
SingCERT Security Bulletin Lists Critical Vulnerabilities from NIST NVD

CSA Alerts & Advisories (Singapore)

Summary

SingCERT published its weekly Security Bulletin summarising vulnerabilities compiled from NIST's National Vulnerability Database. The bulletin tabulates vulnerabilities by CVSSv3 base-score severity: Critical (9.0-10.0), High (7.0-8.9), Medium (4.0-6.9), and Low (0.1-3.9). Critical vulnerabilities listed include CVE-2025-15638 affecting Net::Dropbear for Perl and CVE-2026-40911 affecting WWBN AVideo; high-severity entries include CVEs affecting Flowise, Spinnaker, OpenClaw, Firebird, Doorman, Cisco ISE, and OpenRemote. Users are directed to NVD for updated CVSS entries for unscored vulnerabilities.

Published by CSA on isomer-user-content.by.gov.sg. Detected, standardized, and enriched by GovPing.

What changed

SingCERT's weekly Security Bulletin aggregates newly reported vulnerabilities from NIST's National Vulnerability Database, organised by CVSSv3 base-score severity bands. The bulletin covers the Critical tier (CVSS 9.0-10.0) and High tier (CVSS 7.0-8.9) for the reporting week, listing CVE identifiers, base scores, descriptions, and links to NVD for further details.

Organisations in Singapore operating software or platforms referenced in the bulletin — including Net::Dropbear, AVideo, Flowise, Spinnaker, OpenClaw, Firebird, Doorman, Cisco ISE, and OpenRemote — should review their deployments against the listed CVE identifiers and apply available patches or mitigations referenced in NVD entries.

Archived snapshot

Apr 22, 2026

GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.

SecurityBulletin22April2026

Generatedon22April2026

SingCERT'sSecurityBulletinsummarisesthelistofvulnerabilitiescollatedfromtheNationalInstituteofStandardsandTechnology(NIST)'sNational VulnerabilityDatabase(NVD)inthepastweek. Thevulnerabilitiesaretabledbasedonseverity,inaccordancetotheirCVSSv3basescores: vulnerabilitieswithabasescoreof9.0toCritical 10.0 vulnerabilitieswithabasescoreof7.0toHigh 8.9 vulnerabilitieswithabasescoreof4.0toMedium 6.9 vulnerabilitieswithabasescoreof0.1toLow 3.9 None vulnerabilitieswithabasescoreof0.0 ForthosevulnerabilitieswithoutassignedCVSSscores,pleasevisitNVDfortheupdatedCVSSvulnerabilityentries.

CRITICALVULNERABILITIES

CVE Base Description ReferenceNumber Score

Net::Dropbearversionsbefore0.14forPerlcontainsavulnerableversionoflibtomcrypt.Net::DropbearversionsCVE-2025-before0.14includesversionsofDropbear2019.78orearlier.Theseincludeversionsoflibtomcryptv1.18.1orearlier, 10.0 MoreDetails15638whichisaffectedbyCVE-2016-6129andCVE-2018-12437. WWBNAVideoisanopensourcevideoplatform.Inversions29.0andprior,theYPTSocketplugin'sWebSocketserver relaysattacker-suppliedJSONmessagebodiestoeveryconnectedclientwithoutsanitizingthemsgorcallback fields.Ontheclientside,plugin/YPTSocket/script.jscontainstwoeval()sinksfeddirectlybythoserelayedfields CVE-2026-(json.msg.autoEvalCodeOnHTMLatline568andjson.callbackatline95).Becausetokensaremintedfor 10.0 MoreDetails40911anonymousvisitorsandneverrevalidatedbeyonddecryption,anunauthenticatedattackercanbroadcastarbitrary JavaScriptthatexecutesintheoriginofeverycurrently-connecteduser(includingadministrators),resultingin universalaccounttakeover,sessiontheft,andprivilegedactionexecution.Commit c08694bf6264eb4decceb78c711baee2609b4efdcontainsafix. Storableversionsbefore3.05forPerlhasastackoverflow.Theretrieve_hookfunctionstoredthelengthoftheclassCVE-2017-nameintoasignedintegerbutinreadoperationstreatedthelengthasunsigned.Thisallowedanattackertocraft 10.0 MoreDetails20230datathatcouldtriggertheoverflow. 
Flowiseisadrag&dropuserinterfacetobuildacustomizedlargelanguagemodelflow.Priorto3.1.0,duetounsafe serializationofstdiocommandsintheMCPadapter,anauthenticatedattackercanaddanMCPstdioserverwithan arbitrarycommand,achievingcommandexecution.Thevulnerabilityliesinabugintheinputsanitizationfromthe CVE-2026-"CustomMCP"configurationinhttp://localhost:3000/canvas-whereanyusercanaddanewMCP,whendoingso- 9.9 MoreDetails40933addinganewMCPusingstdio,theusercanaddanycommand,eventhoughyourcodehaveinputsanitizationchecks suchasvalidateCommandInjectionandvalidateArgsForLocalFileAccess,andalistofpredefinedspecificsafe commands-thesecommands,forexample"npx"canbecombinedwithcodeexecutionarguments("-ctouch /tmp/pwn")thatenabledirectcodeexecutionontheunderlyingOS.Thisvulnerabilityisfixedin3.1.0. Spinnakerisanopensource,multi-cloudcontinuousdeliveryplatform.Inversionspriorto2026.1.0,2026.0.1, CVE-2026-2025.4.2,and2025.3.2,abadactorcanexecutearbitrarycommandsverysimplyontheclouddriverpods.Thiscan 9.9 MoreDetails32604exposecredentials,removefiles,orinjectresourceseasily.Versions2026.1.0,2026.0.1,2025.4.2,and2025.3.2 containapatch.Asaworkaround,disablethegitrepoartifacttypes. 
Spinnakerisanopensource,multi-cloudcontinuousdeliveryplatform.Echolikesomeotherservices,usesSPeL (SpringExpressionLanguage)toprocessinformation-specificallyaroundexpectedartifacts.Inversionspriorto CVE-2026-2026.1.0,2026.0.1,2025.4.2,and2025.3.2,unlikeorca,itwasNOTrestrictingthatcontexttoasetoftrusted 9.9 MoreDetails32613classes,butallowingFULLJVMaccess.Thisenabledausertousearbitraryjavaclasseswhichallowdeepaccessto thesystem.Thisenabledtheabilitytoinvokecommands,accessfiles,etc.Versions2026.1.0,2026.0.1,2025.4.2, and2025.3.2containapatch.Asaworkaround,disableechoentirely. OpenClawbefore2026.3.31containsasandboxbypassvulnerabilityallowingattackerstoescalateprivilegesviaCVE-2026-heartbeatcontextinheritanceandsenderIsOwnerparametermanipulation.Attackerscanexploitimpropercontext 9.9 MoreDetails41329validationtobypasssandboxrestrictionsandachieveunauthorizedprivilegeescalation.

externalenginepluginloaderconcatenatesauser-suppliedenginenameintoafilesystempathwithoutfilteringpath

CVE-2026- separatorsor..components.AnauthenticateduserwithCREATEFUNCTIONprivilegescanuseacraftedENGINE 9.9 MoreDetails 40342 nametoloadanarbitrarysharedlibraryfromanywhereonthefilesystemviapathtraversal.Thelibrary'sinitialization codeexecutesimmediatelyduringloading,beforeFirebirdvalidatesthemodule,achievingcodeexecutionasthe server'sOSaccount.Thisissuehasbeenfixedinversions5.0.4,4.0.7and3.0.14. ImproperaccesscontrolinDoormanv0.1.0andv1.0.2allowsanyauthenticatedusertoupdatetheirownaccountCVE-2026- roletoanon-adminprivilegedrolevia/platform/user/{username}.Therolefieldisacceptedbytheupdatemodel 9.9 MoreDetails30269 withoutamanageuserspermissioncheckforself-updates,enablingprivilegeescalationtohigh-privilegedroles. AvulnerabilityinCiscoIdentityServicesEngine(ISE)couldallowanauthenticated,remoteattackertoexecute arbitrarycommandsontheunderlyingoperatingsystemofanaffecteddevice.Toexploitthisvulnerability,the attackermusthaveatleastReadOnlyAdmincredentials.Thisvulnerabilityisduetoinsufficientvalidationofuser- CVE-2026- suppliedinput.AnattackercouldexploitthisvulnerabilitybysendingacraftedHTTPrequesttoanaffecteddevice.A 9.9 MoreDetails20186 successfulexploitcouldallowtheattackertoobtainuser-levelaccesstotheunderlyingoperatingsystemandthen elevateprivilegesto root.Insingle-nodeISEdeployments,successfulexploitationofthesevulnerabilitiescould causetheaffectedISEnodetobecomeunavailable,resultinginadenialofservice(DoS)condition.Inthatcondition, endpointsthathavenotalreadyauthenticatedwouldbeunabletoaccessthenetworkuntilthenodeisrestored. 
OpenRemoteisanopen-sourceIoTplatform.Versions1.21.0andbelowcontaintwointerrelatedexpressioninjection vulnerabilitiesintherulesenginethatallowarbitrarycodeexecutionontheserver.TheJavaScriptrulesengine executesuser-suppliedscriptsviaNashorn'sScriptEngine.eval()withoutsandboxing,classfiltering,oraccess restrictions,andtheauthorizationcheckinRulesResourceImplonlyrestrictsGroovyrulestosuperuserswhileleaving CVE-2026- JavaScriptrulesunrestrictedforanyuserwiththewrite:rulesrole.Additionally,theGroovyrulesenginehasa 9.9 MoreDetails39842 GroovyDenyAllFiltersecurityfilterthatisdefinedbutneverregistered,astheregistrationcodeiscommentedout, renderingtheSandboxTransformerineffectiveforsuperuser-createdGroovyrules.Anon-superuserattackerwiththe write:rulesrolecancreateJavaScriptrulesetsthatexecutewithfullJVMaccess,enablingremotecodeexecutionas root,arbitraryfileread,environmentvariabletheftincludingdatabasecredentials,andcompletemulti-tenant isolationbypasstoaccessdataacrossallrealms.Thisissuehasbeenfixedinversion1.22.0. 
AvulnerabilityinCiscoIdentityServicesEngine(ISE)couldallowanauthenticated,remoteattackertoexecute arbitrarycommandsontheunderlyingoperatingsystemofanaffecteddevice.Toexploitthisvulnerability,the attackermusthaveatleastReadOnlyAdmincredentials.Thisvulnerabilityisduetoinsufficientvalidationofuser- CVE-2026- suppliedinput.AnattackercouldexploitthisvulnerabilitybysendingacraftedHTTPrequesttoanaffecteddevice.A 9.9 MoreDetails20180 successfulexploitcouldallowtheattackertoobtainuser-levelaccesstotheunderlyingoperatingsystemandthen elevateprivilegesto root.Insingle-nodeISEdeployments,successfulexploitationofthesevulnerabilitiescould causetheaffectedISEnodetobecomeunavailable,resultinginadenialofservice(DoS)condition.Inthatcondition, endpointsthathavenotalreadyauthenticatedwouldbeunabletoaccessthenetworkuntilthenodeisrestored. AvulnerabilityinCiscoISEandCiscoISE-PICcouldallowanauthenticated,remoteattackertoexecutearbitrary commandsontheunderlyingoperatingsystemofanaffecteddevice.Toexploitthisvulnerability,theattackermust havevalidadministrativecredentials.Thisvulnerabilityisduetoinsufficientvalidationofuser-suppliedinput.An CVE-2026- attackercouldexploitthisvulnerabilitybysendingacraftedHTTPrequesttoanaffecteddevice.Asuccessfulexploit 9.9 MoreDetails20147 couldallowtheattackertoobtainuser-levelaccesstotheunderlyingoperatingsystemandthenelevateprivilegesto root.Insingle-nodeISEdeployments,successfulexploitationofthisvulnerabilitycouldcausetheaffectedISEnodeto becomeunavailable,resultinginadenialofservice(DoS)condition.Inthatcondition,endpointsthathavenot alreadyauthenticatedwouldbeunabletoaccessthenetworkuntilthenodeisrestored. 
ElectricisaPostgressyncengine.From1.1.12tobefore1.5.0,theorderbyparameterintheElectricSQL/v1/shape CVE-2026- APIisvulnerabletoerror-basedSQLinjection,allowinganyauthenticatedusertoread,write,anddestroythefull 9.9 MoreDetails40906 contentsoftheunderlyingPostgreSQLdatabasethroughcraftedORDERBYexpressions.Thisvulnerabilityisfixedin 1.5.0.

Priortocommit45d48d1f2e8e0d73e80bc1fd5310cb57f4547302,theTGAcodec'sRLEdecoderintga.chasan CVE-2026-asymmetricboundscheckvulnerability.Therun-packetpath(line297)correctlyclampstherepeatcounttothe 40494remainingbufferspace,buttheraw-packetpath(line305-311)hasnoequivalentboundscheck.Thisallowswriting upto496bytesofattacker-controlleddatapasttheendofaheapbuffer.Commit 45d48d1f2e8e0d73e80bc1fd5310cb57f4547302patchestheissue. DagAuthors,whonormallyshouldnotbeabletoexecutecodeinthewebservercontextcouldcraftXCompayloadCVE-2026-causingthewebservertoexecutearbitrarycode.SinceDagAuthorsarealreadyhighlytrusted,severityofthisissue25917isLow.UsersarerecommendedtoupgradetoApacheAirflow3.2.0,whichfixestheissue. NEMUcontainsanimplementationflawinitsRISC-VHypervisorCSRhandlingwherehenvcfg[7:4](CBIE/CBCFE/CBZE- relatedfields)isincorrectlymasked/updatedbasedonmenvcfg[7:4],soamachine-modewritetomenvcfgcanCVE-2026-implicitlymodifythehypervisor'senvironmentconfiguration.Thiscanleadtoincorrectenforcementofvirtualization29649configurationandmaycauseunexpectedtrapsordenialofservicewhenexecutingcache-blockmanagement instructionsinvirtualizedcontexts(V=1). CVE-2026-EasyFlow.NETdevelopedbyDigiwinhasaSQLInjectionvulnerability,allowingunauthenticatedremoteattackersto 5963injectarbitrarySQLcommandstoread,modify,anddeletedatabasecontents. CVE-2026-EasyFlow.NETdevelopedbyDigiwinhasaSQLInjectionvulnerability,allowingunauthenticatedremoteattackersto 5964injectarbitrarySQLcommandstoread,modify,anddeletedatabasecontents. SGLang'srerankingendpoint(/v1/rerank)achievesRemoteCodeExecution(RCE)whenamodelfilecontainingaCVE-2026-malcioustokenizer.chat_templateisloaded,astheJinja2chattemplatesarerenderedusinganunsandboxed jinja2.Environment(). 
Vvvebpriorto1.0.8.1containsacodeinjectionvulnerabilityintheinstallationendpointwherethesubdirPOST CVE-2026-parameteriswrittenunsanitizedintotheenv.phpconfigurationfilewithoutescapingorvalidation.Attackerscan

39918 injectarbitraryPHPcodebybreakingoutofthestringcontextinthedefinestatementtoachieveunauthenticated remotecodeexecutionasthewebserveruser.

Priortocommit36aa5c7ec8a2bb35f6fb867a1177a6f141156b02,theXWDcodecresolvespixelformatbasedon pixmap_depthbutthebyte-swapcodeusesbits_per_pixelindependently.Whenpixmap_depth=8CVE-2026-(BPP8INDEXED,1byte/pixelbuffer)but`bitsperpixel=32,thebyte-swaploopaccessesmemoryasuint32t*, 9.8 MoreDetails40492reading/writing4xtheallocatedbuffersize.ThisisadifferentvulnerabilityfromthepreviouslyreportedGHSA-3g38- x2pj-mv55(CVE-2026-27168),whichaddressedbytesperline`validation.Commit 36aa5c7ec8a2bb35f6fb867a1177a6f141156b02containsapatch.

CVE-2026-32956
SD-330AC and AMC Manager provided by silex technology, Inc. contain a heap-based buffer overflow vulnerability in processing the redirect URLs. Arbitrary code may be executed on the device.

CVE-2026-5965
NewSoft OA developed by NewSoft has an OS Command Injection vulnerability, allowing unauthenticated local attackers to inject arbitrary OS commands and execute them on the server.

CVE-2026-29646
In OpenXiangShan NEMU prior to 55295c4, when running with RVH (Hypervisor extension) enabled, a VS-mode guest write to the supervisor interrupt-enable CSR (sie) may be handled incorrectly and can influence machine-level interrupt enable state (mie). This breaks privilege/virtualization isolation and can lead to denial of service or privilege-boundary violation in environments relying on NEMU for correct interrupt virtualization.

CVE-2026-5450
Calling the scanf family of functions with a %mc (malloc'd character match) in the GNU C Library version 2.7 to version 2.43 with a format width specifier with an explicit width greater than 1024 could result in a one byte heap buffer overflow.

CVE-2026-6748
Uninitialized memory in the Audio/Video: WebCodecs component. This vulnerability was fixed in Firefox 150, Firefox

CVE-2026-6768
Mitigation bypass in the Networking: Cookies component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.

CVE-2026-6771
Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10,

CVE-2026-40050
CrowdStrike has released security updates to address a critical unauthenticated path traversal vulnerability (CVE-2026-40050) in LogScale. This vulnerability only requires mitigation by customers that host specific versions of LogScale and does not affect Next-Gen SIEM customers. The vulnerability exists in a specific cluster API endpoint that, if exposed, allows a remote attacker to read arbitrary files from the server filesystem without authentication. Next-Gen SIEM customers are not affected and do not need to take any action. CrowdStrike mitigated the vulnerability for LogScale SaaS customers by deploying network-layer blocks to all clusters on April 7, 2026. We have proactively reviewed all log data and there is no evidence of exploitation. LogScale Self-hosted customers should upgrade to a patched version immediately to remediate the vulnerability. CrowdStrike identified this vulnerability during continuous and ongoing product testing.

CVE-2026-40884
goshs is a Simple HTTP Server written in Go. Prior to 2.0.0-beta.6, goshs contains an SFTP authentication bypass when the documented empty-username basic-auth syntax is used. If the server is started with -b ':pass' together with -sftp, goshs accepts that configuration but does not install any SFTP password handler. As a result, an unauthenticated network attacker can connect to the SFTP service and access files without a password. This vulnerability is fixed in 2.0.0-beta.6.

CVE-2026-33518
An incorrect privilege assignment vulnerability exists in Esri Portal for ArcGIS 11.5 in Windows and Linux that allows highly privileged users to create developer credentials that may grant more privileges than expected.

CVE-2026-33519
An incorrect authorization vulnerability exists in Esri Portal for ArcGIS 11.4, 11.5 and 12.0 on Windows, Linux and Kubernetes that did not correctly check permissions assigned to developer credentials.

CVE-2026-34275
Vulnerability in the Oracle Advanced Inbound Telephony product of Oracle E-Business Suite (component: Setup and Administration). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Advanced Inbound Telephony. Successful attacks of this vulnerability can result in takeover of Oracle Advanced Inbound Telephony. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

CVE-2026-40351
FastGPT is an AI Agent building platform. In versions prior to 4.14.9.5, the password-based login endpoint uses TypeScript type assertion without runtime validation, allowing an unauthenticated attacker to pass a MongoDB query operator object (e.g., {"$ne":""}) as the password field. This NoSQL injection bypasses the password check, enabling login as any user including the root administrator. This issue has been fixed in version 4.14.9.5.

CVE-2026-1555
The WebStack theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ioimgupload() function in all versions up to, and including, 1.2024. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

CVE-2026-31843
The goodoneuz/pay-uz Laravel package (<=2.2.24) contains a critical vulnerability in the /payment/api/editable/update endpoint that allows unauthenticated attackers to overwrite existing PHP payment hook files. The endpoint is exposed via Route::any() without authentication middleware, enabling remote access without credentials. User-controlled input is directly written into executable PHP files using file_put_contents(). These files are later executed via require() during normal payment processing workflows, resulting in remote code execution under default application behavior. The payment secret token mentioned by the vendor is unrelated to this endpoint and does not mitigate the vulnerability.

DataEaseisanopensourcedatavisualizationanalysistool.Versions2.10.20andbelowcontainaSQLinjection vulnerabilityinthedatasetexportfunctionality.TheexpressionTreeparameterinPOST /de2api/datasetTree/exportDatasetisdeserializedintoafilteringobjectandpassedtoWhereTree2Str.transFilterTreesCVE-2026-forSQLtranslation,whereuser-controlledvaluesin"like"filtertermsaredirectlyconcatenatedintoSQLfragments33082withoutsanitization.AnattackercaninjectarbitrarySQLcommandsbyescapingthestringliteralinthefiltervalue, enablingblindSQLinjectionthroughtechniquessuchastime-basedextractionofdatabaseinformation.Thisissue hasbeenfixedinversion2.10.21. TheVisaAcceptanceSolutionspluginforWordPressisvulnerabletoAuthenticationBypassinallversionsupto,and including,2.1.0.Thisisduetotheexpress_pay_product_page_pay_for_order()functionloggingusersinbasedsolely CVE-2026-onauser-suppliedbillingemailaddressduringguestcheckoutforsubscriptionproducts,withoutverifyingemail 3461ownership,requiringapassword,orvalidatingaone-timetoken.Thismakesitpossibleforunauthenticatedattackers tologinasanyexistinguser,includingadministrators,byprovidingthetargetuser'semailaddressinthe billingdetailsparameter,resultingincompleteaccounttakeoverandsitecompromise. Upsonic0.71.6containsaremotecodeexecutionvulnerabilityinitsMCPserver/taskcreationfunctionality.The applicationallowsuserstodefineMCPtaskswitharbitrarycommandandargsvalues.Althoughanallowlistexists, CVE-2026-certainallowedcommands(npm,npx)acceptargumentflagsthatenableexecutionofarbitraryOScommands. 30625MaliciouslycraftedMCPtasksmayleadtoremotecodeexecutionwiththeprivilegesoftheUpsonicprocess.In version0.72.0UpsonicaddedawarningaboutusingStdioserversbeingabletoexecutecommandsdirectlyonthe machine. 
Avulnerabilityintheintegrationofsinglesign-on(SSO)withControlHubinCiscoWebexServicescouldhaveallowed anunauthenticated,remoteattackertoimpersonateanyuserwithintheservice.ThisvulnerabilityexistedbecauseofCVE-2026-impropercertificatevalidation.Priortothisvulnerabilitybeingaddressed,anattackercouldhaveexploitedthis20184vulnerabilitybyconnectingtoaserviceendpointandsupplyingacraftedtoken.Asuccessfulexploitcouldhave allowedtheattackertogainunauthorizedaccesstolegitimateCiscoWebexservices. CVE-2026-SlahCMSv1.5.0andbelowwasdiscoveredtocontainaremotecodeexecution(RCE)vulnerabilityinthesession() 30993functionatconfig.php.Thisvulnerabilityisexploitableviaacraftedinput. TheBarcodeScanner(+MobileApp)-Inventorymanager,Orderfulfillmentsystem,POS(PointofSale)pluginfor WordPressisvulnerabletoprivilegeescalationviainsecuretoken-basedauthenticationinallversionsupto,and including,1.11.0.Thisisduetotheplugintrustingauser-suppliedBase64-encodeduserIDinthetokenparametertoCVE-2026-identifyusers,leakingvalidauthenticationtokensthroughthe'barcodeScannerConfigs'action,andlackingmeta-key4880restrictionsonthe'setUserMeta'action.Thismakesitpossibleforunauthenticatedattackerstoescalatetheir privilegestothatofanadministratorbyfirstspoofingtheadminuserIDtoleaktheirauthenticationtoken,thenusing thattokentoupdateanyuser's'wpcapabilities'metatogainfulladministrativeaccess. CreolabsGravitybefore0.9.6containsaheapbufferoverflowvulnerabilityinthegravityvmexecfunctionthat CVE-2026-allowsattackerstowriteout-of-boundsmemorybycraftingscriptswithmanystringliteralsatglobalscope.Attackers 40504canexploitinsufficientboundscheckingingravityfiberreassign()tocorruptheapmetadataandachievearbitrary codeexecutioninapplicationsthatevaluateuntrustedscripts. 
CVE-2026-MailGates/MailAuditdevelopedbyOpenfindhasaStack-basedBufferOverflowvulnerability,allowing 6350unauthenticatedremoteattackerstocontroltheprogram'sexecutionflowandexecutearbitrarycode. TheRiaxeProductCustomizerpluginforWordPressisvulnerabletoPrivilegeEscalationinallversionsupto,and including,2.1.2.ThepluginregistersanunauthenticatedAJAXaction('wpajaxnoprivinstall-imprint')thatmapsto theinkpdaddoption()function.Thisfunctionreads'option'and'optvalue'from$POST,thencallsdeleteoption()CVE-2026-followedbyaddoption()usingtheseattacker-controlledvalueswithoutanynonceverification,capabilitychecks,or3596optionnameallowlist.ThismakesitpossibleforunauthenticatedattackerstoupdatearbitraryWordPressoptions, whichcanbeleveragedforprivilegeescalationbyenablinguserregistrationandsettingthedefaultuserroleto administrator. CVE-2026-AnvizCX2LiteandCX7arevulnerabletounauthenticatedfirmwareuploads.Thiscausescraftedarchivestobe 35546accepted,enablingattackerstoplantandexecutecodeandobtainareverseshell. CVE-2026- 37339/music/viewgenre.php. CVE-2026- 37340/music/editmusic.php. CVE-2026- 37345/parking/manage_park.php.

Priortocommitc930284445ea3ff94451ccd7a57c999eca3bc979,thePSDcodeccomputesbytes-per-pixel(bpp) CVE-2026-fromrawheaderfieldschannels*depth,butthepixelbufferisallocatedbasedontheresolvedpixelformat.For 40493LABmodewithchannels=3,depth=16,bpp=(3*16+7)/8=6,buttheformatBPP40_CIE_LABallocatesonly5 bytesperpixel.Everypixelwriteovershoots,causingadeterministicheapbufferoverflowoneveryrow.Commit c930284445ea3ff94451ccd7a57c999eca3bc979containsapatch. AllpluginsbyEssentialpluginforWordPressarevulnerabletoaninjectedbackdoorinvariousversions.ThisisduetoCVE-2026-thepluginbeingsoldtoamaliciousthreatactorthatembeddedabackdoorinalloftheplugin'stheyacquired.This makesitpossibleforthethreatactortomaintainapersistentbackdoorandinjectspamintotheaffectedsites. DataEaseisanopen-sourcedatavisualizationandanalyticsplatform.Versions2.10.20andbelowcontainaSQL injectionvulnerabilityintheAPIdatasourceupdateprocess.Whenanewtabledefinitionisaddedduringa datasourceupdatevia/de2api/datasource/update,thedeTableNamefieldfromtheuser-submittedconfigurationis

passedtoDatasourceSyncManage.createEngineTable,whereitissubstitutedintoaCREATETABLEstatementCVE-2026- 33122templatewithoutanysanitizationoridentifierescaping.AnauthenticatedattackercaninjectarbitrarySQL commandsbycraftingadeTableNamethatbreaksoutofidentifierquoting,enablingerror-basedSQLinjectionthat canextractdatabaseinformation.Thisissuehasbeenfixedinversion2.10.21. CVE-2026-ASQLinjectionvulnerabilityinCodeAstroSimpleAttendanceManagementSystemv1.0allowsremote 37749unauthenticatedattackerstobypassauthenticationviatheusernameparameterinindex.php. CVE-2026-AnSQLinjectionvulnerabilityexistsinCubeCartpriorto6.6.0,whichmayallowanattackertoexecuteanarbitrary 34018SQLstatementontheproduct. CVE-2026-HeapbufferoverflowinANGLEinGoogleChromepriorto147.0.7727.101allowedaremoteattackertopotentially 9.6 MoreDetails6296performasandboxescapeviaacraftedHTMLpage.(Chromiumsecurityseverity:Critical) DgraphisanopensourcedistributedGraphQLdatabase.Versions25.3.1andpriorcontainanunauthenticated credentialdisclosurevulnerabilitywherethe/debug/pprof/cmdlineendpointisregisteredonthedefaultmuxand reachablewithoutauthentication,exposingthefullprocesscommandlineincludingtheadmintokenconfiguredvia CVE-2026-the--security"token=..."startupflag.AnattackercanretrievetheleakedtokenandreuseitintheX-Dgraph- 9.4 MoreDetails40173AuthTokenheadertogainunauthorizedaccesstoadmin-onlyendpointssuchas/admin/config/cachemb,bypassing theadminAuthHandlertokenvalidation.Thisenablesunauthorizedprivilegedadministrativeaccessincluding configurationchangesandoperationalcontrolactionsinanydeploymentwheretheAlphaHTTPportisreachableby untrustedparties.Thisissuehasbeenfixedinversion25.3.2. CVE-2026- 9.4 MoreDetails37338/music/viewuser.php. 
excel-mcp-serverisaModelContextProtocolserverforExcelfilemanipulation.Apathtraversalvulnerabilityexistsin excel-mcp-serverversionsuptoandincluding0.1.7.WhenrunninginSSEorStreamable-HTTPtransportmode(the documentedwaytousethisserverremotely),anunauthenticatedattackeronthenetworkcanread,write,and overwritearbitraryfilesonthehostfilesystembysupplyingcraftedfilepathargumentstoanyofthe25exposedMCP CVE-2026-toolhandlers.TheserverisintendedtoconfinefileoperationstoadirectorysetbytheEXCELFILESPATH 9.4 MoreDetails40576environmentvariable.Thefunctionresponsibleforenforcingthisboundary--getexcelpath()--failstodosodueto twoindependentflaws:itpassesabsolutepathsthroughwithoutanycheck,anditjoinsrelativepathswithout resolvingorvalidatingtheresult.Combinedwithzeroauthenticationonthedefaultnetwork-facingtransportanda defaultbindaddressof0.0.0.0(allinterfaces),thisallowstrivialremoteexploitation.Thisvulnerabilityisfixedin 0.1.8. SQLInjectionvulnerabilityinApartmentVisitorsManagementSystemApartmentVisitorsManagementSystemV1.1CVE-2026-withintheusernameparameteroftheloginpage(index.php).Thisallowsanunauthenticatedattackertomanipulate 9.4 MoreDetails39109backendSQLqueriesduringauthenticationandretrievesensitivedatabasecontents. CVE-2026-Luanti5before5.15.2,whenLuaJITisused,allowsaLuasandboxescapeviaacraftedmod. 
9.3 MoreDetails40959 NovumOSisacustom32-bitoperatingsystemwritteninZigandx86Assembly.Inversionspriorto0.24,Syscall12 (JumpToUser)acceptsanarbitraryentrypointaddressfromuser-spaceregisterswithoutvalidation,allowinganyRing CVE-2026-3user-modeprocesstojumptokerneladdressesandexecutearbitrarycodeinRing0context,resultinginlocal 9.3 MoreDetails40317privilegeescalation.Thisissuehasbeenfixedinversion0.24.Ifdevelopersareunabletoimmediatelyupdate,they shouldrestrictsyscallaccessbyrunningthesysteminsingle-usermodewithoutRing3,anddisableuser-mode processesbyonlyrunningkernelshellwithnouserprocesses.Thisissuehasbeenfixedinversion0.24.

supportedversionthatisaffectedis12.2.1.4.0.Easilyexploitablevulnerabilityallowsunauthenticatedattackerwith networkaccessviaHTTPStocompromiseOracleIdentityManagerConnector.SuccessfulattacksofthisvulnerabilityCVE-2026-canresultinunauthorizedcreation,deletionormodificationaccesstocriticaldataorallOracleIdentityManager34285ConnectoraccessibledataaswellasunauthorizedaccesstocriticaldataorcompleteaccesstoallOracleIdentity ManagerConnectoraccessibledata.CVSS3.1BaseScore9.1(ConfidentialityandIntegrityimpacts).CVSSVector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N). VulnerabilityintheOracleEnterpriseManagerBasePlatformproductofOracleEnterpriseManager(component: EventManagement).Supportedversionsthatareaffectedare13.5and24.1.Easilyexploitablevulnerabilityallows highprivilegedattackerwithnetworkaccessviaHTTPtocompromiseOracleEnterpriseManagerBasePlatform. CVE-2026-WhilethevulnerabilityisinOracleEnterpriseManagerBasePlatform,attacksmaysignificantlyimpactadditional 34279products(scopechange).SuccessfulattacksofthisvulnerabilitycanresultintakeoverofOracleEnterpriseManager BasePlatform.CVSS3.1BaseScore9.1(Confidentiality,IntegrityandAvailabilityimpacts).CVSSVector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

FreeScoutisafreeself-hostedhelpdeskandsharedmailbox.Priortoversion1.8.215,FreeScout'smoduleinstallationCVE-2026-featureextractsZIParchiveswithoutvalidatingfilepaths,allowinganauthenticatedadmintowritefilesarbitrarilyon41193theserverfilesystemviaaspeciallycraftedZIP.Version1.8.215fixesthevulnerability.

supportedversionthatisaffectedis12.2.1.4.0.Easilyexploitablevulnerabilityallowsunauthenticatedattackerwith networkaccessviaHTTPStocompromiseOracleIdentityManagerConnector.SuccessfulattacksofthisvulnerabilityCVE-2026-canresultinunauthorizedcreation,deletionormodificationaccesstocriticaldataorallOracleIdentityManager34286ConnectoraccessibledataaswellasunauthorizedaccesstocriticaldataorcompleteaccesstoallOracleIdentity ManagerConnectoraccessibledata.CVSS3.1BaseScore9.1(ConfidentialityandIntegrityimpacts).CVSSVector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N). ChurchCRMisanopen-sourcechurchmanagementsystem.Inversionspriorto7.2.0,thedatabasebackuprestore

functionalityextractsuploadedarchivecontentsandcopiesfilesfromtheImages/directoryintotheweb-accessible documentrootusingrecursiveCopyDirectory(),whichperformsnofileextensionfiltering.AnauthenticatedCVE-2026- administratorcanuploadacraftedbackuparchivecontainingaPHPwebshellinsidetheImages/directory,whichis40484 thenwrittentoapubliclyaccessiblepathandexecutableviaHTTPrequests,resultinginremotecodeexecutionas thewebserveruser.TherestoreendpointalsolacksCSRFtokenvalidation,enablingexploitationthroughcross-site requestforgerytargetinganauthenticatedadministrator.Thisissuehasbeenfixedinversion7.2.0. goshsisaSimpleHTTPServerwritteninGo.Priorto2.0.0-beta.6,goshshasanArtiPACKEDvulnerability.ArtiPACKEDCVE-2026-canleadtoleakageoftheGITHUBTOKENthroughworkflowartifacts,eventhoughthetokenisnotpresentinthe40903repositorysourcecode.Thisvulnerabilityisfixedin2.0.0-beta.6. Vendureisanopen-sourceheadlesscommerceplatform.Startinginversion1.7.4andpriortoversions2.3.4,3.5.7, and3.6.2,anunauthenticatedSQLinjectionvulnerabilityexistsintheVendureShopAPI.Auser-controlledquery stringparameterisinterpolateddirectlyintoarawSQLexpressionwithoutparameterizationorvalidation,allowingan attackertoexecutearbitrarySQLagainstthedatabase.Thisaffectsallsupporteddatabasebackends(PostgreSQL, MySQL/MariaDB,SQLite).TheAdminAPIisalsoaffected,thoughexploitationthererequiresauthentication.VersionsCVE-2026-2.3.4,3.5.7,and3.6.2containapatch.Forthosewhoareunabletoupgradeimmediately,Vendurehasmadeahotfix40887availablethatusesRequestContextService.getLanguageCodetovalidatethelanguageCodeinputatthe boundary.Thisblocksinjectionpayloadsbeforetheycanreachanyquery.Thehotfixreplacestheexisting 
getLanguageCodemethodinpackages/core/src/service/helpers/request-context/request-context.service.ts. Invalidvaluesaresilentlydroppedandthechannel'sdefaultlanguageisusedinstead.Thepatchedversions additionallyconvertthevulnerableSQLinterpolationtoaparameterizedqueryasdefenseindepth. Pyroscopeisanopen-sourcecontinuousprofilingdatabase.Thedatabasesupportsvariousstoragebackends, includingTencentCloudObjectStorage(COS).IfthedatabaseisconfiguredtouseTencentCOSasthestorage backend,anattackercouldextractthesecretkeyconfigurationvaluefromthePyroscopeAPI.ToexploitthisCVE-2025-vulnerability,anattackerneedsdirectaccesstothePyroscopeAPI.Wehighlyrecommendlimitingthepublicinternet41118exposureofallourdatabases,suchthattheyareonlyaccessiblebytrustedusersorinternalsystems.This vulnerabilityisfixedinversions:1.15.x:1.15.2andabove.1.16.x:1.16.1andabove.1.17.x:1.17.0andabove(i.e.all versions).ThankstoThéoCusnirforreportingthisvulnerabilitytousviaourbugbountyprogram.

supportedversionthatisaffectedis12.2.1.4.0.Easilyexploitablevulnerabilityallowsunauthenticatedattackerwith networkaccessviaHTTPStocompromiseOracleIdentityManagerConnector.SuccessfulattacksofthisvulnerabilityCVE-2026-canresultinunauthorizedcreation,deletionormodificationaccesstocriticaldataorallOracleIdentityManager34287ConnectoraccessibledataaswellasunauthorizedaccesstocriticaldataorcompleteaccesstoallOracleIdentity ManagerConnectoraccessibledata.CVSS3.1BaseScore9.1(ConfidentialityandIntegrityimpacts).CVSSVector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N). @fastify/expressv4.0.4andearliercontainsapathhandlingbugintheonRegisterfunctionthatcausesmiddleware pathstobedoubledwheninheritedbychildplugins.Whenachildpluginisregisteredwithaprefixthatmatchesa CVE-2026-middlewarepath,themiddlewarepathisprefixedasecondtime,causingittonevermatchincomingrequests.This 33807resultsincompletebypassofExpressmiddlewaresecuritycontrols,includingauthentication,authorization,andrate limiting,forallroutesdefinedwithinaffectedchildpluginscopes.Nospecialconfigurationorrequestcraftingis required.Upgradeto@fastify/expressv4.0.5orlater. CVE-2026-ImproperverificationofcryptographicsignatureinASP.NETCoreallowsanunauthorizedattackertoelevate 40372privilegesoveranetwork. 
HotChocolateisanopen-sourceGraphQLserver.Priortoversions12.22.7,13.9.16,14.3.1,and15.1.14,Hot Chocolate'srecursivedescentparserUtf8GraphQLParserhasnorecursiondepthlimit.AcraftedGraphQLdocument withdeeplynestedselectionsets,objectvalues,listvalues,orlisttypescantriggeraStackOverflowExceptionon payloadsassmallas40KB.BecauseStackOverflowExceptionisuncatchablein.NET(since.NET2.0),theentire workerprocessisterminatedimmediately.Allin-flightHTTPrequests,backgroundIHostedServicetasks,andopen WebSocketsubscriptionsonthatworkeraredropped.Theorchestrator(Kubernetes,IIS,etc.)mustrestartthe process.Thisoccursbeforeanyvalidationrulesrun--MaxExecutionDepth,complexityanalyzers,persistedquery allow-lists,andcustomIDocumentValidatorRuleimplementationscannotinterceptthecrashbecauseCVE-2026-Utf8GraphQLParser.Parseisinvokedbeforevalidation.TheMaxAllowedFields=2048limitdoesnothelpbecause40324thecrashingpayloadscontainveryfewfields.Thefixinversions12.22.7,13.9.16,14.3.1,and15.1.14addsa MaxAllowedRecursionDepthoptiontoParserOptionswithasafedefault,andenforcesitacrossallrecursiveparser methods(ParseSelectionSet,ParseValueLiteral,ParseObject,ParseList,ParseTypeReference,etc.).When thelimitisexceeded,acatchableSyntaxExceptionisthrowninsteadofoverflowingthestack.Thereisno application-levelworkaround.StackOverflowExceptioncannotbecaughtin.NET.Theonlymitigationistoupgrade toapatchedversion.Operatorscanreduce(butnoteliminate)riskbylimitingHTTPrequestbodysizeatthereverse proxyorloadbalancerlayer,thoughthesmallestcrashingpayload(40KB)iswellbelowmostdefaultbodysizelimits andishighlycompressible(~fewhundredbytesviagzip). 
ApossiblesecurityvulnerabilityhasbeenidentifiedinApacheKafka.Bydefault,thebrokerproperty sasl.oauthbearer.jwt.validator.classissettoorg.apache.kafka.common.security.oauthbearer.DefaultJwtValidator. ItacceptsanyJWTtokenwithoutvalidatingitssignature,issuer,oraudience.AnattackercangenerateaJWTtokenCVE-2026-fromanyissuerwiththepreferred_usernamesettoanyuser,andthebrokerwillacceptit.WeadvisetheKafka33557usersusingkafkav4.1.0orv4.1.1tosettheconfigsasl.oauthbearer.jwt.validator.classto org.apache.kafka.common.security.oauthbearer.BrokerJwtValidatorexplicitlytoavoidthisvulnerability.SinceKafka v4.1.2andv4.2.0andlater,theissueisfixedandwillcorrectlyvalidatetheJWTtoken. AflawwasfoundinArgoCDImageUpdater.Thisvulnerabilityallowsanattacker,withpermissionstocreateormodify anImageUpdaterresourceinamulti-tenantenvironment,tobypassnamespaceboundaries.ByexploitinginsufficientCVE-2026-validation,theattackercantriggerunauthorizedimageupdatesonapplicationsmanagedbyothertenants.This leadstocross-namespaceprivilegeescalation,impactingapplicationintegritythroughunauthorizedapplication updates.

OpenVikingpriortoversion0.3.9containsanauthenticationbypassvulnerabilityintheVikingBotOpenAPIHTTProute surfacewheretheauthenticationcheckfailsopenwhentheapikeyconfigurationvalueisunsetorempty.RemoteCVE-2026-attackerswithnetworkaccesstotheexposedservicecaninvokeprivilegedbot-controlfunctionalitywithoutproviding40525avalidX-API-Keyheader,includingsubmittingattacker-controlledprompts,creatingorusingbotsessions,and accessingdownstreamtools,integrations,secrets,ordataaccessibletothebot. AnattackerwithnetworkaccesstothePLCisabletobruteforcediscoverpasswordstogainunauthorizedaccesstoCVE-2026-systemsandservices.Thelimitedpasswordcomplexityandnopasswordinputlimitersmakesbruteforcepassword6284enumerationpossible. TheobsoletenislocalprincipalfunctionintheGNUCLibraryversion2.43andoldermayoverflowabufferinthe datasection,whichcouldallowanattackertospoofacraftedresponsetoaUDPrequestgeneratedbythisfunctionCVE-2026-andoverwriteneighboringstaticdataintherequestingapplication.NISsupportisobsoleteandhasbeendeprecated5358intheGNUCLibrarysinceversion2.26andisonlymaintainedforlegacyusage.Applicationsshouldportawayfrom NIStomoremodernidentityandaccessmanagementservices. @fastify/middieversions9.3.1andearlierdonotregisterinheritedmiddlewaredirectlyonchildpluginengine instances.WhenaFastifyapplicationregistersauthenticationmiddlewareinaparentscopeandthenregisterschildCVE-2026-pluginswith@fastify/middie,thechildscopedoesnotinherittheparentmiddleware.Thisallowsunauthenticated6270requeststoreachroutesdefinedinchildpluginscopes,bypassingauthenticationandauthorizationchecks.Upgrade to@fastify/middie9.3.2tofixthisissue.Therearenoworkarounds. 
VvvebCMSv1.0.8containsaremotecodeexecutionvulnerabilityinitsmediamanagementfunctionalitywherea missingreturnstatementinthefilerenamehandlerallowsauthenticatedattackerstorenamefilestoblockedCVE-2026-extensions.phpor.htaccess.Attackerscanexploitthislogicflawbyfirstuploadingatextfileandrenamingitto6257.htaccesstoinjectApachedirectivesthatregisterPHP-executableMIMEtypes,thenuploadinganotherfileand renamingitto.phptoexecutearbitraryoperatingsystemcommandsasthewww-datauser. CVE-2026-SourceCodesterPayrollManagementandInformationSystemv1.0isvulnerabletoSQLInjectioninthefile 37347/payroll/viewemployee.php. TheGrampsWebAPIisaPythonRESTAPIforthegenealogicalresearchsoftwareGramps.Versions1.6.0through 3.11.0haveapathtraversalvulnerability(ZipSlip)inthemediaarchiveimportfeature.Anauthenticateduserwith CVE-2026-owner-levelprivilegescancraftamaliciousZIPfilewithdirectory-traversalfilenamestowritearbitraryfilesoutside 40258theintendedtemporaryextractiondirectoryontheserver'slocalfilesystem.Startiginversion3.11.1,ZIPentry namesarenowvalidatedagainsttheresolvedrealpathofthetemporarydirectorybeforeextraction.Anyentry whoseresolvedpathfallsoutsidethetemporarydirectoryraisesanerrorandabortstheimport. CVE-2026-AninsecuredirectobjectreferencevulnerabilityintheUsersAPIcomponentofCraftyControllerallowsaremote, 9.0 MoreDetails5652authenticatedattackertoperformusermodificationactionsviaimproperAPIpermissionsvalidation. 
FreeScoutisafreeself-hostedhelpdeskandsharedmailbox.Versionspriorto1.8.213haveamassassignment vulnerabilityinthemailboxconnectionsettingsendpointsofFreeScout(connectionIncomingSave()at app/Http/Controllers/MailboxesController.php:468andconnectionOutgoingSave()atline398).Bothmethodspass $request->all()directlyto$mailbox->fill()withoutanyfieldallowlisting,allowinganauthenticatedadminto overwriteanyofthe32fieldsintheMailboxmodel's$fillablearray--includingsecurity-criticalfieldsthatdonot belongtotheconnectionsettingsform,suchasauto_bcc,out_server,out_password,signature, auto_reply_enabled,andauto_reply_message.ValidationinconnectionIncomingSave()isentirelycommented out,andthevalidatorinconnectionOutgoingSave()onlychecksvalueformatsforSMTPfieldswithoutstripping extraparameters.Anauthenticatedadminusercanexploitthisbyappendinghiddenparameters(e.g.,CVE-2026- 9.0 MoreDetailsauto_bcc=attacker@evil.com)toalegitimateconnectionsettingssaverequest.Becausetheauto_bccfieldisnot40569 displayedontheconnectionsettingsform(itonlyappearsonthegeneralmailboxsettingspage),theinjectionis invisibletootheradministratorsreviewingconnectionsettings.Onceset,everyoutgoingemailfromtheaffected mailboxissilentlyBCC'dtotheattackerviatheSendReplyToCustomerjob.Thesamemechanismallowsredirecting outgoingSMTPthroughanattacker-controlledserver,injectingtrackingpixelsorphishinglinksintoemailsignatures, andenablingattacker-craftedauto-replies--allfromasingleHTTPrequest.Thisisparticularlydangerousinmulti- adminenvironmentswhereoneadmincansilentlysurveilmailboxesmanagedbyothers,andwhenanadminsession iscompromisedviaaseparatevulnerability(e.g.,XSS),theattackergainspersistentemailexfiltrationthatsurvives sessionexpiry.Version1.8.213fixestheissue.

NovumOSisacustom32-bitoperatingsystemwritteninZigandx86Assembly.Inversionspriorto0.24,Syscall15 (MemoryMapRange)allowsRing3user-modeprocessestomaparbitraryvirtualaddressrangesintotheiraddressCVE-2026-spacewithoutvalidatingagainstforbiddenregions,includingcriticalkernelstructuressuchastheIDT,GDT,TSS,and 9.0 MoreDetails40572pagetables.Alocalattackercanexploitthistomodifykernelinterrupthandlers,resultinginprivilegeescalationfrom usermodetokernelcontext.Thisissuehasbeenfixedinversion0.24. Thymeleafisaserver-sideJavatemplateengineforwebandstandaloneenvironments.Versions3.1.3.RELEASEand priorcontainasecuritybypassvulnerabilityinthetheexpressionexecutionmechanisms.Althoughthelibrary CVE-2026-providesmechanismstopreventexpressioninjection,itfailstoproperlyneutralizespecificsyntaxpatternsthatallow 9.0 MoreDetails40478fortheexecutionofunauthorizedexpressions.Ifanapplicationdeveloperpassesunvalidateduserinputdirectlyto thetemplateengine,anunauthenticatedremoteattackercanbypassthelibrary'sprotectionstoachieveServer-Side TemplateInjection(SSTI).Thisissuehasbenfixedinversion3.1.4.RELEASE. SiYuanisanopen-sourcepersonalknowledgemanagementsystem.Inversions3.6.3andbelow,Mermaiddiagrams arerenderedwithsecurityLevelsetto"loose",andtheresultingSVGisinjectedintotheDOMviainnerHTML.This CVE-2026-allowsattacker-controlledjavascript:URLsinMermaidcodeblockstosurviveintotherenderedoutput.Ondesktop 9.0 MoreDetails40322buildsusingElectron,windowsarecreatedwithnodeIntegrationenabledandcontextIsolationdisabled,escalatingthe storedXSStoarbitrarycodeexecutionwhenavictimopensanotecontainingamaliciousMermaidblockandclicks therendereddiagramnode.Thisissuehasbeenfixedinversion3.6.4.

OpenAEVisanopensourceplatformallowingorganizationstoplan,scheduleandconductcyberadversarysimulation campaignandtests.Startinginversion1.0.0andpriortoversion2.0.13,OpenAEV'spasswordresetimplementation containsmultiplesecurityweaknessesthattogetherallowreliableaccounttakeover.Theprimaryissueisthat passwordresettokensdonotexpire.Onceatokenisgenerated,itremainsvalidindefinitely,evenifsignificanttime haspassedorifnewertokensareissuedforthesameaccount.Thisallowsanattackertoaccumulatevalidpassword resettokensovertimeandreusethematanypointinthefuturetoresetavictim'spassword.Asecondaryweakness isthatpasswordresettokensareonly8digitslong.Whilean8-digitnumerictokenprovides100,000,000possible combinations(whichissecureenough),theabilitytogeneratelargenumbersofvalidtokensdrasticallyreducesthe requirednumberofattemptstoguessavalidpasswordresettoken.Forexample,ifanattackergenerates2,000valid tokens,thebrute-forceeffortisreducedtoapproximately50,000attempts,whichisatriviallyachievablenumberof requestsforanautomatedattack.(100requestspersecondcanmathematicallyfindavalidpasswordresettokenin CVE-2026-500seconds.)Bycombiningtheseflaws,anattackercanmass-generatevalidpasswordresettokensandthenbrute- 9.0 MoreDetails24467forcethemefficientlyuntilamatchisfound,allowingtheattackertoresetthevictim'spasswordtoavalueoftheir choosing.Theoriginalpasswordisnotrequired,andtheattackcanbeperformedentirelywithoutauthentication.This vulnerabilityenablesfullaccounttakeoverthatleadstoplatformcompromise.Anunauthenticatedremoteattacker canresetthepasswordofanyregistereduseraccountandgaincompleteaccesswithoutauthentication.Because useremailaddressesareexposedtootherusersbydesign,asingleguessedorobservedemailaddressissufficient 
tocompromiseevenadministratoraccountswithnon-guessableemailaddresses.Thisdesignflawresultsinareliable andscalableaccounttakeovervulnerabilitythataffectsanyregistereduseraccountinthesystem.Note:The vulnerabilitydoesnotrequireOpenAEVtohavetheemailserviceconfigured.Theexploitdoesnotdependonthe targetemailaddresstobearealemailaddress.ItjustneedstoberegisteredtoOpenAEV.Successfulexploitation allowsanunauthenticatedremoteattackertoaccesssensitivedata(suchastheFindingssectionofasimulation), modifypayloadsexecutedbydeployedagentstocompromiseallhostswhereagentsareinstalled(thereforethe Scopeischanged).Usersshouldupgradetoversion2.0.13toreceiveafix. Thymeleafisaserver-sideJavatemplateengineforwebandstandaloneenvironments.Versions3.1.3.RELEASEand priorcontainasecuritybypassvulnerabilityintheexpressionexecutionmechanisms.Althoughthelibraryprovides CVE-2026-mechanismstopreventexpressioninjection,itfailstoproperlyrestrictthescopeofaccessibleobjects,allowing 9.0 MoreDetails40477specificpotentiallysensitiveobjectstobereachedfromwithinatemplate.Ifanapplicationdeveloperpasses unvalidateduserinputdirectlytothetemplateengine,anunauthenticatedremoteattackercanbypassthelibrary's protectionstoachieveServer-SideTemplateInjection(SSTI).Thisissuehasbenfixedinversion3.1.4.RELEASE.

OTHERVULNERABILITIES

CVE Number | Base Score | Description | Reference

AStoredCross-SiteScriptingvulnerabilitywasdiscoveredintheAssetsandNodesfunctionalityduetoimpropervalidationof CVE-aninputparameter.Anauthenticateduserwithcustomfieldsprivilegescandefineamaliciouscustomfieldcontaininga More2025-JavaScriptpayload.WhenthevictimviewstheAssetsorNodespages,theXSSexecutesintheirbrowsercontext,allowingthe 8.9 Details40899attackertoperformunauthorizedactionsasthevictim,suchasmodifyapplicationdata,disruptapplicationavailability,and accesslimitedsensitiveinformation. PostizisanAIsocialmediaschedulingtool.Priortoversion2.21.6,afileuploadvalidationbypassallowsanyauthenticated CVE-usertouploadarbitraryHTML,SVG,orotherexecutablefiletypestotheserverbyspoofingtheContent-Typeheader.The More2026-uploadedfilesarethenservedbynginxwithaContent-Typederivedfromtheiroriginalextension(text/html, 8.9 Details40487image/svg+xml),enablingStoredCross-SiteScripting(XSS)inthecontextoftheapplication'sorigin.Thiscanleadto sessionriding,accounttakeover,andfullcompromiseofotherusers'accounts.Version2.21.6containsafix. 
DataEaseisanopen-sourcedatavisualizationandanalyticsplatform.Versions2.10.20andbelowshipthelegacyvelocity- 1.7.jar,whichpullsincommons-collections-3.2.1.jarcontainingtheInvokerTransformerdeserializationgadgetchain.Quartz 2.3.2,alsobundledintheapplication,deserializesjobdataBLOBsfromtheqrtzjobdetailstableusingObjectInputStreamCVE-withnodeserializationfilterorclassallowlist.AnauthenticatedattackerwhocanwritetotheQuartzjobtable,suchas More2026- 8.8throughthepreviouslydescribedSQLinjectioninpreviewSql,canreplaceascheduledjob'sJOBDATAwithamalicious Details40901CommonsCollections6gadgetchainpayload.WhentheQuartzcrontriggerfires,thepayloadisdeserializedandexecutes arbitrarycommandsasrootinsidethecontainer,achievingfullremotecodeexecution.Thisissuehasbeenfixedinversion 2.10.21. CVE-UseafterfreeinPrerenderinGoogleChromepriorto147.0.7727.101allowedaremoteattackertoexecutearbitrarycodevia More2026- 8.8acraftedHTMLpage.(Chromiumsecurityseverity:Critical) Details6299 EmissaryisaP2Pbaseddata-drivenworkflowengine.Inversions8.42.0andbelow,Executrix.getCommand()isvulnerableto OScommandinjectionbecauseitinterpolatestemporaryfilepathsintoa/bin/sh-cshellcommandstringwithoutany escapingorinputvalidation.TheINFILEENDINGandOUTFILE_ENDINGconfigurationkeysflowdirectlyintothesepaths, CVE-allowingaplaceauthorwhocanwriteormodifya.cfgfiletoinjectarbitraryshellmetacharactersthatexecuteOScommands More2026-intheJVMprocess'ssecuritycontext.TheframeworkalreadysanitizesplaceNameviaanallowlistbeforeembeddingitinthe 8.8 Details35582sameshellstring,butappliesnoequivalentsanitizationtofileendingvalues.Noruntimeprivilegesbeyondplace configurationauthorship,andnoAPIornetworkaccess,arerequiredtoexploitthisvulnerability.Thisisaframework-level 
defectwithnosafemitigationavailabletodownstreamimplementors,asExecutrixprovidesneitherescapingnor documentedpreconditionsagainstmetacharactersinfileendinginputs.Thisissuehasbeenfixedinversion8.43.0.

CVE- usercanaccesstheuser-managementendpoints/settings/usersandusethemtoenumerateallusersandcreateanew More administratoraccount.Thishappensbecausetheroutedefinitionsdonotenforceadmin-onlymiddleware,andthecontroller- 8.8 Details40350 levelauthorizationcheckusesabrokenbooleancondition.Asaresult,anyuserwithavalidwebsessioncookiecanreach functionalitythatshouldberestrictedtoadministrators.Version0.71.1patchestheissue.

KissFFTbeforecommit8a8e66econtainsanintegeroverflowvulnerabilityinthekissfftndralloc()functioninkissfftndr.cCVE- MorewheretheallocationsizecalculationdimOther(dimReal+2)sizeof(kissfftscalar)overflowssigned32-bitintegerarithmetic 8.8 Detailsbeforebeingwidenedtosizet,causingmalloc()toallocateanundersizedbuffer.Attackerscantriggerheapbufferoverflow41445 byprovidingcrafteddimensionsthatcausethemultiplicationtoexceedINTMAX,allowingwritesbeyondtheallocatedbuffer regionwhenkissfftndr()processesthedata. CVE-InproductsoftheMSE6product-familybyFestoaremoteauthenticated,lowprivilegedattackercouldusefunctionsof More2023- 8.8undocumentedtestmodewhichcouldleadtoacompletelossofconfidentiality,integrityandavailability. Details3634 CVE-SD-330ACandAMCManagerprovidedbysilextechnology,Inc.containastack-basedbufferoverflowvulnerabilityin More2026- 8.8processingtheredirectURLs.Arbitrarycodemaybeexecutedonthedevice. Details32955 CVE-Weblateisawebbasedlocalizationtool.Inversionspriorto5.17,theuserpatchingAPIendpointdidn'tproperlylimitthe More2026- 8.8scopeofedits.Thisissuehasbeenfixedinversion5.17. Details34393 VvvebCMS1.0.8containsaremotecodeexecutionvulnerabilityinitsmediauploadhandlerthatallowsauthenticatedCVE-attackerstoexecutearbitraryoperatingsystemcommandsbyuploadingaPHPwebshellwitha.phtmlextension.Attackers More2026- 8.8canbypasstheextensiondeny-listanduploadmaliciousfilestothepubliclyaccessiblemediadirectory,thenrequestthefile Details6249overHTTPtoachievefullservercompromise. 
CVE-usercanescalatetheirownaccounttoadministratorbysendingisAdmin=truetoPUT/settings/users/{userId}fortheir More2026- 8.8ownuserID.Theendpointisintendedtoletauseredittheirownprofile,butitupdatesthesensitiveisAdminfieldwithout Details40349anyadmin-onlyauthorizationcheck.Version0.71.1patchestheissue. CVE-InOpenXiangShanNEMU,whenSmstateenisenabled,clearingmstateen0.ENVCFGdoesnotcorrectlyrestrictaccessto More2026-henvcfgandsenvcfg.Asaresult,less-privilegedcodemayreadorwritetheseCSRswithouttherequiredexception, 8.8 Details29648potentiallybypassingintendedstate-enablebasedisolationcontrolsinvirtualizedormulti-privilegeenvironments. CVE-PAC4JisvulnerabletoLDAPInjectioninmultiplemethods.Alow-privilegedremoteattackercaninjectcraftedLDAPsyntax More2026-intoID-basedsearchparameters,potentiallyresultinginunauthorizedLDAPqueriesandarbitrarydirectoryoperations.This 8.8 Details40459issuewasfixedinPAC4Jversions4.5.10,5.7.10and6.4.1 CVE-AvulnerabilitywasdeterminedinTendaF4511.0.0.7cnsvn7958.ImpactedisthefunctionfromwebExcptypemanFilterof More2026-thefile/goform/webExcptypemanFilterofthecomponenthttpd.Executingamanipulationoftheargumentpagecanleadto 8.8 Details6631bufferoverflow.Theattackmaybelaunchedremotely.Theexploithasbeenpubliclydisclosedandmaybeutilized. CVE-AvulnerabilitywasfoundinTendaF4511.0.0.7cnsvn7958.ThisissueaffectsthefunctionfromGstDhcpSetSerofthefile More2026-/goform/GstDhcpSetSerofthecomponenthttpd.Performingamanipulationoftheargumentdipsresultsinbufferoverflow. 8.8 Details6630Theattackmaybeinitiatedremotely.Theexploithasbeenmadepublicandcouldbeused. 
IntheWebsitemoduleofDolibarrERP&CRM22.0.4andbelow,theapplicationusesblacklist-basedfilteringtorestrictCVE-dangerousPHPfunctionsrelatedtosystemcommandexecution.AnauthenticateduserwithpermissiontoeditPHPcontent More2026- 8.8canbypassthisfiltering,resultinginfullremotecodeexecutionwiththeabilitytoexecutearbitraryoperatingsystem Details31019commandsontheserver. CVE-InDolibarrERP&CRM<=22.0.4,PHPcodedetectionandeditingpermissionenforcementintheWebsitemoduleisnot More2026-appliedconsistentlytoallinputparameters,allowinganauthenticateduserrestrictedtoHTML/JavaScripteditingtoinjectPHP 8.8 Details31018codethroughunprotectedinputsduringwebsitepagecreation. TheAcyMailingpluginforWordPressisvulnerabletoprivilegeescalationinallversionsFrom9.11.0upto,andincluding, CVE-10.8.1duetoamissingcapabilitycheckonthewp_ajax_acymailing_routerAJAXhandler.Thismakesitpossiblefor More2026-authenticatedattackers,withSubscriber-levelaccessandabove,toaccessadmin-onlycontrollers(includingconfiguration 8.8 Details3614management),enabletheautologinfeature,createamaliciousnewslettersubscriberwithaninjectedcms_idpointingto anyWordPressuser,andthenusetheautologinURLtoauthenticateasthatuser,includingadministrators. FastGPTisanAIAgentbuildingplatform.Inversionspriorto4.14.9.5,thepasswordchangeendpointisvulnerabletoNoSQL CVE-injection.Anauthenticatedattackercanbypassthe"oldpassword"verificationbyinjectingMongoDBqueryoperators.This More2026-allowsanattackerwhohasgainedalow-privilegedsessiontochangethepasswordoftheiraccount(orothersifcombined 8.8 Details40352withIDmanipulation)withoutknowingthecurrentone,leadingtofullaccounttakeoverandpersistence.Thisissuehasbeen fixedinversion4.14.9.5. 
CVE-OpenClawbefore2026.3.28containsanauthorizationbypassvulnerabilityinDiscordtextapprovalcommandsthatallows More2026-non-approverstoresolvependingexecapprovals.AttackerscansendDiscordtextcommandstobypassthe 8.8 Details41303channels.discord.execApprovals.approversallowlistandapprovependinghostexecutionrequests. TheLivemeshAddonsforElementorpluginforWordPressisvulnerabletoLocalFileInclusioninallversionsupto,and including,9.0.Thisisduetoinsufficientsanitizationofthetemplatenameparameterinthelae_get_template_part()CVE-function,whichusesaninadequatestr_replace()approachthatcanbebypassedusingrecursivedirectorytraversal More2026- 8.8patterns.Thismakesitpossibleforauthenticatedattackers,withContributor-levelaccessandabove,toincludeandexecute Details1620arbitraryfilesontheserver,allowingtheattackertoincludeandexecutelocalfilesviathewidget'stemplateparameter grantedtheycantrickanadministratorintoperforminganactionorinstallElementor. AvulnerabilitywasdetectedinH3CMagicB1upto100R004.AffectedbythisvulnerabilityisthefunctionCVE-SetMobileAPInfoByIdofthefile/goform/aspForm.Performingamanipulationoftheargumentparamresultsinbufferoverflow. More 8.8Remoteexploitationoftheattackispossible.Theexploitisnowpublicandmaybeused.Thevendorwascontactedearly Details

Nekoisaaself-hostedvirtualbrowserthatrunsinDockerandusesWebRTCInversions3.0.0through3.0.10and3.1.0

through3.1.1,anyauthenticatedusercanimmediatelyobtainfulladministrativecontroloftheentireNekoinstance(member management,roomsettings,broadcastcontrol,sessiontermination,etc.).Thisresultsinacompletecompromiseofthe instance.Thevulnerabilityhasbeenpatchedinv3.0.11andv3.1.2.Ifupgradingisnotimmediatelypossible,thefollowingCVE-mitigationscanreducerisk:Restrictaccesstotrustedusersonly(avoidgrantingaccountstountrustedparties);ensureall More 8.8userpasswordsarestrongandonlysharedwithtrustedindividuals;runtheinstanceonlywhenneeded;avoidleavingit Details39386continuouslyexposed;placetheinstancebehindauthenticationlayerssuchasareverseproxywithadditionalaccess controls;disableorrestrictaccesstothe/api/profileendpointiffeasible;and/ormonitorforsuspiciousprivilegechangesor unexpectedadministrativeactions.Notethatthesearetemporarymitigationsanddonotfullyeliminatethevulnerability. Upgradingisstronglyrecommended. WeGIAisawebmanagerforcharitableinstitutions.Versionspriorto3.6.10containaSQLinjectionvulnerabilityin CVE-dao/memorando/UsuarioDAO.php.ThecpfusuarioPOSTparameteroverwritesthesession-storeduseridentityvia More2026-extract($REQUEST)inDespachoControle::verificarDespacho(),andtheattacker-controlledvalueistheninterpolateddirectly 8.8 Details40285intoarawSQLquery,allowinganyauthenticatedusertoquerythedatabaseunderanarbitraryidentity.Version3.6.10fixes theissue. CVE-AvulnerabilitywasidentifiedinTendaF4511.0.0.7cnsvn7958.TheaffectedelementisthefunctionfromSafeClientFilterof More2026-thefile/goform/SafeClientFilterofthecomponenthttpd.Themanipulationoftheargumentmenufacturer/Goleadstobuffer 8.8 Details6632overflow.Remoteexploitationoftheattackispossible.Theexploitispubliclyavailableandmightbeused. 
CVE-UseafterfreeinCSSinGoogleChromepriorto147.0.7727.101allowedaremoteattackertoexecutearbitrarycodeinsidea More2026- 8.8sandboxviaacraftedHTMLpage.(Chromiumsecurityseverity:High) Details6300 CVE-TypeConfusioninTurbofaninGoogleChromepriorto147.0.7727.101allowedaremoteattackertoexecutearbitrarycode More2026- 8.8insideasandboxviaacraftedHTMLpage.(Chromiumsecurityseverity:High) Details6301 CVE-UseafterfreeinFileSysteminGoogleChromepriorto147.0.7727.101allowedaremoteattackertopotentiallyexploitobject More2026- 8.8corruptionviaacraftedHTMLpage.(Chromiumsecurityseverity:High) Details6360 OpenHarnesspriortocommitdd1d235containsacommandinjectionvulnerabilitythatallowsremotegatewayuserswith CVE-chataccesstoinvokesensitiveadministrativecommandsbyexploitinginsufficientdistinctionbetweenlocal-onlyandremote- More2026-safecommandsinthegatewayhandler.Attackerscanexecuteadministrativecommandssuchas/permissionsfullauto 8.8 Details40502throughremotechatsessionstochangepermissionmodesofarunningOpenHarnessinstancewithoutoperator authorization. CVE-releaseversions7.13.1.0through7.13.1.60containamissingauthenticationforcriticalfunctionvulnerability.An More2026- 8.8unauthenticatedattackerwithremoteaccesscouldpotentiallyexploitthisvulnerability,leadingtoarbitrarycommand Details26944executionwithrootprivileges.Exploitationrequiresanauthenticatedusertoperformaspecificaction. CVE-Vvvebpriorto1.0.8.1containsaprivilegeescalationvulnerabilityintheadminuserprofilesaveendpointthatallows More2026-authenticateduserstomodifyprivilegedfieldsontheirownprofile.Attackerscaninjectroleid=1intoprofilesaverequests 8.8 Details34427toescalatetoSuperAdministratorprivileges,enablingpluginuploadfunctionalityforremotecodeexecution. 
OWASPBLTisaQAtestingandvulnerabilitydisclosureplatformthatencompasseswebsites,apps,gitrepositories,andmore. Versionspriorto2.1.1containanRCEvulnerabilityinthe.github/workflows/regenerate-migrations.ymlworkflow.The workflowusesthepullrequesttargettriggertorunwithfullGITHUBTOKENwritepermissions,copiesattacker-controlled filesfromuntrustedpullrequestsintothetrustedrunnerworkspaceviagitshow,andthenexecutespythonmanage.pyCVE-makemigrations,whichimportsDjangomodelmodulesincludingattacker-controlledwebsite/models.pyatruntime.Any More2026- 8.8module-levelPythoncodeintheattacker'smodels.pyisexecutedduringimport,enablingarbitrarycodeexecutioninthe Details40316privilegedCIenvironmentwithaccesstoGITHUBTOKENandrepositorysecrets.Theattackistriggerablebyanyexternal contributorwhocanopenapullrequest,providedamaintainerappliestheregenerate-migrationslabel,potentiallyleadingto secretexfiltration,repositorycompromise,andsupplychainattacks.Apatchforthisissueisexpectedtobereleasedin version2.1.1. AsecurityvulnerabilityhasbeendetectedinH3CMagicB0upto100R002.ThisvulnerabilityaffectsthefunctionCVE-Edit_BasicSSIDofthefile/goform/aspForm.Suchmanipulationoftheargumentparamleadstobufferoverflow.Theattack More2026- 8.8canbeexecutedremotely.Theexploithasbeendisclosedpubliclyandmaybeused.Thevendorwascontactedearlyabout Details6560 HKUDSOpenHarnesspriortoPR#156remediationexposespluginlifecyclecommandsincluding/plugininstall,/pluginCVE-enable,/plugindisable,and/reload-pluginstoremotesendersbydefault.Attackerswhogainaccessthroughthechannel More2026- 8.8layercanremotelymanageplugintrustandactivationstate,enablingunauthorizedplugininstallationandactivationonthe Details6819system. 
ComposerisadependencymanagerforPHP.Versions1.0through2.2.26and2.3through2.9.5containacommandinjection vulnerabilityinthePerforce::syncCodeBase()method,whichappendsthe$sourceReferenceparametertoashellcommand withoutproperescaping,andadditionallyinthePerforce::generateP4Command()methodasinGHSA-wg36-wvj6-r67p/CVE- 2026-40176,whichinterpolatesuser-suppliedPerforceconnectionparameters(port,user,client)fromthesourceurlfield withoutproperescaping.Anattackercaninjectarbitrarycommandsthroughcraftedsourcereferenceorsourceurlvalues CVE-containingshellmetacharacters,evenifPerforceisnotinstalled.UnlikeCVE-2026-40176,thesourcereferenceandurlare More2026- 8.8providedaspartofpackagemetadata,meaninganycompromisedormaliciousComposerrepositorycanservepackage Details40261metadatadeclaringperforceasasourcetypewithmaliciousvalues.Thisvulnerabilityisexploitablewheninstallingor updatingdependenciesfromsource,includingthedefaultbehaviorwheninstallingdev-prefixedversions.Thisissuehasbeen fixedinComposer2.2.27(2.2LTS)and2.9.6(mainline).Ifdevelopersareunabletoimmediatelyupdate,theycanavoid installingdependenciesfromsourcebyusing--prefer-distorthepreferred-install:distconfigsetting,andonlyusetrusted Composerrepositoriesasaworkaround.

CVE- AnexampleofBashOperatorinAirflowdocumentationsuggestedawayofpassingdagrun.confinthewaythatcouldcause More unsanitizeduserinputtobeusedtoescalateprivilegesofUIusertoallowexecutecodeonworker.Usersshouldreviewifany 8.8 Details30898 oftheirownDAGshaveadoptedthisincorrectadvice. TheCMP-ComingSoon&MaintenancePluginbyNiteoThemespluginforWordPressisvulnerabletoarbitraryfileuploadand remotecodeexecutioninallversionsupto,andincluding,4.1.16viathe`cmpthemeupdateinstallAJAXaction.Thisisdue tothefunctiononlycheckingforthepublishpagescapability(availabletoEditorsandabove)insteadofmanageoptionsCVE- (Administratorsonly),combinedwithalackofpropervalidationontheuser-suppliedfileURLandnoverificationofthe More2026- 8.8 downloadedfile'scontentbeforeextraction.Thismakesitpossibleforauthenticatedattackers,withAdministrator-level Details6518 accessandabove,toforcetheservertodownloadandextractamaliciousZIPfilefromaremoteattacker-controlledURLinto aweb-accessibledirectory(wp-content/plugins/cmp-premium-themes/`),resultinginremotecodeexecution.Duetothelack ofanonceforEditors,theyareunabletoexploitthisvulnerability. 
CVE- TypeConfusioninV8inGoogleChromepriorto147.0.7727.101allowedaremoteattackertopotentiallyperformoutof More2026- 8.8 boundsmemoryaccessviaacraftedHTMLpage.(Chromiumsecurityseverity:Medium) Details6363 CVE- UseafterfreeinVideoinGoogleChromeonWindowspriorto147.0.7727.101allowedaremoteattackerwhohad More2026- compromisedtherendererprocesstoperformoutofboundsmemoryaccessviaacraftedHTMLpage.(Chromiumsecurity 8.8 Details6359 severity:High) CVE- UseafterfreeinVideoinGoogleChromepriorto147.0.7727.101allowedaremoteattackertoexecutearbitrarycodeinside More2026- 8.8 asandboxviaacraftedHTMLpage.(Chromiumsecurityseverity:High) Details6302 CVE- UseafterfreeinXRinGoogleChromeonAndroidpriorto147.0.7727.101allowedaremoteattackertoperformanoutof More2026- 8.8 boundsmemoryreadviaacraftedHTMLpage.(Chromiumsecurityseverity:Critical) Details6358 CVE- WinMatrixagentdevelopedbySimoproTechnologyhasaMissingAuthenticationvulnerability,allowingauthenticatedlocal More2026- attackerstoexecutearbitrarycodewithSYSTEMprivilegesonthelocalmachineaswellasonallhostswithinthe 8.8 Details6348 environmentwheretheagentisinstalled. 
CVE- UseafterfreeinCodecsinGoogleChromepriorto147.0.7727.101allowedaremoteattackertoexecutearbitrarycodeinside More2026- 8.8 asandboxviaacraftedHTMLpage.(Chromiumsecurityseverity:Medium) Details6318 CVE- UseafterfreeinCastinGoogleChromepriorto147.0.7727.101allowedaremoteattackertoexecutearbitrarycodeviaa More2026- 8.8 craftedHTMLpage.(Chromiumsecurityseverity:High) Details6317 CVE- UseafterfreeinFormsinGoogleChromepriorto147.0.7727.101allowedaremoteattackertoexecutearbitrarycodeinside More2026- 8.8 asandboxviaacraftedHTMLpage.(Chromiumsecurityseverity:High) Details6316 CVE- UseafterfreeinPermissionsinGoogleChromeonAndroidpriorto147.0.7727.101allowedaremoteattackerwhoconvinced More2026- ausertoengageinspecificUIgesturestoexecutearbitrarycodeviaacraftedHTMLpage.(Chromiumsecurityseverity: 8.8 Details6315 High) CVE- TypeConfusioninTurbofaninGoogleChromepriorto147.0.7727.101allowedaremoteattackertoexecutearbitrarycode More2026- 8.8 insideasandboxviaacraftedHTMLpage.(Chromiumsecurityseverity:High) Details6307 CVE- HeapbufferoverflowinPDFiuminGoogleChromepriorto147.0.7727.101allowedaremoteattackertoexecutearbitrary More2026- 8.8 codeinsideasandboxviaacraftedPDFfile.(Chromiumsecurityseverity:High) Details6306 CVE- HeapbufferoverflowinPDFiuminGoogleChromepriorto147.0.7727.101allowedaremoteattackertoexecutearbitrary More2026- 8.8 codeinsideasandboxviaacraftedPDFfile.(Chromiumsecurityseverity:High) Details6305 CVE- UseafterfreeinCodecsinGoogleChromepriorto147.0.7727.101allowedaremoteattackertoexecutearbitrarycodeinside More2026- 8.8 asandboxviaacraftedHTMLpage.(Chromiumsecurityseverity:High) Details6303 TheWPCustomerAreapluginforWordPressisvulnerabletoarbitraryfilereadanddeletionduetoinsufficientfilepath CVE- 
validationinthe'ajaxattachfile'functioninallversionsupto,andincluding,8.3.4.Thismakesitpossibleforauthenticated More2026- attackerswitharolethatanadministratorgrantsaccessto(e.g.,Subscriber)totoreadthecontentsofarbitraryfilesonthe 8.8 Details3464 server,whichcancontainsensitiveinformation,ordeletearbitraryfilesontheserver,whichcaneasilyleadtoremotecode executionwhentherightfileisdeleted(suchaswp-config.php). AvulnerabilityhasbeenfoundinH3CMagicB1upto100R004.TheaffectedelementisthefunctionSetAPWifiorLedInfoByIdCVE- ofthefile/goform/aspForm.Themanipulationoftheargumentparamleadstobufferoverflow.Itispossibletoinitiatethe More2026- 8.8 attackremotely.Theexploithasbeendisclosedtothepublicandmaybeused.Thevendorwascontactedearlyaboutthis Details6563 DataEaseisanopen-sourcedatavisualizationandanalyticsplatform.Versions2.10.20andbelowcontainaSQLinjection vulnerabilityintheAPIdatasourcesavingprocess.ThedeTableNamefieldfromtheBase64-encodeddatasourceconfiguration CVE- isusedtoconstructaDDLstatementviasimplestringreplacementwithoutanysanitizationorescapingofthetablename. More 8.8 AnauthenticatedattackercaninjectarbitrarySQLcommandsbycraftingadeTableNamethatbreaksoutofidentifier Details33121 quoting,enablingerror-basedSQLinjectionthatcanextractdatabaseinformationsuchastheMySQLversion.Thisissuehas

beenfixedinversion2.10.21. DataEaseisanopen-sourcedatavisualizationandanalyticsplatform.Versions2.10.20andbelowcontainaSQLinjection vulnerabilityinthesortparameterofthe/de2api/datasetData/enumValueObjendpoint.TheDatasetDataManageservicelayerCVE-directlytransferstheuser-suppliedsortvaluetothesortingmetadataDTO,whichispassedtoOrder2SQLObjwhereitis More 8.8incorporatedintotheSQLORDERBYclausewithoutanywhitelistvalidation,andthenexecutedviaCalciteProvider.An Details33084authenticatedattackercaninjectarbitrarySQLcommandsthroughthesortparameter,enablingtime-basedblindSQL injection.Thisissuehasbeenfixedinversion2.10.21. DataEaseisanopen-sourcedatavisualizationandanalyticsplatform.Versions2.10.20andbelowcontainaSQLinjection vulnerabilityintheorderDirectionparameterusedindataset-relatedendpointsincluding/de2api/datasetData/enumValueDs CVE-and/de2api/datasetTree/exportDataset.TheOrder2SQLObjclassdirectlyassignstherawuser-suppliedorderDirectionvalue More2026-intotheSQLquerywithoutanyvalidationorwhitelistenforcement,andthevalueisrenderedintotheORDERBYclausevia 8.8 Details33083StringTemplatebeforebeingexecutedagainstthedatabase.AnauthenticatedattackercaninjectarbitrarySQLcommands throughthesortingdirectionfield,enablingtime-basedblinddataextractionanddenialofservice.Thisissuehasbeenfixed inversion2.10.21. 
TheLoginasUserpluginforWordPressisvulnerabletoPrivilegeEscalationinallversionsupto,andincluding,1.0.3.Thisis duetothehandlereturntoadmin()functiontrustingaclient-controlledcookie(oclauporiginaladmin)todeterminewhichCVE-usertoauthenticateas,withoutanyserver-sideverificationthatthecookievaluewaslegitimatelysetduringanadmin- More2026- 8.8initiateduserswitch.Thismakesitpossibleforauthenticatedattackers,withSubscriber-levelaccessandabove,toescalate Details5617theirprivilegestoadministratorbysettingtheoclauporiginaladmincookietoanadministrator'suserIDandtriggeringthe "ReturntoAdmin"functionality. xrdpisanopensourceRDPserver.Inversionsthrough0.10.5,thesessionexecutioncomponentdidnotproperlyhandleanCVE-errorduringtheprivilegedropprocess.Thisimproperprivilegemanagementcouldallowanauthenticatedlocalattackerto More2026- 8.8escalateprivilegestorootandexecutearbitrarycodeonthesystem.Anadditionalexploitwouldbeneededtofacilitatethis. Details32107Thisissuehasbeenfixedinversion0.10.6. CVE-PrivilegeescalationintheDebuggercomponent.ThisvulnerabilitywasfixedinFirefox150,FirefoxESR140.10,Thunderbird More2026- 8.8 Details6769 CVE-AnvizCX2LiteandCX7arevulnerabletounverifiedupdatepackagesthatcanbeuploaded.Thedeviceunpacksand More2026- 8.8executesascriptresultinginunauthenticatedremotecodeexecution. 
Details40066 DataEaseisanopen-sourcedatavisualizationandanalyticsplatform.Versions2.10.20andbelowcontainaSQLinjection vulnerabilityinthe/datasource/getTableFieldendpoint.ThegetTableFiledSqlmethodinCalciteProvider.javaincorporatesthe CVE-tableNameparameterdirectlyintoSQLquerystringsusingString.formatwithoutparameterizationorsanitization.Although More2026-DatasourceServer.javavalidatesthatthetablenameexistsinthedatasource,anattackercanbypassthisbyfirstregistering 8.8 Details33207anAPIdatasourcewithamaliciousdeTableName,whichisthenreturnedbygetTablesandpassesthevalidationcheck.An authenticatedattackercanexecutearbitrarySQLcommands,enablingerror-basedextractionofsensitivedatabase information.Thisissuehasbeenfixedinversion2.10.21. CVE-AnvizCX2Liteisvulnerabletoanauthenticatedcommandinjectionviaafilenameparameterthatenablesarbitrary More2026- 8.8commandexecution(e.g.,startingtelnetd),resultinginroot‑levelaccess. Details35682 DataEaseisanopen-sourcedatavisualizationandanalyticsplatform.Versions2.10.20andbelowcontainaSQLinjection vulnerabilityinthe/de2api/datasetData/previewSqlendpoint.Theuser-suppliedSQLiswrappedinasubquerywithout CVE-validationthattheinputisasingleSELECTstatement.CombinedwiththeJDBCblocklistbypassthatallowsenabling More2026-allowMultiQueries=true,anattackercanbreakoutofthesubqueryandexecutearbitrarystackedSQLstatements,including 8.8 Details40900UPDATEandotherwriteoperations,againsttheconnecteddatabase.Anauthenticatedattackerwithaccesstovalid datasourcecredentialscanachievefullreadandwriteaccesstotheunderlyingdatabase.Thisissuehasbeenfixedinversion 2.10.21. 
Let'sEncryptclientandACMElibrarywritteninGo(Lego).Priorto4.34.0,thewebrootHTTP-01challengeproviderinlegoisCVE-vulnerabletoarbitraryfilewriteanddeletionviapathtraversal.AmaliciousACMEservercansupplyacraftedchallenge More2026- 8.8tokencontaining../sequences,causinglegotowriteattacker-influencedcontenttoanypathwritablebythelegoprocess. Details40611Thisvulnerabilityisfixedin4.34.0. TheCareerSectionpluginforWordPressisvulnerabletoCross-SiteRequestForgeryleadingtoPathTraversalandArbitrary CVE-FileDeletioninallversionsupto,andincluding,1.6.Thisisduetomissingnoncevalidationandinsufficientfilepath More2025-validationonthedeleteactioninthe'appformoptionspagehtml'function.Thismakesitpossibleforunauthenticated 8.8 Details14868attackerstodeletearbitraryfilesontheserverviaaforgedrequest,grantedtheycantrickasiteadministratorinto

CVE- ThreatSonarAnti-RansomwaredevelopedbyTeamT5hasanPrivilegeEscalationvulnerability.Authenticatedremote More2026- 8.8 attackerswithshellaccesscaninjectOScommandsandexecutethemwithrootprivileges. Details5967 CVE- PrivilegeescalationintheNetworkingcomponent.ThisvulnerabilitywasfixedinFirefox150,FirefoxESR140.10,Thunderbird More2026- 8.8 Details6761 CVE- PrivilegeescalationintheGraphics:WebRendercomponent.ThisvulnerabilitywasfixedinFirefox150,FirefoxESR115.35, More 8.8 FirefoxESR140.10,Thunderbird150,andThunderbird140.10. Details

VulnerabilityintheOracleHTTPServerproductofOracleFusionMiddleware(component:Core).Supportedversionsthatare

affectedare12.2.1.4.0and14.1.2.0.0.Difficulttoexploitvulnerabilityallowsunauthenticatedattackerwithnetworkaccess CVE-viaHTTPtocompromiseOracleHTTPServer.WhilethevulnerabilityisinOracleHTTPServer,attacksmaysignificantly More 8.7impactadditionalproducts(scopechange).Successfulattacksofthisvulnerabilitycanresultinunauthorizedcreation, Details34291deletionormodificationaccesstocriticaldataorallOracleHTTPServeraccessibledataaswellasunauthorizedaccessto criticaldataorcompleteaccesstoallOracleHTTPServeraccessibledata.CVSS3.1BaseScore8.7(Confidentialityand Integrityimpacts).CVSSVector:(CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N). WWBNAVideoisanopensourcevideoplatform.Inversions29.0andprior,thelocalesaveendpoint(locale/save.php) constructsafilepathbydirectlyconcatenating$_POST['flag']intothepathatline30withoutanysanitization.TheCVE-$_POST['code']parameteristhenwrittenverbatimtothatpathviafwrite()atline40.Anadminattacker(oranyuserwho More2026- 8.7canCSRFanadmin,sincenoCSRFtokenischeckedandcookiesuseSameSite=None)cantraverseoutofthelocale/ Details40909directoryandwritearbitrary.phpfilestoanywritablelocationonthefilesystem,achievingRemoteCodeExecution. Commit57f89ffbc27d37c9d9dd727212334846e78ac21afixestheissue. 
NoteMarkisanopen-sourcenote-takingapplication.Inversions0.19.1andprior,theassetdeliveryhandlerservesuploaded filesinlineandreliesonmagic-bytedetectionforcontenttype,whichdoesnotidentifytext-basedformatssuchasHTML, CVE-SVG,orXHTML.ThesefilesareservedwithanemptyContent-Type,noX-Content-Type-Options:nosniffheader,andinline More2026-disposition,allowingbrowserstosniffandrenderactivecontent.AnauthenticatedusercanuploadanHTMLorSVGfile 8.7 Details40262containingJavaScriptasanoteasset,andwhenavictimnavigatestotheassetURL,thescriptexecutesunderthe application'soriginwithaccesstothevictim'sauthenticatedsessionandAPIactions.Thisissuehasbeenfixedinversion 0.19.2. ApostropheCMSisanopen-sourceNode.jscontentmanagementsystem.Versions4.28.0andpriorcontainastoredcross-site scriptingvulnerabilityinSEO-relatedfields(SEOTitleandMetaDescription),whereuser-controlledinputisrenderedwithout CVE-properoutputencodingintoHTMLcontextsincluding

tags,attributes,andJSON-LDstructureddata.An More2026-attackercaninjectapayloadsuchas"> tobreakoutoftheintendedHTMLcontextand 8.7 Details35569executearbitraryJavaScriptinthebrowserofanyauthenticateduserwhoviewstheaffectedpage.Thiscanbeleveragedto performauthenticatedAPIrequests,accesssensitivedatasuchasusernames,emailaddresses,androlesviainternalAPIs, andexfiltrateittoanattacker-controlledserver.Thisissuehasbeenfixedinversion4.29.0. CVE-SlahCMSv1.5.0andbelowwasdiscoveredtocontainaSQLinjectionvulnerabilityviatheidparameterinthe More2026- 8.6vereador_ver.phpendpoint. Details30995 CVE-OpenClawbefore2026.3.28loadsthecurrentworkingdirectory.envfilebeforetrustedstate-dirconfiguration,allowing More2026-environmentvariableinjection.Attackerscanplaceamalicious.envfileinarepositoryorworkspacetooverrideruntime 8.6 Details41294configurationandsecurity-sensitiveenvironmentsettingsduringOpenClawstartup. CloudFoundryUUAisvulnerabletoabypassthatallowsanattackertoobtainatokenforanyuserandgainaccesstoUAA-CVE-protectedsystems.ThisvulnerabilityexistswhenSAML2.0bearerassertionsareenabledforaclient,astheUAAaccepts More2026- 8.6SAML2.0bearerassertionsthatareneithersignednorencrypted.ThisissueaffectsUUAfromv77.30.0tov78.7.0 Details22734(inclusive)anditaffectsCFDeploymentfromv48.7.0tov54.14.0(inclusive). WWBNAVideoisanopensourcevideoplatform.Inversions29.0andbelow,anincompleteSSRFfixinAVideo'sLiveLinksCVE-proxyaddsisSSRFSafeURL()validationbutleavesDNSTOCTOUvulnerabilitieswhereDNSrebindingbetweenvalidationand More2026- 8.6theactualHTTPrequestredirectstraffictointernalendpoints.Commit8d8fc0cadb425835b4861036d589abcea4d78ee8 Details41055containsanupdatedfix. 
LangChain-ChatChat0.3.1containsaremotecodeexecutionvulnerabilityinitsMCPSTDIOserverconfigurationand CVE-executionhandling.AremoteattackercanaccessthepubliclyexposedMCPmanagementinterfaceandconfigureanMCP More2026-STDIOserverwithattacker-controlledcommandsandarguments.WhentheMCPserverisstartedandMCPisenabledfor 8.6 Details30617agentexecution,subsequentagentactivitytriggersexecutionofarbitrarycommandsontheserver.Successfulexploitation allowsarbitrarycommandexecutionwithinthecontextoftheLangChain-ChatChatservice. AgentZero0.9.8containsaremotecodeexecutionvulnerabilityinitsExternalMCPServersconfigurationfeature.The CVE-applicationallowsuserstodefineMCPserversusingaJSONconfigurationcontainingarbitrarycommandandargsvalues. More2026-Thesevaluesareexecutedbytheapplicationwhentheconfigurationisappliedwithoutsufficientvalidationorrestriction.An 8.6 Details30624attackermaysupplyamaliciousMCPconfigurationtoexecutearbitraryoperatingsystemcommands,potentiallyresultingin remotecodeexecutionwiththeprivilegesoftheAgentZeroprocess. SiYuanisanopen-sourcepersonalknowledgemanagementsystem.Inversions3.6.3andprior,the CVE-/api/av/removeUnusedAttributeViewendpointconstructsafilesystempathusingtheuser-controlledidparameterwithout More2026-validationorpathboundaryenforcement.Anattackercaninjectpathtraversalsequencessuchas../intotheidvalueto 8.5 Details40318escapetheintendeddirectoryanddeletearbitrary.jsonfilesontheserver,includingglobalconfigurationfilesandworkspace metadata.Thisissuehasbeenfixedinversion3.6.4. 
VulnerabilityintheOracleLifeSciencesEmpiricaSignalproductofOracleLifeScienceApplications(component:Common Core).Supportedversionsthatareaffectedare9.2.1-9.2.3.Easilyexploitablevulnerabilityallowslowprivilegedattackerwith CVE-networkaccessviaHTTPtocompromiseOracleLifeSciencesEmpiricaSignal.WhilethevulnerabilityisinOracleLifeSciences More2026-EmpiricaSignal,attacksmaysignificantlyimpactadditionalproducts(scopechange).Successfulattacksofthisvulnerability 8.5 Details21997canresultinunauthorizedcreation,deletionormodificationaccesstocriticaldataorallOracleLifeSciencesEmpiricaSignal accessibledataaswellasunauthorizedreadaccesstoasubsetofOracleLifeSciencesEmpiricaSignalaccessibledata.CVSS 3.1BaseScore8.5(ConfidentialityandIntegrityimpacts).CVSSVector:(CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N). FreeScoutisafreeself-hostedhelpdeskandsharedmailbox.Versionspriorto1.8.213haveastoredcross-sitescripting (XSS)vulnerabilityinthemailboxsignaturefeature.ThesanitizationfunctionHelper::stripDangerousTags() (app/Misc/Helper.php:568)usesanincompleteblocklistofonlyfourHTMLtags(script,form,iframe,object)and doesnotremoveeventhandlerattributes.WhenamailboxsignatureissavedviaMailboxesController::updateSave() (app/Http/Controllers/MailboxesController.php:267),HTMLelementssuchas`

,



Last updated

Classification

Agency
CSA
Published
April 22nd, 2026
Instrument
Notice
Branch
Executive
Legal weight
Non-binding
Stage
Final
Change scope
Minor

Who this affects

Applies to
Technology companies Government agencies
Industry sector
5112 Software & Technology
Activity scope
Vulnerability monitoring Patch management Security advisory reporting
Geographic scope
Singapore SG

Taxonomy

Primary area
Cybersecurity
Operational domain
IT Security
Compliance frameworks
NIST CSF
Topics
Data Privacy Consumer Protection
