker-controlled files outside the intended chats directory by injecting traversal sequences into character_name. This issue has been patched in version 1.17.0.

CVE-2026-26263: GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, an unauthenticated time-based blind SQL injection exists in GLPI's Search engine. This vulnerability is fixed in 11.0.6.

CVE-2026-4636: A flaw was found in Keycloak. An authenticated user with the uma_protection role can bypass User-Managed Access (UMA) policy validation. This allows the attacker to include resource identifiers owned by other users in a policy creation request, even if the URL path specifies an attacker-owned resource. Consequently, the attacker gains unauthorized permissions to victim-owned resources, enabling them to obtain a Requesting Party Token (RPT) and access sensitive information or perform unauthorized actions.

CVE-2026-25726: Cloudreve is a self-hosted file management and sharing system. Prior to version 4.13.0, the application uses the weak pseudo-random number generator math/rand seeded with time.Now().UnixNano() to generate critical security secrets, including the secret key and hashid salt. These secrets are generated upon first startup and persisted in the database. An attacker can exploit this by obtaining the administrator's account creation time (via public API endpoints) to narrow the search window for the PRNG seed, and use a known hashid to validate the seed. By brute-forcing the seed (demonstrated to take <3 hours on a general consumer PC), an attacker can predict the secret key. This allows them to forge valid JSON Web Tokens (JWTs) for any user, including administrators, leading to full account takeover and privilege escalation. This issue has been patched in version 4.13.0.

CVE-2026-34783: Ferret is a declarative system for working with web data. Prior to 2.0.0-alpha.4, a path traversal vulnerability in Ferret's IO::FS::WRITE standard library function allows a malicious website to write arbitrary files to the filesystem of the machine running Ferret. When an operator scrapes a website that returns filenames containing ../ sequences, and uses those filenames to construct output paths (a standard scraping pattern), the attacker controls both the destination path and the file content. This can lead to remote code execution via cron jobs, SSH authorized_keys, shell profiles, or web shells. This vulnerability is fixed in 2.0.0-alpha.4.
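Added example modelling the Cloudreve entry above (it is not Cloudreve's code): secrets derived from a PRNG seeded with a nanosecond timestamp, a public hashid used as the oracle, a seed search over a narrowed window, and a token forged with the recovered key. Python's random.Random stands in for Go's math/rand; the derivation order, the hashid and token stand-ins, the install timestamp and the 20 ms search window are all constructed for the demo so it finishes in seconds, whereas the advisory's real search covers hours.

```python
import hashlib
import hmac
import random
import secrets

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"


def derive_secrets(seed_ns: int):
    """Model of first-start secret generation from a time-seeded PRNG.
    Deterministic in the seed, which is the whole problem."""
    rng = random.Random(seed_ns)
    secret_key = "".join(rng.choice(ALPHABET) for _ in range(32))
    hashid_salt = "".join(rng.choice(ALPHABET) for _ in range(16))
    return secret_key, hashid_salt


def hashid_like(n: int, salt: str) -> str:
    """Stand-in for the hashid of a numeric ID under a salt (the value that
    shows up in public share URLs and acts as the attacker's oracle)."""
    return hashlib.sha256(("%s:%d" % (salt, n)).encode()).hexdigest()[:10]


def sign_token(secret_key: str, user_id: int) -> str:
    """Stand-in for a JWT: HMAC over the claims under the server secret."""
    return hmac.new(secret_key.encode(), b"uid=%d" % user_id, "sha256").hexdigest()


def verify_token(secret_key: str, user_id: int, token: str) -> bool:
    return hmac.compare_digest(sign_token(secret_key, user_id), token)


def recover_seed(known_id: int, known_hashid: str, window_start_ns: int,
                 window_end_ns: int, step_ns: int):
    """Brute force: re-derive the secrets for each candidate seed in the window
    and accept the one whose salt reproduces the observed hashid."""
    for seed in range(window_start_ns, window_end_ns, step_ns):
        _, salt = derive_secrets(seed)
        if hashid_like(known_id, salt) == known_hashid:
            return seed
    return None


def derive_secrets_fixed():
    """Post-fix pattern: a CSPRNG, so there is no seed to recover."""
    return secrets.token_hex(32), secrets.token_hex(16)


# Constructed scenario: the server first started at this nanosecond timestamp
# (microsecond clock resolution assumed, so the last three digits are zero).
TRUE_SEED_NS = 1_700_000_000_123_456_000
SERVER_SECRET_KEY, SERVER_HASHID_SALT = derive_secrets(TRUE_SEED_NS)
ADMIN_ID = 1
PUBLIC_ADMIN_HASHID = hashid_like(ADMIN_ID, SERVER_HASHID_SALT)


def attack() -> dict:
    """Attacker knows the creation time to within about 20 ms (constructed
    window) and steps through it at microsecond granularity."""
    start = 1_700_000_000_110_000_000
    seed = recover_seed(ADMIN_ID, PUBLIC_ADMIN_HASHID, start, start + 20_000_000, 1_000)
    if seed is None:
        return {"seed_found": False, "forged_token_valid": False}
    key, _ = derive_secrets(seed)
    forged = sign_token(key, ADMIN_ID)
    return {"seed_found": seed == TRUE_SEED_NS,
            "forged_token_valid": verify_token(SERVER_SECRET_KEY, ADMIN_ID, forged)}
```

Two properties make the search cheap: the seed space is bounded by a timestamp the attacker can estimate, and a public value derived from the same seed gives an offline oracle, so no requests to the server are needed during the search.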
CVE-TheGoMCPSDKusedGo'sstandardencoding/json.Priortoversion1.4.0,theModelContextProtocol(MCP)GoSDKdoesnotenableDNSrebindingprotectionbydefaultforHTTP-basedservers.WhenanHTTP-basedMCPserverisrunonlocalhost withoutauthenticationwithStreamableHTTPHandlerorSSEHandler,amaliciouswebsitecouldexploitDNSrebindingtobypasssame-originpolicyrestrictionsandsendrequeststothelocalMCPserver.Thiscouldallowanattackertoinvoketoolsor 34742accessresourcesexposedbytheMCPserveronbehalfoftheuserinthoselimitedcircumstances.Thisissuehasbeenpatchedinversion1.4.0.

CVE-2026-34402: ChurchCRM is an open-source church management system. Prior to 7.1.0, authenticated users with EditRecords or ManageGroups permissions can exploit a time-based blind SQL injection vulnerability in the PropertyAssign.php endpoint to exfiltrate or modify any database content, including user credentials, personal identifiable information (PII), and configuration secrets. This vulnerability is fixed in 7.1.0.

CVE-(year missing)-4101: IBM Verify Identity Access Container 11.0 through 11.0.2, IBM Security Verify Access Container 10.0 through 10.0.9.1, IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 under certain load conditions could allow an attacker to bypass authentication mechanisms and gain unauthorized access to the application.

CVE-2026-33949: Tina is a headless content management system. Prior to version 2.2.2, a path traversal vulnerability in @tinacms/graphql allows unauthenticated users to write and overwrite arbitrary files within the project root. This is achieved by manipulating the relativePath parameter in GraphQL mutations. The impact includes the ability to replace critical server configuration files and potentially execute arbitrary commands by sabotaging build scripts. This issue has been patched in version 2.2.2.

CVE-2026-22661: prompts.chat prior to commit 0f8d4c3 contains a path traversal vulnerability in skill file handling that allows attackers to write arbitrary files to the client system by crafting malicious ZIP archives with unsanitized filenames containing path traversal sequences. Attackers can exploit missing server-side filename validation to inject path traversal sequences (../) into skill file archives, which, when extracted by vulnerable tools, write files outside the intended directory and overwrite shell initialization files to achieve code execution.
CVE- prompts.chatpriortocommit1464475containsanidentityconfusionvulnerabilityduetoinconsistentcase-sensitiveandcase-insensitivehandlingofusernamesacrosswriteandreadpaths,allowingattackerstocreatecase-variantusernamesthat2026- bypassuniquenesschecks.Attackerscanexploitnon-deterministicusernameresolutiontoimpersonatevictimaccounts,replaceprofilecontentoncanonicalURLs,andinjectattacker-controlledmetadataandcontentacrosstheplatform.22665 CVE- RedwoodSDKisaserver-firstReactframework.From1.0.0-beta.50to1.0.5,erverfunctionsexportedfrom"useserver"filescouldbeinvokedviaGETrequests,bypassingtheirintendedHTTPmethod.Incookie-authenticatedapplications,thisallowed 2026- cross-siteGETnavigationstotriggerstate-changingfunctions,becausebrowserssendSameSite=Laxcookiesontop-levelGETrequests.Thisaffectedallserverfunctions--bothserverAction()handlersandbareexportedfunctionsin"useserver" 39371 files.Thisvulnerabilityisfixedin1.0.6. 
CVE- HirschmannHiLCOSClassicPlatformswitchesClassicL2E,L2P,L3E,L3Pversionspriorto09.0.06andClassicL2Bpriorto05.3.07containacredentialexposurevulnerabilitywhereuserpasswordsaresynchronizedwithSNMPv1/v2communitystrings2016- andtransmittedinplaintextwhenthefeatureisenabled.AttackerswithlocalnetworkaccesscansniffSNMPtrafficorextractconfigurationdatatorecoverplaintextcredentialsandgainunauthorizedadministrativeaccesstotheswitches.15058 CVE- 2026- OutofboundsreadinWebCodecsinGoogleChromepriorto146.0.7680.178allowedaremoteattackertoperformanoutofboundsmemoryreadviaacraftedHTMLpage.(Chromiumsecurityseverity:High) 5282 Electronisaframeworkforwritingcross-platformdesktopapplicationsusingJavaScript,HTMLandCSS.Priortoversions39.8.1,40.7.0,and41.0.0,appsthatuseoffscreenrenderingandallowchildwindowsviawindow.open()maybevulnerabletoaCVE- use-after-free.IftheparentoffscreenWebContentsisdestroyedwhileachildwindowremainsopen,subsequentpaintframesonthechilddereferencefreedmemory,whichmayleadtoacrashormemorycorruption.Appsareonlyaffectedifthey2026- useoffscreenrendering(webPreferences.offscreen:true)andtheirsetWindowOpenHandlerpermitschildwindows.Appsthatdonotuseoffscreenrendering,orthatdenychildwindows,arenotaffected.Thisissuehasbeenpatchedinversions39.8.1,34774 40.7.0,and41.0.0. 
CVE- ChurchCRMisanopen-sourcechurchmanagementsystem.Priorto7.1.0,Theapplicationisvulnerabletotime-basedSQLinjectionduetoanimproperinputvalidation.EndpointReports/ConfirmReportEmail.php?familyId=isnotcorrectlysanitising2026- userinput,specifically,thesanitisedinputisnotusedtocreatetheSQLquery.Thisvulnerabilityisfixedin7.1.0.39341 CVE- ChurchCRMisanopen-sourcechurchmanagementsystem.Priorto7.1.0,anauthenticatedAPIusercanmodifyanyfamilyrecord'sstatewithoutproperauthorizationbysimplychangingthe{familyId}parameterinrequests,regardlessofwhether 2026- theypossesstherequiredEditRecordsprivilege./family/{familyId}/verify,/family/{familyId}/verify/url,/family/{familyId}/verify/now,/family/{familyId}/activate/{status},and/family/{familyId}/geocodelackrole-basedaccesscontrol,allowingusers 39331 todeactivate/reactivatearbitraryfamilies,spamverificationemails,andmarkfamiliesasverifiedandtriggergeocoding.Thisvulnerabilityisfixedin7.1.0. CVE- TheWCFM-FrontendManagerforWooCommercealongwithBookingsSubscriptionListingsCompatiblepluginforWordPressisvulnerabletoInsecureDirectObjectReferenceinallversionsupto,andincluding,6.7.25viamultipleAJAXactions 2026- includingwcfm_modify_order_status,delete_wcfm_article,delete_wcfm_product,andthearticlemanagementcontrollerduetomissingvalidationonuser-suppliedobjectIDs.Thismakesitpossibleforauthenticatedattackers,withVendor-level 4896 accessandabove,tomodifythestatusofanyorder,deleteormodifyanypost/product/page,regardlessofownership. 
CVE- PraisonAIisamulti-agentteamssystem.Priorto1.5.113,ThePraisonAItemplatesinstallationfeatureisvulnerabletoa"ZipSlip"ArbitraryFileWriteattack.Whendownloadingandextractingtemplatearchivesfromexternalsources(e.g.,GitHub),2026- theapplicationusesPython'szipfile.extractall()withoutverifyingifthefileswithinthearchiveresolveoutsideoftheintendedextractiondirectory.Thisvulnerabilityisfixedin1.5.113.39307 CVE- UNSUPPORTEDWHENASSIGNEDFocalboardversion8.0failstosanitizecategoryIDsbeforeincorporatingthemintodynamicSQLstatementswhenreorderingcategories.AnattackercaninjectamaliciousSQLpayloadintothecategoryidfield, 2026- whichisstoredinthedatabaseandlaterexecutedunsanitizedwhenthecategoryreorderAPIprocessesthestoredvalue.ThisSecond-OrderSQLInjection(Time-BasedBlind)allowsanauthenticatedattackertoexfiltratesensitivedataincluding 25773 passwordhashesofotherusers.NOTE:Focalboardasastandaloneproductisnotmaintainedandnofixwillbeissued. CVE- FileBrowserisafilemanaginginterfaceforuploading,deleting,previewing,renaming,andeditingfileswithinaspecifieddirectory.Priorto2.63.1,thefixincommitb6a4fb1("self-registeredusersdon'tgetexecuteperms")strippedExecute 2026- permissionandCommandsfromuserscreatedviathesignuphandler.Thesamefixwasnotappliedtotheproxyauthhandler.Usersauto-createdonfirstsuccessfulproxy-authloginaregrantedexecutioncapabilitiesfromglobaldefaults,even 35607 thoughthesignuppathwasexplicitlychangedtopreventexecutionrightsfrombeinginheritedbyautomaticallyprovisionedaccounts.Thisvulnerabilityisfixedin2.63.1. 
CVE- ThePerfmatterspluginforWordPressisvulnerabletoarbitraryfiledeletionviapathtraversalinallversionsupto,andincluding,2.5.9.1.ThisisduetothePMCS::action_handler()methodprocessingthe$_GET['delete']parameterwithoutany 2026- sanitization,authorizationcheck,ornonceverification.Theunsanitizedfilenameisconcatenatedwiththestoragedirectorypathandpassedtounlink().Thismakesitpossibleforauthenticatedattackers,withSubscriber-levelaccessandabove,to 4350 deletearbitraryfilesontheserverbyusing../pathtraversalsequences,includingwp-config.phpwhichwouldforceWordPressintotheinstallationwizardandallowfullsitetakeover. ChurchCRMisanopen-sourcechurchmanagementsystem.Priorto7.1.0,aSQLinjectionvulnerabilityexistsinPropertyTypeEditor.php,partoftheadministrationfunctionalityformanagingpropertytypecategories(People→PersonProperties/CVE- FamilyProperties).ThevulnerabilitywasintroducedwhenlegacyFilterInput()whichbothstripsHTMLandescapesSQL--wasreplacedwithsanitizeText(),whichstripsHTMLonly.User-suppliedvaluesfromtheNameandDescriptionfieldsare2026- concatenateddirectlyintorawINSERTandUPDATEquerieswithnoSQLescaping.ThisallowsanyauthenticateduserwiththeMenuOptionsrole(anon-adminstaffpermission)toperformtime-basedblindinjectionandexfiltrateanydatafromthe39340 database,includingpasswordhashesofallusers.Thisvulnerabilityisfixedin7.1.0. 
CVE- TandoorRecipesisanapplicationformanagingrecipes,planningmeals,andbuildingshoppinglists.Priorto2.6.4,RecipeBookViewSetandRecipeBookEntryViewSetuseCustomIsSharedasanalternativepermissionclass,but 2026- CustomIsShared.hasobjectpermission()returnsTrueforallHTTPmethods--includingDELETE,PUT,andPATCH--withoutcheckingrequest.methodinSAFE_METHODS.AnyuserwhoisinthesharedlistofaRecipeBookcandeleteoroverwriteit, 35488 eventhoughsharedaccessissemanticallyread-only.Thisvulnerabilityisfixedin2.6.4. CVE- OneUptimeisanopen-sourcemonitoringandobservabilityplatform.Priortoversion10.0.42,OneUptime'sSAMLSSOimplementation(App/FeatureSet/Identity/Utils/SSO.ts)hasdecoupledsignatureverificationandidentityextraction. 2026- isSignatureValid()verifiesthefirst elementintheXMLDOMusingxml-crypto,whilegetEmail()alwaysreadsfromassertion[0]viaxml2js.Anattackercanprependanunsignedassertioncontaininganarbitraryidentitybeforea 34840 legitimatelysignedassertion,resultinginauthenticationbypass.Thisissuehasbeenpatchedinversion10.0.42. 
CVE- Anissuethatallowedall-organizationadministratorstopromoteaccountstosuperuserstatushasbeenresolved.ThisisaninstanceofCWE-269:ImproperPrivilegeManagement,andhasanestimatedCVSSscoreof2026- CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N(8.1High).Thisissuewasfixedinversion4.0.260202.0oftherunZeroPlatform.5373 CVE- FileBrowserisafilemanaginginterfaceforuploading,deleting,previewing,renaming,andeditingfileswithinaspecifieddirectory.Priortoversion2.62.2,thesignupHandlerinFileBrowserappliesdefaultuserpermissionsvia d.settings.Defaults.Apply(user),thenstripsonlyAdmin.TheExecutepermissionandCommandslistfromthedefaultusertemplatearenotstripped.Whenanadministratorhasenabledsignup,server-sideexecution,andsetExecute=trueinthe 34528 defaultusertemplate,anyunauthenticateduserwhoself-registersinheritsshellexecutioncapabilitiesandcanrunarbitrarycommandsontheserver.Thisissuehasbeenpatchedinversion2.62.2.

CVE- InModem,thereisapossibleoutofboundswriteduetoamissingboundscheck.Thiscouldleadtoremoteescalationofprivilege,ifaUEhasconnectedtoaroguebasestationcontrolledbytheattacker,withnoadditionalexecutionprivileges needed.Userinteractionisneededforexploitation.PatchID:MOLY01406170;IssueID:MSV-4461.

20432 CVE- NokiaMantaRayNMisvulnerabletoanOScommandinjectionvulnerabilityduetoimproperneutralizationofspecialelementsusedinanOScommandinLogSearchapplication. 24818 CVE- ChurchCRMisanopen-sourcechurchmanagementsystem.Priorto6.5.3,aStoredCross-SiteScripting(StoredXSS)vulnerabilityintheadminpanel'sgroup-creationfeatureallowsanyuserwithgroup-creationprivilegestoinjectmaliciousJavaScript2026- thatexecutesautomaticallywhenanadministratorviewsthepage.Thisenablesattackerstostealtheadministrator'ssessioncookies,potentiallyleadingtofulladministrativeaccounttakeover.Thisvulnerabilityisfixedin6.5.3.35575 CVE- Avulnerabilityintheweb-basedmanagementinterfaceofCiscoEvolvedProgrammableNetworkManager(EPNM)couldallowanauthenticated,remoteattackerwithlowprivilegestoaccesssensitiveinformationthattheyarenotauthorizedto 2026- access.ThisvulnerabilityisduetoimproperauthorizationchecksonaRESTAPIendpointofanaffecteddevice. Anattackercouldexploitthisvulnerabilitybyqueryingtheaffectedendpoint.Asuccessfulexploitcouldallowtheattackertoview 20155 sessioninformationofactiveCiscoEPNMusers,includinguserswithadministrativeprivileges,whichcouldresultintheaffecteddevicebeingcompromised. 
CVE- AvulnerabilitywasdeterminedinTendaCX12L16.03.53.12.AffectedbythisissueisthefunctionfromwebExcptypemanFilterofthefile/goform/webExcptypemanFilter.Executingamanipulationoftheargumentpagecanleadtostack-basedbuffer2026- overflow.Theattackrequiresaccesstothelocalnetwork.Theexploithasbeenpubliclydisclosedandmaybeutilized.5684 CVE- TwitchStudioversion0.114.8andpriorcontainaprivilegeescalationvulnerabilityinitsprivilegedhelpertoolthatallowslocalattackerstoexecutearbitrarycodeasrootbyexploitinganunprotectedXPCservice.Attackerscaninvokethe2024- installFromPath:toPath:withReply:methodtooverwritesystemfilesandprivilegedbinaries,achievingfullsystemcompromise.TwitchStudiowasdiscontinuedinMay2024.14032 CVE- Thereisamemorycorruptionvulnerabilityduetoanout-of-boundswritewhenloadingacorruptedLVCLASSfileinNILabVIEW.Thisvulnerabilitymayresultininformationdisclosureorarbitrarycodeexecution.Successfulexploitationrequiresan2026- attackertogetausertoopenaspeciallycrafted.lvclassfile.ThisvulnerabilityaffectsNILabVIEW2026Q1(26.1.0)andpriorversions.32861 CVE- Thereisamemorycorruptionvulnerabilityduetoanout-of-boundswritewhenloadingacorruptedLVLIBfileinNILabVIEW.Thisvulnerabilitymayresultininformationdisclosureorarbitrarycodeexecution.Successfulexploitationrequiresan2026- attackertogetausertoopenaspeciallycrafted.lvlibfile.ThisvulnerabilityaffectsNILabVIEW2026Q1(26.1.0)andpriorversions.32860 CVE- 2025- Memorycorruptionwhileprocessingaframerequestfromuser. 47391 CVE- 2025- MemorycorruptionwhilepreprocessingIOCTLrequestinJPEGdriver. 47390 CVE- 2025- Memorycorruptionwhenbuffercopyoperationfailsduetointegeroverflowduringattestationreportgeneration. 
47389 CVE- 2026- V-SFTversions6.2.10.0andpriorcontainanout-of-boundsreadvulnerabilityinVS6ComFile!loadlinkinf.OpeningacraftedV7filemayleadtoinformationdisclosurefromtheaffectedproduct. 32926 OpenPrintingCUPSisanopensourceprintingsystemforLinuxandotherUnix-likeoperatingsystems.Inversions2.4.16andprior,alocalunprivilegedusercancoercecupsdintoauthenticatingtoanattacker-controlledlocalhostIPPservicewithaCVE- reusableAuthorization:Local...token.Thattokenisenoughtodrive/admin/requestsonlocalhost,andtheattackercancombineCUPS-Create-Local-Printerwithprinter-is-shared=truetopersistafile:///...queueeventhoughthenormalFileDevice2026- policyrejectssuchURIs.Printingtothatqueuegivesanarbitraryrootfileoverwrite;thePoCbelowusesthatprimitivetodropasudoersfragmentanddemonstraterootcommandexecution.Attimeofpublication,therearenopubliclyavailable34990 patches. CVE- 2026- MemoryCorruptionwhenretrievingoutputbufferwithinsufficientsizevalidation. 21371 CVE- 2026- V-SFTversions6.2.10.0andpriorcontainanout-of-boundsreadvulnerabilityinVS6MemInIF!settemptypedefault.OpeningacraftedV7filemayleadtoinformationdisclosurefromtheaffectedproduct. 
32927 CVE- PraisonAIisamulti-agentteamssystem.Priortoversion1.5.90,runpython()inpraisonaiconstructsashellcommandstringbyinterpolatinguser-controlledcodeintopython3-c" "andpassingittosubprocess.run(...,shell=True).The2026- escapinglogiconlyhandles\and",leaving$()andbackticksubstitutionsunescaped,allowingarbitraryOScommandexecutionbeforePythonisinvoked.Thisissuehasbeenpatchedinversion1.5.90.34937 CVE- AnthropicClaudeCodeCLIandClaudeAgentSDKcontainanOScommandinjectionvulnerabilityintheprompteditorinvocationutilitythatallowsattackerstoexecutearbitrarycommandsbycraftingmaliciousfilepaths.Attackerscaninjectshell 2026- metacharacterssuchas$()orbacktickexpressionsintofilepathsthatareinterpolatedintoshellcommandsexecutedviaexecSync.Althoughthefilepathiswrappedindoublequotes,POSIXshellsemantics(POSIX§2.2.3)donotpreventcommand 35021 substitutionwithindoublequotes,allowinginjectedexpressionstobeevaluatedandresultinginarbitrarycommandexecutionwiththeprivilegesoftheuserrunningtheCLI. IntheLinuxkernel,thefollowingvulnerabilityhasbeenresolved:apparmor:fixside-effectbuginmatch_char()macrousageThematch_char()macroevaluatesitscharacterparametermultipletimeswhentraversingdifferentialencodingchains. 
Wheninvokedwith*str++,thestringpointeradvancesoneachiterationoftheinnerdo-whileloop,causingtheDFAtocheckdifferentcharactersateachiterationandthereforeskipinputcharacters.Thisresultsinout-of-boundsreadswhenthe pointeradvancespasttheinputbufferboundary.[94.984676]==================================================================[ aa_dfa_match+0x5ae/0x760[94.985655]Readofsize1ataddrffff888100342000bytaskfile/976[94.986319]CPU:7UID:1000PID:976Comm:fileNottainted6.19.0-rc7-next-20260127#1PREEMPT(lazy)[ StandardPC(Q35+ICH9,2009),BIOS1.16.3-debian-1.16.3-204/01/2014[94.986329]CallTrace:[94.986341][94.986347]dump_stack_lvl+0x5e/0x80[CVE- 94.986388]kasan_report+0x118/0x150[94.986401]?aa_dfa_match+0x5ae/0x760[94.986405]aa_dfa_match+0x5ae/0x760[94.986408]__aa_path_perm+0x131/0x400[2026- apparmor_file_open+0x345/0x570[94.986431]security_file_open+0x5c/0x140[94.986442]do_dentry_open+0x2f6/0x1120[94.986450]vfs_open+0x38/0x2b0[23406 94.986469]?__x64_sys_openat+0xf8/0x130[94.986477]do_file_open+0x19d/0x360[94.986487]do_sys_openat2+0x98/0x100[94.986491]__x64_sys_openat+0xf8/0x130[ count_memcg_events+0x15f/0x3c0[94.986526]?srso_alias_return_thunk+0x5/0xfbef5[94.986540]?handle_mm_fault+0x1639/0x1ef0[94.986551]?vma_start_read+0xf0/0x320[ ?srso_alias_return_thunk+0x5/0xfbef5[94.986563]?fpregs_assert_state_consistent+0x50/0xe0[94.986572]?srso_alias_return_thunk+0x5/0xfbef5[94.986574] srso_alias_return_thunk+0x5/0xfbef5[94.986588]?irqentry_exit+0x3c/0x590[94.986595]entry_SYSCALL_64_after_hwframe+0x76/0x7e[94.986597]RIP:0033:0x7fda4a79c3ea ensuringsingleevaluationperouterloop. 
CVE- Thereisamemorycorruptionvulnerabilityduetoanout-of-boundswriteinResFileFactory::InitResourceMgr()inNILabVIEW.Thisvulnerabilitymayresultininformationdisclosureorarbitrarycodeexecution.Successfulexploitationrequiresan 2026- attackertogetausertoopenaspeciallycraftedVIfile.ThisvulnerabilityaffectsNILabVIEW2026Q1(26.1.0)andpriorversions. 32862 CVE- MemoryCorruptionwhenaccessinganoutputbufferwithoutvalidatingitssizeduringIOCTLprocessing. 21373

CVE- MemoryCorruptionwhensendingIOCTLrequestswithinvalidbuffersizesduringmemcpyoperations. 21372 CVE- IntheLinuxkernel,thefollowingvulnerabilityhasbeenresolved:apparmor:Fixdoublefreeofnsnameinaareplaceprofiles()ifnsnameisNULLafter1071error=aaunpack(udata,&lh,&nsname); 1089}elseif(ent->nsname){thennsnameisassignedtheent->nsname1095nsname=ent->nsname;howeverent->nsnameisfreedat1262aaloadentfree(ent); 23408 NULLingoutent->nsnameafteritistransferredtonsname") CVE- OpenEXRprovidesthespecificationandreferenceimplementationoftheEXRfileformat,animagestorageformatforthemotionpictureindustry.From3.1.0tobefore3.2.7,3.3.9,and3.4.9,internalexrundopiz()advancestheworkingwavelet 2026- pointerwithsigned32-bitarithmetic.Becausenx,ny,andwcountareint,acraftedEXRfilecanmakethisproductoverflowandwrap.Thenextchannelthendecodesfromanincorrectaddress.Thewaveletdecodepathoperatesinplace,sothis 34588 yieldsbothout-of-boundsreadsandout-of-boundswrites.Thisvulnerabilityisfixedin3.2.7,3.3.9,and3.4.9. CVE- 2026- MemoryCorruptionwhenhandlingpowermanagementrequestswithimproperlysizedinput/outputbuffers. 21382 CVE- UnsanitizedinputduringwebpagegenerationintheKiroAgentwebviewinKiroIDEbeforeversion0.8.140allowsaremoteunauthenticatedthreatactortoexecutearbitrarycodeviaapotentiallydamagingcraftedcolorthemenamewhenalocal2026- useropenstheworkspace.Thisissuerequirestheusertotrusttheworkspacewhenprompted.Toremediatethisissue,usersshouldupgradetoversion0.8.140.5429 CVE- 2026- MemoryCorruptionwhenusingdeprecatedDMABUFIOCTLcallstomanagevideomemory. 21380 CVE- 2026- MemoryCorruptionwhenaccessinganoutputbufferwithoutvalidatingitssizeduringIOCTLprocessinginacamerasensordriver. 
21378 CVE- 2026- MemoryCorruptionwhenaccessinganoutputbufferwithoutvalidatingitssizeduringIOCTLprocessinginacamerasensordriver. 21376 CVE- 2026- MemoryCorruptionwhenaccessinganoutputbufferwithoutvalidatingitssizeduringIOCTLprocessing. 21375 CVE- 2026- MemoryCorruptionwhenprocessingauxiliarysensorinput/outputcontrolcommandswithinsufficientbuffersizevalidation. 21374 CVE- BentoMLisaPythonlibraryforbuildingonlineservingsystemsoptimizedforAIappsandmodelinference.Priorto1.4.38,theclouddeploymentpathinsrc/bentoml/internal/cloud/deployment.pywasnotincludedinthefixforCVE-2026-33744.Line 2026- 1648interpolatessystempackagesdirectlyintoashellcommandusinganf-stringwithoutanyquoting.ThegeneratedscriptisuploadedtoBentoCloudassetup.shandexecutedonthecloudbuildinfrastructureduringdeployment,makingthisa 35043 remotecodeexecutionontheCI/CDtier.Thisvulnerabilityisfixedin1.4.38. CVE- HiSecOSwebserverversions05.0.00to08.3.01priorto08.3.02containsaprivilegeescalationvulnerabilitythatallowsauthenticateduserswithoperatororauditorrolestoescalateprivilegestotheadministratorrolebysendingspeciallycrafted2023- packetstothewebserver.Attackerscanexploitthisflawtogainfulladministrativeaccesstotheaffecteddevice.7343 CVE- Theapplication'supdateservice,whencheckingforupdates,loadscertainsystemlibrariesfromasearchpaththatincludesdirectorieswritablebylow‑privilegedusersandisnotstrictlyrestrictedtotrustedsystemlocations.Becausetheselibraries2026- mayberesolvedandloadedfromuser‑writablelocations,alocalattackercanplaceamaliciouslibrarythereandhaveitloadedwithSYSTEMprivileges,resultinginlocalprivilegeescalationandarbitrarycodeexecution.3775 CVE- 
ImproperneutralizationofspecialelementsintheauthenticationcomponentsinAmazonAthenaODBCdriverbefore2.1.0.0mightallowathreatactortoexecutearbitrarycodeorredirectauthenticationflowsbyusingspeciallycraftedconnection2026- parametersthatareprocessedbythedriverduringuser-initiatedauthentication.Toremediatethisissue,usersshouldupgradetoversion2.1.0.0.35558 CVE- Theapplication'slistboxcalculatearraylogickeepsstalereferencestopageorformobjectsaftertheyaredeletedorre-created,whichallowscrafteddocumentstotriggerause-after-freewhenthecalculationrunsandcanpotentiallyleadto2026- arbitrarycodeexecution.3779 CVE- OScommandinjectioninthebrowser-basedauthenticationcomponentinAmazonAthenaODBCdriverbefore2.0.5.1onLinuxmightallowathreatactortoexecutearbitrarycodebyusingspeciallycraftedconnectionparametersthatareloadedby2026- thedriverduringalocaluser-initiatedconnection.Toremediatethisissue,usersshouldupgradetoversion2.0.5.1orlater.5485 CVE- Glancesisanopen-sourcesystemcross-platformmonitoringtool.Priortoversion4.5.3,Glancessupportsdynamicconfigurationvaluesinwhichsubstringsenclosedinbackticksareexecutedassystemcommandsduringconfigurationparsing.This 2026- behavioroccursinConfig.getvalue()andisimplementedwithoutvalidationorrestrictionoftheexecutedcommands.Ifanattackercanmodifyorinfluenceconfigurationfiles,arbitrarycommandswillexecuteautomaticallywiththeprivilegesofthe 33641 Glancesprocessduringstartuporconfigurationreload.IndeploymentswhereGlancesrunswithelevatedprivileges(e.g.,asasystemservice),thismayleadtoprivilegeescalation.Thisissuehasbeenpatchedinversion4.5.3. 
CVE- Thereisamemorycorruptionvulnerabilityduetoanout-of-boundsreadinmgcoreSH253!alignedfree()inNILabVIEW.Thisvulnerabilitymayresultininformationdisclosureorarbitrarycodeexecution.Successfulexploitationrequiresanattacker2026- togetausertoopenaspeciallycraftedVIfile.ThisvulnerabilityaffectsNILabVIEW2026Q1(26.1.0)andpriorversions.32864 CVE- Thereisamemorycorruptionvulnerabilityduetoanout-of-boundsreadinsentrytransactioncontextsetoperation()inNILabVIEW.Thisvulnerabilitymayresultininformationdisclosureorarbitrarycodeexecution.Successfulexploitationrequires2026- anattackertogetausertoopenaspeciallycraftedVIfile.ThisvulnerabilityaffectsNILabVIEW2026Q1(26.1.0)andpriorversions.32863 IntheLinuxkernel,thefollowingvulnerabilityhasbeenresolved:apparmor:fixmissingboundscheckonDEFAULTtableinverifydfa()Theverifydfa()functiononlychecksDEFAULTTABLEboundswhenthestateisnotdifferentiallyencoded. theverificationlooptraversesthedifferentialencodingchain,itreadsk=DEFAULTTABLE[j]anduseskasanarrayindexwithoutvalidation.AmalformedDFAwithDEFAULTTABLE[j]>=statecount,therefore,causesbothout-of-boundsreadsand writes.[57.179855]==================================================================[57.180549]BUG:KASAN:slab-out-of-boundsinverifydfa+0x59a/0x660[ ffff888100eadec4bytasksu/993[57.181554]CPU:1UID:0PID:993Comm:suNottainted6.19.0-rc7-next-20260127#1PREEMPT(lazy)[57.181558]Hardwarename:QEMUStandardPC(Q35+ICH9,2009),BIOS1.16.3-debian-1.16.3-204/01/2014 [57.181563]CallTrace:[57.181572] [57.181577]dumpstacklvl+0x5e/0x80[57.181596]printreport+0xc8/0x270[57.181605]?verifydfa+0x59a/0x660[ CVE- verifydfa+0x59a/0x660[57.181623]verifydfa+0x59a/0x660[57.181627]aadfaunpack+0x1610/0x1740[57.181629]?kmalloccachenoprof+0x1d0/0x470[ 2026- 
srsoaliasreturnthunk+0x5/0xfbef5[57.181653]?srsoaliasreturnthunk+0x5/0xfbef5[57.181656]?aaunpacknameX+0x1a8/0x300[57.181659]aaunpack+0x20b0/0x4c30[ 23407 stackdepotsaveflags+0x33/0x700[57.181681]?kasansavetrack+0x4f/0x80[57.181683]?kasansavetrack+0x3e/0x80[57.181686]?kasankmalloc+0x93/0xb0[ aasimplewritetobuffer+0x54/0x130[57.181697]?policyupdate+0x154/0x330[57.181704]aareplaceprofiles+0x15a/0x1dd0[57.181707]?srsoaliasreturnthunk+0x5/0xfbef5[ 57.181712]?aaloaddataalloc+0x77/0x140[57.181715]?srsoaliasreturnthunk+0x5/0xfbef5[57.181717]?copyfromuser+0x2a/0x70[57.181730]policyupdate+0x17a/0x330[ rwverifyarea+0x93/0x2d0[57.181740]vfswrite+0x235/0xab0[57.181745]ksyswrite+0xb0/0x170[57.181748]dosyscall64+0x8e/0x660[57.181762]entrySYSCALL64afterhwframe+0x76/0x7e[ RemovetheMATCHFLAGDIFFENCODEconditiontovalidateallDEFAULTTABLEentriesunconditionally.

CVE-????-25679: RealTerm Serial Terminal 2.0.0.70 contains a structured exception handling (SEH) buffer overflow vulnerability in the Echo Port tab that allows local attackers to execute arbitrary code by supplying a malicious payload. Attackers can craft a buffer overflow payload with a POP POP RET gadget chain and shellcode that triggers code execution when pasted into the Port field and the Change button is clicked.

CVE-2016-20060: Hotspot Shield 6.0.3 contains an unquoted service path vulnerability in the hshld service binary that allows local attackers to escalate privileges by injecting malicious executables. Attackers can place executable files in the service path and, upon service restart or system reboot, the malicious code executes with LocalSystem privileges.

CVE-2016-20056: Spy Emergency build 23.0.205 contains an unquoted service path vulnerability in the SpyEmrgHealth and SpyEmrgSrv services that allows local attackers to escalate privileges by inserting malicious executables. Attackers can place executable files in the unquoted service path and trigger service restart or system reboot to execute code with LocalSystem privileges.

CVE-2025-14821: A flaw was found in libssh. This vulnerability allows local man-in-the-middle attacks, security downgrades of SSH (Secure Shell) connections, and manipulation of trusted host information, posing a significant risk to the confidentiality, integrity, and availability of SSH communications via an insecure default configuration on Windows systems where the library automatically loads configuration files from the C:\etc directory, which can be created and modified by unprivileged local users.

CVE-2026-0634: Code execution in AssistFeedbackService of TECNO Pova 7 Pro 5G on Android allows local apps to execute arbitrary code as system via command injection.

CVE-2026-32925: V-SFT versions 6.2.10.0 and prior contain a stack-based buffer overflow in VS6ComFile!CV7BaseMap::WriteV7DataToRom. Opening a crafted V7 file may lead to arbitrary code execution on the affected product.

CVE-2016-20061: sheed AntiVirus 2.3 contains an unquoted service path vulnerability in the ShavProt service that allows local attackers to escalate privileges by exploiting the service binary path. Attackers can insert a malicious executable in the unquoted path and trigger service restart or system reboot to execute code with LocalSystem privileges.

CVE-2026-5271: pymanager included the current working directory in sys.path, meaning modules could be shadowed by modules in the current working directory. As a result, if a user executes a pymanager-generated command (e.g., pip, pytest) from an attacker-controlled directory, a malicious module in that directory can be imported and executed instead of the intended package.

CVE-2016-20059: IObit Malware Fighter 4.3.1 contains an unquoted service path vulnerability in the IMFservice and LiveUpdateSvc services that allows local attackers to escalate privileges. Attackers can insert a malicious executable file in the unquoted service path and trigger privilege escalation when the service restarts or the system reboots, executing code with LocalSystem privileges.

CVE-2016-20058: Netgate AMITI Antivirus build 23.0.305 contains an unquoted service path vulnerability in the AmitiAvSrv and AmitiAntivirusHealth services that allows local attackers to escalate privileges. Attackers can place a malicious executable in the unquoted service path and trigger service restart or system reboot to execute code with LocalSystem privileges.

CVE-2026-32929: V-SFT versions 6.2.10.0 and prior contain an out-of-bounds read in VS6ComFile!getmacromemCOM. Opening a crafted V7 file may lead to information disclosure from the affected product.

CVE-2016-20057: NETGATE Registry Cleaner build 16.0.205 contains an unquoted service path vulnerability in the NGRegClnSrv service that allows local attackers to escalate privileges by exploiting the service binary path. Attackers can place a malicious executable in the unquoted path and trigger service restart or system reboot to execute code with LocalSystem privileges.

CVE-2026-23410: In the Linux kernel, the following vulnerability has been resolved: apparmor: fix race on rawdata dereference. There is a race condition that leads to a use-after-free situation: because the rawdata inodes are not refcounted, an attacker can start open()ing one of the rawdata files, and at the same time remove the last reference to this rawdata (by removing the corresponding profile, for example), which frees its struct aa_loaddata; as a result, when seq_rawdata_open() is reached, i_private is a dangling pointer and freed memory is accessed. The rawdata inodes weren't refcounted to avoid a circular refcount and were supposed to be held by the profile rawdata reference. [...] and profile destruction race, resulting in the use-after-free. Fix this by moving to a double refcount scheme, where the profile refcount on rawdata is used to break the circular dependency, allowing for freeing of the rawdata once all inode references to the rawdata are put.

CVE-2026-32928: V-SFT versions 6.2.10.0 and prior contain a stack-based buffer overflow in VS6ComFile!CSaveData::convAnimationItem. Opening a crafted V7 file may lead to arbitrary code execution on the affected product.

CVE-2016-20055: IObit Advanced SystemCare 10.0.2 contains an unquoted service path vulnerability in the AdvancedSystemCareService10 service that allows local attackers to escalate privileges. Attackers can place a malicious executable in the service path and trigger privilege escalation when the service restarts or the system reboots, executing code with LocalSystem privileges.

CVE-2026-23411: In the Linux kernel, the following vulnerability has been resolved: apparmor: fix race between freeing data and fs accessing it. AppArmor was putting the reference to i_private data on its end after removing the original entry from the filesystem. However the inode can and does live beyond that point and it is possible that some of the fs callback functions will be invoked after the reference has been put, which results in a race between freeing the data and accessing it through the fs. The rawdata/loaddata is the most likely candidate to fail the race, as it has the fewest references. If properly crafted it might be possible to trigger a race for the other types stored in i_private. [...] the correct place, which is during inode eviction.

CVE-2026-22664: prompts.chat prior to commit 30a8f04 contains a server-side request forgery vulnerability in Fal.ai media status polling that allows authenticated users to perform arbitrary outbound requests by supplying attacker-controlled URLs in the token parameter. Attackers can exploit the lack of URL validation to disclose the FAL_API_KEY in the Authorization header, enabling credential theft, internal network probing, and abuse of the victim's Fal.ai account.

CVE-2026-39361: OpenObserve is a cloud-native observability platform. In 0.70.3 and earlier, the validate_enrichment_url function in src/handler/http/request/enrichment_table/mod.rs fails to block IPv6 addresses because Rust's url crate returns them with surrounding brackets (e.g. "[::1]" not "::1"). An authenticated attacker can reach internal services blocked from external access. On cloud deployments this enables retrieval of IAM credentials via AWS IMDSv1 (169.254.169.254), GCP metadata, or Azure IMDS. On self-hosted deployments it allows probing internal network services.

CVE-2026-34576: Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the POST /public/v1/upload-from-url endpoint accepts a user-supplied URL and fetches it server-side using axios.get() with no SSRF protections. The only validation is a file extension check (.png, .jpg, etc.), which is trivially bypassed by appending an image extension to any URL path. An authenticated API user can fetch internal network resources, cloud instance metadata, and other internal services, with the response data uploaded to storage and returned to the attacker. This issue has been patched in version 2.21.3.
CVE- Tinyauthisanauthenticationandauthorizationserver.Priortoversion5.0.5,allthreeOAuthserviceimplementations(GenericOAuthService,GithubOAuthService,GoogleOAuthService)storePKCEverifiersandaccesstokensasmutablestructfields 2026- onsingletoninstancessharedacrossallconcurrentrequests.WhentwousersinitiateOAuthloginforthesameproviderconcurrently,araceconditionbetweenVerifyCode()andUserinfo()causesoneusertoreceiveasessionwiththeotheruser's 33544 identity.Thisissuehasbeenpatchedinversion5.0.5.

CVE- MbedTLSbefore3.6.6andTF-PSA-Cryptobefore1.1.0misuseseedsinaPseudo-RandomNumberGenerator(PRNG). 25835

CVE- Payloadisafreeandopensourceheadlesscontentmanagementsystem.Priortoversion3.79.1,anauthenticatedServer-SideRequestForgery(SSRF)vulnerabilityexistsintheuploadfunctionality.Authenticateduserswithcreateorupdateaccess toanupload-enabledcollectioncouldcausetheservertomakeoutboundHTTPrequeststoarbitraryURLs.Thisissuehasbeenpatchedinversion3.79.1. 34746 Electronisaframeworkforwritingcross-platformdesktopapplicationsusingJavaScript,HTMLandCSS.Priortoversions38.8.6,39.8.0,40.7.0,and41.0.0-beta.8,anundocumentedcommandLineSwitcheswebPreferenceallowedarbitraryswitchestoCVE- beappendedtotherendererprocesscommandline.AppsthatconstructwebPreferencesbyspreadinguntrustedconfigurationobjectsmayinadvertentlyallowanattackertoinjectswitchesthatdisablerenderersandboxingorwebsecuritycontrols. AppsareonlyaffectediftheyconstructwebPreferencesfromexternaloruntrustedinputwithoutanallowlist.Appsthatuseafixed,hardcodedwebPreferencesobjectarenotaffected.Thisissuehasbeenpatchedinversions38.8.6,39.8.0,40.7.0,34769 and41.0.0-beta.8. 
CVE- Directusisareal-timeAPIandAppdashboardformanagingSQLdatabasecontent.Priorto11.16.0,aServer-SideRequestForgery(SSRF)protectionbypasshasbeenidentifiedandfixedinDirectus.TheIPaddressvalidationmechanismusedtoblock2026- requeststolocalandprivatenetworkscouldbecircumventedusingIPv4-MappedIPv6addressnotation.Thisvulnerabilityisfixedin11.16.0.35409 CVE- pyLoadisafreeandopen-sourcedownloadmanagerwritteninPython.In0.5.0b3.dev96andearlier,theparseurlsAPIfunctioninsrc/pyload/core/api/init.pyfetchesarbitraryURLsserver-sideviageturl(url)(pycurl)withoutanyURLvalidation, 2026- protocolrestriction,orIPblacklist.AnauthenticateduserwithADDpermissioncanmakeHTTP/HTTPSrequeststointernalnetworkresourcesandcloudmetadataendpoints,readlocalfilesviafile://protocol(pycurlreadsthefileserver-side),interact 35187 withinternalservicesviagopher://anddict://protocols,andenumeratefileexistenceviaerror-basedoracle(error37vsemptyresponse). CVE- 2026- OpenWebUIisaself-hostedartificialintelligenceplatformdesignedtooperateentirelyoffline.Priortoversion0.8.11,thereisabrokenaccesscontrolvulnerabilityintoolvalues.Thisissuehasbeenpatchedinversion0.8.11. 
34222 CVE- PraisonAIisamulti-agentteamssystem.Priortoversion4.5.90,passthrough()andapassthrough()inpraisonaiacceptacaller-controlledapibaseparameterthatisconcatenatedwithendpointandpasseddirectlytohttpx.Client.request()whenthe2026- litellmprimarypathraisesAttributeError.NoURLschemevalidation,privateIPfiltering,ordomainallowlistisapplied,allowingrequeststoanyhostreachablefromtheserver.Thisissuehasbeenpatchedinversion4.5.90.34936 CVE- misemanagesdevtoolslikenode,python,cmake,andterraform.From2026.2.18through2026.4.5,miseloadstrust-controlsettingsfromalocalproject.mise.tomlbeforethetrustcheckruns.Anattackerwhocanplaceamalicious.mise.tomlina2026- repositorycanmakethatsamefileappeartrustedandthenreachdangerousdirectivessuchas[env].source,templates,hooks,ortasks.35533 CVE- 2026- TransientDOSwhenprocessingnonstandardFILSDiscoveryFrameswithout-of-rangeactionsizesduringinitialscans. 21367 CVE- 2026- FreeScoutisafreehelpdeskandsharedinboxbuiltwithPHP'sLaravelframework.Priorto1.8.212,FreeScoutdoesnottakethelimitusercustomervisibilityparameterintoaccountwhenmergingcustomers.Thisvulnerabilityisfixedin1.8.212. 39384 CVE- OpenClawversionspriortocommitb57b680containanapprovalbypassvulnerabilityduetoinconsistentenvironmentvariablenormalizationbetweenapprovalandexecutionpaths,allowingattackerstoinjectattacker-controlledenvironment 2026- variablesintoexecutionwithoutapprovalsystemvalidation.Attackerscanexploitdifferingnormalizationlogictodiscardnon-portablekeysduringapprovalprocessingwhileacceptingthematexecutiontime,bypassingoperatorreviewand 34426 potentiallyinfluencingruntimebehaviorincludingexecutionofattacker-controlledbinaries. 
CVE- ChurchCRMisanopen-sourcechurchmanagementsystem.Priorto7.1.0,astoredcross-sitescriptingvulnerabilityexistsinPersonView.phpduetoincorrectuseofsanitizeText()asanoutputsanitizerforHTMLattributecontext.Thefunctiononly 2026- stripsHTMLtags,itdoesnotescapequotecharactersallowinganattackertobreakoutofthehrefattributeandinjectarbitraryJavaScripteventhandlers.AnyauthenticateduserwiththeEditRecordsrolecanstorethepayloadinaperson'sFacebook 35534 field.TheXSSfiresagainstanyuserwhoviewsthatperson'sprofilepage,includingadministrators,enablingsessionhijackingandfullaccounttakeover.Thisvulnerabilityisfixedin7.1.0. CVE- IBMStorageProtectServer8.2.0IBMStorageProtectPlusServerisvulnerabletoSQLinjection.AremoteattackercouldsendspeciallycraftedSQLstatements,whichcouldallowtheattackertoview,add,modify,ordeleteinformationintheback-end2025- database.13855 CVE- WWBNAVideoisanopensourcevideoplatform.Inversions26.0andprior,objects/aVideoEncoderReceiveImage.json.phpallowedanauthenticateduploadertofetchattacker-controlledsame-origin/videos/...URLs,bypasstraversalscrubbing,and2026- exposeserver-localfilesthroughtheGIFposterstoragepath.ThevulnerableGIFbranchcouldbeabusedtoreadlocalfilessuchas/etc/passwdorapplicationsourcefilesandrepublishthosebytesthroughanormalpublicGIFmediaURL.39369 CVE- FileBrowserisafilemanaginginterfaceforuploading,deleting,previewing,renaming,andeditingfileswithinaspecifieddirectory.Priortoversion2.62.2,theEPUBpreviewfunctioninFileBrowserisvulnerabletoStoredCross-SiteScripting(XSS).2026- JavaScriptembeddedinacraftedEPUBfileexecutesinthevictim'sbrowserwhentheypreviewthefile.Thisissuehasbeenpatchedinversion2.62.2.34529 CVE- 2026- 
TransientDOSwhenreceivingaservicedataframewithexcessivelengthduringdevicematchingoveraneighborhoodawarenessnetworkprotocolconnection. 21381 CVE- 2026- Aspecificadministrativeendpointisaccessiblewithoutproperauthentication,exposingdevicemanagementfunctions. 32646 CVE- HirschmannIndustrialITproducts(BAT-R,BAT-F,BAT450-F,BAT867-R,BAT867-F,WLC,BATControllerVirtual)containaheapoverflowvulnerabilityintheHiLCOSwebinterfacethatallowsunauthenticatedremoteattackerstotriggeradenial-of- 2024- serviceconditionbysendingspeciallycraftedrequeststothewebinterface.Attackerscanexploitthisheapoverflowtocrashtheaffecteddeviceandcauseservicedisruption,particularlyinconfigurationswherethePublicSpotfunctionalityis 14033 enabled. RackisamodularRubywebserverinterface.Fromversions3.0.0.beta1tobefore3.1.21,and3.2.0tobefore3.2.6,Rack::Multipart::Parser#handlemimeheadparsesquotedmultipartparameterssuchasContent-Disposition:form-data;name="..."CVE- usingrepeatedString#indexsearchescombinedwithString#slice!prefixdeletion.Forescape-heavyquotedvalues,thiscausessuper-linearprocessing.Anunauthenticatedattackercansendacraftedmultipart/form-datarequestcontainingmany2026- partswithlongbackslash-escapedparametervaluestotriggerexcessiveCPUusageduringmultipartparsing.ThisresultsinadenialofserviceconditioninRackapplicationsthatacceptmultipartformdata.Thisissuehasbeenpatchedinversions34827 3.1.21and3.2.6. 
CVE- AremoteattackercansupplyashortX-WingHPKEencapsulatedkeyandtriggeranout-of-boundsreadintheCdecapsulationpath,potentiallycausingacrashormemorydisclosuredependingonruntimeprotections.Thisissueisfixedinswift-crypto2026- version4.3.1.28815 AnissuewasdiscoveredinMbedTLS3.xbefore3.6.6.Anout-of-boundsreadvulnerabilityinmbedtlsccmfinish()inlibrary/ccm.callowsattackerstoobtainadjacentCCMcontextdataviainvocationofthemultipartCCMAPIwithanoversizedtaglenCVE- parameter.Thisiscausedbymissingvalidationofthetaglenparameteragainstthesizeoftheinternal16-byteauthenticationbuffer.TheissueaffectsthepublicmultipartCCMAPIinMbedTLS3.x,wherembedtlsccm_finish()canbeinvoked2026- directlybyapplications.InMbedTLS4.xversionspriortothefix,thesamemissingvalidationexistsintheinternalimplementation;however,thefunctionisnotexposedaspartofthepublicAPI.Exploitationrequiresapplication-levelinvocationofthe34876 multipartCCMAPI. CVE- ATime-of-ChecktoTime-of-Use(TOCTOU)raceconditionvulnerabilityinBalenaEtcherforWindowspriortov2.1.4allowsattackerstoescalateprivilegesandexecutearbitrarycodeviareplacingalegitimatescriptwithacraftedpayloadduringthe flashingprocess.30332 CVE- HirschmannEagleSDVversion05.4.01priorto05.4.02containsadenial-of-servicevulnerabilitythatcausesthedevicetocrashduringsessionestablishmentwhenusingTLS1.0orTLS1.1.AttackerscantriggeracrashbyinitiatingTLSconnections

withtheseprotocolversionstodisruptserviceavailability. CVE- ThestoredAPIkeysintemporarybrowserclientisnotmarkedasprotectedallowingforJavScriptconsoleorothererrorstoallowforextractionoftheencryptioncredentials. 35467 CVE-prompts.chatpriortocommit7b81836containsmultipleauthorizationbypassvulnerabilitiesduetomissingisPrivatechecksacrossAPIendpointsandpagemetadatagenerationthatallowunauthorizeduserstoaccesssensitivedataassociatedwith2026-privateprompts.Attackerscanexploitthesemissingauthorizationcheckstoretrieveprivatepromptversionhistory,changerequests,examples,currentcontent,andmetadataincludingtitlesanddescriptionsexposedviaHTMLmetatags.22663 CVE-FedifyisaTypeScriptlibraryforbuildingfederatedserverappspoweredbyActivityPub.Priorto1.9.6,1.10.5,2.0.8,and2.1.1,@fedify/fedifyfollowsHTTPredirectsrecursivelyinitsremotedocumentloaderandauthenticateddocumentloader 2026-withoutenforcingamaximumredirectcountorvisited-URLloopdetection.AnattackerwhocontrolsaremoteActivityPubkeyoractorURLcanforceaserverusingFedifytomakerepeatedoutboundrequestsfromasingleinboundrequest,leadingto 34148resourceconsumptionanddenialofservice.Thisvulnerabilityisfixedin1.9.6,1.10.5,2.0.8,and2.1.1. 
CVE-AllocationofresourceswithoutlimitsintheparsingcomponentsinAmazonAthenaODBCdriverbefore2.1.0.0mightallowathreatactortocauseadenialofservicebydeliveringcraftedinputthattriggersexcessiveresourceconsumptionduringthe2026-driver'sparsingoperations.Toremediatethisissue,usersshouldupgradetoversion2.1.0.0.35562 CVE-ApacheTrafficServerallowsrequestsmugglingifchunkedmessagesaremalformed.ThisissueaffectsApacheTrafficServer:from9.0.0through9.2.12,from10.0.0through10.1.1.2025-whichfixtheissue.65114 CVE-Wikipedia12.0containsadenialofservicevulnerabilitythatallowsunauthenticatedattackerstocrashtheapplicationbysubmittingoversizedinputthroughthesearchfunctionality.Attackerscanpastealargebufferofrepeatedcharactersintothe2018-searchbartotriggeranapplicationcrash.25246 RackisamodularRubywebserverinterface.Priortoversions2.2.23,3.1.21,and3.2.6,Rack::Multipart::ParseronlywrapstherequestbodyinaBoundedIOwhenCONTENTLENGTHispresent.Whenamultipart/form-datarequestissentwithoutaCVE-Content-Lengthheader,suchaswithHTTPchunkedtransferencoding,multipartparsingcontinuesuntilend-of-streamwithnototalsizelimit.Forfileparts,theuploadedbodyiswrittendirectlytoatemporaryfileondiskratherthanbeingconstrained2026-bythebufferedin-memoryuploadlimit.Anunauthenticatedattackercanthereforestreamanarbitrarilylargemultipartfileuploadandconsumeunboundeddiskspace.ThisresultsinadenialofserviceconditionforRackapplicationsthataccept34829multipartformdata.Thisissuehasbeenpatchedinversions2.2.23,3.1.21,and3.2.6. 
xmldomisapureJavaScriptW3Cstandard-based(XMLDOMLevel2Core)DOMParserandXMLSerializermodule.Inxmldomversions0.6.0andpriorand@xmldom/xmldompriortoversions0.8.12and0.9.9,xmldom/xmldomallowsattacker-CVE-controlledstringscontainingtheCDATAterminator]]>tobeinsertedintoaCDATASectionnode.Duringserialization,XMLSerializeremittedtheCDATAcontentverbatimwithoutrejectingorsafelysplittingtheterminator.Asaresult,dataintendedto2026-remaintext-onlybecameactiveXMLmarkupintheserializedoutput,enablingXMLstructureinjectionanddownstreambusiness-logicmanipulation.Thisissuehasbeenpatchedinxmldomversion0.6.0and@xmldom/xmldomversions0.8.12and346010.9.9. CVE- 2026-HarakaisaNode.jsmailserver.Priortoversion3.1.4,sendinganemailwithproto:asaheadernamecrashestheHarakaworkerprocess.Thisissuehasbeenpatchedinversion3.1.4. 34752 CVE-TheTexttoSpeechforWP(AIVoicesbyMementor)pluginforWordPressisvulnerabletosensitiveinformationexposureinallversionsupto,andincluding,1.9.8.ThisisduetotheplugincontaininghardcodedMySQLdatabasecredentialsforthe2026-vendor'sexternaltelemetryserverinthe`MementorTTSRemoteTelemetry`class.Thismakesitpossibleforunauthenticatedattackerstoextractanddecodethesecredentials,gainingunauthorizedwriteaccesstothevendor'stelemetrydatabase.1233 
Electronisaframeworkforwritingcross-platformdesktopapplicationsusingJavaScript,HTMLandCSS.Priortoversions38.8.6,39.8.0,40.7.0,and41.0.0-beta.8,appsthatregisteranasynchronoussession.setPermissionRequestHandler()maybeCVE-vulnerabletoause-after-freewhenhandlingfullscreen,pointer-lock,orkeyboard-lockpermissionrequests.Iftherequestingframenavigatesorthewindowcloseswhilethepermissionhandlerispending,invokingthestoredcallbackdereferences2026-freedmemory,whichmayleadtoacrashormemorycorruption.Appsthatdonotsetapermissionrequesthandler,orwhosehandlerrespondssynchronously,arenotaffected.Thisissuehasbeenpatchedinversions38.8.6,39.8.0,40.7.0,and3477141.0.0-beta.8. CVE- 2026-GLPIisafreeassetandITmanagementsoftwarepackage.From11.0.0tobefore11.0.6,anunauthenticatedusercanstoreanXSSpayloadthroughtheinventoryendpoint.Thisvulnerabilityisfixedin11.0.6. 26027 CVE-MesopisaPython-basedUIframeworkthatallowsuserstobuildwebapplications.Fromversion1.2.3tobeforeversion1.2.5,anuncontrolledresourceconsumptionvulnerabilityexistsintheWebSocketimplementationoftheMesopframework.An 2026-unauthenticatedattackercansendarapidsuccessionofWebSocketmessages,forcingtheservertospawnanunboundednumberofoperatingsystemthreads.ThisleadstothreadexhaustionandOutofMemory(OOM)errors,causingacomplete 34824DenialofService(DoS)foranyapplicationbuiltontheframework.Thisissuehasbeenpatchedinversion1.2.5. CVE-nimiq/core-rs-albatrossisaRustimplementationoftheNimiqProof-of-StakeprotocolbasedontheAlbatrossconsensusalgorithm.Priortoversion1.3.0,thediscoveryhandleracceptsapeer-controlledlimitduringhandshakeandstoresitunchanged. 
2026-TheimmediateHandshakeAckpaththenhonorslimit=0andreturnszerocontacts,whichmakesthesessionlookbenign.Later,afterthesamesessionreachesEstablished,theperiodicupdatepathcomputesself.peerlistlimit.unwrap()asusize-1. 33184Withlimit=0,thatwrapstousize::MAXandtheninrand0.9.2,choosemultiple()immediatelyattemptsVec::withcapacity(amount),whichdeterministicallypanicswithcapacityoverflow.Thisissuehasbeenpatchedinversion1.3.0. CVE-Distributionisatoolkittopack,ship,store,anddelivercontainercontent.Priorto3.1.0,inpull-throughcachemode,distributiondiscoverstokenauthendpointsbyparsingWWW-Authenticatechallengesreturnedbytheconfiguredupstreamregistry. 2026-TherealmURLfromabearerchallengeisusedwithoutvalidatingthatitmatchestheupstreamregistryhost.Asaresult,anattacker-controlledupstream(oranattackerwithMitMpositiontotheupstream)cancausedistributiontosendthe 33540configuredupstreamcredentialsviabasicauthtoanattacker-controlledrealmURL.Thisvulnerabilityisfixedin3.1.0. CVE- 2026-InOpenSSHbefore10.3,afiledownloadedbyscpmaybeinstalledsetuidorsetgid,anoutcomecontrarytosomeusers'expectations,ifthedownloadisperformedasrootwith-O(legacyscpprotocol)andwithout-p(preservemode). 
35385 CVE-CoreFTP2.0build653containsadenialofservicevulnerabilityinthePBSZcommandthatallowsunauthenticatedattackerstocrashtheservicebysendingamalformedcommandwithanoversizedbuffer.AttackerscansendaPBSZcommandwith2019-apayloadexceeding211bytestotriggeranaccessviolationandcrashtheFTPserverprocess.25686 CVE-Piwigoisanopensourcephotogalleryapplicationfortheweb.Priortoversion16.3.0,thepwg.history.searchAPImethodinPiwigoisregisteredwithouttheadmin_onlyoption,allowingunauthenticateduserstoaccessthefullbrowsinghistoryofall2026-galleryvisitors.Thisissuehasbeenpatchedinversion16.3.0.27833 CVE-SandboxJSisaJavaScriptsandboxinglibrary.Priorto0.8.36,the@nyariv/sandboxjsparsercontainsunboundedrecursionintherestOfExpfunctionandthelispify/lispifyExprcallchain.AnattackercancrashanyNode.jsprocessthatparsesuntrusted2026-inputbysupplyingdeeplynestedexpressions(e.g.,~2000nestedparentheses),causingaRangeError:Maximumcallstacksizeexceededthatterminatestheprocess.Thisvulnerabilityisfixedin0.8.36.34211 CVE-RackisamodularRubywebserverinterface.Priortoversions2.2.23,3.1.21,and3.2.6,Rack::Staticdetermineswhetherarequestshouldbeservedasastaticfileusingasimplestringprefixcheck.WhenconfiguredwithURLprefixessuchas"/css", itmatchesanyrequestpaththatbeginswiththatstring,includingunrelatedpathssuchas"/css-config.env"or"/css-backup.sql".Asaresult,filesunderthestaticrootwhosenamesmerelysharetheconfiguredprefixmaybeservedunintentionally, 34785leadingtoinformationdisclosure.Thisissuehasbeenpatchedinversions2.2.23,3.1.21,and3.2.6. 
CVE-VPNBrowser+1.1.0.0containsadenialofservicevulnerabilitythatallowsunauthenticatedattackerstocrashtheapplicationbysubmittingoversizedinputthroughthesearchfunctionality.Attackerscanpastealargebufferofcharactersintothe searchbartotriggeranunhandledexceptionthatterminatestheapplication.25241

CVE- Araceconditionwasaddressedwithadditionalvalidation.ThisissueisfixedinmacOSSequoia15.1.Anappmaybeabletobreakoutofitssandbox. 40849 CVE- SignalKServerisaserverapplicationthatrunsonacentralhubinaboat.Priortoversion2.24.0-beta.1,theSignalKServerexposesanunauthenticatedHTTPendpointthatallowsremoteattackerstomodifynavigationdatasourcepriorities.This endpoint,accessibleviaPUT/signalk/v1/api/sourcePriorities,doesnotenforceauthenticationorauthorizationchecksanddirectlyassignsuser-controlledinputtotheserverconfiguration.Asaresult,attackerscaninfluencewhichGPS,AIS,orother 33951 sensordatasourcesaretrustedbythesystem.Thechangesareimmediatelyappliedandpersistedtodisk,allowingthemanipulationtosurviveserverrestarts.Thisissuehasbeenpatchedinversion2.24.0-beta.1. CVE- 2024- Apermissionsissuewasaddressedwithadditionalrestrictions.ThisissueisfixedinmacOSSequoia15.1.Amaliciousapplicationwithrootprivilegesmaybeabletoaccessprivateinformation. 44219 CVE- 7Tik1.0.1.0containsadenialofservicevulnerabilitythatallowsattackerstocrashtheapplicationbysubmittingexcessivelylonginputstringstothesearchfunctionality.Attackerscanpasteabufferof7700charactersintothesearchbartotrigger2018- anapplicationcrash.25245 CVE- AbuginPOSTrequesthandlingcausesacrashunderacertaincondition.ThisissueaffectsApacheTrafficServer:from10.0.0through10.1.1,from9.0.0through9.2.12.2025- issue.Aworkaroundforolderversionsistosetproxy.config.http.requestbufferenabledto0(thedefaultvalueis0).58136 CVE- 2024- Thisissuewasaddressedthroughimprovedstatemanagement.ThisissueisfixedinmacOSSequoia15.1.Anattackerwithphysicalaccesscaninputkeyboardeventstoappsrunningonalockeddevice. 
44286 CVE- 2024- Theissuewasaddressedwithimprovedchecks.ThisissueisfixedinmacOSSequoia15.1.Amaliciousapplicationmaybeabletomodifyprotectedpartsofthefilesystem. 44303 CVE- 2026- AnissueinDokuwikiv.2025-05-14b'Librarian'allowsaremoteattackertocauseadenialofserviceviathemediauploadxhr()functioninthemedia.phpfile 26477 CVE- 2026- OpenAirInterfaceV2.2.0AMFcrasheswhenitreceivesanNGAPmessagewithinvalidprocedurecodeorinvalidPDU-type.ForexamplewhenthemessagespecificationrequiresInitiatingMessagebutsentwithsuccessfulOutcome. 30078 CVE- HirschmannHiOSdevicesversionspriorto08.1.00and07.1.01containadenialofservicevulnerabilityintheEtherNet/IPstackwhereimproperhandlingofpacketlengthfieldsallowsremoteattackerstocrashorhangthedevice.Attackerscansend2020- speciallycraftedUDPEtherNet/IPpacketswithalengthvaluelargerthantheactualpacketsizetorenderthedeviceinoperable.37216 CVE- OpenNeuralNetworkExchange(ONNX)isanopenstandardformachinelearninginteroperability.Priortoversion1.21.0,apathtraversalvulnerabilityviasymlinkallowstoreadarbitraryfilesoutsidemodeloruser-provideddirectory.Thisissuehas2026- beenpatchedinversion1.21.0.27489 CVE- 2026- SuricataisanetworkIDS,IPSandNSMengine.Priortoversions7.0.15and8.0.4,speciallycraftedtrafficcancauseSuricatatoslowdown,affectingperformanceinIDSmode.Thisissuehasbeenpatchedinversions7.0.15and8.0.4. 31933 CVE- 2026- SuricataisanetworkIDS,IPSandNSMengine.Fromversion8.0.0tobeforeversion8.0.4,useofthe"tls.alpn"rulekeywordcancauseSuricatatocrashwithaNULLdereference.Thisissuehasbeenpatchedinversion8.0.4. 
31931 CVE- pyLoadisafreeandopen-sourcedownloadmanagerwritteninPython.ThefixforCVE-2026-33509addedanADMINONLYOPTIONSsettoblocknon-adminusersfrommodifyingsecurity-criticalconfigoptions.Thestoragefolderoptionisnotinthis 2026- setandpassestheexistingpathrestrictionbecausetheFlasksessiondirectoryisoutsidebothPKGDIRanduserdir.AuserwithSETTINGSandADDpermissionscanredirectdownloadstotheFlaskfilesystemsessionstore,plantamaliciouspickle 35464 payloadasapredictablesessionfile,andtriggerarbitrarycodeexecutionwhenanyHTTPrequestarriveswiththecorrespondingsessioncookie.Thisvulnerabilityisfixedwithcommitc4cf995a2803bdbe388addfc2b0f323277efc0e1. CVE- AIOHTTPisanasynchronousHTTPclient/serverframeworkforasyncioandPython.Priortoversion3.13.4,aresponsewithanexcessivenumberofmultipartheadersmaybeallowedtousemorememorythanintended,potentiallyallowingaDoS2026- vulnerability.Thisissuehasbeenpatchedinversion3.13.4.34516 CVE- text-generation-webuiisanopen-sourcewebinterfaceforrunningLargeLanguageModels.Priorto4.3,anunauthenticatedpathtraversalvulnerabilityinloadgrammar()allowsreadinganyfileontheserverfilesystemwithnoextensionrestriction.2026- Gradiodoesnotserver-sidevalidatedropdownvalues,soanattackercanPOSTdirectorytraversalpayloads(e.g.,../../../etc/passwd)viatheAPIandreceivethefullfilecontentsintheresponse.Thisvulnerabilityisfixedin4.3.35485 CVE- AnissuewasdiscoveredinNASinSamsungMobileProcessor,WearableProcessor,andModemExynos980,990,850,1080,2100,1280,2200,1330,1380,1480,2400,1580,2500,9110,W920,W930,W1000,Modem5123,Modem5300,and2025- Modem5400.IncorrectHandlingofaDLNASTransportpacketleadstoaDenialofService.54324 CVE- 
Anissuewasdiscoveredin6.0before6.0.4,5.2before5.2.13,and4.2before4.2.30.ASGIRequestallowsaremoteattackertospoofheadersbyexploitinganambiguousmappingoftwoheadervariants(withhyphensorwithunderscores)toa2026- singleversionwithunderscores.Earlier,unsupportedDjangoseries(suchas5.0.x,4.1.x,and3.2.x)werenotevaluatedandmayalsobeaffected.DjangowouldliketothankTarekNakkouchforreportingthisissue.3902 AddressableisanalternativeimplementationtotheURIimplementationthatispartofRuby'sstandardlibrary.From2.3.0tobefore2.9.0,withintheURItemplateimplementationinAddressable,twoclassesofURItemplategenerateregular CVE- expressionsvulnerabletocatastrophicbacktracking.Templatesusingthe(explode)modifierwithanyexpansionoperator(e.g.,{foo},{+var},{#var},{/var},{.var},{;var},{?var},{&var*})generatepatternswithnestedunbounded 2026- quantifiersthatareO(2^n)whenmatchedagainstamaliciouslycraftedURI.Templatesusingmultiplevariableswiththe+or#operators(e.g.,{+v1,v2,v3})generatepatternswithO(n^k)complexityduetothecommaseparatorbeingwithinthe 35611 matchedcharacterclass,causingambiguousbacktrackingacrosskvariables.WhenmatchedagainstamaliciouslycraftedURI,thiscanresultincatastrophicbacktrackinganduncontrolledresourceconsumption,leadingtodenialofservice.This vulnerabilityisfixedin2.9.0. 
CVE- Aregressioninthewayhasheswerecalculatedcausedrulescontainingtheaddressrangesyntax(x.x.x.x-y.y.y.y)thatonlydifferintheaddressrange(s)involvedtobesilentlydroppedasduplicates. 2026- pf.Rangesexpressedusingtheaddress[/mask-bits]syntaxwerenotaffected.Somekeywordsrepresentingactionstakenonapacket-matchingrule,suchas'log','returntll',or'dnpipe',maysufferfromthesameissue. 4748 suchconfigurations,astheseruleswouldalwaysberedundant.Affectedrulesaresilentlyignored,whichcanleadtounexpectedbehaviourincludingover-andunderblocking. CVE- AIOHTTPisanasynchronousHTTPclient/serverframeworkforasyncioandPython.Priortoversion3.13.4,insufficientrestrictionsinheader/trailerhandlingcouldcauseuncappedmemoryusage.Thisissuehasbeenpatchedinversion3.13.4. 22815 CVE- text-generation-webuiisanopen-sourcewebinterfaceforrunningLargeLanguageModels.Priorto4.3,hesuperboogaandsuperboogav2RAGextensionsfetchuser-suppliedURLsviarequests.get()withzerovalidation--noschemecheck,noIP filtering,nohostnameallowlist.Anattackercanaccesscloudmetadataendpoints,stealIAMcredentials,andprobeinternalservices.ThefetchedcontentisexfiltratedthroughtheRAGpipeline.Thisvulnerabilityisfixedin4.3.

35486 CVE- TheW3TotalCachepluginforWordPressisvulnerabletoinformationexposureinallversionsupto,andincluding,2.9.3.Thisisduetothepluginbypassingitsentireoutputbufferingandprocessingpipelinewhentherequest'sUser-Agentheader contains"W3TotalCache",whichcausesrawmfunc/mcludedynamicfragmentHTMLcomments--includingtheW3TCDYNAMICSECURITYsecuritytoken--toberenderedinthepagesource.Thismakesitpossibleforunauthenticatedattackersto discoverthevalueoftheW3TCDYNAMICSECURITYconstantbysendingacraftedUser-Agentheadertoanypagethatcontainsdeveloper-placeddynamicfragmenttags,grantedthesitehasthefragmentcachingfeatureenabled. CVE- AflawwasfoundinKeycloak.AnunauthenticatedattackercanexploitthisvulnerabilitybysendingaspeciallycraftedPOSTrequestwithanexcessivelylongscopeparametertotheOpenIDConnect(OIDC)tokenendpoint.Thisleadstohighresource2026- consumptionandprolongedprocessingtimes,ultimatelyresultinginaDenialofService(DoS)fortheKeycloakserver.4634 CVE- 2026- UseafterfreeinDawninGoogleChromepriorto146.0.7680.178allowedaremoteattackerwhohadcompromisedtherendererprocesstoexecutearbitrarycodeviaacraftedHTMLpage.(Chromiumsecurityseverity:High) 5284 CVE- 2026- AnissuewasdiscoveredinMbedTLSthrough3.6.5and4.xthrough4.0.0.ThereisaNULLpointerdereferenceindistinguishednameparsingthatallowsanattackertowritetoaddress0. 
34874 CVE- 2026- MbedTLS3.5.0to3.6.5fixedin3.6.6and4.1.0hasabufferoverflowinthex509inetptonipv6()function 25833 CVE- DrizzleisamodernTypeScriptORM.Priorto0.45.2and1.0.0-beta.20,DrizzleORMimproperlyescapedquotedSQLidentifiersinitsdialect-specificescapeName()implementations.Inaffectedversions,embeddedidentifierdelimiterswerenot 2026- escapedbeforetheidentifierwaswrappedinquotesorbackticks.Asaresult,applicationsthatpassattacker-controlledinputtoAPIsthatconstructSQLidentifiersoraliases,suchassql.identifier(),.as(),mayallowanattackertoterminatethequoted 39356 identifierandinjectSQL.Thisvulnerabilityisfixedin0.45.2and1.0.0-beta.20. CVE- Anissuewasdiscoveredin6.0before6.0.4,5.2before5.2.13,and4.2before4.2.30.ASGIrequestswithamissingorunderstatedContent-Lengthheadercouldbypassthe`DATAUPLOADMAXMEMORYSIZElimitwhenreading 2026-HttpRequest.body`,allowingremoteattackerstoloadanunboundedrequestbodyintomemory.Earlier,unsupportedDjangoseries(suchas5.0.x,4.1.x,and3.2.x)werenotevaluatedandmayalsobeaffected.DjangowouldliketothankSuperior 33034 forreportingthisissue. StrawberryGraphQLisalibraryforcreatingGraphQLAPIs.Priorto0.312.3,StrawberryGraphQL'sWebSocketsubscriptionhandlersforboththegraphql-transport-wsandlegacygraphql-wsprotocolsallocateanasyncio.TaskandassociatedOperationCVE- objectforeveryincomingsubscribemessagewithoutenforcinganylimitonthenumberofactivesubscriptionsperconnection.AnunauthenticatedattackercanopenasingleWebSocketconnection,sendconnectioninit,andthenfloodsubscribe2026- messageswithuniqueIDs.Eachmessageunconditionallyspawnsanewasyncio.Taskandasyncgenerator,causinglinearmemorygrowthandeventloopsaturation.ThisleadstoserverdegradationoranOOMcrash.Thisvulnerabilityisfixedin35526 0.312.3. 
CVE- PdfDingisaselfhostedPDFmanager,viewerandeditorofferingaseamlessuserexperienceonmultipledevices.Priortoversion1.7.0,anaccess-controlvulnerabilityallowsunauthenticateduserstoretrievepassword-protectedsharedPDFsby 2026- directlycallingthefile-servingendpointwithoutcompletingthepasswordverificationflow.Thisresultsinunauthorizedaccesstoconfidentialdocumentsthatusersexpectedtobeprotectedbyashared-linkpassword.Thisissuehasbeenpatchedin 34376 version1.7.0. CVE- AnissuewasdiscoveredinSamsungMobileProcessor,WearableProcessor,andModem(Exynos980,850,990,1080,2100,1280,2200,1330,1380,1480,2400,1580,2500,1680,9110,W920,W930,W1000,Modem5123,Modem5300,Modem2025- 5400,andModem5410).TheabsenceofproperinputvalidationleadstoaDenialofService.57834 CVE- 2026- AnunauthenticatedremoteattackercanexploitanunauthenticatedSQLInjectionvulnerabilityinthegetinfoendpointduetoimproperneutralizationofspecialelementsinaSQLSELECTcommand.Thiscanresultinatotallossofconfidentiality. 33614 CVE- Distributionisatoolkittopack,ship,store,anddelivercontainercontent.Priorto3.1.0,distributioncanrestorereadaccessinrepoaafteranexplicitdeletewhenstorage.cache.blobdescriptor:redisandstorage.delete.enabled:trueareboth 2026- enabled.Thedeletepathclearstheshareddigestdescriptorbutleavesstalerepo-scopedmembershipbehind,soalaterStatorGetfromrepobrepopulatestheshareddescriptorandmakesthedeletedblobreadablefromrepoaagain.This 35172 vulnerabilityisfixedin3.1.0. 
CVE- AnunauthenticatedremoteattackercanexploitanunauthenticatedblindSQLInjectionvulnerabilityinthemb24apiendpointduetoimproperneutralizationofspecialelementsinaSQLSELECTcommand.Thiscanresultinatotallossof2026- confidentiality.33616 CVE- StrawberryGraphQLisalibraryforcreatingGraphQLAPIs.Strawberryupuntilversion0.312.3isvulnerabletoanauthenticationbypassonWebSocketsubscriptionendpoints.Thelegacygraphql-wssubprotocolhandlerdoesnotverifythata 2026- connectioninithandshakehasbeencompletedbeforeprocessingstart(subscription)messages.Thisallowsaremoteattackertoskiptheonwsconnectauthenticationhookentirelybyconnectingwiththegraphql-wssubprotocolandsendingastart 35523 messagedirectly,withouteversendingconnectioninit.Thisvulnerabilityisfixedin0.312.3. CVE- ZLMediaKitisastreamingmediaserviceframework.theVP9RTPpayloadparserinext-codec/VP9Rtp.cppreadsmultiplefieldsfromtheRTPpayloadbasedonflagbitsinthefirstbyte,withoutverifyingthatsufficientdataexistsinthebuffer.A 2026- craftedVP9RTPpacketwitha1-bytepayload(0xFF,allflagsset)causestheparsertoreadpasttheendoftheallocatedbuffer,resultinginaheap-buffer-overflow.Thisvulnerabilityisfixedwithcommit 35203 435dcbcbbf700fd63b2ca9eac6cef3b5ea75169d. CVE- 2026- SuricataisanetworkIDS,IPSandNSMengine.Priortoversions7.0.15and8.0.4,inefficiencyinKRB5bufferingcanleadtoperformancedegradation.Thisissuehasbeenpatchedinversions7.0.15and8.0.4. 
31932 CVE- FastFeedParserisahighperformanceRSS,AtomandRDFparser.Priorto0.5.10,whenparse()fetchesaURLthatreturnsanHTMLpagecontaininga tag,itrecursivelycallsitselfwiththeredirectURL--withnodepth 2026- limit,novisited-URLdeduplication,andnoredirectcountcap.Anattacker-controlledserverthatreturnsaninfinitechainofHTMLmeta-refreshresponsescausesunboundedrecursion,exhaustingthePythoncallstackandcrashingtheprocess.This 39376 vulnerabilitycanalsobechainedwiththecompanionSSRFissuetoreachinternalnetworktargetsafterbypassingtheinitialURLcheck.Thisvulnerabilityisfixedin0.5.10. defuissoftwarethatallowsuerstoassigndefaultpropertiesrecursively.Priortoversion6.1.5,applicationsthatpassunsanitizeduserinput(e.g.parsedJSONrequestbodies,databaserecords,orconfigfilesfromuntrustedsources)asthefirstCVE- argumenttodefu()arevulnerabletoprototypepollution.Acraftedpayloadcontaininga__proto__keycanoverrideintendeddefaultvaluesinthemergedresul.Theinternal_defufunctionusedObject.assign({},defaults)tocopythedefaults2026- object.Object.assigninvokesthe__proto__setter,whichreplacestheresultingobject's[[Prototype]]withattacker-controlledvalues.Propertiesinheritedfromthepollutedprototypethenbypasstheexisting__proto__keyguardinthe35209 for...inloopandlandinthefinalresult.Version6.1.5replacesObject.assign({},defaults)withobjectspread({...defaults}),whichuses[[DefineOwnProperty]]anddoesnotinvokethe__proto__setter. 
CVE- AnissuewasdiscoveredinUSIMinSamsungMobileProcessor,WearableProcessor,andModemExynos980,990,850,1080,2100,1280,2200,1330,1380,1480,2400,1580,2500,9110,W920,W930,W1000,Modem5123,Modem5300,and2025- Modem5400.ImproperhandlingofSIMcardproactivecommandsleadstoaDenialofService.59440 Tinyproxythrough1.11.3isvulnerabletoHTTPrequestparsingdesynchronizationduetoacase-sensitivecomparisonoftheTransfer-Encodingheaderinsrc/reqs.c.Theischunkedtransfer()functionusesstrcmp()tocomparetheheadervalue against"chunked",eventhoughRFC7230specifiesthattransfer-codingnamesarecase-insensitive.BysendingarequestwithTransfer-Encoding:Chunked,anunauthenticatedremoteattackercancauseTinyproxytomisinterprettherequestas CVE- havingnobody.Inthisstate,Tinyproxysetscontentlength.clientto-1,skipspullclientdatachunked(),forwardsrequestheadersupstream,andtransitionsintorelay_connection()rawTCPforwardingwhileunreadbodydataremainsbuffered.This leadstoinconsistentrequeststatebetweenTinyproxyandbackendservers.RFC-compliantbackends(e.g.,Node.js,Nginx)willcontinuewaitingforchunkedbodydata,causingconnectionstohangindefinitely.Thisbehaviorenablesapplication-level 31842 denialofservicethroughbackendworkerexhaustion.Additionally,indeploymentswhereTinyproxyisusedforrequest-bodyinspection,filtering,orsecurityenforcement,theunreadbodymaybeforwardedwithoutproperinspection,resultingin potentialsecuritycontrolbypass. CVE- OpenTelemetry-GoistheGoimplementationofOpenTelemetry.From1.36.0to1.40.0,multi-valuebaggage:headerextractionparseseachheaderfield-valueindependentlyandaggregatesmembersacrossvalues.Thisallowsanattackertoamplify

cpuandallocationsbysendingmanybaggage:headerlines,evenwheneachindividualvalueiswithinthe8192-byteper-valueparselimit.Thisvulnerabilityisfixedin1.41.0. 29181 CVE- XenForobefore2.3.7disclosesfilesystempathsthroughexceptionmessagestriggeredbyopenbasedirrestrictions.Thisallowsanattackertoobtaininformationabouttheserver'sdirectorystructure. 71282 CVE- 2026-Cross-SiteRequestForgery(CSRF)vulnerabilityinAnalytifySimpleSocialMediaShareButtonsallowsCrossSiteRequestForgery.ThisissueaffectsSimpleSocialMediaShareButtons:fromn/athrough6.2.0. 34904 GoJOSEprovidesanimplementationoftheJavascriptObjectSigningandEncryptionsetofstandardsinGo,includingsupportforJSONWebEncryption(JWE),JSONWebSignature(JWS),andJSONWebToken(JWT)standards.Priorto4.1.4and3.0.5, decryptingaJSONWebEncryption(JWE)objectwillpanicifthealgfieldindicatesakeywrappingalgorithm(oneendinginKW,withtheexceptionofA128GCMKW,A192GCMKW,andA256GCMKW)andtheencryptedkeyfieldisempty.ThepanicCVE-happenswhencipher.KeyUnwrap()inkeywrap.goattemptstoallocateaslicewithazeroornegativelengthbasedonthelengthoftheencryptedkey.ThiscodepathisreachablefromParseEncrypted()/ParseEncryptedJSON()/2026-ParseEncryptedCompact()followedbyDecrypt()ontheresultingobject.Notethattheparsefunctionstakealistofacceptedkeyalgorithms.Iftheacceptedkeyalgorithmsdonotincludeanykeywrappingalgorithms,parsingwillfailandthe34986applicationwillbeunaffected.Thispanicisalsoreachablebycallingcipher.KeyUnwrap()directlywithanyciphertextparameterlessthan16byteslong,butcallingthisfunctiondirectlyislesscommon.Panicscanleadtodenialofservice.This vulnerabilityisfixedin4.1.4and3.0.5. 
CVE- 2026-Cross-SiteRequestForgery(CSRF)vulnerabilityinAnalytifyUnderConstruction,ComingSoon&MaintenanceModeallowsCrossSiteRequestForgery.ThisissueaffectsUnderConstruction,ComingSoon&MaintenanceMode:fromn/athrough2.1.1. 34896 CVE-Ech0isanopen-source,self-hostedpublishingplatformforpersonalideasharing.Priorto4.2.8,Ech0implementslinkpreview(editorfetchesapagetitle)throughGET/api/website/title.Thatislegitimateproductbehavior,buttheimplementationis 2026-unsafe:therouteisunauthenticated,acceptsafullyattacker-controlledURL,performsaserver-sideGET,readstheentireresponsebodyintomemory(io.ReadAll).Thereisnohostallowlist,noSSRFfilter,andInsecureSkipVerify:trueontheoutbound 35036client.AnyonewhocanreachtheinstancecanforcetheEch0servertoopenHTTP/HTTPSURLsoftheirchoiceasseenfromtheserver'snetworkposition(Dockerbridge,VPC,localhostfromtheprocessview).Thisvulnerabilityisfixedin4.2.8. 
CVE-OpenEXRprovidesthespecificationandreferenceimplementationoftheEXRfileformat,animagestorageformatforthemotionpictureindustry.Fromversion3.4.0tobeforeversion3.4.8,sensitiveinformationfromheapmemorymaybeleaked2026-throughthedecodedpixeldata(informationdisclosure).Thisoccursunderdefaultsettings;simplyreadingamaliciousEXRfileissufficienttotriggertheissue,withoutanyuserinteraction.Thisissuehasbeenpatchedinversion3.4.8.34543 CVE-fast-jwtprovidesfastJSONWebToken(JWT)implementation.In6.1.0andearlier,fast-jwtdoesnotvalidatethecrit(Critical)HeaderParameterdefinedinRFC7515§4.1.11.WhenaJWStokencontainsacritarraylistingextensionsthatfast-jwtdoes2026-notunderstand,thelibraryacceptsthetokeninsteadofrejectingit.ThisviolatestheMUSTrequirementintheRFC.35042 CVE- 2026-NVIDIATritonInferenceServercontainsavulnerabilitywhereanattackercouldcauseaservercrashbysendingamalformedrequestheadertotheserver.Asuccessfulexploitofthisvulnerabilitymightleadtodenialofservice. 24175 CVE-libp2p-rustistheofficialrustlanguageImplementationofthelibp2pnetworkingstack.Priorto0.17.1,libp2p-rendezvousserverhasnolimitonhowmanynamespacesasinglepeercanregister. 2026-namespacesinaloopandtheserverhappilyacceptseverysingleoneallocatingmemoryforeachregistrationwithnopushback.Keepdoingthislongenough(orwithmultiplesybilpeers)andtheserverprocessgetsOOMkilled.Thisvulnerabilityis 35405fixedin0.17.1. 
CVE-AnissuewasdiscoveredinRRCinSamsungMobileProcessor,WearableProcessor,andModemExynos980,990,850,1080,2100,1280,2200,1330,1380,1480,2400,1580,2500,9110,W920,W930,W1000,Modem5123,Modem5300,and2025-Modem5400.Impropermemoryinitializationresultsinanillegalmemoryaccess,causingasystemcrashviaamalformedRRCReconfigurationmessage.57835 CVE- 2026-NVIDIATritonInferenceServercontainsavulnerabilitywhereanattackercouldcauseaservercrashbysendingamalformedrequesttotheserver.Asuccessfulexploitofthisvulnerabilitymightleadtodenialofservice. 24174 CVE-AflawwasfoundinCorosync.AnintegeroverflowvulnerabilityinCorosync'sjoinmessagesanityvalidationallowsaremote,unauthenticatedattackertosendcraftedUserDatagramProtocol(UDP)packets.Thiscancausetheservicetocrash,2026-leadingtoadenialofservice.ThisvulnerabilityspecificallyaffectsCorosyncdeploymentsconfiguredtousetotemudp/totemudpumode.35092 CVE- 2026-NVIDIATritonInferenceServercontainsavulnerabilitywhereanattackercouldcauseaservercrashbysendingamalformedrequesttotheserver.Asuccessfulexploitofthisvulnerabilitymightleadtodenialofservice. 
24173 CVE-SuricataisanetworkIDS,IPSandNSMengine.Fromversion8.0.0tobeforeversion8.0.4,thereisaquadraticcomplexityissuewhensearchingforURLsinmimeencodedmessagesoverSMTPleadingtoaperformanceimpact.Thisissuehasbeen2026-patchedinversion8.0.4.31934 CVE-IntegeroverflowinANGLEinGoogleChromeonWindowspriorto146.0.7680.178allowedaremoteattackerwhohadcompromisedtherendererprocesstoperformanoutofboundsmemorywriteviaacraftedHTMLpage.(Chromiumsecurity2026-severity:High)5277 CVE- 2026-NVIDIATritonInferenceServercontainsavulnerabilitywhereinsufficientinputvalidationandalargenumberofoutputscouldcauseaservercrash.Asuccessfulexploitofthisvulnerabilitymightleadtodenialofservice. 24146 CVE-SoftEtherVPNisaanopen-sourcecross-platformmulti-protocolVPNProgram.In5.2.5188andearlier,apre-authenticationdenial-of-servicevulnerabilityexistsinSoftEtherVPNDeveloperEdition5.2.5188(andlikelyearlierversionsofDeveloper2026-Edition).AnunauthenticatedremoteattackercancrashthevpnserverprocessbysendingasinglemalformedEAP-TLSpacketoverrawL2TP(UDP/1701),terminatingallactiveVPNsessions.39312 CVE-ABusinessLogicvulnerabilityexistsinSourceCodesterPharmacyProductManagementSystem1.0.Thevulnerabilityislocatedintheadd-sales.phpfile.Theapplicationfailstovalidatethe"txtprice"and"txttotalcost"parameters,allowingattackers2026-tosubmitnegativevaluesforsalestransactions.Thisleadstoincorrectfinancialcalculations,corruptionofsalesreports,andpotentialfinancialloss.30573 CVE- 2026-SuricataisanetworkIDS,IPSandNSMengine.Priortoversion7.0.15,inefficiencyinDCERPCbufferingcanleadtoaperformancedegradation.Thisissuehasbeenpatchedinversion7.0.15. 
31937 CVE-SuricataisanetworkIDS,IPSandNSMengine.Priortoversions7.0.15and8.0.4,floodingofcraftHTTP2continuationframescanleadtomemoryexhaustion,usuallyresultingintheSuricataprocessbeingshutdownbytheoperatingsystem.This issuehasbeenpatchedinversions7.0.15and8.0.4.31935 CVE- LakesideSysTrackAgent11before11.5.0.15hasaraceconditionwithresultantlocalprivilegeescalationtoSYSTEM.Thefixedversionsare11.2.1.28,11.3.0.38,11.4.0.24,and11.5.0.15. 35099

CVE- InSudothrough1.9.17p2before3e474c2,afailureofasetuid,setgid,orsetgroupscall,duringaprivilegedropbeforerunningthemailer,isnotafatalerrorandcanleadtoprivilegeescalation. 35535 CVE- ClerkJavaScriptistheofficialJavaScriptrepositoryforClerkauthentication.In@clerk/honofromversions0.1.0tobefore0.1.5,@clerk/expressfromversions2.0.0tobefore2.0.7,@clerk/backendfromversions3.0.0tobefore3.2.3,and@clerk/fastify 2026- fromversions3.1.0tobefore3.1.5,theclerkFrontendApiProxyfunctionin@clerk/backendisvulnerabletoServer-SideRequestForgery(SSRF).Anunauthenticatedattackercancraftarequestpaththatcausestheproxytosendtheapplication's 34076 Clerk-Secret-Keytoanattacker-controlledserver.Thisissuehasbeenpatchedin@clerk/honoversion0.1.5,@clerk/expressversion2.0.7,@clerk/backendversion3.2.3,and@clerk/fastifyversion3.1.5. CVE- Insufficientauthenticationsecuritycontrolsinthebrowser-basedauthenticationcomponentsinAmazonAthenaODBCdriverbefore2.1.0.0mightallowathreatactortointerceptorhijackauthenticationsessionsduetoinsufficientprotectionsinthe2026- browser-basedauthenticationflows.Toremediatethisissue,usersshouldupgradetoversion2.1.0.0.35561 CVE- ImpropercertificatevalidationintheidentityproviderconnectioncomponentsinAmazonAthenaODBCdriverbefore2.1.0.0mightallowaman-in-the-middlethreatactortointerceptauthenticationcredentialsduetoinsufficientdefaulttransport2026- securitywhenconnectingtoidentityproviders.ThisonlyappliestoconnectionswithexternalidentityprovidersanddoesnotapplytoconnectionswithAthena.Toremediatethisissue,usersshouldupgradetoversion2.1.0.0.35560 CVE- 
AflawwasfoundinKeycloak.TheSingleUseObjectProvider,aglobalkey-valuestore,lackspropertypeandnamespaceisolation.Thisvulnerabilityallowsanunauthenticatedattackertoforgeauthorizationcodes.Successfulexploitationcanleadto2026- thecreationofadmin-capableaccesstokens,resultinginprivilegeescalation.4282 CVE- TandoorRecipesisanapplicationformanagingrecipes,planningmeals,andbuildingshoppinglists.Priorto2.6.4,thePOST/api/food/{id}/shopping/endpointreadsamountandunitdirectlyfromrequest.dataandpassesthemwithoutvalidationto 2026- ShoppingListEntry.objects.create().Invalidamountvalues(non-numericstrings)causeanunhandledexceptionandHTTP500.AunitIDfromadifferentSpacecanbeassociatedcross-space,leakingforeign-keyreferencesacrosstenantboundaries. 35489 AllotherendpointscreatingShoppingListEntryuseShoppingListEntrySerializer,whichvalidatesandsanitizesthesefields.Thisvulnerabilityisfixedin2.6.4. CVE- 2026- pandas-aiv3.0.0wasdiscoveredtocontainaSQLinjectionvulnerabilityviathepandasai.agent.base.executesqlquerycomponent. 
30273 CVE- IBMVerifyIdentityAccessContainer11.0through11.0.2andIBMSecurityVerifyAccessContainer10.0through10.0.9.1andIBMVerifyIdentityAccess11.0through11.0.2andIBMSecurityVerifyAccess10.0through10.0.9.1couldallowan2026- unauthenticatedusertoexecutearbitrarycommandsasloweruserprivilegesonthesystemduetoimpropervalidationofusersuppliedinput.1345 CVE- AvulnerabilitywasdetectedinSourceCodester/jkevRecordManagementSystem1.0.Affectedbythisvulnerabilityisanunknownfunctionalityofthefileindex.phpofthecomponentLogin.ThemanipulationoftheargumentUsernameresultsinsql2026- injection.Theattackmaybelaunchedremotely.Theexploitisnowpublicandmaybeused.5575 AvulnerabilityinthewebinterfaceofCiscoSmartSoftwareManagerOn-Prem(SSMOn-Prem)couldallowanauthenticated,remoteattackertoelevateprivilegesonanaffectedsystem.CVE- sensitiveuserinformation.AnattackercouldexploitthisvulnerabilitybysendingacraftedmessagetoanaffectedCiscoSSMOn-Premhostandretrievingsessioncredentialsfromsubsequentstatusmessages.Asuccessfulexploitcouldallowthe2026- attackertoelevateprivilegesontheaffectedsystemfromlowtoadministrative.Toexploitthisvulnerability,theattackermusthavevalidcredentialsforauseraccountwithatleasttheroleofSystemUser.Note:Thisvulnerabilityexposes20151 informationonlyaboutuserswhologgedintotheCiscoSSMOn-Premhostusingthewebinterfaceandwhoarecurrentlyloggedin.SSHsessionsarenotaffected. 
CVE- Avulnerabilitywasidentifiedinappsmithorgappsmithupto1.97.ImpactedisthefunctioncomputeDisallowedHostsofthefileapp/server/appsmith-interfaces/src/main/java/com/appsmith/util/WebClientUtils.javaofthecomponentDashboard.Such 2026- manipulationleadstoserver-siderequestforgery.Theattackmaybelaunchedremotely.Theexploitispubliclyavailableandmightbeused.Upgradingtoversion1.99isrecommendedtoaddressthisissue.Theaffectedcomponentshouldbe 5418 upgraded.Thevendorwascontactedearly,respondedinaveryprofessionalmannerandquicklyreleasedafixedversionoftheaffectedproduct. CVE- AvulnerabilityhasbeenfoundinFosowlagenticSeek0.1.0.ImpactedisthefunctionPyInterpreter.executeofthefilesources/tools/PyInterpreter.pyofthecomponentqueryEndpoint.Suchmanipulationleadstocodeinjection.Theattackcanbe2026- launchedremotely.Theexploithasbeendisclosedtothepublicandmaybeused.Thevendorwascontactedearlyaboutthisdisclosurebutdidnotrespondinanyway.5584 CVE- AvulnerabilityhasbeenfoundinSong-Licrossbrowseruptoca690f0fe6954fd9bcda36d071b68ed8682a786a.Thisaffectsanunknownpartofthefileflask/uniquemachine_app.pyofthecomponentdetailsEndpoint.Suchmanipulationofthe 2026- argumentIDleadstosqlinjection.Theattackcanbeexecutedremotely.Theexploithasbeendisclosedtothepublicandmaybeused.Thisproductimplementsarollingreleaseforongoingdelivery,whichmeansversioninformationforaffectedor 5577 updatedreleasesisunavailable.Thevendorwascontactedearlyaboutthisdisclosurebutdidnotrespondinanyway. CVE- 2026- ZohocorpManageEngineExchangeReporterPlusversionsbefore5802arevulnerabletoStoredXSSinEquipmentMailboxDetailsreport. 
3879 CVE- Aflawhasbeenfoundincode-projectsSimpleLaundrySystem1.0.Thisvulnerabilityaffectsunknowncodeofthefile/modify.phpofthecomponentParameterHandler.ThismanipulationoftheargumentfirstNamecausessqlinjection.Remote2026- exploitationoftheattackispossible.Theexploithasbeenpublishedandmaybeused.5256 CVE- Avulnerabilityhasbeenfoundincode-projectsSimpleLaundrySystem1.0.Thisissueaffectssomeunknownprocessingofthefile/delstaffinfo.phpofthecomponentParameterHandler.Suchmanipulationoftheargumentuseridleadstosql2026- injection.Theattackcanbeexecutedremotely.Theexploithasbeendisclosedtothepublicandmaybeused.5257 CVE- 2026- Blindserver-siderequestforgery(SSRF)vulnerabilityinlegacyconnectionmethodsofdocumentco-authoringfeaturesinM-FilesServerbefore26.3allowanunauthenticatedattackertocausetheservertosendHTTPGETrequeststoarbitraryURLs. 0932 CVE- AvulnerabilitywasidentifiedinShandongHoteamInforCenterPLMupto8.3.8.TheimpactedelementisthefunctionuploadFileToIISofthefile/Base/BaseHandler.ashx.ThemanipulationoftheargumentFileleadstounrestrictedupload.Itispossible2026- toinitiatetheattackremotely.Theexploitispubliclyavailableandmightbeused.Thevendorwascontactedearlyaboutthisdisclosurebutdidnotrespondinanyway.5261 CVE- 2026- DellAppSync,version(s)4.6.0,contain(s)anUNIXSymbolicLink(Symlink)Followingvulnerability.Alowprivilegedattackerwithlocalaccesscouldpotentiallyexploitthisvulnerability,leadingtoInformationtampering. 22767 CVE- 2026- DellAppSync,version(s)4.6.0,contain(s)anIncorrectPermissionAssignmentforCriticalResourcevulnerability.Alowprivilegedattackerwithlocalaccesscouldpotentiallyexploitthisvulnerability,leadingtoElevationofprivileges. 
22768 CVE- NVIDIADALIcontainsavulnerabilitywhereanattackercouldcauseadeserializationofuntrusteddata.Asuccessfulexploitofthisvulnerabilitymightleadtoarbitrarycodeexecution. 24156 CVE- AsecurityflawhasbeendiscoveredinTenda4G03Proupto1.0/1.1/04.03.01.53/192.168.0.1.Affectedbythisvulnerabilityisanunknownfunctionalityofthefile/bin/httpd.Themanipulationresultsinimproperaccesscontrols.Theattackmaybe performedfromremote.Theexploithasbeenreleasedtothepublicandmaybeusedforattacks.

CVE- AvulnerabilitywasidentifiedinitsourcecodeOnlineEnrollmentSystem1.0.Thisaffectsanunknownfunctionofthefile/sms/user/index.php?view=edit&id=10ofthecomponentParameterHandler.SuchmanipulationoftheargumentUSERIDleadsto sqlinjection.Theattackcanbeexecutedremotely.Theexploitispubliclyavailableandmightbeused. CVE- AweaknesshasbeenidentifiedinFedML-AIFedMLupto0.8.9.AffectedisthefunctionsendMessageofthefilegrpcserver.pyofthecomponentgRPCserver.Executingamanipulationcanleadtodeserialization.Theattackmaybeperformedfrom2026- remote.Thevendorwascontactedearlyaboutthisdisclosurebutdidnotrespondinanyway.5536 PraisonAIisamulti-agentteamssystem.Priorto1.5.113,PraisonAI'sreciperegistrypullflowextractsattacker-controlled.praisontararchiveswithtar.extractall()anddoesnotvalidatearchivememberpathsbeforeextraction.AmaliciouspublisherCVE- canuploadarecipebundlethatcontains../traversalentriesandanyuserwholaterpullsthatrecipewillwritefilesoutsidetheoutputdirectorytheyselected.Thisisapathtraversal/arbitraryfilewritevulnerabilityontheclientsideoftherecipe2026- registryworkflow.ItaffectsboththelocalregistrypullpathandtheHTTPregistrypullpath.Thechecksumverificationdoesnotpreventexploitationbecausethemalicioustraversalpayloadispartofthesignedbundleitself.Thisvulnerabilityisfixed39306 in1.5.113. 
CVE- AvulnerabilitywasfoundinSansterIOPaint1.5.3.Impactedisthefunctiongetfileofthefileiopaint/filemanager/filemanager.pyofthecomponentFileManager.Performingamanipulationoftheargumentfilenameresultsinpathtraversal.The2026- attackispossibletobecarriedoutremotely.Theexploithasbeenmadepublicandcouldbeused.Thevendorwascontactedearlyaboutthisdisclosurebutdidnotrespondinanyway.5258 CVE- Avulnerabilityhasbeenfoundincode-projectsSimpleLaundrySystem1.0.Thisvulnerabilityaffectsunknowncodeofthefile/modifymember.phpofthecomponentParameterHandler.SuchmanipulationoftheargumentfirstNameleadstosql2026- injection.Theattackcanbelaunchedremotely.Theexploithasbeendisclosedtothepublicandmaybeused.5540 CVE- AsecurityflawhasbeendiscoveredinitsourcecodeFreeHotelReservationSystem1.0.Thisvulnerabilityaffectsunknowncodeofthefile/hotel/admin/login.phpofthecomponentParameterHandler.Themanipulationoftheargumentemailresults2026- insqlinjection.Theattackmaybelaunchedremotely.Theexploithasbeenreleasedtothepublicandmaybeusedforattacks.5551 CVE- Asecurityflawhasbeendiscoveredincode-projectsConcertTicketReservationSystem1.0.Affectedbythisissueissomeunknownfunctionalityofthefile/ConcertTicketReservationSystem-master/processsearch.phpofthecomponentParameter2026- Handler.Performingamanipulationoftheargumentsearchingresultsinsqlinjection.Theattackmaybeinitiatedremotely.Theexploithasbeenreleasedtothepublicandmaybeusedforattacks.5554 CVE- Aweaknesshasbeenidentifiedincode-projectsConcertTicketReservationSystem1.0.Thisaffectsanunknownpartofthefile/ConcertTicketReservationSystem-master/login.phpofthecomponentParameterHandler.Executingamanipulationof2026- 
theargumentEmailcanleadtosqlinjection.Theattackmaybelaunchedremotely.Theexploithasbeenmadeavailabletothepublicandcouldbeusedforattacks.5555 CVE- Avulnerabilitywasidentifiedinprovectuskafka-uiupto0.7.2.ThisimpactsthefunctionvalidateAccessofthefile/api/smartfilters/testexecutionsofthecomponentEndpoint.Themanipulationleadstocodeinjection.Theattackcanbeinitiated2026- remotely.Theexploitispubliclyavailableandmightbeused.Thevendorwascontactedearlyaboutthisdisclosurebutdidnotrespondinanyway.5562 CVE- 2026- ZohocorpManageEngineExchangeReporterPlusversionsbefore5802arevulnerabletoStoredXSSinPermissionsBasedonMailboxesreport. 27655 CVE- Aweaknesshasbeenidentifiedincode-projectsSimpleLaundrySystem1.0.Affectedbythisvulnerabilityisanunknownfunctionalityofthefile/searchguest.phpofthecomponentParameterHandler.Thismanipulationoftheargument2026- searchServiceIdcausessqlinjection.Theattackmaybeinitiatedremotely.Theexploithasbeenmadeavailabletothepublicandcouldbeusedforattacks.5564 CVE- 2026- ZohocorpManageEngineExchangeReporterPlusversionsbefore5802arevulnerabletoStoredXSSinNon-OwnerMailboxPermissionreport. 4108 CVE- 2026- ZohocorpManageEngineExchangeReporterPlusversionsbefore5802arevulnerabletoStoredXSSinFolderMessageCountandSizereport. 4107 CVE- 2026- ZohocorpManageEngineExchangeReporterPlusversionsbefore5802arevulnerabletoStoredXSSinPublicFolderClientPermissionsreport. 3880 CVE- 2026- ZohocorpManageEngineExchangeReporterPlusversionsbefore5802arevulnerabletoStoredXSSinMailsExchangedBetweenUsersreport. 28703 CVE- 2026- ZohocorpManageEngineExchangeReporterPlusversionsbefore5802arevulnerabletoStoredXSSinPermissionsbasedonDistributionGroupsreport. 
28756 CVE- 2026- ZohocorpManageEngineExchangeReporterPlusversionsbefore5802arevulnerabletoStoredXSSinDistributionListsreport. 28754 CVE- Asecurityvulnerabilityhasbeendetectedincode-projectsSimpleLaundrySystem1.0.Affectedbythisissueissomeunknownfunctionalityofthefile/delmemberinfo.phpofthecomponentParameterHandler.Suchmanipulationoftheargument2026- useridleadstosqlinjection.Theattackmaybelaunchedremotely.Theexploithasbeendisclosedpubliclyandmaybeused.5565 CVE- IncorrectDefaultPermissionsvulnerabilityinAIRBUSPSSTETRAConnectivityServeronWindowsServerOSallowsPrivilegeAbuse.AnattackermayexecutearbitrarycodewithSYSTEMprivilegesifauseristrickedordirectedtoplaceacraftedfile2025- intothevulnerabledirectory.ThisissueaffectsTETRAconnectivityServer:7.0.Vulnerabilityfixisavailableanddeliveredtoimpactedcustomers.7024 CVE- ChurchCRMisanopen-sourcechurchmanagementsystem.Priorto6.5.3,astoredCross-SiteScripting(XSS)vulnerabilityinChurchCRM'sNoteEditorallowsauthenticateduserswithnote-addingpermissionstoexecutearbitraryJavaScriptcodeinthe2026- contextofotherusers'browsers,includingadministrators.Thiscanleadtosessionhijacking,privilegeescalation,andunauthorizedaccesstosensitivechurchmemberdata.Thisvulnerabilityisfixedin6.5.3.35574 CVE- AvulnerabilitywasfoundinTechnostrobeHI-LED-WR120-G25.5.0.1R6.03.30.Impactedisanunknownfunctionofthefile/Technostrobe/ofthecomponentEndpoint.Themanipulationresultsinimproperaccesscontrols.Theattackmaybeperformed fromremote.Theexploithasbeenmadepublicandcouldbeused.Multipleendpointsareaffected.Thevendorwascontactedearlyaboutthisdisclosurebutdidnotrespondinanyway. 
CVE- AvulnerabilitywasdeterminedinTechnostrobeHI-LED-WR120-G25.5.0.1R6.03.30.Theaffectedelementisthefunctionindex_configofthefile/LoginCB.Thismanipulationcausesimproperauthentication.Itispossibletoinitiatetheattackremotely. Theexploithasbeenpubliclydisclosedandmaybeutilized.Thevendorwascontactedearlyaboutthisdisclosurebutdidnotrespondinanyway.

CVE- AweaknesshasbeenidentifiedinTechnostrobeHI-LED-WR120-G25.5.0.1R6.03.30.Thisimpactsanunknownfunctionofthefile/fs.Executingamanipulationoftheargumentcwdcanleadtounrestrictedupload.Theattackcanbelaunched remotely.Theexploithasbeenmadeavailabletothepublicandcouldbeusedforattacks.Thevendorwascontactedearlyaboutthisdisclosurebutdidnotrespondinanyway. CVE- OpenEXRprovidesthespecificationandreferenceimplementationoftheEXRfileformat,animagestorageformatforthemotionpictureindustry.Fromversion3.4.0tobeforeversion3.4.8,acraftedB44orB44AEXRfilecancauseanout-of-bounds2026- writeinanyapplicationthatdecodesitviaexrdecodingrun().Consequencesrangefromimmediatecrash(mostlikely)tocorruptionofadjacentheapallocations(layout-dependent).Thisissuehasbeenpatchedinversion3.4.8.34544 CVE- OpenEXRprovidesthespecificationandreferenceimplementationoftheEXRfileformat,animagestorageformatforthemotionpictureindustry.Fromversion3.4.0tobeforeversion3.4.7,anattackerprovidingacrafted.exrfilewithHTJ2K 2026- compressionandachannelwidthof32768canwritecontrolleddatabeyondtheoutputheapbufferinanyapplicationthatdecodesEXRimages.Thewriteprimitiveis2bytesperoverflowiterationor4bytes(byanotherpath),repeatingforeach 34545 additionalpixelpasttheoverflowpoint.Inthiscontext,aheapwriteoverflowcanleadtoremotecodeexecutiononsystems.Thisissuehasbeenpatchedinversion3.4.7. 
CVE- AweaknesshasbeenidentifiedinitsourcecodePayrollManagementSystem1.0.Affectedbythisissueissomeunknownfunctionalityofthefile/viewemployee.phpofthecomponentParameterHandler.ExecutingamanipulationoftheargumentID2026- canleadtosqlinjection.Theattackmaybeperformedfromremote.Theexploithasbeenmadeavailabletothepublicandcouldbeusedforattacks.5238 CVE- Asecurityvulnerabilityhasbeendetectedincode-projectsOnlineFIRSystem1.0.Affectedbythisvulnerabilityisanunknownfunctionalityofthefile/Login/checklogin.phpofthecomponentLogin.Themanipulationoftheargumentemail/password2026- leadstosqlinjection.Theattackispossibletobecarriedoutremotely.Theexploithasbeendisclosedpubliclyandmaybeused.5665 CVE- AvulnerabilityhasbeenfoundinCesantaMongooseupto7.20.Thisaffectsthefunctionmgtlsrecvcertofthefilemongoose.cofthecomponentTLS1.3Handler.Suchmanipulationoftheargumentpubkeyleadstoheap-basedbufferoverflow.The 2026- attackmaybelaunchedremotely.Theexploithasbeendisclosedtothepublicandmaybeused.Upgradingtoversion7.21mitigatesthisissue.Thenameofthepatchis0d882f1b43ff2308b7486a56a9d60cd6dba8a3f1.Itisadvisabletoupgradethe 5244 affectedcomponent.Thevendorwascontactedearly,respondedinaveryprofessionalmannerandquicklyreleasedafixedversionoftheaffectedproduct. 
CVE- AvulnerabilityhasbeenfoundinCyber-IIIStudent-Management-Systemupto1a938fa61e9f735078e9b291d2e6215b4942af3f.Thisvulnerabilityaffectsunknowncodeofthefile/login.phpofthecomponentParameterHandler.Suchmanipulationof 2026- theargumentPasswordleadstosqlinjection.Itispossibletolaunchtheattackremotely.Theexploithasbeendisclosedtothepublicandmaybeused.Thisproducttakestheapproachofrollingreleasestoprovidecontiniousdelivery.Therefore, 5669 versiondetailsforaffectedandupdatedreleasesarenotavailable.Theprojectwasinformedoftheproblemearlythroughanissuereportbuthasnotrespondedyet. CVE- Avulnerabilitywasdeterminedinhuimeicloudhmeditorupto2.2.3.Impactedisthefunctionclient.getofthefilesrc/mcp-server.jsofthecomponentimage-to-base64Endpoint.Executingamanipulationoftheargumenturlcanleadtoserver-side2026- requestforgery.Itispossibletolaunchtheattackremotely.Theexploithasbeenpubliclydisclosedandmaybeutilized.Thevendorwascontactedearlyaboutthisdisclosurebutdidnotrespondinanyway.5346 CVE- AvulnerabilitywasdeterminedinCyber-IIIStudent-Management-Systemupto1a938fa61e9f735078e9b291d2e6215b4942af3f.Thisaffectsanunknownfunctionofthefile/viva/update.phpofthecomponentHTTPPOSTRequestHandler.This 2026- manipulationoftheargumentNamecausesimproperauthorization.Itispossibletoinitiatetheattackremotely.Theexploithasbeenpubliclydisclosedandmaybeutilized.Thisproductisusingarollingreleasetoprovidecontiniousdelivery. 5642 Therefore,noversiondetailsforaffectednorupdatedreleasesareavailable.Theprojectwasinformedoftheproblemearlythroughanissuereportbuthasnotrespondedyet. 
CVE- AsecurityvulnerabilityhasbeendetectedinprojectworldsCarRentalSystem1.0.Thisvulnerabilityaffectsunknowncodeofthefile/messageadmin.phpofthecomponentParameterHandler.SuchmanipulationoftheargumentMessageleadsto2026- sqlinjection.Theattackmaybelaunchedremotely.Theexploithasbeendisclosedpubliclyandmaybeused.5637 CVE- AvulnerabilitywasdeterminedinprojectworldsCarRentalProject1.0.Theaffectedelementisanunknownfunctionofthefile/login.phpofthecomponentParameterHandler.Thismanipulationoftheargumentunamecausessqlinjection.Remote2026- exploitationoftheattackispossible.Theexploithasbeenpubliclydisclosedandmaybeutilized.5368 CVE- Aweaknesshasbeenidentifiedinsuvarchaldocker-mcp-serverupto0.1.0.Theimpactedelementisthefunctionstopcontainer/removecontainer/pullimageofthefilesrc/index.tsofthecomponentHTTPInterface.Thismanipulationcausesos2026- commandinjection.Theattackispossibletobecarriedoutremotely.Theexploithasbeenmadeavailabletothepublicandcouldbeusedforattacks.Theprojectwasinformedoftheproblemearlythroughanissuereportbuthasnotrespondedyet.5741 CVE- AvulnerabilitywasidentifiedinprojectworldsCarRentalProject1.0.Affectedbythisvulnerabilityisanunknownfunctionalityofthefile/bookcar.phpofthecomponentParameterHandler.Themanipulationoftheargumentfnameleadstosql2026- injection.Theattackcanbeinitiatedremotely.Theexploitispubliclyavailableandmightbeused.5634 CVE- Avulnerabilitywasdeterminedinassafelovicgpt-researcherupto3.4.3.AffectedisanunknownfunctionofthecomponentwsEndpoint.Executingamanipulationoftheargumentsourceurlscanleadtoserver-siderequestforgery.Itispossibleto2026- 
launchtheattackremotely.Theexploithasbeenpubliclydisclosedandmaybeutilized.Theprojectwasinformedoftheproblemearlythroughanissuereportbuthasnotrespondedyet.5633 CVE- AsecurityvulnerabilityhasbeendetectedinJeecgBoot3.9.0/3.9.1.Theimpactedelementisanunknownfunctionofthefilejeecg-boot/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/airag/JeecgBizToolsProvider.javaofthe 2026- componentAIChatModule.Suchmanipulationleadstomissingauthentication.Theattackcanbeexecutedremotely.Thenameofthepatchisb7c9aeba7aefda9e008ea8fe4fc3daf08d0c5b39/2c1cc88b8d983868df8c520a343d6ff4369d9e59.Itisbest 5616 practicetoapplyapatchtoresolvethisissue.Theprojectfixedtheissuewithacommitwhichshallbepartofthenextofficialrelease. CVE- Avulnerabilitywasfoundinassafelovicgpt-researcherupto3.4.3.ThisimpactsanunknownfunctionofthecomponentHTTPRESTAPIEndpoint.Performingamanipulationresultsinmissingauthentication.Itispossibletoinitiatetheattackremotely.2026- Theexploithasbeenmadepublicandcouldbeused.Theprojectwasinformedoftheproblemearlythroughanissuereportbuthasnotrespondedyet.5632 CVE- Avulnerabilityhasbeenfoundinassafelovicgpt-researcherupto3.4.3.Thisaffectsthefunctionextractcommanddataofthefilebackend/server/serverutils.pyofthecomponentwsEndpoint.Suchmanipulationoftheargumentargsleadstocode2026- injection.Theattackmaybeperformedfromremote.Theexploithasbeendisclosedtothepublicandmaybeused.Theprojectwasinformedoftheproblemearlythroughanissuereportbuthasnotrespondedyet.5631 CVE- AsecurityflawhasbeendiscoveredinPowerJob5.1.0/5.1.1/5.1.2.TheaffectedelementisthefunctionGroovyEvaluator.evaluateofthefile/openApi/addWorkflowNodeofthecomponentOpenAPIEndpoint.Themanipulationoftheargument2026- 
nodeParamsresultsincodeinjection.Theattackcanbeexecutedremotely.Theprojectwasinformedoftheproblemearlythroughanissuereportbuthasnotrespondedyet.5739 CVE- AweaknesshasbeenidentifiedinitsourcecodeOnlineEnrollmentSystem1.0.Impactedisanunknownfunctionofthefile/enrollment/index.php?view=edit&id=3ofthecomponentParameterHandler.Thismanipulationoftheargumentdeptid2026- causessqlinjection.Theattackispossibletobecarriedoutremotely.Theexploithasbeenmadeavailabletothepublicandcouldbeusedforattacks.5334 CVE- AsecurityflawhasbeendiscoveredinDefaultFuctionContent-Management-System1.0.Thisissueaffectssomeunknownprocessingofthefile/admin/tools.php.Themanipulationoftheargumenthostresultsincommandinjection.Theattackcanbe2026- executedremotely.Theexploithasbeenreleasedtothepublicandmaybeusedforattacks.5333 CVE- AweaknesshasbeenidentifiedinprojectworldsCarRentalSystem1.0.Affectedbythisvulnerabilityisanunknownfunctionalityofthefile/pay.phpofthecomponentParameterHandler.Executingamanipulationoftheargumentmpesacanleadto2026- sqlinjection.Theattackcanbelaunchedremotely.Theexploithasbeenmadeavailabletothepublicandcouldbeusedforattacks. CVE- Avulnerabilityhasbeenfoundincode-projectsSimpleITDiscussionForum1.0.Affectedbythisissueissomeunknownfunctionalityofthefile/edit-category.phpofthecomponentParameterHandler.Themanipulationoftheargumentcat_idleadsto sqlinjection.Itispossibletoinitiatetheattackremotely.Theexploithasbeendisclosedtothepublicandmaybeused.

CVE- Asecurityvulnerabilityhasbeendetectedincode-projectsEasyBlogSite1.0.Affectedbythisissueissomeunknownfunctionalityofthefilelogin.php.Themanipulationoftheargumentusername/passwordleadstosqlinjection.Theattackmaybe initiatedremotely.Theexploithasbeendisclosedpubliclyandmaybeused.

CVE- Avulnerabilitywasdetectedinvanna-aivannaupto2.0.2.Affectedbythisvulnerabilityisanunknownfunctionalityofthefile/api/vanna/v2/ofthecomponentChatAPIEndpoint.Performingamanipulationresultsinmissingauthentication.The attackcanbeinitiatedremotely.Theexploitisnowpublicandmaybeused.Thevendorwascontactedearlyaboutthisdisclosurebutdidnotrespondinanyway.5320 CVE- AflawwasfoundinKeycloak.Thisissueallowsanattacker,whocontrolsanotherpathonthesamewebserver,tobypasstheallowedpathinredirectUniformResourceIdentifiers(URIs)thatuseawildcard.Asuccessfulattackmayleadtothetheftof2026- anaccesstoken,resultingininformationdisclosure.3872 CVE- AweaknesshasbeenidentifiedinTotolinkA7100RU7.4cu.2313b20191024.TheaffectedelementisthefunctionsetScheduleCfgofthefile/cgi-bin/cstecgi.cgi.Executingamanipulationoftheargumentmodecanleadtooscommandinjection.The2026- attackmaybelaunchedremotely.Theexploithasbeenmadeavailabletothepublicandcouldbeusedforattacks.5678 CVE- AsecurityflawhasbeendiscoveredinTotolinkA7100RU7.4cu.2313b20191024.ImpactedisthefunctionCsteSystemofthefile/cgi-bin/cstecgi.cgi.PerformingamanipulationoftheargumentresetFlagsresultsinoscommandinjection.Theattack2026- maybeinitiatedremotely.Theexploithasbeenreleasedtothepublicandmaybeusedforattacks.5677 CVE- AvulnerabilitywasidentifiedinPowerJob5.1.0/5.1.1/5.1.2.Impactedisanunknownfunctionofthefilepowerjob-server/powerjob-server-starter/src/main/java/tech/powerjob/server/web/controller/InstanceController.javaofthecomponentdetailPlus2026- Endpoint.ThemanipulationoftheargumentcustomQueryleadstosqlinjection.Remoteexploitationoftheattackispossible.Theprojectwasinformedoftheproblemearlythroughanissuereportbuthasnotrespondedyet.5736 CVE- 
Theapplication'sinstallerrunswithelevatedprivilegesbutresolvessystemexecutablesandDLLsusinguntrustedsearchpathsthatcanincludeuser-writabledirectories,allowingalocalattackertoplacemaliciousbinarieswiththesamenamesand2026- havethemloadedorexecutedinsteadofthelegitimatesystemfiles,resultinginlocalprivilegeescalation.3780 CVE- Aflawhasbeenfoundincode-projectsSimpleLaundrySystem1.0.Thisvulnerabilityaffectsunknowncodeofthefile/userfinishregister.phpofthecomponentParameterHandler.ThismanipulationoftheargumentfirstNamecausessqlinjection.2026- Remoteexploitationoftheattackispossible.Theexploithasbeenpublishedandmaybeused.5648 CVE- AvulnerabilitywasfoundinTotolinkA7100RU7.4cu.2313b20191024.ThisimpactsthefunctionsetGameSpeedCfgofthefile/cgi-bin/cstecgi.cgi.Themanipulationoftheargumentenableresultsinoscommandinjection.Theattackmaybe2026- performedfromremote.Theexploithasbeenmadepublicandcouldbeused.5692 CVE- AvulnerabilityhasbeenfoundinTotolinkA7100RU7.4cu.2313b20191024.ThisaffectsthefunctionsetFirewallTypeofthefile/cgi-bin/cstecgi.cgi.ThemanipulationoftheargumentfirewallTypeleadstooscommandinjection.Theattackispossible2026- tobecarriedoutremotely.Theexploithasbeendisclosedtothepublicandmaybeused.5691 CVE- AflawhasbeenfoundinTotolinkA7100RU7.4cu.2313b20191024.TheimpactedelementisthefunctionsetRemoteCfgofthefile/cgi-bin/cstecgi.cgi.Executingamanipulationoftheargumentenablecanleadtooscommandinjection.Theattack2026- canbeexecutedremotely.Theexploithasbeenpublishedandmaybeused.5690 CVE- HirschmannIndustrialHiVisionversion08.1.03priorto08.1.04and08.2.00containsavulnerabilityintheexecutionofuser-configuredexternalapplicationsthatallowsalocalattackertoexecutearbitrarybinaries.Duetoinsufficientpath 2022- 
sanitization,anattackercanplaceamaliciousbinaryintheexecutionpathofaconfiguredexternalapplication,causingittobeexecutedinsteadoftheintendedapplication.Thiscanresultinexecutionwithelevatedprivilegesdependingonthe 4987 contextoftheexternalapplication. CVE- AsecurityflawhasbeendiscoveredinOFFISDCMTKupto3.7.0.ThisimpactsthefunctionexecuteOnReception/executeOnEndOfStudyofthefiledcmnet/apps/storescp.ccofthecomponentstorescp.Performingamanipulationresultsinoscommand2026- injection.Remoteexploitationoftheattackispossible.Thepatchisnamededbb085e45788dccaf0e64d71534cfca925784b8.Applyingapatchistherecommendedactiontofixthisissue.5663 CVE- AvulnerabilitywasidentifiedinTotolinkA8000R5.9c.681B20180413.ThisissueaffectsthefunctionsetLanguageCfgofthefile/cgi-bin/cstecgi.cgi.SuchmanipulationoftheargumentlangTypeleadstomissingauthentication.Theattackcanbe2026- launchedremotely.Theexploitispubliclyavailableandmightbeused.5676 CVE- AvulnerabilityhasbeenfoundinAlejandroArciniegasmcp-data-visbc597e391f184d2187062fd567599a3cb72adf51/de5a51525a69822290eaee569a1ab447b490746d.ThisaffectsthefunctionRequestofthefilesrc/servers/database/server.jsofthe 2026- componentMCPHandler.Themanipulationleadstosqlinjection.Theattackmaybeinitiatedremotely.Theexploithasbeendisclosedtothepublicandmaybeused.Thisproductusesarollingreleasemodeltodelivercontinuousupdates.Asa 5322 result,specificversioninformationforaffectedorupdatedreleasesisnotavailable.Thevendorwascontactedearlyaboutthisdisclosurebutdidnotrespondinanyway. 
CVE- AvulnerabilitywasdetectedinTotolinkA7100RU7.4cu.2313b20191024.TheaffectedelementisthefunctionsetNtpCfgofthefile/cgi-bin/cstecgi.cgi.Performingamanipulationoftheargumenttzresultsinoscommandinjection.Remote2026- exploitationoftheattackispossible.Theexploitisnowpublicandmaybeused.5689 CVE- AsecurityvulnerabilityhasbeendetectedinTotolinkA7100RU7.4cu.2313b20191024.ImpactedisthefunctionsetDdnsCfgofthefile/cgi-bin/cstecgi.cgi.Suchmanipulationoftheargumentproviderleadstooscommandinjection.Theattackmay2026- belaunchedremotely.Theexploithasbeendisclosedpubliclyandmaybeused.5688 CVE- ChurchCRMisanopen-sourcechurchmanagementsystem.Priorto7.1.0,aSQLinjectionvulnerabilityexistsintheEditEventTypes.phpfile,whichisonlyaccessibletoadministrators.TheENtyidPOSTparameterisnotsanitizedbeforebeingusedin2026- aSQLquery,allowinganadministratortoexecutearbitrarySQLcommandsdirectlyagainstthedatabase.Thisvulnerabilityisfixedin7.1.0.39343 CVE- 2026- XenForobefore2.3.9andbefore2.2.18allowsremotecodeexecution(RCE)byauthenticated,butmalicious,adminusers.Anattackerwithadminpanelaccesscanexecutearbitrarycodeontheserver. 
35056 CVE- OpenSTAManagerisanopensourcemanagementsoftwarefortechnicalassistanceandinvoicing.Priortoversion2.10.2,theoauth2.phpfileinOpenSTAManagerisanunauthenticatedendpoint($skippermissions=true).Itloadsarecordfromthe2026- zzoauth2tableusingtheattacker-controlledGETparameterstate,andduringtheOAuth2configurationflowcallsunserialize()ontheaccesstokenfieldwithoutanyclassrestriction.Thisissuehasbeenpatchedinversion2.10.2.29782 CVE- Piwigoisanopensourcephotogalleryapplicationfortheweb.Priortoversion16.3.0,aSQLInjectionvulnerabilitywasdiscoveredinPiwigoaffectingtheActivityListAPIendpoint.Thisvulnerabilityallowsanauthenticatedadministratortoextract2026- sensitivedatafromthedatabase,includingusercredentials,emailaddresses,andallstoredcontent.Thisissuehasbeenpatchedinversion16.3.0.27885 CVE- EmissaryisaP2Pbaseddata-drivenworkflowengine.Priorto8.39.0,theExecutrixutilityclassconstructedshellcommandsbyconcatenatingconfiguration-derivedvalues--includingthePLACE_NAMEparameter--withinsufficientsanitization.Only spaceswerereplacedwithunderscores,allowingshellmetacharacters(;,|,$,`,(,),etc.)topassthroughinto/bin/sh-ccommandexecution.Thisvulnerabilityisfixedin8.39.0.35581 CVE-
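The Emissary entry above is a precise description of a common mistake: a transform that strips one inconvenient character (the space) is treated as sanitisation before the value is spliced into a `/bin/sh -c` string. The block below is an added example, not Emissary's code; it reproduces the spaces-to-underscores transform as the entry describes it, shows an input with no spaces at all that still injects a second command (using `${IFS}` to smuggle the word separator past the transform), and then shows the two correct responses: allow-list the value and pass it as a single argv element without a shell, or, if a shell string is unavoidable, quote it with `shlex.quote`. The function names, the allow-list pattern and the `echo running ...` command are this example's own assumptions; it requires a POSIX `/bin/sh`.

```python
"""Added example: why 'replace spaces with underscores' is not shell sanitisation.

Not Emissary's code. Reproduces the weak transform the bulletin entry
describes and contrasts it with allow-listing plus argv execution and with
shlex.quote. Requires a POSIX /bin/sh.
"""
import re
import shlex
import subprocess

# Characters that change meaning inside a POSIX shell command line.
SHELL_META = set(";&|$`()<>\\\"'*?[]{}~\n\r")
# Hypothetical allow-list for a place name: letters, digits, '_', '.', '-'.
SAFE_NAME = re.compile(r"[A-Za-z0-9_.-]+")


def weak_sanitize(value: str) -> str:
    """The inadequate transform described in the entry: only spaces are touched."""
    return value.replace(" ", "_")


def has_shell_metachars(value: str) -> bool:
    """True if the value could alter a shell command it is spliced into."""
    return any(c in SHELL_META for c in value)


def run_via_shell(place_name: str) -> str:
    """Vulnerable pattern: concatenate into one string, hand it to /bin/sh -c."""
    cmd = "echo running " + weak_sanitize(place_name)
    return subprocess.run(["/bin/sh", "-c", cmd], capture_output=True, text=True).stdout


def run_quoted(place_name: str) -> str:
    """If a shell string is unavoidable, shlex.quote makes the value one literal word."""
    cmd = "echo running " + shlex.quote(weak_sanitize(place_name))
    return subprocess.run(["/bin/sh", "-c", cmd], capture_output=True, text=True).stdout


def run_without_shell(place_name: str) -> str:
    """Preferred pattern: validate against an allow-list, then pass as argv (no shell)."""
    name = weak_sanitize(place_name)
    if not SAFE_NAME.fullmatch(name):
        raise ValueError(f"rejected PLACE_NAME: {place_name!r}")
    return subprocess.run(["echo", "running", name], capture_output=True, text=True).stdout


# Constructed attacker value. It contains no spaces, so weak_sanitize() leaves it
# untouched; ${IFS} expands to a field separator once the shell parses it.
PAYLOAD = "Foo;echo${IFS}INJECTED"


if __name__ == "__main__":
    print("weak transform output :", repr(weak_sanitize(PAYLOAD)))
    print("metachars detected    :", has_shell_metachars(weak_sanitize(PAYLOAD)))
    print("via shell             :", repr(run_via_shell(PAYLOAD)))
    print("via shell, quoted     :", repr(run_quoted(PAYLOAD)))
    try:
        run_without_shell(PAYLOAD)
    except ValueError as exc:
        print("argv + allow-list     :", exc)
    print("benign value          :", repr(run_without_shell("my place")))
```

The same reasoning applies to the Totolink `cstecgi.cgi`, DCMTK `storescp` and docker-mcp-server entries in this bulletin: every one of them is a value reaching a shell or `exec`-style call with only partial filtering, and the fix is the same in each case (argv arrays and an allow-list, not a deny-list of characters the author happened to think of).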

MyBBLastUser'sThreadsinProfilePlugin1.2containsapersistentcross-sitescriptingvulnerabilitythatallowsattackerstoinjectmaliciousscriptsbycraftingthreadsubjectswithscripttags.Attackerscancreatethreadswithscriptpayloadsinthe 25250subjectfieldthatexecutewhenusersvisittheattacker'sprofilepage. CVE-CI4MSisaCodeIgniter4-basedCMSskeletonthatdeliversaproduction-ready,modulararchitecturewithRBACauthorizationandthemesupport.Priorto0.31.2.0,theapplicationfailstoproperlysanitizeuser-controlledinputwithinSystemSettings- CompanyInformation.Severaladministrativeconfigurationfieldsacceptattacker-controlledinputthatisstoredserver-sideandlaterrenderedwithoutproperoutputencoding.Thesevaluesarepersistedinthedatabaseandrenderedunsafelyon 35035public-facingpagesonly,suchasthemainlandingpage.Thereisnoexecutionintheadministrativedashboard--thevulnerabilityonlyimpactsthepublicfrontend.Thisvulnerabilityisfixedin0.31.2.0. CVE-Emlogisanopensourcewebsitebuildingsystem.Inversions2.6.2andprior,apathtraversalvulnerabilityexistsintheemUnZip()function(include/lib/common.php:793).WhenextractingZIParchives(plugin/templateuploads,backupimports),the 2026-functioncalls$zip->extractTo($path)withoutsanitizingZIPentrynames.AnauthenticatedadmincanuploadacraftedZIPcontainingentrieswith../sequencestowritearbitraryfilestotheserverfilesystem,includingPHPwebshells,achieving 34607RemoteCodeExecution(RCE).Attimeofpublication,therearenopubliclyavailablepatches. 
CVE-ChurchCRMisanopen-sourcechurchmanagementsystem.Priorto7.1.0,anSQLinjectionvulnerabilitywasfoundintheendpoint/SettingsUser.phpinChurchCRM7.0.5.AuthenticatedadministrativeuserscaninjectarbitrarySQLstatementsthrough2026-thetypearrayparameterviatheindexandthusextractandmodifyinformationfromthedatabase.Thisvulnerabilityisfixedin7.1.0.39325 CVE-DolibarrERP/CRMversionspriorto23.0.2containanauthenticatedremotecodeexecutionvulnerabilityinthedolevalstandard()functionthatfailstoapplyforbiddenstringchecksinwhitelistmodeanddoesnotdetectPHPdynamiccallablesyntax.2026-AttackerswithadministratorprivilegescaninjectmaliciouspayloadsthroughcomputedextrafieldsorotherevaluationpathsusingPHPdynamiccallablesyntaxtobypassvalidationandachievearbitrarycommandexecutionviaeval().22666 CVE-Piwigoisanopensourcephotogalleryapplicationfortheweb.Priortoversion16.3.0,aSQLInjectionvulnerabilityexistsinthepwg.users.getListWebServiceAPImethod.ThefilterparameterisdirectlyconcatenatedintoaSQLquerywithoutproper2026-sanitization,allowingauthenticatedadministratorstoexecutearbitrarySQLcommands.Thisissuehasbeenpatchedinversion16.3.0.27834 CVE-TheWidgetsforSocialPhotoFeedpluginforWordPressisvulnerabletoStoredCross-SiteScriptingviathe'feeddata'parameterkeysinallversionsupto,andincluding,1.7.9duetoinsufficientinputsanitizationandoutputescaping.Thismakesit2026-possibleforunauthenticatedattackerstoinjectarbitrarywebscriptsinpagesthatwillexecutewheneverauseraccessesaninjectedpage.5425 CVE- 2026-TheSpamProtectforContactForm7WordPresspluginbefore1.2.10allowsloggingtoaPHPfile,whichcouldallowanattackerwitheditoraccesstoachieveRemoteCodeExecutionbyusingacraftedheader 1540 
CVE-TheVisitorTrafficRealTimeStatisticspluginforWordPressisvulnerabletoStoredCross-SiteScriptingviathe'pagetitle'parameterinallversionsupto,andincluding,8.4duetoinsufficientinputsanitizationandoutputescaping.Thismakesit2026-possibleforunauthenticatedattackerstoinjectarbitrarywebscriptsinpagesthatwillexecutewheneveranadminuseraccessestheTrafficbyTitlesection.2936 CVE-TheWebmentionpluginforWordPressisvulnerabletoServer-SideRequestForgeryinallversionsupto,andincluding,5.6.2inthe'MF2::parseauthorpage'functionviathe'Receiver::post'function.Thismakesitpossibleforunauthenticated2026-attackerstomakewebrequeststoarbitrarylocationsoriginatingfromthewebapplicationandcanbeusedtoqueryandmodifyinformationfrominternalservices.0686 CVE- 2026-GLPIisaFreeAssetandITManagementSoftwarepackage.From0.60tobefore10.0.24,anauthenticatedtechnicianusercanstoreanXSSpayloadinasupplierfields.Thisvulnerabilityisfixedin10.0.24. 25932 CVE-Ech0isanopen-source,self-hostedpublishingplatformforpersonalideasharing.Priorto4.2.8,theGET/api/website/titleendpointacceptsanarbitraryURLviathewebsiteurlqueryparameterandmakesaserver-sideHTTPrequesttoitwithoutany 2026-validationofthetargethostorIPaddress.Theendpointrequiresnoauthentication.Anattackercanusethistoreachinternalnetworkservices,cloudmetadataendpoints(169.254.169.254),andlocalhost-boundservices,withpartialresponsedata 35037exfiltratedviatheHTML

tagextractionThisvulnerabilityisfixedin4.2.8. CVE-DuetotheimproperneutralisationofspecialelementsusedinanOScommand,aremoteattackercanexploitanRCEvulnerabilityinthegenerateSrpArrayfunction,resultinginfullsystemcompromise.Thisvulnerabilitycanonlybeattackedifthe2026-attackerhassomeotherwaytowritearbitrarydatatotheusertable.33613 CVE-MyBBDownloadsPlugin2.0.3containsapersistentcross-sitescriptingvulnerabilitythatallowsregularmemberstoinjectmaliciousscriptsthroughthedownloadtitlefield.AttackerscansubmitanewdownloadwithHTML/JavaScriptcodeinthetitle2018-parameter,whichexecuteswhenadministratorsvalidatethedownloadindownloads.php.25248 CVE- 2026-GLPIisafreeassetandITmanagementsoftwarepackage.From10.0.0tobefore10.0.24and11.0.6,anauthenticatedusercanperformaSQLinjectionviathelogsexportfeature.Thisvulnerabilityisfixedin10.0.24and11.0.6. 29047 CVE- 2026-InTornadobefore6.5.5,cookieattributeinjectioncouldoccurbecausethedomain,path,andsamesiteargumentsto.RequestHandler.setcookiewerenotcheckedforcraftedcharacters. 
35536 PraisonAIisamulti-agentteamssystem.Priorto1.5.113,PraisonAI'sreciperegistrypublishendpointwritesuploadedrecipebundlestoafilesystempathderivedfromthebundle'sinternalmanifest.jsonbeforeitverifiesthatthemanifestnameandCVE-versionmatchtheHTTProute.Amaliciouspublishercanplace../traversalsequencesinthebundlemanifestandcausetheregistryservertocreatefilesoutsidetheconfiguredregistryrooteventhoughtherequestisultimatelyrejectedwithHTTP2026-400.Thisisanarbitraryfilewrite/pathtraversalissueontheregistryhost.Itaffectsdeploymentsthatexposethereciperegistrypublishflow.Iftheregistryisintentionallyrunwithoutatoken,anynetworkclientthatcanreachtheservicecan39308triggerit.Ifatokenisconfigured,anyuserwithpublishaccesscanstillexploitit.Thisvulnerabilityisfixedin1.5.113. CVE-EndianFirewallversion3.3.25andpriorallowauthenticateduserstodeletearbitraryfilesviadirectorytraversalintheremoveARCHIVEparameterto/cgi-bin/backup.cgi.TheremoveARCHIVEparametervalueisusedtoconstructafilepathwithout2026-sanitizationofdirectorytraversalsequences,whichisthenpassedtoanunlink()call.34790 Kedroisatoolboxforproduction-readydatascience.Priorto1.3.0,thegetversionedpath()methodinkedro/io/core.pyconstructsfilesystempathsbydirectlyinterpolatinguser-suppliedversionstringswithoutsanitization.Becauseversionstrings CVE-areusedaspathcomponents,traversalsequencessuchas../arepreservedandcanescapetheintendedversioneddatasetdirectory.Thisisreachablethroughmultipleentrypoints:catalog.load(...,version=...),DataCatalog.fromconfig(..., 
2026-loadversions=...),andtheCLIviakedrorun--load-versions=dataset:../../../secrets.AnattackerwhocaninfluencetheversionstringcanforceKedrotoloadfilesfromoutsidetheintendedversiondirectory,enablingunauthorizedfilereads,data 35167poisoning,orcross-tenantdataaccessinsharedenvironments.Thisvulnerabilityisfixedin1.3.0.

CVE- ThePaidMembershipPlugin,Ecommerce,UserRegistrationForm,LoginForm,UserProfile&RestrictContent-ProfilePresspluginforWordPressisvulnerabletounauthorizedmembershippaymentbypassinallversionsupto,andincluding,4.16.11. 2026- Thisisduetoamissingownershipverificationonthechange_plan_sub_idparameterintheprocess_checkout()function.Thismakesitpossibleforauthenticatedattackers,withsubscriberlevelaccessandabove,toreferenceanotheruser'sactive 3445 subscriptionduringcheckouttomanipulateprorationcalculations,allowingthemtoobtainpaidlifetimemembershipplanswithoutpaymentviatheppress_process_checkoutAJAXaction. CVE- WWBNAVideoisanopensourcevideoplatform.Inversions26.0andprior,objects/aVideoEncoder.json.phpstillallowsattacker-controlleddownloadURLvalueswithcommonmediaorarchiveextensionssuchas.mp4,.mp3,.zip,.jpg,.png,.gif,and .webmtobypassSSRFvalidation.Theserverthenfetchestheresponseandstoresitasmediacontent.Thisallowsanauthenticateduploadertoturntheupload-by-URLflowintoareliableSSRFresponse-exfiltrationprimitive.Thevulnerabilityis 39370 causedbyanincompletefixforCVE-2026-27732. CVE- OpenHarnesspriortocommit166fcfecontainsanimproperaccesscontrolvulnerabilityinbuilt-infiletoolsduetoinconsistentparameterhandlinginpermissionenforcement,allowingattackerswhocaninfluenceagenttoolexecutiontoreadarbitrary localfilesoutsidetheintendedrepositoryscope.AttackerscanexploitthepathparameternotbeingpassedtothePermissionCheckerinreadfile,writefile,editfile,andnotebookedittoolstobypassdenyrulesandaccesssensitivefilessuchas


22682 configurationfiles,credentials,andSSHmaterial,orcreateandoverwritefilesinrestrictedhostpathsinfullautomode. CVE- Cryptographicissuewhilecopyingdatatoadestinationbufferwithoutvalidatingitssize. 47400 CVE- openFPGALoaderisautilityforprogrammingFPGAs.In1.1.1andearlier,aheap-buffer-overflowreadvulnerabilityexistsinPOFParser::parseSection()thatallowsout-of-boundsheapmemoryaccesswhenparsingacrafted.poffile.NoFPGAhardware2026- isrequiredtotriggerthisvulnerability.35176 CVE- Tinaisaheadlesscontentmanagementsystem.Priortoversion2.2.2,@tinacms/clirecentlyaddedlexicalpath-traversalcheckstothedevmediaroutes,buttheimplementationstillvalidatesonlythepathstringanddoesnotresolvesymlinkor 2026- junctiontargets.Ifalinkalreadyexistsunderthemediaroot,Tinaacceptsapathlikepivot/written-from-media.txtas"inside"themediadirectoryandthenperformsrealfilesystemoperationsthroughthatlinktarget.Thisallowsout-of-rootmedia 34603 listingandwriteaccess,andthesamerootcausealsoaffectsdelete.Thisissuehasbeenpatchedinversion2.2.2. CVE- Addressedapotentialinsecuredirectobjectreference(IDOR)vulnerabilityinthesigninginvitationacceptanceprocess.Undercertainconditions,thisissuecouldhaveallowedanattackertoaccessormodifyunauthorizedresourcesbymanipulating 2026- user-suppliedobjectidentifiers,potentiallyleadingtoforgedsignaturesandcompromisingtheintegrityandauthenticityofdocumentsundergoingthesigningprocess.Theissuewascausedbyinsufficientauthorizationvalidationonreferenced 4947 resourcesduringrequestprocessing. 
CVE- HirschmannIndustrialHiVisionversions06.0.00and07.0.00priorto06.0.06and07.0.01containsanimproperauthorizationvulnerabilitythatallowsread-onlyuserstogainwriteaccesstomanageddevicesbybypassingaccesscontrolmechanisms.2017- AttackerscanexploitalternativeinterfacessuchasthewebinterfaceorSNMPbrowsertomodifydeviceconfigurationsdespitehavingrestrictedpermissions.20238 CVE- 2024- Apermissionsissuewasaddressedwithadditionalrestrictions.ThisissueisfixedinmacOSSequoia15.1.AnappmaybeabletoaccessContactswithoutuserconsent. 40858 CVE- SDLimageisalibrarytoloadimagesofvariousformatsasSDLsurfaces.Indolayersurface()insrc/IMGxcf.c,pixelindexvaluesfromdecodedXCFtiledataareuseddirectlyascolormapindiceswithoutvalidatingthemagainstthecolormapsize 2026- (cmnum).Acrafted.xcffilewithasmallcolormapandout-of-rangepixelindicescausesheapout-of-boundsreadsofupto762bytespastthecolormapallocation.BothIMAGEINDEXEDcodepathsareaffected(bpp=1andbpp=2).Theleakedheap 35444 bytesarewrittenintotheoutputsurfacepixeldata,makingthempotentiallyobservableintherenderedimage.Thisvulnerabilityisfixedwithcommit996bf12888925932daace576e09c3053410896f8. 
CVE-2026-35412: Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.1, Directus' TUS resumable upload endpoint (/files/tus) allows any authenticated user with basic file upload permissions to overwrite arbitrary existing files by UUID. The TUS controller performs only collection-level authorization checks, verifying the user has some permission on directus_files, but never validates item-level access to the specific file being replaced. As a result, row-level permission rules (e.g., "users can only update their own files") are completely bypassed via the TUS path while being correctly enforced on the standard REST upload path. This vulnerability is fixed in 11.16.1.

CVE-2026-35170: openFPGALoader is a utility for programming FPGAs. In 1.1.1 and earlier, a heap-buffer-overflow read vulnerability exists in BitParser::parseHeader() that allows out-of-bounds heap memory access when parsing a crafted .bit file. No FPGA hardware is required to trigger this vulnerability.

CVE-2026-34379: OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.2.0 to before 3.2.7, 3.3.9, and 3.4.9, a misaligned memory write vulnerability exists in LossyDctDecoder_execute() in src/lib/OpenEXRCore/internal_dwa_decoder.h:749. When decoding a DWA or DWAB-compressed EXR file containing a FLOAT-type channel, the decoder performs an in-place HALF→FLOAT conversion by casting an unaligned uint8_t row pointer to float and writing through it. Because the row buffer may not be 4-byte aligned, this constitutes undefined behavior under the C standard and crashes immediately on architectures that enforce alignment (ARM, RISC-V, etc.). On x86 it is silently tolerated at runtime but remains exploitable via compiler optimizations that assume aligned access. This vulnerability is fixed in 3.2.7, 3.3.9, and 3.4.9.
CVE- BraveCMSisanopen-sourceCMS.Priorto2.0.6,anInsecureDirectObjectReference(IDOR)vulnerabilityexistsinthearticleimagedeletionfeature.Itislocatedinapp/Http/Controllers/Dashboard/ArticleController.phpwithinthedeleteImage2026- method.TheendpointacceptsafilenamefromtheURLbutdoesnotverifyownership.Thisallowsanauthenticateduserwitheditpermissionstodeleteimagesattachedtoarticlesownedbyotherusers.Thisvulnerabilityisfixedin2.0.6.35183 CVE- Tinaisaheadlesscontentmanagementsystem.Priortoversion2.2.2,@tinacms/graphqlusesstring-basedpathcontainmentchecksinFilesystemBridge.Thatblocksplain../traversal,butitdoesnotresolvesymlinkorjunctiontargets.Ifa 2026- symlink/junctionalreadyexistsundertheallowedcontentroot,apathlikecontent/posts/pivot/owned.mdisstillconsidered"inside"thebaseeventhoughtherealfilesystemtargetcanbeoutsideit.Asaresult,FilesystemBridge.get(),put(),delete(), 34604 andglob()canoperateonfilesoutsidetheintendedroot.Thisissuehasbeenpatchedinversion2.2.2. CVE- listmonkisastandalone,self-hosted,newsletterandmailinglistmanager.Fromversion4.1.0tobeforeversion6.1.0,asessionmanagementvulnerabilityallowspreviouslyissuedauthenticatedsessionstoremainvalidaftersensitiveaccount 2026- securitychanges,specificallypasswordresetandpasswordchange.Asaresult,anattackerwhohasalreadyobtainedavalidsessioncookiecanretainaccesstotheaccountevenafterthevictimchangesorresetstheirpassword.Thisweakens 34828 accountrecoveryandsessionsecurityguarantees.Thisissuehasbeenpatchedinversion6.1.0. 
CVE-2019-25663: SuiteCRM 7.10.7 contains a SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the parentTab parameter. Attackers can send GET requests to the email module with malicious parentTab values using boolean-based SQL injection techniques to extract sensitive database information.

CVE-2019-25664: SuiteCRM 7.10.7 contains a time-based SQL injection vulnerability in the record parameter of the Users module DetailView action that allows authenticated attackers to manipulate database queries. Attackers can append SQL code to the record parameter in GET requests to the index.php endpoint to extract sensitive database information through time-based blind SQL injection techniques.

CVE-2025-54601: An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1080, 1280, 1330, 1380, 1480, 1580, W920, W930, and W1000. Improper synchronization on a global variable leads to a double free. An attacker can trigger a race condition by invoking an ioctl function concurrently from multiple threads.

CVE-2025-54602: An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1080, 1280, 1330, 1380, 1480, 1580, W920, W930, and W1000. Improper synchronization on a global variable leads to a use-after-free. An attacker can trigger a race condition by invoking an ioctl function concurrently from multiple threads.

CVE-2026-34770: Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.1, 40.8.0, and 41.0.0-beta.8, apps that use the powerMonitor module may be vulnerable to a use-after-free. After the native PowerMonitor object is garbage-collected, the associated OS-level resources (a message window on Windows, a shutdown handler on macOS) retain dangling references. A subsequent session-change event (Windows) or system shutdown (macOS) dereferences freed memory, which may lead to a crash or memory corruption. All apps that access powerMonitor events (suspend, resume, lock-screen, etc.) are potentially affected. The issue is not directly renderer-controllable. This issue has been patched in versions 38.8.6, 39.8.1, 40.8.0, and 41.0.0-beta.8.

CVE-2026-34530: FileBrowser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to version 2.62.2, the SPA index page in FileBrowser is vulnerable to Stored Cross-Site Scripting (XSS) via admin-controlled branding fields. An admin who sets branding.name to a malicious payload injects persistent JavaScript that executes for ALL visitors, including unauthenticated users. This issue has been patched in version 2.62.2.
CVE- TheOWASPcoreruleset(CRS)isasetofgenericattackdetectionrulesforusewithcompatiblewebapplicationfirewalls.Priortoversions3.3.9and4.25.0,abypasswasidentifiedinOWASPCRSthatallowsuploadingfileswithdangerousextensions 2026- (.php,.phar,.jsp,.jspx)byinsertingwhitespacepaddinginthefilename(e.g.photo.phporshell.jsp).Theaffectedrulesdonotnormalizewhitespacebeforeevaluatingthefileextensionregex,sothedot-extensioncheckfailstomatch.Thisissuehas 33691 beenpatchedinversions3.3.9and4.25.0. CVE- Aremotecommandexecution(RCE)vulnerabilityinthe/goform/formReleaseConnectcomponentofUTTAggressive520Wv3v1.7.7-180627allowsattackerstoexecutearbitrarycommandsviaacraftedstring. 31067


CVE-(year missing)-34775: Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.4, 40.8.4, and 41.0.0, the nodeIntegrationInWorker webPreference was not correctly scoped in all configurations. In certain process-sharing scenarios, workers spawned in frames configured with nodeIntegrationInWorker: false could still receive Node.js integration. Apps are only affected if they enable nodeIntegrationInWorker. Apps that do not use nodeIntegrationInWorker are not affected. This issue has been patched in versions 38.8.6, 39.8.4, 40.8.4, and 41.0.0.

CVE-(year missing)-30603: An issue in the firmware update mechanism of Qianniao QN-L23PA0904 v20250721.1640 allows attackers to gain root access, install backdoors, and exfiltrate data via supplying a crafted iu.sh script contained in an SD card.

CVE-2026-35586: pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the ADMIN_ONLY_CORE_OPTIONS authorization set in set_config_value() uses incorrect option names ssl_cert and ssl_key, while the actual configuration option names are ssl_certfile and ssl_keyfile. This name mismatch causes the admin-only check to always evaluate to False, allowing any user with SETTINGS permission to overwrite the SSL certificate and key file paths. Additionally, the ssl_certchain option was never added to the admin-only set at all. This vulnerability is fixed in 0.5.0b3.dev97.

CVE-2025-64340: FastMCP is the standard framework for building MCP applications. Prior to version 3.2.0, server names containing shell metacharacters (e.g., &) can cause command injection on Windows when passed to fastmcp install claude-code or fastmcp install gemini-cli. These install paths use subprocess.run() with a list argument, but on Windows the target CLIs often resolve to .cmd wrappers that are executed through cmd.exe, which interprets metacharacters in the flattened command string. This issue has been patched in version 3.2.0.
CVE- 2026- AnissuewasdiscoveredinMbedTLSbefore3.6.6and4.xbefore4.1.0andTF-PSA-Cryptobefore1.1.0.ThereisaPredictableSeedinaPseudo-RandomNumberGenerator(PRNG). 34871 CVE- dyeisaportableandrespectfulcolorlibraryforshellscripts.Priorto1.1.1,certaindyetemplateexpressionswouldresultinexecutionofarbitrarycode.Thisissuewasdiscoveredandfixedbydye'sauthor,andisnotknowntobeexploited.This2026- vulnerabilityisfixedin1.1.1.35197 CVE- WWBNAVideoisanopensourcevideoplatform.Inversions26.0andprior,thePayPalIPNv1handleratplugin/PayPalYPT/ipn.phplackstransactiondeduplication,allowinganattackertoreplayasinglelegitimateIPNnotificationtorepeatedlyinflate2026- theirwalletbalanceandrenewsubscriptions.TheneweripnV2.phpandwebhook.phphandlerscorrectlydeduplicateviaPayPalYPTlogentries,butthev1handlerwasneverupdatedandremainsactivelyreferencedasthenotifyurlforbillingplans.39366 CVE- WWBNAVideoisanopensourcevideoplatform.Inversions26.0andprior,theLiverestreamlogcallbackflowacceptedanattacker-controlledrestreamerURLandlaterfetchedthatstoredURLserver-side,enablingstoredSSRFforauthenticated2026- streamers.Thevulnerableflowallowedalow-privilegeuserwithstreamingpermissiontostoreanarbitrarycallbackURLandtriggerserver-siderequeststoloopbackorinternalHTTPservicesthroughtherestreamlogfeature.39368 CVE- ThePieRegister-UserRegistration,Profiles&ContentRestrictionpluginforWordPressisvulnerabletounauthorizedmodificationofdataduetoamissingcapabilitycheckonthepiemain()functioninallversionsupto,andincluding,3.8.4.8.This2026- makesitpossibleforunauthenticatedattackerstochangeregistrationformstatus.3571 CVE- 
OpenPrintingCUPSisanopensourceprintingsystemforLinuxandotherUnix-likeoperatingsystems.Inversions2.4.16andprior,theRSSnotifierallows..pathtraversalinnotify-recipient-uri(e.g.,rss:///../job.cache),lettingaremoteIPPclientwrite 2026- RSSXMLbytesoutsideCacheDir/rss(anywherethatislp-writable).Inparticular,becauseCacheDirisgroup-writablebydefault(typicallyroot:lpandmode0770),thenotifier(runningaslp)canreplaceroot-managedstatefilesviatemp-file+ 34978 rename().ThisPoCclobbersCacheDir/job.cachewithRSSXML,andafterrestartingcupsdtheschedulerfailstoparsethejobcacheandpreviouslyqueuedjobsdisappear.Attimeofpublication,therearenopubliclyavailablepatches. CVE- 2026- InappropriateimplementationinANGLEinGoogleChromepriorto146.0.7680.178allowedaremoteattackertoleakcross-origindataviaacraftedHTMLpage.(Chromiumsecurityseverity:High) 5283 CVE- Out-of-boundswriteinthequeryprocessingcomponentsinAmazonAthenaODBCdriverbefore2.1.0.0mightallowathreatactortocrashthedriverbyusingspeciallycrafteddatathatisprocessedbythedriverduringqueryoperations.2026- remediatethisissue,usersshouldupgradetoversion2.1.0.0.35559 CVE- ScooldisaQ&Aandaknowledgesharingplatformforteams.Priorto1.66.2,anauthenticatedauthorizationflawinScooldallowsanylogged-in,low-privilegeusertooverwriteanotheruser'sexistingquestionbysupplyingthatquestion'spublicIDas 2026- thepostIdparametertoPOST/questions/ask.BecausequestionIDsareexposedinnormalquestionURLs,alow-privilegeattackercantakeavictimquestionIDfromapublicpageandcauseattacker-controlledcontenttobestoredunderthatexisting 39354 questionobject.Thiscausesdirectintegritylossofuser-generatedcontentandcorruptstheintegrityoftheexistingdiscussionthread.Thisvulnerabilityisfixedin1.66.2. 
CVE-2026-34787: Emlog is an open source website building system. In versions 2.6.2 and prior, a Local File Inclusion (LFI) vulnerability exists in admin/plugin.php at line 80. The $plugin parameter from the GET request is directly used in a require_once path without proper sanitization. If the CSRF token check can be bypassed (see potential bypass conditions), an attacker can include arbitrary PHP files from the server filesystem, leading to code execution. At time of publication, there are no publicly available patches.

CVE-2026-34889: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brainstorm Force Ultimate Addons for WPBakery Page Builder allows DOM-Based XSS. This issue affects Ultimate Addons for WPBakery Page Builder: from n/a before 3.21.4.

CVE-2026-39374: Plane is an open-source project management tool. Prior to 1.3.0, the IssueBulkUpdateDateEndpoint allows a project member (ADMIN or MEMBER) to modify the start date and target date of ANY issue across the entire Plane instance, regardless of workspace or project membership. The endpoint fetches issues by ID without filtering by workspace or project, enabling cross-boundary data modification. This vulnerability is fixed in 1.3.0.

CVE-2026-34788: Emlog is an open source website building system. In versions 2.6.2 and prior, a SQL injection vulnerability exists in include/model/tag_model.php at line 168. The updateTagName() function directly interpolates user input into the SQL query string without using parameterized queries or proper escaping ($this->db->escape_string()), making it vulnerable to SQL injection attacks. At time of publication, there are no publicly available patches.

CVE-2026-34779: Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.1, 40.8.0, and 41.0.0-beta.8, on macOS, app.moveToApplicationsFolder() used an AppleScript fallback path that did not properly handle certain characters in the application bundle path. Under specific conditions, a crafted launch path could lead to arbitrary AppleScript execution when the user accepted the move-to-Applications prompt. Apps are only affected if they call app.moveToApplicationsFolder(). Apps that do not use this API are not affected. This issue has been patched in versions 38.8.6, 39.8.1, 40.8.0, and 41.0.0-beta.8.

CVE-2026-34939: PraisonAI is a multi-agent teams system. Prior to version 4.5.90, MCPToolIndex.search_tools() compiles a caller-supplied string directly as a Python regular expression with no validation, sanitization, or timeout. A crafted regex causes catastrophic backtracking in the re engine, blocking the Python thread for hundreds of seconds and causing a complete service outage. This issue has been patched in version 4.5.90.

CVE-2026-5291: Inappropriate implementation in WebGL in Google Chrome prior to 146.0.7680.178 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)

CVE-2026-5276: Insufficient policy enforcement in WebUSB in Google Chrome prior to 146.0.7680.178 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)

CVE-(year missing)-34378: OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.4.0 to before 3.4.9, a missing bounds check on the dataWindow attribute in EXR file headers allows an attacker to trigger a signed integer overflow in generic_unpack(). By setting dataWindow.min.x to a large negative value, OpenEXRCore computes an enormous image width, which is later used in a signed integer multiplication that overflows, causing the process to terminate with SIGILL via UBSan. This vulnerability is fixed in 3.4.9.
CVE-(year missing)-35492: Kedro-Datasets is a Kedro plugin providing data connectors. Prior to 9.3.0, PartitionedDataset in kedro-datasets was vulnerable to path traversal. Partition IDs were concatenated directly with the dataset base path without validation. An attacker or malicious input containing .. components in a partition ID could cause files to be written outside the configured dataset directory, potentially overwriting arbitrary files on the filesystem. Users of PartitionedDataset with any storage backend (local filesystem, S3, GCS, etc.) are affected. This vulnerability is fixed in 9.3.0.

CVE-(year missing)-34890: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mark O'Donnell MSTW League Manager allows DOM-Based XSS. This issue affects MSTW League Manager: from n/a through 2.10.

CVE-2026-34832: Scoold is a Q&A and a knowledge sharing platform for teams. Prior to version 1.66.1, Scoold contains an authenticated authorization flaw in feedback deletion that allows any logged-in, low-privilege user to delete another user's feedback post by submitting its ID to POST /feedback/{id}/delete. The handler enforces authentication but does not enforce object ownership (or moderator/admin authorization) before deletion. In verification, a second non-privileged account successfully deleted a victim account's feedback item, and the item immediately disappeared from the feedback listing/detail views. This issue has been patched in version 1.66.1.

CVE-2026-34531: Flask-HTTPAuth provides Basic, Digest and Token HTTP authentication for Flask routes. Prior to version 4.8.1, in a situation where the client makes a request to a token protected resource without passing a token, or passing an empty token, Flask-HTTPAuth would invoke the application's token verification callback function with the token argument set to an empty string. If the application had any users in its database with an empty string set as their token, then it could potentially authenticate the client request against any of those users. This issue has been patched in version 4.8.1.
CVE-Anissuewasdiscoveredin6.0before6.0.4,5.2before5.2.13,and4.2before4.2.30.MultiPartParserallowsremoteattackerstodegradeperformancebysubmittingmultipartuploadswithContent-Transfer-Encoding:base64includingexcessive2026-whitespace.Earlier,unsupportedDjangoseries(suchas5.0.x,4.1.x,and3.2.x)werenotevaluatedandmayalsobeaffected.DjangowouldliketothankSeokchanYoonforreportingthisissue.33033 CVE-IBMDataPowerGateway10.6CD10.6.1.0through10.6.5.0andIBMDataPowerGateway10.5.010.5.0.0through10.5.0.20andIBMDataPowerGateway10.6.010.6.0.0through10.6.0.8IBMDataPowerGatewayisvulnerabletocross-siterequest2025-forgerywhichcouldallowanattackertoexecutemaliciousandunauthorizedactionstransmittedfromauserthatthewebsitetrusts.36375 CVE- 2026-TheSQLChartBuilderWordPresspluginbefore2.3.8doesnotproperlyescapeuserinputasitisconcatenedtoSQLqueries,makingitpossibleforattackerstoconductSQLInjectionattacksagainstthedynamicfilterfunctionality. 4079 CVE- 2026-TheLinkWhisperFreeWordPresspluginbefore0.9.1hasapubliclyaccessibleRESTendpointthatallowsunauthenticatedsettingsupdates. 
CVE-2026-20431: In Modem, there is a possible system crash due to a logic error. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01106496; Issue ID: MSV-4467.

CVE-2026-35441: Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus' GraphQL endpoints (/graphql and /graphql/system) did not deduplicate resolver invocations within a single request. An authenticated user could exploit GraphQL aliasing to repeat an expensive relational query many times in a single request, forcing the server to execute a large number of independent complex database queries concurrently, multiplying database load linearly with the number of aliases. The existing token limit on GraphQL queries still permitted enough aliases for significant resource exhaustion, while the relational depth limit applied per alias without reducing the total number executed. Rate limiting is disabled by default, meaning no built-in throttle prevented this from causing CPU, memory, and I/O exhaustion that could degrade or crash the service. Any authenticated user, including those with minimal read-only permissions, could trigger this condition. This vulnerability is fixed in 11.17.0.
CVE-Adenial-of-servicevulnerabilitywasidentifiedinTP-LinkTapoC520WSv2.6withintheHTTPrequestpathparsinglogic.Theimplementationenforceslengthrestrictionsontherawrequestpathbutdoesnotaccountforpathexpansionperformed2026-duringnormalization.AnattackerontheadjacentnetworkmaysendacraftedHTTPrequesttocausebufferoverflowandmemorycorruption,leadingtosysteminterruptionordevicereboot.34124 CVE-Astack-basedbufferoverflowvulnerabilitywasidentifiedinTP-LinkTapoC520WSv2.6withinaconfigurationhandlingcomponentduetoinsufficientinputvalidation.2026-avulnerableconfigurationparameter,resultinginastackoverflow.SuccessfulexploitationresultsinDenial-of-Service(DoS)condition,leadingtoaservicecrashordevicereboot,impactingavailability.34122 CVE-Aheap-basedbufferoverflowvulnerabilitywasidentifiedinTP-LinkTapoC520WSv2.6withintheasynchronousparsingoflocalvideostreamcontentduetoinsufficientalignmentandvalidationofbufferboundarieswhenprocessingstreaming 2026-inputs.Anattackeronthesamenetworksegmentcouldtriggerheapmemorycorruptionconditionsbysendingcraftedpayloadsthatcausewriteoperationsbeyondallocatedbufferboundaries.SuccessfulexploitationcausesaDenial-of-Service(DoS) 34120condition,causingthedevice'sprocesstocrashorbecomeunresponsive. 
CVE-2026-35383: Bentley Systems iTwin Platform exposed a Cesium ion access token in the source of some web pages. An unauthenticated attacker could use this token to enumerate or delete certain assets. As of 2026-03-27, the token is no longer present in the web pages and cannot be used to enumerate or delete assets.

CVE-2026-34119: A heap-based buffer overflow vulnerability was identified in TP-Link Tapo C520WS v2.6 within the HTTP parsing loop when appending segmented request bodies without continuous write-boundary verification, due to insufficient boundary validation when handling externally supplied HTTP input. An attacker on the same network segment could trigger heap memory corruption conditions by sending crafted payloads that cause write operations beyond allocated buffer boundaries. Successful exploitation causes a Denial-of-Service (DoS) condition, causing the device's process to crash or become unresponsive.

CVE-2026-34118: A heap-based buffer overflow vulnerability was identified in TP-Link Tapo C520WS v2.6 in the HTTP POST body parsing logic due to missing validation of remaining buffer capacity after dynamic allocation, due to insufficient boundary validation when handling externally supplied HTTP input. An attacker on the same network segment could trigger heap memory corruption conditions by sending crafted payloads that cause write operations beyond allocated buffer boundaries. Successful exploitation causes a Denial-of-Service (DoS) condition, causing the device's process to crash or become unresponsive.
CVE-AvulnerabilitywasfoundinSourceCodester/mayurikBestCourierManagementSystem1.0.Affectedbythisissueissomeunknownfunctionalityofthefile/ajax.php?action=deleteuserofthecomponentUserDeleteHandler.Performinga2026-manipulationoftheargumentIDresultsinimproperaccesscontrols.Theattackmaybeinitiatedremotely.Theexploithasbeenmadepublicandcouldbeused.5330 CVE- 2026-ImproperNeutralizationofInputDuringWebPageGeneration('Cross-siteScripting')vulnerabilityinDavidLingrenMediaLIbraryAssistantallowsStoredXSS.ThisissueaffectsMediaLIbraryAssistant:fromn/athrough3.34. 34897 CVE- 2026-SignalKServerisaserverapplicationthatrunsonacentralhubinaboat.Priortoversion2.24.0,thereisanarbitraryprototypereadvulnerabilityviafromfieldbypass.Thisvulnerabilityallowsalow-privilegedauthenticatedusertobypass 35038prototypeboundaryfilteringtoextractinternalfunctionsandpropertiesfromtheglobalprototypeobjectthisviolatesdataisolationandletsauserreadmorethantheyshould.Thisissuehasbeenpatchedinversion2.24.0.


CVE-2025-47374: Memory Corruption when accessing freed memory due to concurrent fence deregistration and signal handling.

CVE-(year missing)-35173: Chyrp Lite is an ultra-lightweight blogging engine. Prior to 2026.01, an IDOR/Mass Assignment issue exists in the Post model that allows authenticated users with post editing permissions (EditPost, EditDraft, EditOwnPost, EditOwnDraft) to modify posts they do not own and do not have permission to edit. By passing internal class properties such as id into the post attributes payload, an attacker can alter the object being instantiated. As a result, further actions are performed on another user's post rather than the attacker's own post, effectively enabling post takeover. This vulnerability is fixed in 2026.01.

CVE-(year missing)-33533: Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.3, the Glances XML-RPC server (activated with glances -s or glances --server) sends Access-Control-Allow-Origin: * on every HTTP response. Because the XML-RPC handler does not validate the Content-Type header, an attacker-controlled web page can issue a CORS "simple request" (POST with Content-Type: text/plain) containing a valid XML-RPC payload. The browser sends the request without a preflight check, the server processes the XML body and returns the full system monitoring dataset, and the wildcard CORS header lets the attacker's JavaScript read the response. The result is complete exfiltration of hostname, OS version, IP addresses, CPU/memory/disk/network stats, and the full process list including command lines (which often contain tokens, passwords, or internal paths). This issue has been patched in version 4.5.3.

CVE-(year missing)-34756: vLLM is an inference and serving engine for large language models (LLMs). From 0.1.0 to before 0.19.0, a Denial of Service vulnerability exists in the vLLM OpenAI-compatible API server. Due to the lack of an upper bound validation on the n parameter in the ChatCompletionRequest and CompletionRequest Pydantic models, an unauthenticated attacker can send a single HTTP request with an astronomically large n value. This completely blocks the Python asyncio event loop and causes immediate Out-Of-Memory crashes by allocating millions of request object copies in the heap before the request even reaches the scheduling queue. This vulnerability is fixed in 0.19.0.

CVE-2026-34755: vLLM is an inference and serving engine for large language models (LLMs). From 0.7.0 to before 0.19.0, the VideoMediaIO.load_base64() method at vllm/multimodal/media/video.py splits video/jpeg data URLs by comma to extract individual JPEG frames, but does not enforce a frame count limit. The num_frames parameter (default: 32), which is enforced by the load_bytes() code path, is completely bypassed in the video/jpeg base64 path. An attacker can send a single API request containing thousands of comma-separated base64-encoded JPEG frames, causing the server to decode all frames into memory and crash with OOM. This vulnerability is fixed in 0.19.0.
CVE-2026-34750: Payload is a free and open source headless content management system. Prior to version 3.78.0 in @payloadcms/storage-azure, @payloadcms/storage-gcs, @payloadcms/storage-r2, and @payloadcms/storage-s3, the client-upload signed-URL endpoints for S3, GCS, Azure, and R2 did not properly sanitize filenames. An attacker could craft filenames to escape the intended storage location. This issue has been patched in version 3.78.0 for @payloadcms/storage-azure, @payloadcms/storage-gcs, @payloadcms/storage-r2, and @payloadcms/storage-s3.

CVE-2026-4668: The Booking for Appointments and Events Calendar - Amelia plugin for WordPress is vulnerable to SQL Injection via the sort parameter in the payments listing endpoint in all versions up to, and including, 2.1.2. This is due to insufficient escaping on the user-supplied sort parameter and lack of sufficient preparation on the existing SQL query in PaymentRepository.php, where the sort field is interpolated directly into an ORDER BY clause without sanitization or whitelist validation. PDO prepared statements do not protect ORDER BY column names. GET requests also skip Amelia's nonce validation entirely. This makes it possible for authenticated attackers, with Manager-level (wpamelia-manager) access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database via time-based blind SQL injection.
CVE-AvulnerabilityintheconfigurationbackupfeatureofCiscoNexusDashboardcouldallowanattackerwhohastheencryptionpasswordandaccesstoFullorConfig-onlybackupfilestoaccesssensitiveinformation. 2026-authenticationdetailsareincludedintheencryptedbackupfiles.Anattackerwithavalidbackupfileandencryptionpasswordfromanaffecteddevicecoulddecryptthebackupfile.Theattackercouldthenusetheauthenticationdetailsinthebackup 20042filetoaccessinternal-onlyAPIsontheaffecteddevice.Asuccessfulexploitcouldallowtheattackertoexecutearbitrarycommandsontheunderlyingoperatingsystemastherootuser. CVE-ABusinessLogicvulnerabilityexistsinSourceCodesterLoanManagementSystemv1.0duetoimproperserver-sidevalidation.Theapplicationallowsadministratorstocreate"LoanPlans"withspecificpenaltyratesforoverduepayments.Whilethe 2026-frontendinterfacepreventsusersfromenteringnegativenumbersinthe"MonthlyOverduePenalty"field,thisconstraintisnotenforcedonthebackend.Anauthenticatedattackercanbypasstheclient-siderestrictionbymanipulatingtheHTTPPOST 30522requesttosubmitanegativevalueforthepenaltyrate. CVE- 2026-MbedTLSv3.3.0upto3.6.5and4.0.0allowsAlgorithmDowngrade. 25834 CVE- 2026-Anunauthenticatedremotecodeexecution(RCE)vulnerabilityexistsinapplicationsthatusetheReplicatornodepackagemanager(npm)version1.0.5todeserializeuntrusteduserinputandexecutetheresultingobject. 2265 CVE-Avulnerabilityintheweb-basedmanagementinterfaceofCiscoIMCcouldallowanauthenticated,remoteattackerwithadmin-levelprivilegestoexecutearbitrarycodeastherootuser. 
Thisvulnerabilityisduetoimpropervalidationofuser- 2026-suppliedinputtotheweb-basedmanagementinterface.AnattackercouldexploitthisvulnerabilitybysendingcraftedHTTPrequeststoanaffecteddevice.Asuccessfulexploitcouldallowtheattackertoexecutearbitrarycodeontheunderlying 20097operatingsystemastherootuser.CiscohasassignedthisvulnerabilityaSIRofHighratherthanMediumasthescoreindicatesbecauseadditionalsecurityimplicationscouldoccurwhentheattackerbecomesroot. Avulnerabilityintheweb-basedmanagementinterfaceofCiscoIMCcouldallowanauthenticated,remoteattackerwithadmin-levelprivilegestoperformcommandinjectionattacksonanaffectedsystemand executearbitrarycommandsasCVE-therootuser.Thisvulnerabilityisduetoimpropervalidationofuser-suppliedinput.Anattackercouldexploitthisvulnerabilitybysendingcraftedcommandstotheweb-basedmanagementinterfaceoftheaffectedsoftware.Asuccessfulexploitcould2026-allowtheattackertoexecutearbitrarycommandsontheunderlyingoperatingsystemastherootuser.CiscohasassignedthisvulnerabilityaSecurityImpactRating(SIR)ofHigh,ratherthanMediumasthescoreindicates,becauseadditional20096securityimplicationscouldoccuroncetheattackerhasbecomeroot. 
Avulnerabilityintheweb-basedmanagementinterfaceofCiscoIMCcouldallowanauthenticated,remoteattackerwithadmin-levelprivilegestoperformcommandinjectionattacksonanaffectedsystemand executearbitrarycommandsasCVE-therootuser.Thisvulnerabilityisduetoimpropervalidationofuser-suppliedinput.Anattackercouldexploitthisvulnerabilitybysendingcraftedcommandstotheweb-basedmanagementinterfaceoftheaffectedsoftware.Asuccessfulexploitcould2026-allowtheattackertoexecutearbitrarycommandsontheunderlyingoperatingsystemastherootuser.CiscohasassignedthisvulnerabilityaSecurityImpactRating(SIR)ofHigh,ratherthanMediumasthescoreindicates,becauseadditional20095securityimplicationscouldoccuroncetheattackerhasbecomeroot. CVE-AnissuewasdiscoveredinMariaDBServerbefore11.4.10,11.5.xthrough11.8.xbefore11.8.6,and12.xbefore12.2.2.Ifthecachingsha2passwordauthenticationpluginisinstalled,andsomeuseraccountsareconfiguredtouseit,alargepacket2026-cancrashtheserverbecausesha256cryptrusesalloca.35549 CVE-AsecurityvulnerabilityhasbeendetectedinTechnostrobeHI-LED-WR120-G25.5.0.1R6.03.30.AffectedisthefunctiondeletefileofthecomponentFsBrowseClean.Themanipulationoftheargumentdir/pathleadstomissingauthorization.Theattack2026-maybeinitiatedremotely.Theexploithasbeendisclosedpubliclyandmaybeused.Thevendorwascontactedearlyaboutthisdisclosurebutdidnotrespondinanyway.5574 CVE-ExposureofsensitiveinformationintheusersMFAfeatureinDevolutionsServerallowsuserswithusermanagementprivilegestoobtainotherusersOTPkeysviaanauthenticatedAPIrequest.2026-2026.1.11.4927 
CVE-ThePaidMembershipPlugin,Ecommerce,UserRegistrationForm,LoginForm,UserProfile&RestrictContent-ProfilePresspluginforWordPressisvulnerabletoarbitraryshortcodeexecutioninallversionsupto,andincluding,4.16.11.Thisisdueto 2026-thepluginallowinguser-suppliedbillingfieldvaluesfromthecheckoutprocesstobeinterpolatedintoshortcodetemplatestringsthataresubsequentlyprocessedwithoutpropersanitizationofshortcodesyntax.Thismakesitpossiblefor 3309unauthenticatedattackerstoexecutearbitraryshortcodesbysubmittingcraftedbillingfieldvaluesduringthecheckoutprocess. CVE-ChangeDetection.ioversionspriorto0.54.7containaprotectionbypassvulnerabilityintheSafeXPath3ParserimplementationthatallowsattackerstoreadarbitrarylocalfilesbyusingunblockedXPath3.0/3.1functionssuchasjson-doc()andsimilar2026-file-accessprimitives.AttackerscanexploittheincompleteblocklistofdangerousXPathfunctionstoaccesssensitivedatafromthelocalfilesystem.35000 CVE-ABusinessLogicvulnerabilityexistsinSourceCodesterLoanManagementSystemv1.0duetothelackofproperinputvalidation.Theapplicationallowsadministratorstodefine"LoanPlans"whichdeterminethedurationofaloan(inmonths).2026-However,thebackendfailstovalidatethatthedurationmustbeapositiveinteger.Anattackercansubmitanegativevalueforthemonthsparameter.Thesystemacceptsthisinvaliddataandcreatesaloanplanwithanegativeduration.30523 
CVE-TheSimpleShoppingCartpluginforWordPressisvulnerabletoStoredCross-SiteScriptingviatheplugin's'wpscdisplayproduct'shortcodeinallversionsupto,andincluding,5.2.4duetoinsufficientinputsanitizationandoutputescapingonuser2026-suppliedattributes.Thismakesitpossibleforauthenticatedattackers,withcontributor-levelaccessandabove,toinjectarbitrarywebscriptsinpagesthatwillexecutewheneverauseraccessesaninjectedpage.0552


CVE- Pi-holeisaLinuxnetwork-leveladvertisementandInternettrackerblockingapplication.Version6.4hasalocalprivilege-escalationvulnerabilityallowscodeexecutionasrootfromthelow-privilegepiholeaccount.Importantcontext:thepihole 2026- accountusesnologin,sothisisnotadirectinteractive-loginissue.However,nologindoesnotpreventcodefromrunningasUIDpiholeifaPi-holecomponentiscompromised.Inthatrealisticpost-compromisescenario,attacker-controlledcontentin 33727 /etc/pihole/versionsissourcedbyroot-runPi-holescripts,leadingtorootcodeexecution.Thisvulnerabilityisfixedin6.4.1. CVE- TheWPShortcodesPlugin-ShortcodesUltimatepluginforWordPressisvulnerabletoStoredCross-SiteScriptingviathesucarouselshortcodeinallversionsupto,andincluding,7.4.8.Thisisduetoinsufficientinputsanitizationandoutputescaping inthe'suslidelink'attachmentmetafield.Thismakesitpossibleforauthenticatedattackers,withauthorlevelaccessandabove,toinjectarbitrarywebscriptsinpagesthatwillexecutewheneverauseraccessesaninjectedpage. CVE- TheRoyalAddonsforElementorpluginforWordPressisvulnerabletoStoredCross-SiteScriptingviathe'buttontext'parameterinallversionsupto,andincluding,1.7.1049duetoinsufficientinputsanitizationandoutputescaping.Thismakesit


possibleforauthenticatedattackers,withcontributorlevelaccessandabove,toinjectarbitrarywebscriptsinpagesthatwillexecutewheneverauseraccessesaninjectedpage. CVE-TheXproAddons--140+WidgetsforElementorpluginforWordPressisvulnerabletoStoredCross-SiteScriptingviathePricingWidget's'onClickEvent'settinginallversionsupto,andincluding,1.4.20duetoinsufficientinputsanitizationand outputescaping.Thismakesitpossibleforauthenticatedattackers,withcontributorlevelaccessandabove,toinjectarbitrarywebscriptsinpagesthatwillexecutewheneverauseraccessesaninjectedpage.13368 CVE-TheWPShortcodesPlugin-ShortcodesUltimatepluginforWordPressisvulnerabletoStoredCross-SiteScriptinginallversionsupto,andincluding,7.4.7.Thisisduetoinsufficientinputsanitizationandoutputescapinginthe'src'attributeofthe2026-sulightboxshortcode.Thismakesitpossibleforauthenticatedattackers,withcontributorlevelaccessandabove,toinjectarbitrarywebscriptsinpagesthatwillexecutewheneverauseraccessesaninjectedpage.0737 CVE-TheUltimateMember-UserProfile,Registration,Login,MemberDirectory,ContentRestriction&MembershipPluginpluginforWordPressisvulnerabletoStoredCross-SiteScriptingviatheuserdescriptionfieldinallversionsupto,andincluding, 2025-2.11.1duetoinsufficientinputsanitizationandoutputescaping.Thismakesitpossibleforauthenticatedattackers,withsubscriberlevelaccessandabove,toinjectarbitrarywebscriptsinpagesthatwillexecutewheneverauseraccessesan 15064injectedpage.Thevulnerabilityisonlyexploitablewhen"HTMLsupportforuserdescription"isenabledinUltimateMembersettings. 
CVE-MyBBMyArcadePlugin1.3containsapersistentcross-sitescriptingvulnerabilitythatallowsauthenticateduserstoinjectmaliciousscriptsthrougharcadegamescorecomments.AttackerscanaddcraftedHTMLandJavaScriptpayloadsinthe2018-commentfieldthatexecutewhenotherusersvieworeditthecomment.25249 CVE-TheWPTravelEngine-TourBookingPlugin-TourOperatorSoftwarepluginforWordPressisvulnerabletoStoredCross-SiteScriptingviatheplugin's'wtetriptax'shortcodeinallversionsupto,andincluding,6.7.5duetoinsufficientinput 2026-sanitizationandoutputescapingonusersuppliedattributes.Thismakesitpossibleforauthenticatedattackers,withcontributorlevelaccessandabove,toinjectarbitrarywebscriptsinpagesthatwillexecutewheneverauseraccessesaninjected 2437page. CVE-TheGutenverse-UltimateWordPressFSEBlocksAddons&EcosystempluginforWordPressisvulnerabletoStoredCross-SiteScriptingviathe'imageLoad'parameterinversionsupto,andincluding,3.4.6duetoinsufficientinputsanitizationand2026-outputescaping.Thismakesitpossibleforauthenticatedattackers,withcontributor-levelaccessandabove,toinjectarbitrarywebscriptsinpagesthatwillexecutewheneverauseraccessesaninjectedpage.2924 CVE-TheWPFunnels-EasyFunnelBuilderToOptimizeBuyerJourneysAndGetMoreLeads&SalespluginforWordPressisvulnerabletoStoredCross-SiteScriptingviathe'wpfoptinform'shortcodeinallversionsupto,andincluding,3.7.9dueto 2026-insufficientinputsanitizationandoutputescapingofthe'buttonicon'parameter.Thismakesitpossibleforauthenticatedattackers,withcontributorlevelaccessandabove,toinjectarbitrarywebscriptsinpagesthatwillexecutewheneverauser 0626accessesaninjectedpage. 
CVE-AraceconditionduringTCPconnectionteardowncancausetcprecv()tooperateonaconnectionthathasalreadybeenreleased.Iftcpconnsearch()returnsNULLwhileprocessingaSYNpacket,aNULLpointerderivedfromstalecontextdatais2026-passedtotcpbacklogisfull()anddereferencedwithoutvalidation,leadingtoacrash.5590 CVE-AnissuethatallowedaSQLinjectionattackvectorrelatedtosavedqueries(introducedinversion4.0.260123.0).ThisisaninstanceofCWE-89:ImproperNeutralizationofSpecialElementsusedinanSQLCommand('SQLInjection'),andhasan2026-estimatedCVSSscoreofCVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H(6.4Medium).Thisissuewasfixedinversion4.0.260123.1oftherunZeroPlatform.5372 CVE-TheElementsKitElementorAddonsandTemplatespluginforWordPressisvulnerabletoStoredCross-SiteScriptingviathe'ekittabtitle'parameterintheSimpleTabwidgetinallversionsupto,andincluding,3.7.9duetoinsufficientinput 2026-sanitizationandoutputescapingonusersuppliedattributes.Thismakesitpossibleforauthenticatedattackers,withcontributor-levelaccessandabove,toinjectarbitrarywebscriptsinpagesthatwillexecutewheneverauseraccessesaninjected 2600page. 
CVE-TheXproAddons--140+WidgetsforElementorpluginforWordPressisvulnerabletoStoredCross-SiteScriptingviatheIconBoxwidgetinversionsupto,andincluding,1.4.24duetoinsufficientinputsanitizationandoutputescaping.Thismakesit2026-possibleforauthenticatedattackers,withcontributor-levelaccessandabove,toinjectarbitrarywebscriptsinpagesthatwillexecutewheneverauseraccessesaninjectedpage.2949 CVE-EndianFirewallversion3.3.25andpriorallowstoredcross-sitescripting(XSS)viatheremarkparameterto/cgi-bin/zonefw.cgi.AnauthenticatedattackercaninjectarbitraryJavaScriptthatisstoredandexecutedwhenotherusersviewtheaffected2026-page.34809 CVE-XenForobefore2.3.10andbefore2.2.19isvulnerabletostoredcross-sitescripting(XSS)instructuredtextmentions,primarilyaffectinglegacyprofilepostcontent.Anattackercaninjectmaliciousscriptsthroughcraftedmentionsthatarestoredand2026-executedwhenotherusersviewthecontent.35057 CVE-EndianFirewallversion3.3.25andpriorallowstoredcross-sitescripting(XSS)viathemimetypesparameterto/cgi-bin/proxypolicy.cgi.AnauthenticatedattackercaninjectarbitraryJavaScriptthatisstoredandexecutedwhenotherusersviewthe2026-affectedpage.34812 CVE-EndianFirewallversion3.3.25andpriorallowstoredcross-sitescripting(XSS)viatheremarkparameterto/cgi-bin/xtaccess.cgi.AnauthenticatedattackercaninjectarbitraryJavaScriptthatisstoredandexecutedwhenotherusersviewtheaffected2026-page.34811 CVE-EndianFirewallversion3.3.25andpriorallowstoredcross-sitescripting(XSS)viatheremarkparameterto/cgi-bin/vpnfw.cgi.AnauthenticatedattackercaninjectarbitraryJavaScriptthatisstoredandexecutedwhenotherusersviewtheaffected2026-page.34810 
CVE-EndianFirewallversion3.3.25andpriorallowstoredcross-sitescripting(XSS)viatheremarkparameterto/cgi-bin/outgoingfw.cgi.AnauthenticatedattackercaninjectarbitraryJavaScriptthatisstoredandexecutedwhenotherusersviewthe2026-affectedpage.34808 CVE-EndianFirewallversion3.3.25andpriorallowstoredcross-sitescripting(XSS)viatheremarkparameterto/cgi-bin/incoming.cgi.AnauthenticatedattackercaninjectarbitraryJavaScriptthatisstoredandexecutedwhenotherusersviewtheaffected2026-page.34807 CVE-EndianFirewallversion3.3.25andpriorallowstoredcross-sitescripting(XSS)viatheremarkparameterto/cgi-bin/snat.cgi.AnauthenticatedattackercaninjectarbitraryJavaScriptthatisstoredandexecutedwhenotherusersviewtheaffected 2026-page. 34806 CVE-EndianFirewallversion3.3.25andpriorallowstoredcross-sitescripting(XSS)viatheremarkparameterto/cgi-bin/dnat.cgi.AnauthenticatedattackercaninjectarbitraryJavaScriptthatisstoredandexecutedwhenotherusersviewtheaffected2026-page.34805 CVE-EndianFirewallversion3.3.25andpriorallowstoredcross-sitescripting(XSS)viathedscpparameterto/manage/qos/rules/.AnauthenticatedattackercaninjectarbitraryJavaScriptthatisstoredandexecutedwhenotherusersviewtheaffected page.34804 CVE-EndianFirewallversion3.3.25andpriorallowstoredcross-sitescripting(XSS)viathenameparameterto/manage/qos/classes/.AnauthenticatedattackercaninjectarbitraryJavaScriptthatisstoredandexecutedwhenotherusersviewtheaffected page.


34803 CVE- EndianFirewallversion3.3.25andpriorallowstoredcross-sitescripting(XSS)viatheremarkuserhamspamparameterto/cgi-bin/salearn.cgi.AnauthenticatedattackercaninjectarbitraryJavaScriptthatisstoredandexecutedwhenotherusers viewtheaffectedpage.34802 CVE- AvulnerabilitywasidentifiedinMEPISRM,anindustrialsoftwareproductdevelopedbyMetronik.TheapplicationcontainedahardcodedcryptographickeywithintheMx.Web.ComponentModel.dllcomponent.Whentheoptiontostoredomain 2026- passwordswasenabled,thiskeywasusedtoencryptuserpasswordsbeforestoringthemintheapplication'sdatabase.Anattackerwithsufficientprivilegestoaccessthedatabasecouldextracttheencryptedpasswords,decryptthemusingthe 25601 embeddedkey,andgainunauthorizedaccesstotheassociatedICS/OTenvironment. CVE- EndianFirewallversion3.3.25andpriorallowstoredcross-sitescripting(XSS)viatheNAMEparameterto/cgi-bin/uplinkeditor.cgi.AnauthenticatedattackercaninjectarbitraryJavaScriptthatisstoredandexecutedwhenotherusersviewthe2026- affectedpage.34800 TheKingAddonsforElementorpluginforWordPressisvulnerabletomultipleContributor+DOM-BasedStoredCross-SiteScriptingvulnerabilitiesinallversionsupto,andincluding,51.1.38.Thisisduetoinsufficientinputsanitizationandoutput CVE- escapingacrossmultiplewidgetsandfeatures.Thepluginusesescattr()andescurl()withinJavaScriptinlineeventhandlers(onclickattributes),whichallowsHTMLentitiestobedecodedbytheDOM,enablingattackerstobreakoutoftheJavaScript 2025- context.Additionally,severalJavaScriptfilesuseunsafeDOMmanipulationmethods(templateliterals,.html(),andwindow.location.hrefwithunvalidatedURLs)withuser-controlleddata.Thismakesitpossibleforauthenticatedattackers,with 13535 
Contributor-levelaccessandabove,toinjectarbitrarywebscriptsviaElementorwidgetsettingsthatexecutewhenauseraccessestheinjectedpageorwhenanadministratorpreviewsthepageinElementor'seditor.Thevulnerabilitywaspartially patchedinversion5.1.51. CVE- EndianFirewallversion3.3.25andpriorallowstoredcross-sitescripting(XSS)viatheremarkparameterto/manage/dnsmasq/hosts/.AnauthenticatedattackercaninjectarbitraryJavaScriptthatisstoredandexecutedwhenotherusersviewthe2026- affectedpage.34799 CVE- EndianFirewallversion3.3.25andpriorallowstoredcross-sitescripting(XSS)viatheremarkparameterto/cgi-bin/routing.cgi.AnauthenticatedattackercaninjectarbitraryJavaScriptthatisstoredandexecutedwhenotherusersviewtheaffected2026- page.34798 CVE- 2026- Shynetbefore0.14.0allowsHostheaderinjectioninthepasswordresetflow. 35507 CVE- TheWebmentionpluginforWordPressisvulnerabletoServer-SideRequestForgeryinallversionsupto,andincluding,5.6.2viathe'Tools::read'function.Thismakesitpossibleforauthenticatedattackers,withSubscriber-levelaccessandabove,to2026- makewebrequeststoarbitrarylocationsoriginatingfromthewebapplicationandcanbeusedtoqueryandmodifyinformationfrominternalservices.0688 CVE- EndianFirewallversion3.3.25andpriorallowstoredcross-sitescripting(XSS)viatheuserparameterto/cgi-bin/proxyuser.cgi.AnauthenticatedattackercaninjectarbitraryJavaScriptthatisstoredandexecutedwhenotherusersviewtheaffected2026- page.34813 CVE- EndianFirewallversion3.3.25andpriorallowstoredcross-sitescripting(XSS)viatheremarkparameterto/manage/dhcp/fixedleases/.AnauthenticatedattackercaninjectarbitraryJavaScriptthatisstoredandexecutedwhenotherusersviewthe2026- affectedpage.34801 CVE- 
EndianFirewallversion3.3.25andpriorallowstoredcross-sitescripting(XSS)viatheremarkparameterto/manage/ipsec/.AnauthenticatedattackercaninjectarbitraryJavaScriptthatisstoredandexecutedwhenotherusersviewtheaffected2026- page.34820 CVE- EndianFirewallversion3.3.25andpriorallowstoredcross-sitescripting(XSS)viatheremarkparameterto/manage/password/web/.AnauthenticatedattackercaninjectarbitraryJavaScriptthatisstoredandexecutedwhenotherusersviewthe2026- affectedpage.34823 CVE- EndianFirewallversion3.3.25andpriorallowstoredcross-sitescripting(XSS)viathenewcertnameparameterto/manage/ca/certificate/.AnauthenticatedattackercaninjectarbitraryJavaScriptthatisstoredandexecutedwhenotherusersview2026- theaffectedpage.34822 CVE- EndianFirewallversion3.3.25andpriorallowstoredcross-sitescripting(XSS)viatheremarkparameterto/manage/vpnauthentication/user/.AnauthenticatedattackercaninjectarbitraryJavaScriptthatisstoredandexecutedwhenotherusersview2026- theaffectedpage.34821 CVE- EndianFirewallversion3.3.25andpriorallowstoredcross-sitescripting(XSS)viatheREMARKparameterto/cgi-bin/openvpnclient.cgi.AnauthenticatedattackercaninjectarbitraryJavaScriptthatisstoredandexecutedwhenotherusersviewthe2026- affectedpage.34819 CVE- EndianFirewallversion3.3.25andpriorallowstoredcross-sitescripting(XSS)viatheremarkparameterto/manage/dnsmasq/localdomains/.AnauthenticatedattackercaninjectarbitraryJavaScriptthatisstoredandexecutedwhenotherusersview2026- theaffectedpage.34818 CVE- EndianFirewallversion3.3.25andpriorallowstoredcross-sitescripting(XSS)viatheADDRESSBCCparameterto/cgi-bin/smtprouting.cgi.AnauthenticatedattackercaninjectarbitraryJavaScriptthatisstoredandexecutedwhenotherusersview2026- theaffectedpage.34817 CVE- 
EndianFirewallversion3.3.25andpriorallowstoredcross-sitescripting(XSS)viathedomainparameterto/manage/smtpscan/domainrouting/.AnauthenticatedattackercaninjectarbitraryJavaScriptthatisstoredandexecutedwhenotherusers2026- viewtheaffectedpage.34816


CVE- 2026- XenForobefore2.3.9isvulnerabletostoredcross-sitescripting(XSS)relatedtoBBcoderendering.AnattackercaninjectmaliciousscriptsthroughBBcodethatarestoredandexecutedwhenotherusersviewthecontent. 35054 CVE- EndianFirewallversion3.3.25andpriorallowstoredcross-sitescripting(XSS)viatheDOMAINparameterto/cgi-bin/smtpdomains.cgi.AnauthenticatedattackercaninjectarbitraryJavaScriptthatisstoredandexecutedwhenotherusersviewthe2026- affectedpage.34815 CVE- EndianFirewallversion3.3.25andpriorallowstoredcross-sitescripting(XSS)viathegroupparameterto/cgi-bin/proxygroup.cgi.AnauthenticatedattackercaninjectarbitraryJavaScriptthatisstoredandexecutedwhenotherusersviewthe affectedpage.34814


CVE- AsecurityflawhasbeendiscoveredinAutohomeCorpfrostmourneupto1.0.AffectedisthefunctionhttpTestofthefile/api/monitor-api/alarm/previewDataofthecomponentAlarmPreview.Themanipulationresultsinsqlinjection.Theattackcanbe launchedremotely.Theexploithasbeenreleasedtothepublicandmaybeusedforattacks.


CVE- AsecurityvulnerabilityhasbeendetectedinTextpatternupto4.9.1.AffectedbythisvulnerabilityisthefunctionmtuploadImageofthefilerpc/TXPRPCServer.phpofthecomponentXML-RPCHandler.Themanipulationoftheargumentfile.name leadstopathtraversal.Remoteexploitationoftheattackispossible.Theexploithasbeendisclosedpubliclyandmaybeused.Thevendorconfirmedtheissueandwillprovideafixintheupcomingrelease.5344 CVE- Asecurityvulnerabilityhasbeendetectedinbadlogicpi-monoupto0.58.4.ThisvulnerabilityaffectsthefunctiondiscoverAndLoadExtensionsofthefilepackages/coding-agent/src/core/extensions/loader.ts.Themanipulationleadstocodeinjection.2026- Remoteexploitationoftheattackispossible.Theexploithasbeendisclosedpubliclyandmaybeused.Thevendorwascontactedearlyaboutthisdisclosurebutdidnotrespondinanyway.5556 CVE- AvulnerabilitywasdeterminedinCampcodesCompletePOSManagementandInventorySystemupto4.0.6.Thisaffectsanunknownfunctionofthefileapp/Http/Controllers/SettingsController.phpofthecomponentEnvironmentVariableHandler.2026- Executingamanipulationcanleadtoinjection.Itispossibletolaunchtheattackremotely.Theexploithasbeenpubliclydisclosedandmaybeutilized.5561 CVE- Aflawhasbeenfoundinitsourcecodesanitizeorvalidatethisinput1.0.Thisimpactsanunknownfunctionofthefile/borrowedequip.phpofthecomponentParameterHandler.Thismanipulationoftheargumentempidcausessqlinjection.The2026- attackispossibletobecarriedoutremotely.Theexploithasbeenpublishedandmaybeused.5681 CVE- AvulnerabilitywasfoundinPHPGurukulOnlineShoppingPortalProject2.1.Theimpactedelementisanunknownfunctionofthefile/payment-method.phpofthecomponentParameterHandler.Performingamanipulationoftheargumentpaymethod2026- 
resultsinsqlinjection.Itispossibletoinitiatetheattackremotely.Theexploithasbeenmadepublicandcouldbeused.5560 CVE- AvulnerabilitywasfoundinCodeAstroOnlineClassroom1.0.Thisvulnerabilityaffectsunknowncodeofthefile/OnlineClassroom/addassessment.phpofthecomponentParameterHandler.Performingamanipulationoftheargumentdeleteidresults2026- insqlinjection.Theattackispossibletobecarriedoutremotely.Theexploithasbeenmadepublicandcouldbeused.5578 CVE- AvulnerabilitywasdeterminedinCodeAstroOnlineClassroom1.0.Thisissueaffectssomeunknownprocessingofthefile/OnlineClassroom/updatedetailsfromfaculty.php?myfid=108ofthecomponentParameterHandler.Executingamanipulationof2026- theargumentfnamecanleadtosqlinjection.Theattackmaybeperformedfromremote.Theexploithasbeenpubliclydisclosedandmaybeutilized.5579 CVE- AvulnerabilityhasbeenfoundinAntaresMugishoPyBlade0.1.8-alpha/0.1.9-alpha.Theaffectedelementisthefunctionissafeastofthefilesandbox.pyofthecomponentASTValidation.Suchmanipulationleadstoimproperneutralizationofspecial2026- elementsusedinatemplateengine.Theattackmaybeperformedfromremote.Theexploithasbeendisclosedtothepublicandmaybeused.Theprojectwasinformedoftheproblemearlythroughanissuereportbuthasnotrespondedyet.5559 CVE- AflawhasbeenfoundinPHPGurukulPHPGurukulOnlineShoppingPortalProjectupto2.1.Impactedisanunknownfunctionofthefile/pending-orders.phpofthecomponentParameterHandler.ThismanipulationoftheargumentIDcausessql2026- injection.Theattackispossibletobecarriedoutremotely.Theexploithasbeenpublishedandmaybeused.5558 CVE- 
AvulnerabilitywasidentifiedinCodeAstroOnlineClassroom1.0.Impactedisanunknownfunctionofthefile/OnlineClassroom/addvideos.phpofthecomponentParameterHandler.Themanipulationoftheargumentvideotitleleadstosqlinjection.It2026- ispossibletoinitiatetheattackremotely.Theexploitispubliclyavailableandmightbeused.5580 CVE- Avulnerabilitywasdetectedinbadlogicpi-monoupto0.58.4.Thisissueaffectssomeunknownprocessingofthefilepackages/mom/src/slack.tsofthecomponentpi-momSlackBot.Themanipulationresultsinauthenticationbypassusingalternate2026- channel.Theattackcanbeexecutedremotely.Theexploitisnowpublicandmaybeused.Thevendorwascontactedearlyaboutthisdisclosurebutdidnotrespondinanyway.5557 CVE- AvulnerabilitywasfoundinPHPGurukulOnlineShoppingPortalProject2.1.Theimpactedelementisanunknownfunctionofthefile/admin/update-image1.phpofthecomponentParameterHandler.Themanipulationoftheargumentfilenameresults2026- insqlinjection.Theattackmaybeperformedfromremote.Theexploithasbeenmadepublicandcouldbeused.5641 CVE- AvulnerabilitywasidentifiedinitsourcecodeOnlineCellphoneSystem1.0.Affectedbythisvulnerabilityisanunknownfunctionalityofthefile/cp/available.phpofthecomponentParameterHandler.SuchmanipulationoftheargumentNameleadsto2026- sqlinjection.Theattackcanbelaunchedremotely.Theexploitispubliclyavailableandmightbeused.5553 CVE- AweaknesshasbeenidentifiedinPHPGurukulOnlineShoppingPortalProject2.1.Thisissueaffectssomeunknownprocessingofthefile/sub-category.phpofthecomponentParameterHandler.Thismanipulationoftheargumentpidcausessql2026- injection.Remoteexploitationoftheattackispossible.Theexploithasbeenmadeavailabletothepublicandcouldbeusedforattacks.5552 CVE- 
AvulnerabilityhasbeenfoundinTendaAC1016.03.10.10multiTDE01.AffectedisthefunctionformAddMacfilterRuleofthefile/bin/httpd.Suchmanipulationleadstooscommandinjection.Itispossibletolaunchtheattackremotely.Multiple2026- endpointsmightbeaffected.5547 CVE- Avulnerabilitywasdeterminedinzhongyu09openchatbiupto0.2.1.TheimpactedelementisanunknownfunctionofthecomponentMulti-stageText2SQLWorkflow.Executingamanipulationoftheargumentkeywordscanleadtosqlinjection.The2026- attackmaybelaunchedremotely.Theexploithasbeenpubliclydisclosedandmaybeutilized.Thevendorwascontactedearlyaboutthisdisclosurebutdidnotrespondinanyway.5586 CVE- AflawhasbeenfoundinCampcodesCompleteOnlineLearningManagementSystem1.0.Thisimpactsthefunctionaddlessonofthefile/application/models/Crudmodel.php.Thismanipulationcausesunrestrictedupload.Itispossibletoinitiatethe2026- attackremotely.Theexploithasbeenpublishedandmaybeused.5546 CVE- AvulnerabilitywasidentifiedinPHPGurukulUserRegistration&LoginandUserManagementSystem3.3.Theaffectedelementisanunknownfunctionofthefile/admin/yesterday-reg-users.php.ThemanipulationoftheargumentIDleadstosql2026- injection.Remoteexploitationoftheattackispossible.Theexploitispubliclyavailableandmightbeused.5543


CVE- AflawhasbeenfoundinitsourcecodeConstructionManagementSystem1.0.Thisaffectsanunknownfunctionofthefile/borrowedtool.php.Executingamanipulationoftheargumentcodecanleadtosqlinjection.Itispossibletolaunchtheattack2026- remotely.Theexploithasbeenpublishedandmaybeused.5719 CVE- AvulnerabilitywasdetectedinQingdaoUOnlineJudgeupto1.6.1.AffectedbythisissueisthefunctionserviceurlofthefileJudgeServer.serviceurlofthecomponentjudgeserverheartbeatEndpoint.Themanipulationresultsinserver-siderequest2026- forgery.Itispossibletolaunchtheattackremotely.Thevendorwascontactedearlyaboutthisdisclosurebutdidnotrespondinanyway. CVE- AsecurityvulnerabilityhasbeendetectedinhalexCourseSELupto1.1.0.AffectedbythisvulnerabilityisthefunctioncheckselofthefileApps/Index/Controller/IndexController.class.phpofthecomponentHTTPGETParameterHandler.The manipulationoftheargumentseidleadstosqlinjection.Itispossibletoinitiatetheattackremotely.Theexploithasbeendisclosedpubliclyandmaybeused.Thevendorwascontactedearlyaboutthisdisclosurebutdidnotrespondinanyway.


CVE- AsecurityflawhasbeendiscoveredinNothingsstbupto1.22.Thisaffectsthefunctionstartdecoderofthefilestbvorbis.c.Themanipulationresultsinout-of-boundswrite.Theattackmaybeperformedfromremote.Theexploithasbeenreleased tothepublicandmaybeusedforattacks.Thevendorwascontactedearlyaboutthisdisclosurebutdidnotrespondinanyway.


CVE- AvulnerabilitywasfoundinScrapeGraphAIscrapegraph-aiupto1.74.0.Theaffectedelementisthefunctioncreatesandboxandexecuteofthefilescrapegraphai/nodes/generatecodenode.pyofthecomponentGenerateCodeNodeComponent. Themanipulationresultsinoscommandinjection.Theattackmaybelaunchedremotely.Theexploithasbeenmadepublicandcouldbeused.Thevendorwascontactedearlyaboutthisdisclosurebutdidnotrespondinanyway.5532 CVE- AflawhasbeenfoundinOllamaupto18.1.Thisissueaffectssomeunknownprocessingofthefileserver/download.goofthecomponentModelPullAPI.Executingamanipulationcanleadtoserver-siderequestforgery.Theattackcanbelaunched2026- remotely.Thevendorwascontactedearlyaboutthisdisclosurebutdidnotrespondinanyway.5530 CVE- AsecurityvulnerabilityhasbeendetectedinPHPGurukulOnlineShoppingPortalProject2.1.Thisaffectsanunknownpartofthefile/my-profile.phpofthecomponentParameterHandler.Themanipulationoftheargumentfullnameleadstosql2026- injection.Itispossibletoinitiatetheattackremotely.Theexploithasbeendisclosedpubliclyandmaybeused.5583 AsecurityvulnerabilityhasbeendetectedinTrendnetTEW-657BRM1.00.1.ThisimpactsthefunctionEditofthefile/setup.cgi.Suchmanipulationoftheargumentpcdblistleadstooscommandinjection.Theattackmaybelaunchedremotely.TheCVE- exploithasbeendisclosedpubliclyandmaybeused.Thevendorconfirms,that"[t]heproductinquestion(...)hasbeendiscontinuedandendoflifesinceJune23,2011,thatismorethan14yearsago.Wenolongerprovidesupportforthisproduct,2026- sowearenotabletoconfirmthevulnerabilities.Wewillmakeanannouncementonourwebsite'sproductsupportpageandnotifycustomerswhoregisteredtheirproductswithus."Thisvulnerabilityonlyaffectsproductsthatarenolongersupported5352 bythemaintainer. 
CVE- AvulnerabilitywasidentifiedinwbbeyourselfMAC-SQLupto31a9df5e0d520be4769be57a4b9022e5e34a14f4.Thisaffectsthefunctionexecutesqlofthefilecore/agents.pyofthecomponentRefinerAgent.Themanipulationleadstosqlinjection. 2026- Remoteexploitationoftheattackispossible.Theexploitispubliclyavailableandmightbeused.Thisproductfollowsarollingreleaseapproachforcontinuousdelivery,soversiondetailsforaffectedorupdatedreleasesarenotprovided.Thevendor 5587 wascontactedearlyaboutthisdisclosurebutdidnotrespondinanyway. CVE- 2025- IBMAsperaShares1.9.9through1.11.0doesnotinvalidatesessionafterapasswordresetwhichcouldallowanauthenticatedusertoimpersonateanotheruseronthesystem. 66483 CVE- AflawhasbeenfoundinPHPGurukulOnlineShoppingPortalProject2.1.Impactedisanunknownfunctionofthefile/admin/update-image3.phpofthecomponentParameterHandler.Executingamanipulationoftheargumentfilenamecanleadtosql2026- injection.Theattackcanbeexecutedremotely.Theexploithasbeenpublishedandmaybeused.5639 CVE- AweaknesshasbeenidentifiedinPHPGurukulOnlineShoppingPortalProject2.1.Thisaffectsanunknownpartofthefile/cancelorder.phpofthecomponentParameterHandler.Thismanipulationoftheargumentoidcausessqlinjection.Theattack2026- maybeinitiatedremotely.Theexploithasbeenmadeavailabletothepublicandcouldbeusedforattacks.5636 CVE- AsecurityflawhasbeendiscoveredinPHPGurukulOnlineShoppingPortalProject2.1.Affectedbythisissueissomeunknownfunctionalityofthefile/categorywise-products.phpofthecomponentParameterHandler.Themanipulationofthe2026- argumentcidresultsinsqlinjection.Theattackcanbelaunchedremotely.Theexploithasbeenreleasedtothepublicandmaybeusedforattacks.5635 CVE- 
Avulnerabilityhasbeenfoundincode-projectsOnlineApplicationSystemforAdmission1.0.Thisissueaffectssomeunknownprocessingofthefile/enrollment/admsnform.phpofthecomponentEndpoint.Suchmanipulationleadstosqlinjection.The2026- attackcanbeexecutedremotely.Theexploithasbeendisclosedtothepublicandmaybeused.5649 CVE- Avulnerabilitywasfoundinpytriesdatrieupto0.8.3.TheaffectedelementisthefunctionTrie.load/Trie.read/Trie.setstateofthefilesrc/datrie.pyxofthecomponenttrieFileHandler.Themanipulationresultsindeserialization.Theattackcanbe2026- launchedremotely.Theexploithasbeenmadepublicandcouldbeused.Theprojectwasinformedoftheproblemearlythroughanissuereportbuthasnotrespondedyet.5659 CVE- AvulnerabilitywasfoundinNASAcFSupto7.0.0.ThisaffectsthefunctionCFEMSGGetSizeofthefileapps/tolab/fsw/src/tolabpassthruencode.cofthecomponentCCSDSPacketHeaderHandler.Performingamanipulationresultsinheap-based2026- bufferoverflow.Theattackermusthaveaccesstothelocalnetworktoexecutetheattack.Theprojectwasinformedoftheproblemearlythroughanissuereportbuthasnotrespondedyet.5474 CVE- AvulnerabilitywasdeterminedinitsourcecodeConstructionManagementSystem1.0.Theimpactedelementisanunknownfunctionofthefile/borrowedequip.phpofthecomponentParameterHandler.Thismanipulationoftheargumentemp2026- causessqlinjection.Theattackmaybeinitiatedremotely.Theexploithasbeenpubliclydisclosedandmaybeutilized.5660 CVE- AvulnerabilitywasidentifiedinhcengineeringHulyPlatform0.7.382.Thisaffectsanunknownpartofthefileserver/front/src/index.tsofthecomponentImportEndpoint.Suchmanipulationleadstoserver-siderequestforgery.Theattackcanbe2026- 
launchedremotely.Theexploitispubliclyavailableandmightbeused.Thevendorwascontactedearlyaboutthisdisclosurebutdidnotrespondinanyway.5623 CVE- AvulnerabilityhasbeenfoundinitsourcecodeConstructionManagementSystem1.0.Affectedisanunknownfunctionofthefile/borrowedequipreport.phpofthecomponentParameterHandler.ThemanipulationoftheargumentHomeleadstosql2026- injection.Itispossibletoinitiatetheattackremotely.Theexploithasbeendisclosedtothepublicandmaybeused.5620 CVE- AvulnerabilitywasfoundinCyber-IIIStudent-Management-Systemupto1a938fa61e9f735078e9b291d2e6215b4942af3f.Thisissueaffectsthefunctionmoveuploadedfileofthefile/AssignmentSection/submission/upload.php.Performinga 2026- manipulationoftheargumentFileresultsinunrestrictedupload.Theattackcanbeinitiatedremotely.Theexploithasbeenmadepublicandcouldbeused.Continiousdeliverywithrollingreleasesisusedbythisproduct.Therefore,noversiondetails 5670 ofaffectednorupdatedreleasesareavailable.Theprojectwasinformedoftheproblemearlythroughanissuereportbuthasnotrespondedyet. 
CVE- Anout-of-boundsaccessissuewasaddressedwithimprovedboundschecking.ThisissueisfixediniOS18.6andiPadOS18.6,iPadOS17.7.9,macOSSequoia15.6,macOSSonoma14.7.7,macOSVentura13.7.7,tvOS18.6,visionOS2.6,watchOS2025- 11.6.Processingamaliciouslycraftedmediafilemayleadtounexpectedappterminationorcorruptprocessmemory.43210 CVE- Asecurityvulnerabilityhasbeendetectedinimprvhubmcp-browser-agentupto0.8.0.ThisimpactsthefunctionCallToolRequestSchemaofthefilesrc/handlers.tsofthecomponentURLParameterHandler.Themanipulationoftheargument 2026- request.params.name/request.params.argumentsleadstoserver-siderequestforgery.Theattackispossibletobecarriedoutremotely.Theexploithasbeendisclosedpubliclyandmaybeused.Thevendorwascontactedearlyaboutthisdisclosure 5607 butdidnotrespondinanyway. CVE- AweaknesshasbeenidentifiedinpremAI-iopremsqlupto0.2.1.Affectedisthefunctionevalofthefilepremsql/agents/baseline/workers/followup.py.Thismanipulationoftheargumentresultcausescodeinjection.Theattackispossibletobecarried2026- outremotely.Theexploithasbeenmadeavailabletothepublicandcouldbeusedforattacks.Thevendorwascontactedearlyaboutthisdisclosurebutdidnotrespondinanyway.5594 CVE- AsecurityflawhasbeendiscoveredinPHPGurukulOnlineShoppingPortalProject2.1.Theaffectedelementisanunknownfunctionofthefile/order-details.phpofthecomponentParameterHandler.Themanipulationoftheargumentorderidresults2026- insqlinjection.Itispossibletolaunchtheattackremotely. 
AvulnerabilityhasbeenfoundinTrendnetTEW-657BRM1.00.1.Affectedbythisissueisthefunctionvpndropofthefile/setup.cgi.Themanipulationoftheargumentpolicynameleadstooscommandinjection.TheattackispossibletobecarriedCVE- outremotely.Theexploithasbeendisclosedtothepublicandmaybeused.Thevendorconfirms,that"[t]heproductinquestion(...)hasbeendiscontinuedandendoflifesinceJune23,2011,thatismorethan14yearsago.Wenolongerprovide supportforthisproduct,sowearenotabletoconfirmthevulnerabilities.Wewillmakeanannouncementonourwebsite'sproductsupportpageandnotifycustomerswhoregisteredtheirproductswithus."Thisvulnerabilityonlyaffectsproductsthat


arenolongersupportedbythemaintainer. CVE-Aflawhasbeenfoundingriptape-aigriptape0.19.4.Thisaffectsanunknownpartofthefilegriptape\tools\computer\tool.pyofthecomponentComputerTool.Executingamanipulationoftheargumentfilenamecanleadtopathtraversal.Itis possibletolaunchtheattackremotely.Theexploithasbeenpublishedandmaybeused.Thevendorwascontactedearlyaboutthisdisclosurebutdidnotrespondinanyway. CVE-Avulnerabilitywasdetectedingriptape-aigriptape0.19.4.Affectedbythisissueissomeunknownfunctionalityofthefilegriptape/tools/sql/tool.pyofthecomponentSqlTool.Performingamanipulationresultsinsqlinjection.Itispossibletoinitiate2026-theattackremotely.Theexploitisnowpublicandmaybeused.Thevendorwascontactedearlyaboutthisdisclosurebutdidnotrespondinanyway.5596 AflawhasbeenfoundinTrendnetTEW-657BRM1.00.1.Affectedbythisvulnerabilityisthefunctionvpnconnectofthefile/setup.cgi.Executingamanipulationoftheargumentpolicynamecanleadtooscommandinjection.TheattackcanbeCVE-executedremotely.Theexploithasbeenpublishedandmaybeused.Thevendorconfirms,that"[t]heproductinquestion(...)hasbeendiscontinuedandendoflifesinceJune23,2011,thatismorethan14yearsago.Wenolongerprovidesupport2026-forthisproduct,sowearenotabletoconfirmthevulnerabilities.Wewillmakeanannouncementonourwebsite'sproductsupportpageandnotifycustomerswhoregisteredtheirproductswithus."Thisvulnerabilityonlyaffectsproductsthatareno5354longersupportedbythemaintainer. 
AvulnerabilitywasdetectedinTrendnetTEW-657BRM1.00.1.Affectedisthefunctionpingtestofthefile/setup.cgi.Performingamanipulationoftheargumentc4IPAddrresultsinoscommandinjection.Remoteexploitationoftheattackispossible.CVE-Theexploitisnowpublicandmaybeused.Thevendorconfirms,that"[t]heproductinquestion(...)hasbeendiscontinuedandendoflifesinceJune23,2011,thatismorethan14yearsago.Wenolongerprovidesupportforthisproduct,soweare2026-notabletoconfirmthevulnerabilities.Wewillmakeanannouncementonourwebsite'sproductsupportpageandnotifycustomerswhoregisteredtheirproductswithus."Thisvulnerabilityonlyaffectsproductsthatarenolongersupportedbythe5353maintainer. CVE-AvulnerabilitywasfoundinitsourcecodeConstructionManagementSystem1.0.Thisaffectsanunknownpartofthefile/borrowedtool.phpofthecomponentParameterHandler.Themanipulationoftheargumentempresultsinsqlinjection.Itis2026-possibletolaunchtheattackremotely.Theexploithasbeenmadepublicandcouldbeused.5675 CVE-AvulnerabilityhasbeenfoundinPHPGurukulOnlineShoppingPortalProject2.1.Theaffectedelementisanunknownfunctionofthefile/admin/update-image2.phpofthecomponentParameterHandler.Themanipulationoftheargumentfilename2026-leadstosqlinjection.Theattackispossibletobecarriedoutremotely.Theexploithasbeendisclosedtothepublicandmaybeused.5640 
Aweaknesshasbeenidentifiedinshsuishangmodulithshopupto829bac71f507e84684c782b9b062b8bf3b5585d6.TheimpactedelementisthefunctionlistItemofthefileCVE-src/main/java/com/suisung/shopsuite/pt/service/impl/ProductIndexServiceImpl.javaofthecomponentProductItemDaoInterface.Executingamanipulationoftheargumentsidx/sortcanleadtosqlinjection.Theattackmaybeperformedfromremote.2026-Theexploithasbeenmadeavailabletothepublicandcouldbeusedforattacks.Thisproductutilizesarollingreleasesystemforcontinuousdelivery,andassuch,versioninformationforaffectedorupdatedreleasesisnotdisclosed.Thispatchis5328called42bcb9463425d1be906c3b290cf29885eb5a2324.Apatchshouldbeappliedtoremediatethisissue. CVE-Asecurityflawhasbeendiscoveredinefforthyefast-filesystem-mcpupto3.5.1.TheaffectedelementisthefunctionhandleGetDiskUsageofthefilesrc/index.ts.Performingamanipulationresultsincommandinjection.Theattackispossibletobe2026-carriedoutremotely.Theexploithasbeenreleasedtothepublicandmaybeusedforattacks.Theprojectwasinformedoftheproblemearlythroughanissuereportbuthasnotrespondedyet.5327 CVE-Asecurityvulnerabilityhasbeendetectedingriptape-aigriptape0.19.4.Affectedbythisvulnerabilityisthefunctionloadfilesfromdisk/listfilesfromdisk/savecontenttofile/savememoryartifactstodiskofthecomponentFileManagerTool.2026-Suchmanipulationleadstopathtraversal.Theattackmaybeperformedfromremote.Theexploithasbeendisclosedpubliclyandmaybeused.Thevendorwascontactedearlyaboutthisdisclosurebutdidnotrespondinanyway.5595 
CVE-AsecurityvulnerabilityhasbeendetectedinMoussaabBadlacode-screenshot-mcpupto0.1.0.ThisaffectsanunknownpartofthecomponentHTTPInterface.Suchmanipulationleadstooscommandinjection.Itispossibletolaunchtheattack2026-remotely.Theexploithasbeendisclosedpubliclyandmaybeused.Thevendorwascontactedearlyaboutthisdisclosurebutdidnotrespondinanyway.5528 AweaknesshasbeenidentifiedinTrendnetTEW-657BRM1.00.1.Thisaffectsthefunctionaddwpsclientofthefile/setup.cgi.Thismanipulationoftheargumentwlenroleepincausesoscommandinjection.Theattackmaybeinitiatedremotely.CVE-Theexploithasbeenmadeavailabletothepublicandcouldbeusedforattacks.Thevendorconfirms,that"[t]heproductinquestion(...)hasbeendiscontinuedandendoflifesinceJune23,2011,thatismorethan14yearsago.Wenolonger2026-providesupportforthisproduct,sowearenotabletoconfirmthevulnerabilities.Wewillmakeanannouncementonourwebsite'sproductsupportpageandnotifycustomerswhoregisteredtheirproductswithus."Thisvulnerabilityonlyaffects5351productsthatarenolongersupportedbythemaintainer. CVE-HimmelblauisaninteroperabilitysuiteforMicrosoftAzureEntraIDandIntune.Fromversions2.0.0-alphatobefore2.3.9and3.0.0-alphatobefore3.1.1,thereisaconditionallocalprivilegeescalationvulnerabilityinanedge-casenamingcollision. 2026-OnlyauthenticatedhimmelblauuserswhosemappedCN/shortnameexactlymatchesaprivilegedlocalgroupname(e.g.,"sudo","wheel","docker","adm")cancausetheNSSmoduletoresolvethatgroupnametotheirfakeprimarygroup.Ifthe 34397systemusesNSSresultsforgroup-basedauthorizationdecisions(sudo,polkit,etc.),thiscangranttheattackertheprivilegesofthatgroup.Thisissuehasbeenpatchedinversions2.3.9and3.1.1. 
CVE-Avulnerabilityhasbeenfoundingougucms4.08.18.Thisaffectsthefunctionregsubmitofthefilegougucms-master\app\home\controller\Login.phpofthecomponentUserRegistrationHandler.Suchmanipulationoftheargumentlevelleadsto2026-dynamically-determinedobjectattributes.Theattackmaybeperformedfromremote.Theexploithasbeendisclosedtothepublicandmaybeused.Thevendorwascontactedearlyaboutthisdisclosurebutdidnotrespondinanyway.5248 CVE-AvulnerabilitywasdeterminedinAutohomeCorpfrostmourneupto1.0.Theaffectedelementisanunknownfunctionofthefilefrostmourne-monitor/src/main/java/com/autohome/frostmourne/monitor/controller/AlarmController.javaofthecomponent2026-AlarmPreview.Executingamanipulationcanleadtoserver-siderequestforgery.Theattackmaybeperformedfromremote.Theexploithasbeenpubliclydisclosedandmaybeutilized.5259 CVE- 2026-UseafterfreeinCSSinGoogleChromepriorto146.0.7680.178allowedaremoteattackertoexecutearbitrarycodeinsideasandboxviaacraftedHTMLpage.(Chromiumsecurityseverity:High) 5273 CVE-AflawhasbeenfoundinProjectsAndProgramsSchoolManagementSystemupto6b6fae5426044f89c08d0dd101c7fa71f9042a59.Theaffectedelementisanunknownfunctionofthefile/adminpanel/settings.phpofthecomponentProfilePicture 2026-Handler.ThismanipulationoftheargumentFilecausesunrestrictedupload.Remoteexploitationoftheattackispossible.Theexploithasbeenpublishedandmaybeused.Thisproductfollowsarollingreleaseapproachforcontinuousdelivery,so 5472versiondetailsforaffectedorupdatedreleasesarenotprovided. 
CVE-2026-34371: LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat trusts the name field returned by the execute_code sandbox when persisting code-generated artifacts. On deployments using the default local file strategy, a malicious artifact filename containing traversal sequences (for example, ../../../../../app/client/dist/poc.txt) is concatenated into the server-side destination path and written with fs.writeFileSync() without sanitization. This gives any user who can trigger execute_code an arbitrary file write primitive as the LibreChat server user. This vulnerability is fixed in 0.8.4.

CVE-2026-5470: A security vulnerability has been detected in mixelpixx Google-Research-MCP 1e062d7bd887bfe5f6e582b6cc288bb897b35cf2/ca613b736ab787bc926932f59cddc69457185a83. This issue affects the function extractContent of the file src/services/content-extractor.service.ts of the component Model Context Protocol Handler. The manipulation of the argument URL leads to server-side request forgery. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. This product uses a rolling release model to deliver continuous updates; as a result, specific version information for affected or updated releases is not available. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2024-58342: XenForo before 2.2.17 and 2.3.1 allows open redirect via a specially crafted URL. The getDynamicRedirect() function does not adequately validate the redirect target, allowing attackers to redirect users to arbitrary external sites using crafted URLs containing newlines, user credentials, or host mismatches.

CVE-…: A vulnerability was identified in z-9527 admin 1.0/2.0. This impacts an unknown function of the file /server/routes/user.js of the component User Update Endpoint. Such manipulation of the argument isAdmin with the input 1 leads to dynamically-determined object attributes. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVE-…-1879: A vulnerability was detected in Harvard University IQSS Dataverse up to 6.8. This affects an unknown function of the file /ThemeAndWidgets.xhtml of the component Theme Customization. Performing a manipulation of the argument uploadLogo results in unrestricted upload. Remote exploitation of the attack is possible. The exploit is now public and may be used. Upgrading to version 6.10 mitigates this issue; you should upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.

CVE-…-25240: Watchr 1.1.0.0 contains a denial of service vulnerability that allows local attackers to crash the application by submitting an excessively long string to the search functionality. Attackers can paste a buffer of 8145 characters into the search bar and trigger a search operation to cause the application to crash.

CVE-2018-25242: OneSearch 1.1.0.0 contains a denial of service vulnerability that allows local attackers to crash the application by submitting excessively long input strings to the search functionality. Attackers can paste a buffer of 950 or more characters into the search bar to trigger an unhandled exception that crashes the application.

CVE-2018-25243: FastTube 1.0.1.0 contains a denial of service vulnerability that allows local attackers to crash the application by submitting an excessively long string to the search functionality. Attackers can paste a buffer of 1900 characters into the search bar and trigger a crash when the search operation is executed.

CVE-2019-25666: SpotAuditor 3.6.7 contains a local buffer overflow vulnerability in the Base64 Password Decoder component that allows attackers to crash the application. Attackers can supply an oversized Base64 string through the decoder interface to trigger a denial of service condition.

CVE-2018-25244: EcoSearch 1.0.2.0 contains a denial of service vulnerability that allows local attackers to crash the application by submitting an excessively long string to the search functionality. Attackers can paste a buffer of 950 or more characters into the search bar and trigger a crash by initiating a search operation.

CVE-2025-43238: An integer overflow was addressed with improved input validation. This issue is fixed in macOS Sequoia 15.6, macOS Sonoma 14.7.7, macOS Ventura 13.7.7. An app may be able to cause unexpected system termination.

CVE-2018-25238: VSCO 1.1.1.0 contains a denial of service vulnerability that allows local attackers to crash the application by submitting an excessively long string through the search functionality. Attackers can paste a buffer of 5000 characters into the search bar and navigate back to trigger an application crash.

CVE-2019-25667: TaskInfo 8.2.0.280 contains a local buffer overflow vulnerability that allows attackers to crash the application by supplying oversized input to registration fields. Attackers can paste excessively long strings into the New User Name or New Serial Number text boxes in the Help menu's registration dialog to trigger a denial of service condition.

CVE-2018-25252: FTP Voyager 16.2.0 contains a denial of service vulnerability that allows local attackers to crash the application by injecting oversized buffer data into the site profile IP field. Attackers can create a malicious site profile containing 500 bytes of repeated characters and paste it into the IP field to trigger a buffer overflow that crashes the FTP Voyager process.

CVE-2018-25253: Termite 3.4 contains a buffer overflow vulnerability in the User interface language settings field that allows local attackers to cause a denial of service by supplying an excessively long string. Attackers can paste a 2000-byte payload into the Settings User interface language field to crash the application.

CVE-2019-25683: FileZilla 3.40.0 contains a denial of service vulnerability in the local search functionality that allows local attackers to crash the application by supplying a malformed path string. Attackers can trigger the crash by entering a crafted path containing 384 'A' characters followed by 'BBBB' and 'CCCC' sequences in the search directory field and initiating a local search operation.

CVE-2026-0049: In onHeaderDecoded of LocalImageResolver.java, there is a possible persistent denial of service due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

CVE-2018-25239: SmartVPN 1.1.3.0 contains a denial of service vulnerability that allows local attackers to crash the application by submitting oversized input through the search interface. Attackers can paste a buffer of 2100 characters into the top right search bar to trigger an unhandled exception that crashes the application.

CVE-2026-33817: Index out-of-range when encountering a branch page with zero elements in go.etcd.io/bbolt.

CVE-2019-25665: RiverPast Ringtone Converter 2.7.6.1601 contains a local buffer overflow vulnerability that allows attackers to crash the application by supplying oversized input to activation fields. Attackers can paste 300 bytes of data into the Email text box and Activation code text area via the Help menu's Activate dialog to trigger a denial of service condition.

CVE-2019-25659: ASPRunner Professional 6.0.766 contains a local buffer overflow vulnerability that allows attackers to cause a denial of service by supplying an excessively long project name. Attackers can paste 180 or more characters into the Project name field during project creation to trigger an application crash.

CVE-2026-35406: Aardvark-dns is an authoritative DNS server for A/AAAA container records. From 1.16.0 to 1.17.0, a truncated TCP DNS query followed by a connection reset causes aardvark-dns to enter an unrecoverable infinite error loop at 100% CPU. This vulnerability is fixed in 1.17.1.

CVE-2025-13044: IBM Concert 1.0.0 through 2.2.0 creates temporary files with predictable names, which allows local users to overwrite arbitrary files via a symlink attack.

CVE-2026-31053: A double free vulnerability exists in librz/bin/format/le/le.c in the function le_load_fixup_record(). When processing malformed or circular LE fixup chains, relocation entries may be freed multiple times during error handling. A specially crafted LE binary can trigger heap corruption and cause the application to crash, resulting in a denial-of-service condition. An attacker with a crafted binary could cause a denial of service when the tool is integrated in a service pipeline.

CVE-2019-25677: WinRAR 5.61 contains a denial of service vulnerability that allows local attackers to crash the application by placing a malformed winrar.lng language file in the installation directory. Attackers can trigger the crash by opening an archive and pressing the test button, causing an access violation at memory address 004F1DB8 when the application attempts to read invalid data.

CVE-…-71280: XenForo before 2.3.7 allows information disclosure via local account page caching on shared systems. On systems where multiple users share a browser or machine, cached account pages could expose sensitive user information to other local users.

CVE-…-20050: NetSchedScan 1.0 contains a buffer overflow vulnerability in the scan Hostname/IP field that allows local attackers to crash the application by supplying an oversized input string. Attackers can paste a crafted payload containing 388 bytes of data followed by 4 bytes of EIP overwrite into the Hostname/IP field to trigger a denial of service condition.

CVE-…-25660: LanHelper 1.74 contains a local buffer overflow vulnerability that allows attackers to crash the application by sending excessively long input strings. Attackers can exploit the Form Send Message feature by pasting 6000 bytes of data into the Message text field to trigger a denial of service condition.

CVE-2026-3778: The application does not detect or guard against cyclic PDF object references while handling JavaScript in PDF. When pages and annotations are crafted that reference each other in a loop, passing the document to APIs (e.g., SOAP) that perform deep traversal can cause uncontrolled recursion, stack exhaustion, and application crashes.

CVE-2019-25661: Remote Process Explorer 1.0.0.16 contains a local buffer overflow vulnerability that allows attackers to cause a denial of service by sending a crafted payload to the Add Computer dialog. Attackers can paste a malicious string into the computer name text box and trigger a crash by connecting to the added computer, overwriting the SEH chain and corrupting exception handlers.

CVE-2026-35480: go-ipld-prime is an implementation of the InterPlanetary Linked Data (IPLD) spec interfaces, a batteries-included set of codec implementations of IPLD for CBOR and JSON, and tooling for basic operations on IPLD objects. Prior to 0.22.0, the DAG-CBOR decoder uses collection sizes declared in CBOR headers as Go preallocation hints for maps and lists. The decoder does not cap these size hints or account for their cost in its allocation budget, allowing small payloads to cause excessive memory allocation. This vulnerability is fixed in 0.22.0.
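The go-ipld-prime entry above is an instance of a decoder mistake that is independent of language: a length declared in the input header is used as an allocation size before any of the declared elements have been seen. The following added example, written in JavaScript and not taken from go-ipld-prime, reads a CBOR array header and shows the naive hint beside a bounded one. The bound is the observation that every array element costs at least one byte of input, so the hint can never usefully exceed the bytes remaining after the header; the additional fixed ceiling MAX_PREALLOC is an assumed value.

```javascript
// Added example (not go-ipld-prime's code): decide how much to preallocate
// from a DAG-CBOR array header. readArrayHeader parses only the header;
// the two *PreallocHint functions differ in whether they trust it.

function readArrayHeader(buf, offset = 0) {
  // CBOR major type 4 (array) is the top 3 bits of the initial byte; the
  // low 5 bits are a small count (<24) or say how many count bytes follow.
  const initial = buf[offset];
  if (initial >> 5 !== 4) throw new Error("not a CBOR array header");
  const info = initial & 0x1f;
  let count, headerLen;
  if (info < 24) { count = BigInt(info); headerLen = 1; }
  else if (info === 24) { count = BigInt(buf[offset + 1]); headerLen = 2; }
  else if (info === 25) { count = BigInt(buf.readUInt16BE(offset + 1)); headerLen = 3; }
  else if (info === 26) { count = BigInt(buf.readUInt32BE(offset + 1)); headerLen = 5; }
  else if (info === 27) { count = buf.readBigUInt64BE(offset + 1); headerLen = 9; }
  else throw new Error("indefinite-length arrays are not allowed in DAG-CBOR");
  return { count, headerLen };
}

// Vulnerable sizing: whatever the header says is what gets preallocated.
// Nine bytes of input can claim up to 2^64 - 1 elements.
function naivePreallocHint(buf) {
  return readArrayHeader(buf).count;
}

// Bounded sizing: an element costs at least one byte of input, so the hint
// is capped by the bytes left after the header, and by a fixed ceiling
// (1 << 20 here, an assumed value) for large-but-plausible payloads.
const MAX_PREALLOC = 1n << 20n;
function boundedPreallocHint(buf) {
  const { count, headerLen } = readArrayHeader(buf);
  const remaining = BigInt(buf.length - headerLen);
  let hint = count < remaining ? count : remaining;
  if (hint > MAX_PREALLOC) hint = MAX_PREALLOC;
  return hint;
}

// Constructed sample: 0x9b (array, 8-byte count) declaring 2^32 elements,
// with no element bytes following the header at all.
const HUGE_ARRAY = Buffer.from("9b0000000100000000", "hex");
// Constructed sample: a legitimate 3-element array of small ints [1, 2, 3].
const SMALL_ARRAY = Buffer.from("83010203", "hex");
```

The same bound applies to maps (major type 5, two items per entry) and to byte and text strings, where the declared length can be compared directly against the remaining input before any buffer is reserved.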
CVE-2026-35199: SymCrypt is the core cryptographic function library currently used by Windows. From 103.5.0 to before 103.11.0, the SymCryptXmssSign function passes a 64-bit leaf count value to a helper function that accepts a 32-bit parameter. For XMSS^MT parameter sets with total tree height >= 32 (which includes standard predefined parameters), this causes silent truncation to zero, resulting in a drastically undersized scratch buffer allocation followed by a heap buffer overflow during signature computation. Exploiting this issue would require an application using SymCrypt to perform an XMSS^MT signature using an attacker-controlled parameter set. It is uncommon for applications to allow the use of attacker-controlled parameter sets for signing, since signing is a private key operation, and private keys must be trusted by definition. Additionally, XMSS(^MT) signing should only be performed in a Hardware Security Module (HSM); XMSS(^MT) signing is provided in SymCrypt only for testing purposes. This is a general rule irrespective of this CVE: XMSS(^MT) and other stateful signature schemes are only cryptographically secure when it is guaranteed that the same state cannot be reused for two different signatures, which cannot be guaranteed by software alone. For this reason, XMSS(^MT) signing is also not FIPS approved when performed outside of an HSM. Fixed in version 103.11.0.
CVE- AReflectedCross-SiteScripting(XSS)vulnerabilityexistsinSourceCodesterZooManagementSystemv1.0.Thevulnerabilityislocatedintheloginpage,specificallywithinthemsgparameter.Theapplicationreflectsthecontentofthemsg2026- parameterbacktotheuserwithoutproperHTMLencodingorsanitization.ThisallowsremoteattackerstoinjectarbitrarywebscriptorHTMLviaacraftedURL.30526 CVE- Multiplereflectedcross-sitescripting(XSS)vulnerabilitiesinthelogin.phpendpointofInterzenConsultingS.r.lZenShareSuitev17.0allowsattackerstoexecutearbitraryJavascriptinthecontextoftheuser'sbrowserviaacraftedURLinjectedinto2026- thecodiceaziendaandredurlparameters.30252 CVE- Areflectedcross-sitescripting(XSS)vulnerabilityintheloginnewpwd.phpendpointofInterzenConsultingS.r.lZenShareSuitev17.0allowsattackerstoexecutearbitraryJavascriptinthecontextoftheuser'sbrowserviaacraftedURLinjectedinto2026- thecodiceaziendaparameter.30251 CVE- AvulnerabilityinCiscoNexusDashboardandCiscoNexusDashboardInsightscouldallowanunauthenticated,remoteattackertoconductaserver-siderequestforgery(SSRF)attackthroughanaffecteddevice. 2026- inputvalidationforspecificHTTPrequests.Anattackercouldexploitthisvulnerabilitybypersuadinganauthenticateduserofthedevicemanagementinterfacetoclickacraftedlink.Asuccessfulexploitcouldallowtheattackertosendarbitrary 20041 networkrequeststhataresourcedfromtheaffecteddevicetoanattacker-controlledserver.Theattackercouldthenexecutearbitraryscriptcodeinthecontextoftheaffectedinterfaceoraccesssensitivebrowser-basedinformation. CVE- 2026- AnissuewasdiscoveredinRoundcubeWebmailbefore1.5.14and1.6.14.XSSexistsbecauseofinsufficientHTMLattachmentsanitizationinpreviewmode.Avictimmustpreviewatext/htmlattachment. 
35539 CVE- 2026- XSSvulnerabilityincveInterface.jsallowsforinjectHTMLtobepassedtodisplay,ascveInterfacetrustsinputfromCVEAPIservices 35466 CVE- 2026- Emlogisanopensourcewebsitebuildingsystem.Priortoversion2.6.8,thereisastoredcross-sitescripting(XSS)vulnerabilityinemlogcommentmoduleviaURIschemevalidationbypass.Thisissuehasbeenpatchedinversion2.6.8. 34229 CVE- phpMyFAQisanopensourceFAQwebapplication.Priortoversion4.1.1,anunauthenticatedattackercansubmitaguestFAQwithanemailaddressthatissyntacticallyvalidperRFC5321(quotedlocalpart)yetcontainsrawHTML--forexample" 2026- "@evil.com.PHP'sFILTERVALIDATEEMAILacceptsthisemailasvalid.TheemailisstoredinthedatabasewithoutHTMLsanitizationandlaterrenderedintheadminFAQeditortemplateusingTwig's|rawfilter,which 32629 bypassesauto-escapingentirely.Thisissuehasbeenpatchedinversion4.1.1. CVE- 2026- phpMyFAQisanopensourceFAQwebapplication.Priortoversion4.1.1,thereisastoredXSSvulnerabilityviaRegexBypassinFilter::removeAttributes().Thisissuehasbeenpatchedinversion4.1.1. 34729 CVE- 2025- AnopenredirectinAscertiaSigningHubUserv10.0allowsattackerstoredirectuserstoamalicioussiteviaacraftedURL. 
61166 CVE- Areflectedcross-sitescripting(XSS)vulnerabilityinthedashboardsearchfunctionalityoftheVertiGISFMsolutionallowsattackerstocraftamaliciousURL,thatifvisitedbyanauthenticatedvictim,willexecutearbitraryJavaScriptinthevictim's2026- context.SuchaURLcouldbedeliveredthroughvariousmeans,forinstance,bysendingalinkorbytrickingvictimstovisitapagecraftedbytheattacker.3877 CVE- Directusisareal-timeAPIandAppdashboardformanagingSQLdatabasecontent.Priorto11.16.1,anopenredirectvulnerabilityexistsintheloginredirectionlogic.TheisLoginRedirectAllowedfunctionfailstocorrectlyidentifycertainmalformed2026- URLsasexternal,allowingattackerstobypassredirectallow-listvalidationandredirectuserstoarbitraryexternaldomainsuponsuccessfulauthentication.Thisvulnerabilityisfixedin11.16.1.35410
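The XenForo getDynamicRedirect() entry and the Directus isLoginRedirectAllowed entry describe the same class of mistake: a post-login redirect target that is checked by string shape rather than by where it actually resolves. The following added example is not code from either project; it contrasts a weak prefix/substring check with one that resolves the target against the site's own origin and rejects the malformed forms named in the advisories (newlines, embedded credentials, host mismatches) along with the protocol-relative and backslash variants a pentester will also try. SITE_ORIGIN and the function names are assumptions for the example.

```javascript
// Added example (not XenForo's or Directus's code): validating a redirect
// target after login. weakIsRedirectAllowed models the checks that open
// redirects typically slip past; strictRedirect returns the normalized
// same-origin URL or null.
const SITE_ORIGIN = "https://forum.example"; // assumed site origin

// Weak: "starts with /" or "mentions our host" is how many open redirects start.
function weakIsRedirectAllowed(target) {
  return target.startsWith("/") || target.includes("forum.example");
}

// Strict: parse the target relative to the site origin and compare origins.
function strictRedirect(target, siteOrigin = SITE_ORIGIN) {
  if (typeof target !== "string" || target.length === 0) return null;
  // Control characters and whitespace: header injection and parser
  // differences (the WHATWG parser silently strips tabs and newlines).
  if (/[\u0000-\u001f\u007f\s]/.test(target)) return null;
  // Protocol-relative ("//host") and backslash forms ("/\host") switch hosts
  // in browsers even though they "start with /".
  if (target.startsWith("//") || target.startsWith("\\") || target.startsWith("/\\")) {
    return null;
  }
  let url;
  try {
    url = new URL(target, siteOrigin); // relative paths resolve against us
  } catch {
    return null;
  }
  if (url.username !== "" || url.password !== "") return null; // "ourhost@evil"
  if (!["http:", "https:"].includes(url.protocol)) return null; // javascript:, data:
  if (url.origin !== new URL(siteOrigin).origin) return null;   // host mismatch
  return url.href;
}
```

Returning the normalized href rather than the original string matters: the Location header is then built from what the parser actually resolved, not from input whose bytes the browser may interpret differently than the server did.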
CVE-2026-39335: ChurchCRM is an open-source church management system. Prior to 7.1.1, there is stored XSS in the group remove control and the family editor state/country fields. This is primarily an admin-to-admin stored XSS path when writable entity fields are abused. This vulnerability is fixed in 7.1.1.

CVE-2026-39336: ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored cross-site scripting issue affects the Directory Reports form fields set from config, Person editor defaults rendered into address fields, and external self-registration form defaults. This is primarily an admin-to-admin stored XSS path where writable configuration fields are abused. This vulnerability is fixed in 7.1.0.

CVE-…-34606: Frappe Learning Management System (LMS) is a learning system that helps users structure their content. From version 2.27.0 to before version 2.48.0, Frappe LMS was vulnerable to stored XSS. This issue has been patched in version 2.48.0.

CVE-…-34951: Workbench is a suite of tools for administrators and developers to interact with Salesforce.com organizations via the Force.com APIs. Prior to 65.0.0, Workbench contains a reflected cross-site scripting vulnerability via the footerScripts parameter, which does not sanitize user-supplied input before rendering it in the page response. This improper neutralization of input during web page generation ('cross-site scripting') allows XSS targeting error pages. This vulnerability is fixed in 65.0.0.


CVE- Zulipisanopen-sourceteamcollaborationtool.Fromversion1.4.0tobeforeversion11.6,./manage.pyimportreadsarbitraryfilesfromtheserverfilesystemviapathtraversalinuploads/records.json.Acraftedexporttarballcausestheserverto copyanyfilethezulipusercanreadintotheuploadsdirectoryduringimport.Thisissuehasbeenpatchedinversion11.6.26058 CVE- XenForobefore2.3.9andbefore2.2.18isvulnerabletocross-sitescripting(XSS)relatedtolightboxusageinposts.Anattackercaninjectmaliciousscriptsthatexecutewhenusersinteractwithpostcontentdisplayedinthelightbox. 35055 CVE- Pi-holeAdminInterfaceisawebinterfaceformanagingPi-hole,anetwork-leveladandinternettrackerblockingapplication.From6.0tobefore6.5,areflectedDOM-basedXSSvulnerabilityintaillog.jsallowsanunauthenticatedattackertoinject 2026- arbitraryHTMLintothePi-holeadmininterfacebycraftingamaliciousURL.ThefilequeryparameterisinterpolatedintoaninnerHTMLassignmentwithoutescaping.BecausetheContent-Security-Policyismissingtheform-actiondirective,injected 33403


elementscanexfiltratecredentialstoanexternalorigin.Thisvulnerabilityisfixedin6.5. CVE- SignalKServerisaserverapplicationthatrunsonacentralhubinaboat.Priortoversion2.24.0,SignalKServercontainsacode-levelvulnerabilityinitsOIDCloginandlogouthandlerswheretheunvalidatedHTTPHostheaderisusedtoconstruct 2026- theOAuth2redirecturi.BecausetheredirectUriconfigurationissilentlyunsetbydefault,anattackercanspooftheHostheadertostealOAuthauthorizationcodesandhijackusersessionsinrealisticdeploymentsasTheOIDCproviderwillthensend 34083 theauthorizationcodetowhateverdomainwasinjected.Thisissuehasbeenpatchedinversion2.24.0. CVE- Avulnerabilityintheweb-basedmanagementinterfaceofCiscoIMCcouldallowanunauthenticated,remoteattackertoconductareflectedXSSattackagainstauseroftheinterface. 2026- attackercouldexploitthisvulnerabilitybypersuadingauserofanaffectedinterfacetoclickacraftedlink.Asuccessfulexploitcouldallowtheattackertoexecutearbitraryscriptcodeinthebrowserofthetargeteduseroraccesssensitive,browser- 20085 basedinformation. CVE- BulwarkWebmailisaself-hostedwebmailclientforStalwartMailServer.Priorto1.4.11,thereverseproxy(proxy.ts)settheContent-Security-Policy-Report-OnlyheaderinsteadoftheenforcingContent-Security-Policyheader.Thismeanscross-site 2026- scripting(XSS)attackswereloggedbutnotblocked.Anyuserwhocouldinjectscriptcontent(e.g.,viacraftedemailHTML)couldexecutearbitraryJavaScriptinthecontextoftheapplication,potentiallystealingsessiontokensorperformingactions 35390 onbehalfoftheuser.Thisvulnerabilityisfixedin1.4.11. 
CVE- MyBBLikePlugin3.0.0containsacross-sitescriptingvulnerabilitythatallowsattackerstoinjectmaliciousscriptsbycreatingpostsorthreadswithunvalidatedsubjectcontent.Attackerscancraftpostsubjectscontainingscripttagsthatexecute2018- whenotherusersviewtheattacker'sprofile,wherelikedpostsaredisplayedwithoutsanitization.25247 CVE- FTLDNS(pihole-FTL)providesaninteractiveAPIandalsogeneratesstatisticsforPi-hole'sWebinterface.From6.0tobefore6.6,Pi-holeFTLsupportsaCLIpasswordfeature(webserver.api.clipw)thatcreates"CLI"APIsessionsintendedtoberead- 2026- onlyforconfigurationchanges.While/api/configcorrectlyblocksCLIsessionsfrommutatingconfiguration,/api/teleporterallowedTeleporterimportsforCLIsessions,enablingaCLI-scopedsessiontooverwriteconfigurationviaaTeleporterarchive 35491 (authorizationbypass).Thisvulnerabilityisfixedin6.6. Electronisaframeworkforwritingcross-platformdesktopapplicationsusingJavaScript,HTMLandCSS.Priorto39.8.5,40.8.5,41.1.0,and42.0.0-alpha.5,whenarenderercallswindow.open()withatargetname,Electrondidnotcorrectlyscopethe CVE- named-windowlookuptotheopener'sbrowsingcontextgroup.Arenderercouldnavigateanexistingchildwindowthatwasopenedbyadifferent,unrelatedrendererifbothusedthesametargetname.Ifthatexistingchildwascreatedwithmore 2026- permissivewebPreferences(viasetWindowOpenHandler'soverrideBrowserWindowOptions),contentloadedbythesecondrendererinheritsthosepermissions.Appsareonlyaffectediftheyopenmultipletop-levelwindowswithdifferingtrustlevels 34765 andusesetWindowOpenHandlertograntchildwindowselevatedwebPreferencessuchasaprivilegedpreloadscript.Appsthatdonotelevatechildwindowprivileges,orthatuseasingletop-levelwindow,arenotaffected.Appsthatadditionally 
grantnodeIntegration:trueorsandbox:falsetochildwindows(contrarytothesecurityrecommendations)maybeexposedtoarbitrarycodeexecution.Thisvulnerabilityisfixedin39.8.5,40.8.5,41.1.0,and42.0.0-alpha.5. Electronisaframeworkforwritingcross-platformdesktopapplicationsusingJavaScript,HTMLandCSS.Priortoversions38.8.6,39.8.3,40.8.3,and41.0.3,appsthatregistercustomprotocolhandlersviaprotocol.handle()/CVE- protocol.registerSchemesAsPrivileged()ormodifyresponseheadersviawebRequest.onHeadersReceivedmaybevulnerabletoHTTPresponseheaderinjectionifattacker-controlledinputisreflectedintoaresponseheadernameorvalue.Anattacker2026- whocaninfluenceaheadervaluemaybeabletoinjectadditionalresponseheaders,affectingcookies,contentsecuritypolicy,orcross-originaccesscontrols.Appsthatdonotreflectexternalinputintoresponseheadersarenotaffected.Thisissue34767 hasbeenpatchedinversions38.8.6,39.8.3,40.8.3,and41.0.3. CVE- RackisamodularRubywebserverinterface.Priortoversions2.2.23,3.1.21,and3.2.6,Rack::Sendfile#mapaccelpathinterpolatesthevalueoftheX-Accel-MappingrequestheaderdirectlyintoaregularexpressionwhenrewritingfilepathsforX- 2026- Accel-Redirect.Becausetheheadervalueisnotescaped,anattackerwhocansupplyX-Accel-MappingtothebackendcaninjectregexmetacharactersandcontrolthegeneratedX-Accel-Redirectresponseheader.IndeploymentsusingRack::Sendfile 34830 withx-accel-redirect,thiscanallowanattackertocausenginxtoserveunintendedfilesfromconfiguredinternallocations.Thisissuehasbeenpatchedinversions2.2.23,3.1.21,and3.2.6. 
CVE- Anon-defaultconfigurationinSageDPW202506004allowsunauthenticatedaccesstodiagnosticendpointswithintheDatabaseMonitorfeature,exposingsensitiveinformationsuchashashesandtablenames.Thisfeatureisdisabledbydefaultin2025- allinstallationsandneveravailableinSageDPWCloud.Itwasforciblydisabledagaininversion202506003.67805 CVE- 2025- IBMAsperaShares1.9.9through1.11.0usesweakerthanexpectedcryptographicalgorithmsthatcouldallowanattackertodecrypthighlysensitiveinformation 13916 CVE- vLLMisaninferenceandservingengineforlargelanguagemodels(LLMs).Fromversion0.5.5tobeforeversion0.18.0,Librosadefaultstousingnumpy.meanformonodownmixing(tomono),whiletheinternationalstandardITU-RBS.775-4specifies 2026- aweighteddownmixingalgorithm.Thisdiscrepancyresultsininconsistencybetweenaudioheardbyhumans(e.g.,throughheadphones/regularspeakers)andaudioprocessedbyAImodels(WhichinfraviaLibrosa,suchasvllm,transformer).This 34760 issuehasbeenpatchedinversion0.18.0. 
CVE- LTIJupyterHubAuthenticatorisaJupyterHubauthenticatorforLTI.Priortoversion1.6.3,theLTI1.1validatorstoresOAuthnoncesinaclass-leveldictionarythatgrowswithoutbounds.Noncesareaddedbeforesignaturevalidation,soanattacker2026- withknowledgeofavalidconsumerkeycansendrepeatedrequestswithuniquenoncestograduallyexhaustservermemory,causingadenialofservice.Thisissuehasbeenpatchedinversion1.6.3.34052 CVE- Anissuethatcouldpreventsessioninactivitytimeoutsfromtriggeringduetoautomaticpagereloadinghasbeenresolved.ThisisaninstanceofCWE-613:InsufficientControlofResourcesAfterExpirationorRelease,andhasanestimatedCVSS2026- scoreofCVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N(5.9Medium).Thisissuewasfixedinversion4.0.260203.0oftherunZeroPlatform.5376 CVE- TheleancryptolibraryisacryptographiclibrarythatexclusivelycontainsonlyPQC-resistantcryptographicalgorithms.Priortoversion1.7.1,lcx509extractnamesegment()castssizetvlentouint8twhenstoringtheCommonName(CN)length. 2026- AnattackerwhocraftsacertificatewithCN=victim'sCN+256bytespaddinggetscnsize=(uint8t)(256+N)=N,whereNisthevictim'sCNlength.ThefirstNbytesoftheattacker'sCNarethevictim'sidentity.Afterparsing,theattacker's 34610 certificatehasanidenticalCNtothevictim's--enablingidentityimpersonationinPKCS#7verification,certificatechainmatching,andcodesigning.Thisissuehasbeenpatchedinversion1.7.1. 
OpenEXRprovidesthespecificationandreferenceimplementationoftheEXRfileformat,animagestorageformatforthemotionpictureindustry.From3.2.0tobefore3.2.7,3.3.9,and3.4.9,asignedintegeroverflowexistsinundopxr24impl()in CVE- src/lib/OpenEXRCore/internalpxr24.catline377.Theexpression(uint64t)(w3)computesw3asasigned32-bitintegerbeforecastingtouint64t.Whenwislarge,thismultiplicationconstitutesundefinedbehaviorundertheCstandard.On 2026- testedbuilds(clang/gccwithoutsanitizers),two's-complementwraparoundcommonlyoccurs,andforspecificvaluesofwthewrappedresultisasmallpositiveinteger,whichmayallowthesubsequentboundschecktopassincorrectly.Ifthecheckis 34380 bypassed,thedecodingloopproceedstowritepixeldatathroughdout,potentiallyextendingfarbeyondtheallocatedoutputbuffer.Thisvulnerabilityisfixedin3.2.7,3.3.9,and3.4.9. CVE- Electronisaframeworkforwritingcross-platformdesktopapplicationsusingJavaScript,HTMLandCSS.Priortoversions38.8.6,39.8.1,40.8.1,and41.0.0,aserviceworkerrunninginasessioncouldspoofreplymessagesontheinternalIPCchannel 2026- usedbywebContents.executeJavaScript()andrelatedmethods,causingthemain-processpromisetoresolvewithattacker-controlleddata.Appsareonlyaffectediftheyhaveserviceworkersregisteredandusetheresultof 34778 webContents.executeJavaScript()(orwebFrameMain.executeJavaScript())insecurity-sensitivedecisions.Thisissuehasbeenpatchedinversions38.8.6,39.8.1,40.8.1,and41.0.0. 
CVE- DiscountisanimplementationofJohnGruber'sMarkdownmarkuplanguageinC.From1.3.1.1tobefore2.2.7.4,asignedlengthtruncationbugcausesanout-of-boundsreadinthedefaultMarkdownparsepath.InputslargerthanINTMAXare2026- truncatedtoasignedintbeforeenteringthenativeparser,allowingtheparsertoreadpasttheendofthesuppliedbufferandcrashtheprocess.Thisvulnerabilityisfixedin2.2.7.4.35201 CVE- Anissuethatcouldallowacredentialtobeupdatedandusedforataskfromoutsideoftheauthorizedorganizationscopehasbeenresolved.ThisisaninstanceofCWE-863:IncorrectAuthorization,andhasanestimatedCVSSscoreof CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N(5.8Medium).Thisissuewasfixedinversion4.0.26021.0oftherunZeroPlatform.

CVE- ThewhisperXAPIisatoolforenhancingandanalyzingaudiocontent.From0.3.1to0.5.0,FileService.downloadfromurl()inapp/services/fileservice.pycallsrequests.get(url)withzeroURLvalidation.ThefileextensioncheckoccursAFTERtheHTTP requestisalreadymade,andcanbebypassedbyappending.mp3toanyinternalURL.The/speech-to-text-urlendpointisunauthenticated.Thisvulnerabilityisfixedin0.6.0. 34981 CVE- Electronisaframeworkforwritingcross-platformdesktopapplicationsusingJavaScript,HTMLandCSS.Priortoversions38.8.6,39.8.0,40.7.0,and41.0.0-beta.8,appsthatallowdownloadsandprogrammaticallydestroysessionsmaybevulnerable toause-after-free.Ifasessionistorndownwhileanativesave-filedialogisopenforadownload,dismissingthedialogdereferencesfreedmemory,whichmayleadtoacrashormemorycorruption.Appsthatdonotdestroysessionsatruntime,or 34772 thatdonotpermitdownloads,arenotaffected.Thisissuehasbeenpatchedinversions38.8.6,39.8.0,40.7.0,and41.0.0-beta.8. 
CVE- EllaCoreisa5Gcoredesignedforprivatenetworks.Priortoversion1.8.0,EllaCorepanicswhenprocessingaNGAPhandoverfailuremessage.AnattackerabletocauseagNodeBtosendNGAPhandoverfailuremessagestoEllaCorecancrashthe2026- process,causingservicedisruptionforallconnectedsubscribers.Thisissuehasbeenpatchedinversion1.8.0.34761 CVE- AnissuethatallowedMCPagentstoaccessremediationandassetinformationfromoutsideoftheauthorizedorganizationscopehasbeenresolved.ThisisaninstanceofCWE-863:IncorrectAuthorization,andhasanestimatedCVSSscoreof2026- CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N(5.8Medium).Thisissuewasfixedinversion4.0.260202.0oftherunZeroPlatform.5374 CVE- Anissuethatallowedadministratorstocreateandupdateusersoutsideoftheirauthorizedorganizationscopehasbeenresolved.ThisisaninstanceofCWE-863:IncorrectAuthorization,andhasanestimatedCVSSscoreof2026- CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N(5.8Medium).Thisissuewasfixedinversion4.0.260203.0oftherunZeroPlatform.5378 CVE- 2025- NokiaMantaRayNMisvulnerabletoaRelativePathTraversalvulnerabilityduetoimpropervalidationofinputparameteronthefilesysteminSoftwareManagerapplication. 
24819 CocoaMQTTisaMQTT5.0clientlibraryforiOSandmacOSwritteninSwift.Priortoversion2.2.2,avulnerabilityexistsinthepacketparsinglogicofCocoaMQTTthatallowsanattacker(oracompromised/maliciousMQTTbroker)toremotelycrashtheCVE- hostiOS/macOS/tvOSapplication.Ifanattackerpublishesthe4-bytemalformedpayloadtoasharedtopicwiththeRETAINflagsettotrue,theMQTTbrokerwillpersistthepayload.Anytimeavulnerableclientconnectsandsubscribestothattopic,2026- thebrokerwillautomaticallypushthemalformedpacket.Theappwillinstantlycrashinthebackgroundbeforetheusercaneveninteractwithit.Thiseffectively"bricks"themobileapplication(apersistentDoS)untiltheretainedmessageis30867 manuallywipedfromthebrokerdatabase.Thisissuehasbeenpatchedinversion2.2.2. CVE- AvulnerabilitywasfoundinCesantaMongooseupto7.20.Thisimpactsthefunctionhandlemdnsrecordofthefilemongoose.cofthecomponentmDNSRecordHandler.Performingamanipulationoftheargumentbufresultsinstack-basedbuffer 2026- overflow.Remoteexploitationoftheattackispossible.Ahighdegreeofcomplexityisneededfortheattack.Theexploitabilityissaidtobedifficult.Theexploithasbeenmadepublicandcouldbeused.Upgradingtoversion7.21willfixthisissue. 5245 Thepatchisnamed0d882f1b43ff2308b7486a56a9d60cd6dba8a3f1.Youshouldupgradetheaffectedcomponent.Thevendorwascontactedearly,respondedinaveryprofessionalmannerandquicklyreleasedafixedversionoftheaffectedproduct. 
CVE- Avulnerabilitywasdetectedinkalcaddlekodboxupto1.64.ThisaffectsanunknownfunctionofthecomponentshareMake/shareCheck.PerformingamanipulationoftheargumentsiteFrom/siteToresultsinserver-siderequestforgery.Theattackis2026- possibletobecarriedoutremotely.Thecomplexityofanattackisratherhigh.Theexploitabilityisreportedasdifficult.Theexploitisnowpublicandmaybeused.Thevendorwascontactedearlyaboutthisdisclosurebutdidnotrespondinanyway.5618 CVE- AvulnerabilitywasdeterminedinCesantaMongooseupto7.20.Affectedisthefunctionmgtlsverifycertsignatureofthefilemongoose.cofthecomponentP-384PublicKeyHandler.Executingamanipulationcanleadtoauthorizationbypass.The 2026- attackcanbeexecutedremotely.Attacksofthisnaturearehighlycomplex.Theexploitabilityistoldtobedifficult.Theexploithasbeenpubliclydisclosedandmaybeutilized.Upgradingtoversion7.21isabletoaddressthisissue.Thispatchis 5246 called0d882f1b43ff2308b7486a56a9d60cd6dba8a3f1.Theaffectedcomponentshouldbeupgraded.Thevendorwascontactedearly,respondedinaveryprofessionalmannerandquicklyreleasedafixedversionoftheaffectedproduct. 
CVE- Aflawwasfoundinlibtheora.Thisheap-basedout-of-boundsreadvulnerabilityexistswithintheAVI(AudioVideoInterleave)parser,specificallyintheaviparseinputfile()function.Alocalattackercouldexploitthisbytrickingauserintoopeninga2026- speciallycraftedAVIfilecontainingatruncatedheadersub-chunk.Thiscouldleadtoadenial-of-service(applicationcrash)orpotentiallyleaksensitiveinformationfromtheheap.5673 CVE- AvulnerabilitywasfoundinTendaCX12L16.03.53.12.AffectedbythisvulnerabilityisthefunctionfromP2pListFilterofthefile/goform/P2pListFilter.Performingamanipulationoftheargumentpageresultsinstack-basedbufferoverflow.Theattack2026- mustoriginatefromthelocalnetwork.Theexploithasbeenmadepublicandcouldbeused.5683 CVE- Theapplicationdoesnotvalidatethepresenceofrequiredappearance(AP)databeforeaccessingstampannotationresources.WhenaPDFcontainsastampannotationmissingitsAPentry,thecodecontinuestodereferencetheassociatedobject2026- withoutapriornullorvaliditycheck,whichallowsacrafteddocumenttotriggeranullpointerdereferenceandcrashtheapplication,resultingindenialofservice.3776 CVE- AvahiisasystemwhichfacilitatesservicediscoveryonalocalnetworkviathemDNS/DNS-SDprotocolsuite.Priortoversion0.9-rc4,anyunprivilegedlocalusercancrashavahi-daemonbysendingasingleD-Busmethodcallwithconflictingpublish2026- flags.Thisissuehasbeenpatchedinversion0.9-rc4.34933 CVE- AnyBurn4.3x86containsadenialofservicevulnerabilitythatallowslocalattackerstocrashtheapplicationbysupplyinganexcessivelylongstringtotheimageconversionfunction.Attackerscanpastealargebufferintothesourceordestination2019- imagefilefieldsandclickConvertNowtotriggeracrash.25657 CVE- 
a-MacAddressChange5.4containsalocalbufferoverflowvulnerabilitythatallowslocalattackerstocrashtheapplicationbysupplyingoversizedinputtoregistrationformfields.Attackerscanpaste212bytesofdataintothe'YourName','Your2019- Company',or'RegisterCode'fieldsandclicktheRegisterbuttontotriggeradenialofservicecrash.25658 CVE- AvulnerabilitywasdeterminedinNASAcFSupto7.0.0.ThisimpactsthefunctionCFESBTransmitMsgofthefilecfesbpriv.cofthecomponentCCSDSHeaderSizeHandler.Executingamanipulationcanleadtomemorycorruption.Theprojectwas2026- informedoftheproblemearlythroughanissuereportbuthasnotrespondedyet.5475 CVE- 2025- IBMAsperaShares1.9.9through1.11.0isvulnerabletostoredcross-sitescripting.ThisvulnerabilityallowsuserstoembedarbitraryJavaScriptcodeintheWebUIthusalteringtheintendedfunctionalitypotentiallyleadingtocredentialsdisclosure 66484 withinatrustedsession.


CVE- Aflawwasfoundinlibarchive.ANULLpointerdereferencevulnerabilityexistsintheACLparsinglogic,specificallywithinthearchiveaclfromtextnl()function.WhenprocessingamalformedACLstring(suchasabare"d"or"default"tagwithout 2026- subsequentfields),thefunctionfailstoperformadequatevalidationbeforeadvancingthepointer.Anattackercanexploitthisbyprovidingamaliciouslycraftedarchive,causinganapplicationutilizingthelibarchiveAPI(suchasbsdtar)tocrash, 5745 resultinginaDenialofService(DoS). CVE- OpenNeuralNetworkExchange(ONNX)isanopenstandardformachinelearninginteroperability.Priortoversion1.21.0,thereisasymlinktraversalvulnerabilityinexternaldataloadingallowsreadingfilesoutsidethemodeldirectory.Thisissuehas2026- beenpatchedinversion1.21.0.34447 CVE- IPTOOLS2.50containsalocalbufferoverflowvulnerabilityintheSNMPScannercomponentthatallowslocalattackerstocrashtheapplicationbysupplyingoversizedinput.Attackerscanpastemaliciousdataintothe'FromAddr'and'ToAddr'fields andtriggerthecrashbyclickingtheStartbutton,causingdenialofserviceandSEHoverwrite.25256 CVE- CopierisalibraryandCLIappforrenderingprojecttemplates.Priortoversion9.14.1,Copier'sexternaldatafeatureallowsatemplatetoloadYAMLfilesusingtemplate-controlledpaths.Ifuntrustedtemplatesareinscope,amalicioustemplatecan readattacker-chosenYAML-parseablelocalfilesthatareaccessibletotheuserrunningCopierandexposetheircontentsinrenderedoutput.Thisissuehasbeenpatchedinversion9.14.1.34730


BufferOverflowVulnerabilityinJP1/ITDesktopManagement2-ManageronWindows,JP1/ITDesktopManagement2-OperationsDirectoronWindows,JobManagementPartner1/ITDesktopManagement2-ManageronWindows,JP1/ITDesktop Management-ManageronWindows,JobManagementPartner1/ITDesktopManagement-ManageronWindows,JP1/NETM/DMManageronWindows,JP1/NETM/DMClientonWindows,JobManagementPartner1/SoftwareDistributionManageron CVE-Windows,JobManagementPartner1/SoftwareDistributionClientonWindows.ThisissueaffectsJP1/ITDesktopManagement2-Manager:from13-50before13-50-02,from13-11before13-11-04,from13-10before13-10-07,from13-01before13- 01-07,from13-00before13-00-05,from12-60before12-60-12,from10-50through12-50-11;JP1/ITDesktopManagement2-OperationsDirector:from13-50before13-50-02,from13-11before13-11-04,from13-10before13-10-07,from13-01 65116before13-01-07,from13-00before13-00-05,from12-60before12-60-12,from10-50through12-50-11;JobManagementPartner1/ITDesktopManagement2-Manager:from10-50through10-50-11;JP1/ITDesktopManagement-Manager:from 09-50through10-10-16;JobManagementPartner1/ITDesktopManagement-Manager:from09-50through10-10-16;JP1/NETM/DMManager:from09-00through10-20-02;JP1/NETM/DMClient:from09-00through10-20-02;JobManagementPartner 1/SoftwareDistributionManager:from09-00through09-51-13;JobManagementPartner1/SoftwareDistributionClient:from09-00through09-51-13. 
CVE-TheapplicationdoesnotproperlyvalidatethelifetimeandvalidityofinternalviewcachepointersafterJavaScriptchangesthedocumentzoomandpagestate.Whenascriptmodifiesthezoompropertyandthentriggersapagechange,theoriginal2026-viewobjectmaybedestroyedwhilestalepointersarestillkeptandlaterdereferenced,whichundercraftedJavaScriptanddocumentstructurescanleadtoause-after-freeconditionandpotentiallyallowarbitrarycodeexecution.3777 CVE-AsecurityvulnerabilityhasbeendetectedinTotolinkA3300R17.0.0cu.557B20221024.TheimpactedelementisthefunctionvsetTr069Cfgofthefile/cgi-bin/cstecgi.cgi.Themanipulationoftheargumentstunpassleadstooscommandinjection.2026-Theexploithasbeendisclosedpubliclyandmaybeused.5679 CVE- 2026-Anauthenticatedstoredcross-sitescripting(XSS)vulnerabilityinthecreation/editingmoduleofFeehiCMSv2.1.1allowsattackerstoexecutearbitrarywebscriptsorHTMLviainjectingacraftedpayloadintotheContentfield. 31313 CVE- 2026-MissingAuthorizationvulnerabilityinOceanWPOceanExtraallowsExploitingIncorrectlyConfiguredAccessControlSecurityLevels.ThisissueaffectsOceanExtra:fromn/athrough2.5.3. 34903 CVE-Pi-holeAdminInterfaceisawebinterfaceformanagingPi-hole,anetwork-leveladandinternettrackerblockingapplication.From6.0tobefore6.5,configurationvaluesfromthe/api/configendpointareplaceddirectlyintoHTMLvalue=""attributes 2026-withoutescapinginsettings-advanced.js,enablingHTMLattributeinjection.Adoublequoteinanyconfigvaluebreaksoutoftheattributecontext.JavaScriptexecutionisblockedbytheserver'sCSP(script-src'self'),butinjectedattributescanalter 33406elementstylingforUIredressing.Theprimaryattackvectorisimportingamaliciousteleporterbackup,whichbypassesper-fieldserver-sidevalidation.Thisvulnerabilityisfixedin6.5. 
CVE-Payloadisafreeandopensourceheadlesscontentmanagementsystem.Priortoversion3.79.1,aCross-SiteRequestForgery(CSRF)vulnerabilityexistsintheauthenticationflow.Undercertainconditions,theconfiguredCSRFprotectioncouldbe2026-bypassed,allowingcross-siterequeststobemade.Thisissuehasbeenpatchedinversion3.79.1.34749 CVE- 2026-hoppscotchisanopensourceAPIdevelopmentecosystem.Priortoversion2026.3.0,thereisastoredXSSvulnerabilityintheteammemberoverflowtooltipviadisplayname.Thisissuehasbeenpatchedinversion2026.3.0. 34848 CVE-HirschmannHiLCOSproductsOpenBAT,BAT450,WLC,BAT867containsafirewallfilteringvulnerabilitythatfailstocorrectlyfilterIPv4multicastandbroadcasttrafficwhenmanagementIPaddressfilteringisdisabled,allowingconfiguredfilterrules2017-tobebypassed.Attackerswithnetworkaccesscaninjectorobservemulticastandbroadcastpacketsthatshouldhavebeenblockedbythefirewall.20233 CVE- 2026-Anauthenticatedstoredcross-sitescripting(XSS)vulnerabilityinFeehiCMSv2.1.1allowsattackerstoexecutearbitrarywebscriptsorHTMLviainjectingacraftedpayloadintothePageSignparameter. 31350 CVE- 2026-Astoredcross-sitescripting(XSS)vulnerabilityinBynderv0.1.394allowsattackerstoexecutearbitrarywebscriptsorHTMLviaacraftedpayload. 
31153 CVE-IBMAsperaShares1.9.9through1.11.0isvulnerabletoHTTPheaderinjection,causedbyimpropervalidationofinputbytheHOSTheaders.Thiscouldallowanattackertoconductvariousattacksagainstthevulnerablesystem,includingcross-site2025-scripting,cachepoisoningorsessionhijacking.66485 CVE-OpenSourcePointofSaleisawebbasedpoint-of-saleapplicationwritteninPHPusingCodeIgniterframework.Priorto3.4.3,aStoredCross-SiteScripting(XSS)vulnerabilityexistsintheDailySalesmanagementtable.Thecustomernamecolumnis 2026-configuredwithescape:falseinthebootstrap-tablecolumnconfiguration,causingcustomernamestoberenderedasrawHTML.AnattackerwithcustomermanagementpermissionscaninjectarbitraryJavaScriptintoacustomer'sfirstnameor 32712lastnamefield,whichexecutesinthebrowserofanyuserviewingtheDailySalespage.Thisvulnerabilityisfixedin3.4.3. CVE- 2026-Anauthenticatedstoredcross-sitescripting(XSS)vulnerabilityintheRoleManagementmoduleofFeehiCMSv2.1.1allowsattackerstoexecutearbitrarywebscriptsorHTMLviainjectingacraftedpayloadintotheRoleNameparameter. 31352 CVE-Multiplestoredcross-sitescripting(XSS)vulnerabilitiesinthesubmitadd_user.aspendpointofDDSNInteractiveAcoraCMSv10.7.1allowattackerstoexecutearbitrarywebscriptsorHTMLviainjectingacraftedpayloadintotheFirstNameandLast2026-Nameparameters.29598 CVE- 2026-Anauthenticatedstoredcross-sitescripting(XSS)vulnerabilityintheCategorymoduleofFeehiCMSv2.1.1allowsattackerstoexecutearbitrarywebscriptsorHTMLviainjectingacraftedpayloadintotheNameparameter. 31353 CVE-OCSInventoryNGServerversion2.12.3andpriorcontainastoredcross-sitescriptingvulnerabilitythatallowsunauthenticatedattackerstoexecutearbitraryJavaScriptbysubmittingmaliciousUser-AgentHTTPheaderstothe/ocsinventoryendpoint. 
2026-AttackerscanregisterrogueagentsorcraftrequestswithmaliciousUser-Agentvaluesthatarestoredwithoutsanitationandrenderedwithinsufficientencodinginthewebconsole,leadingtoarbitraryJavaScriptexecutioninthebrowsersof 22675authenticatedusersviewingthestatisticsdashboard. Electronisaframeworkforwritingcross-platformdesktopapplicationsusingJavaScript,HTMLandCSS.Priortoversions38.8.6,39.8.1,40.8.1,and41.0.0,whenaniframerequestsfullscreen,pointerLock,keyboardLock,openExternal,ormediaCVE-permissions,theoriginpassedtosession.setPermissionRequestHandler()wasthetop-levelpage'soriginratherthantherequestingiframe'sorigin.AppsthatgrantpermissionsbasedontheoriginparameterorwebContents.getURL()may2026-inadvertentlygrantpermissionstoembeddedthird-partycontent.ThecorrectrequestingURLremainsavailableviadetails.requestingUrl.Appsthatalreadycheckdetails.requestingUrlarenotaffected.Thisissuehasbeenpatchedinversions38.8.6,3477739.8.1,40.8.1,and41.0.0. 
CVE-Multipleauthenticatedstoredcross-sitescripting(XSS)vulnerabilitiesinthePermissionsmoduleofFeehiCMSv2.1.1allowsattackerstoexecutearbitrarywebscriptsorHTMLviainjectingacraftedpayloadintotheGroup,CategoryorDescription2026-parameters.31354 CVE-OpenClawversionspriortocommit8aceaf5containapreflightvalidationbypassvulnerabilityinshell-bleedprotectionthatallowsattackerstoexecuteblockedscriptcontentbyusingpipedorcomplexcommandformsthattheparserfailsto recognize.Attackerscancraftcommandssuchaspipedexecution,commandsubstitution,orsubshellinvocationtobypassthevalidateScriptFileForShellBleed()validationchecksandexecutearbitraryscriptcontentthatwouldotherwisebeblocked.34425 CVE-IBMVerifyIdentityAccessContainer11.0through11.0.2andIBMSecurityVerifyAccessContainer10.0through10.0.9.1andIBMVerifyIdentityAccess11.0through11.0.2andIBMSecurityVerifyAccess10.0through10.0.9.1allowscertificate listingsretrievedviaabrowsersessiontoreturnaJSONpayloadwhileincorrectlyspecifyingtheresponseContent-Typeastext/html.BecausethecontentisdeliveredwithanHTMLMIMEtype,browsersmayinterprettheJSONdataasexecutable scriptundercertainconditions.ThiscreatesanopportunityforJavaScriptinjection,potentiallyleadingtocross-sitescripting(XSS).


CVE- TandoorRecipesisanapplicationformanagingrecipes,planningmeals,andbuildingshoppinglists.Priorto2.6.4,TandoorRecipesallowsauthenticateduserstoinjectarbitrary



Last updated

Classification

Agency
CSA
Published
April 8th, 2026
Instrument
Guidance
Legal weight
Non-binding
Stage
Final
Change scope
Minor

Who this affects

Applies to
Technology companies Government agencies
Industry sector
5112 Software & Technology
Activity scope
Cloud service patching Open source software updates Firmware updates
Geographic scope
Singapore SG

Taxonomy

Primary area
Cybersecurity
Operational domain
IT Security
Compliance frameworks
NIST CSF
Topics
Data Privacy International Trade
