Joomla Extension - joomlack.fr - Unauthenticated file upload in Page Builder CK extension < 3.6.0
Kestra: Unauthenticated Remote Code Execution via Authentication Bypass in `AuthenticationFilter`
WordPress Paid Videochat Turnkey Site plugin <= 7.4.8 - Arbitrary File Deletion vulnerability
OpenProject: IDOR through /projects/<A>/settings/project_storages/<A_ps_id> via PATCH parameter "storages_project_storage[project_folder_id]" leads to Access to Unauthorized Resources
Microsoft Azure Synapse Elevation of Privilege Vulnerability
OpenProject: Pre-authentication RCE in openproject/openproject Docker image via default `SECRET_KEY_BASE=OVERWRITE_ME` and `cookies_serializer = :marshal`
Cisco Identity Services Engine Multiple Authenticated Remote Code Execution Vulnerability
libceph: Fix potential out-of-bounds access in crush_decode()
Nuance PowerScribe Remote Code Execution Vulnerability
vLLM leaks a heap address when PIL throws an error
Invoice Generator <= 1.0.0 - Unauthenticated Privilege Escalation via Account Takeover via 'user_id' Parameter
HTTP::Session versions before 0.54 for Perl defaults to using insecurely generated session ids
mise: Arbitrary Code Execution via Tera Templates in .tool-versions Files (Trust Bypass)
A critical Remote Code Execution (RCE) vulnerability was identified in the server-side template rendering mechanism used by the Glassfish gadget handler. The application processes .xml files and evaluates user-supplied values within a context where Expression Language (EL) “expressions” are processed without proper sanitization or escaping. By injecting expressions such as #{7*7}, the server returns 49, confirming server-side EL evaluation. This issue allows a remote attacker to fully compromise the underlying host, enabling capabilities such as reading/modifying data, executing arbitrary commands, persistence, and lateral movement. This issue affects Eclipse GlassFish: from 8.0.0 to 8.0.1, fixed in 8.0.2; 7.1.0, fixed in 7.1.1; from 7.0.0 to 7.0.25, fixed in 7.0.26. Impact on versions from 5.1.0 to 6.2.5 is unknown.
netfilter: require Ethernet MAC header before using eth_hdr()
WordPress JetEngine plugin <= 3.8.10.2 - SQL Injection vulnerability
Daktronics Controller Firmware Use of Hard-coded Credentials
Daktronics Controller Firmware Path Traversal
pgAdmin 4: Stored XSS via untrusted error and plan-node text rendered through html-react-parser
An authenticated Remote Code Execution (RCE) vulnerability was identified in GlassFish's Administration Console. A user with access to the panel can send crafted requests that allow the execution of arbitrary operating system commands with the privileges of the application service user. This issue affects Eclipse GlassFish: from 8.0.0 to 8.0.1, fixed in 8.0.2; 7.1.0, fixed in 7.1.1; from 7.0.0 to 7.0.25, fixed in 7.0.26. Impact on versions from 5.1.0 to 6.2.5 is unknown.
Dokku: OS Command Injection via app.json managed Cron
A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.17.1), RUGGEDCOM ROX MX5000RE (All versions < V2.17.1), RUGGEDCOM ROX RX1400 (All versions < V2.17.1), RUGGEDCOM ROX RX1500 (All versions < V2.17.1), RUGGEDCOM ROX RX1501 (All versions < V2.17.1), RUGGEDCOM ROX RX1510 (All versions < V2.17.1), RUGGEDCOM ROX RX1511 (All versions < V2.17.1), RUGGEDCOM ROX RX1512 (All versions < V2.17.1), RUGGEDCOM ROX RX1524 (All versions < V2.17.1), RUGGEDCOM ROX RX1536 (All versions < V2.17.1), RUGGEDCOM ROX RX5000 (All versions < V2.17.1). Affected devices do not properly sanitize user-supplied input in the Scheduler functionality of the Web UI, allowing commands to be injected into the task scheduling backend. This could allow an authenticated remote attacker to execute arbitrary commands with root privileges on the underlying operating system.
FFmpeg - Out-of-Bounds Write in RASC Decoder decode_dlta()
ksmbd: fix use-after-free of a deferred file_lock on double SMB2_CANCEL
Handcrafted repo metadata may cause arbitrary local files to be overwritten by libzypp
A vulnerability has been identified in SIMATIC CN 4100 (All versions < V5.0). The affected application does not properly restrict unauthenticated connections and is susceptible to resource exhaustion conditions. This could allow an attacker to disrupt normal operations or perform unauthorized actions, potentially impacting system availability and integrity.
Vscode-java: vscode: command injection vulnerability in the javadoc hover provider of the vscode-java extension
phpUploader < 2.0.2 Unauthenticated Database Exposure via index model
Bootimus 0.1.70 Broken Access Control via JWTMiddleware Authorization Bypass
Kestra BasicAuth Password Stored as SHA-512 Enables Offline Brute-Force Attack
Joomla Extension - joomcoder.com - Unauthenticated SQL Injection in JoomCCK extension for Joomla < 6.4.1
BIG-IP SSL/TLS vulnerability
BIG-IP SSL/TLS vulnerability
FrontAccounting < 2.4.20 Path Traversal RCE via attachment upload
BIG-IP SIP profile vulnerability
BIG-IP APM Vulnerability
BIG-IP Advanced WAF and ASM vulnerability
BIG-IP DNS Cache vulnerability
BIG-IP Configuration utility vulnerability
Cudy LT300 3.0 OS Command Injection via NTP Configuration
Undertow: undertow: request smuggling via inconsistent header parsing
Undertow: undertow: request smuggling via `\r\r\r` as a header block terminator
A vulnerability has been identified in SIMATIC CN 4100 (All versions < V5.0). The affected application is susceptible to resource exhaustion when subjected to a high volume of TCP SYN packets. This could allow an attacker to render the service unavailable and cause denial-of-service conditions by overwhelming system resources.
Out-of-bounds heap write in Zephyr `recvmsg()` ancillary-data path (`insert_pktinfo` undersizes the control-buffer capacity check)
MyBB - Privilege Escalation from Limited ACP User Management to Administrator
H.VIEW HV-500S6 IP Camera Unrestricted Upload of File with Dangerous Type
H.VIEW HV-500S6 IP Camera OS Command Injection
RustFS Snowball Auto-Extract: Path Traversal allows cross-bucket object injection
Dreamweaver Desktop | Improper Access Control (CWE-284)
Cisco Catalyst SD-WAN Manager XML External Entity Injection Vulnerability
Remote Code Execution in SzafirHost
WordPress Groundhogg plugin <= 4.5 - SQL Injection vulnerability
Budibase: Potential SSRF DNS rebinding bypass in outbound fetch validation
iControl REST and TMSH vulnerability
BIG-IP iControl SOAP vulnerability
BIG-IP scripted monitor vulnerability
BIG-IP and BIG-IQ privilege escalation vulnerability
attr < 2.6.0 Symlink Traversal Privilege Escalation via getfattr/setfattr
acl < 2.4.0 Symlink Traversal Privilege Escalation via libacl Functions
Daktronics Controller Firmware Unrestricted Upload of File with Dangerous Type
libssh2 - Free of Uninitialized Pointer in publickey List Cleanup
libssh2 - Integer Overflow in publickey Subsystem Attribute Allocation
Improper Authorization Vulnerability of Maintenance Utility in Hitachi Virtual Storage Platform
OpenProject: Information Disclosure (cleartext storage of data) on localhost through memcached via Others "storage.<id>.httpx_access_token" leads to Sensitive Data Exposure
Budibase: POST /api/attachments/:datasourceId/url is unauthenticated and lets anonymous callers mint S3 PUT pre-signed URLs using stored datasource IAM credentials
Gnutls: gnutls: certificate validation bypass due to oversized subject alternative name
Gnutls: gnutls: information disclosure via heap overread in rsa key exchange
Spring Framework Unsafe Deserialization via Jackson JMS Converters
ProfilePress < 4.16.17 - Subscriber+ Subscription Cancellation via IDOR
Frontend File Manager Plugin <= 23.6 - Authenticated (Subscriber+) Arbitrary File Deletion
Nuance PowerScribe 360 Information Disclosure Vulnerability
Insufficient Verification of Data Authenticity in Remote Control for Zoom Contact Center for Windows before version 7.0.0 may allow an authenticated user to enable an escalation of privilege via local access.
ALSA: timer: Fix UAF at snd_timer_user_params()
Notepad++: CVE-2026-48800 Bypass
ASLR bypass for setuid executables via procctl(2)
Use-after-free bug in the IPV6_MSFILTER socket option handler
Notepad++: Arbitrary Code Execution via config.xml commandLineInterpreter
net/sched: fix pedit partial COW leading to page cache corruption
Multiple vulnerabilities in the sound(4) mmap path
Use After Free in Automotive GPU
Claude Code: Sandbox Escape via Git Worktree Path Confusion Allows Unsandboxed Code Execution
LibreChat: SSRF via User-Provided Custom Endpoint baseURL — no private IP validation on user-configured API base URLs
Acrobat Reader | Uncontrolled Search Path Element (CWE-427)
Kestra: Path traversal via URL-encoded "%2E%2E" in execution and namespace file endpoints allows arbitrary file read
A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.17.1), RUGGEDCOM ROX MX5000RE (All versions < V2.17.1), RUGGEDCOM ROX RX1400 (All versions < V2.17.1), RUGGEDCOM ROX RX1500 (All versions < V2.17.1), RUGGEDCOM ROX RX1501 (All versions < V2.17.1), RUGGEDCOM ROX RX1510 (All versions < V2.17.1), RUGGEDCOM ROX RX1511 (All versions < V2.17.1), RUGGEDCOM ROX RX1512 (All versions < V2.17.1), RUGGEDCOM ROX RX1524 (All versions < V2.17.1), RUGGEDCOM ROX RX1536 (All versions < V2.17.1), RUGGEDCOM ROX RX5000 (All versions < V2.17.1). Affected devices do not properly sanitize user-supplied input during the feature key installation process. This could allow an authenticated remote attacker to inject arbitrary commands, resulting in remote code execution with root privileges on the underlying operating system.
HCL Traveler for Microsoft Outlook (HTMO) is susceptible to vulnerabilities due to .NET Framework 4.5 being out of service
Libaom: libaom: heap buffer overflow in av1 encoder first-pass stats buffer via lap mode
Home Assistant: iOS Companion App ignores internal SSID allowlist for connections – possible leak of access token and sensor data
btrfs: only release the dirty pages io tree after successful writes
ceph: put folios not suitable for writeback
libceph: Fix potential null-ptr-deref in decode_choose_args()
libceph: handle rbtree insertion error in decode_choose_args()
fs/fcntl: fix SOFTIRQ-unsafe lock order in fasync signaling
Notepad++ TOCTOU: HMAC Checks Disk, Executes from Memory
Envoy: Stack overflow in destructor of highly nested JSON
Envoy: Segmentation fault when using %REQUESTED_SERVER_NAME% in log format
Notepad++: Privilege Escalation in the Installer via Uncontrolled Executable Search Path
Panic decoding image with out-of-bounds strip offset in x/image/tiff in golang.org/x/image
Gnutls: gnutls: denial of service via dtls packet reordering vulnerability
An issue in the DSO::mmap_and_copy function of relibc commit 61f42d allows attackers to cause a Denial of Service (DoS) via loading a crafted shared library.
An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of Service (DoS) via parsing a crafted input.
An issue in Technitium DNS Server v.14.3 and before allows a remote attacker to cause a denial of service via the DnsServerApp.exe, DnsServerApp.dll, and TechnitiumLibrary.Net/Dns/DnsClient.cs components.
Gnutls: gnutls: denial of service via heap buffer overflow in dtls handshake fragment reassembly
Gnutls: gnutls: denial of service via dtls zero-length fragment
fast-uri vulnerable to host confusion via failed IDN canonicalization
APCu Manager < 4.5.0 - Unauthenticated Stored XSS via Cache Key Pollution
There exists an unauthenticated remote information disclosure vulnerability in Ollama's model quantization engine
Gnutls: gnutls: security bypass due to incorrect name constraint handling
Edimax EW-7478APC POST Request formPPPoESetup stack-based overflow
Edimax EW-7478APC POST Request formL2TPSetup stack-based overflow
Edimax EW-7478APC POST Request formiNICSiteSurvey buffer overflow
D-Link DCS-935L POST Parameter setconf.cgi sub_400E40 os command injection
Wavlink WL-NU516U1-A POST Parameter wireless.cgi sub_407504 stack-based overflow
Tenda JD12L NatStaticSetting fromNatStaticSetting stack-based overflow
Tenda JD12L addressNat fromAddressNat stack-based overflow
Tenda JD12L WifiBasicSet formWifiBasicSet stack-based overflow
Tenda JD12L WifiGuestSet fromSetWifiGusetBasic stack-based overflow
Tenda JD12L SetPptpServerCfg formSetPPTPServer stack-based overflow
Use-after-return in `zsock_getaddrinfo()` when a timed-out DNS query is retried without cancellation
A vulnerability has been identified in Solid Edge SE2026 (All versions < V226.0 Update 5). The affected application is vulnerable to uninitialized pointer access while parsing specially crafted PAR files. An attacker could leverage this vulnerability to execute code in the context of the current process.
O+ Connect's lack of authentication for IPC channels led to a local privilege escalation vulnerability.
RustDesk - FileTransfer Session Authorization Scope Bypass
acl < 2.4.0 TOCTOU Symlink Traversal via getfacl/setfacl/chacl
FrontAccounting < 2.4.20 SQL Injection via get_gl_transactions()
FrontAccounting < 2.4.20 SQL Injection via reporting/rep710.php
Incorrect link resolution by display name in the custom PowerShell VPN editor in Devolutions Remote Desktop Manager 2026.2.5 through 2026.2.11 allows an authenticated attacker with write access to a shared workspace to execute a PowerShell script in another user's context via a display name collision with an existing VPN script link.
WordPress Embed Privacy plugin <= 1.12.3 - Arbitrary File Deletion vulnerability
WordPress ARForms plugin <= 7.1.2 - Reflected Cross Site Scripting (XSS) vulnerability
WordPress Landing Page Builder plugin <= 1.5.3.5 - Cross Site Scripting (XSS) vulnerability
WordPress Jobify theme <= 4.3.2 - Cross Site Scripting (XSS) vulnerability
WordPress Link Whisper Free plugin <= 0.9.4 - Reflected Cross Site Scripting (XSS) vulnerability
WordPress Wallet System for WooCommerce plugin <= 2.7.6 - Broken Access Control vulnerability
WordPress BEAR plugin <= 1.1.8 - Cross Site Scripting (XSS) vulnerability
Libaom: libaom: remote code execution via svc layer context handling with attacker-controlled frames
Libaom: libaom: heap-buffer-overflow read via missing bounds check in ctrl_set_layer_id
Libaom: libaom: arbitrary address write via svc layer context oob and cyclic refresh map pointer hijack
Flaw in Linuxulator execution of setugid binaries
Gnutls: gnutls: certificate validation bypass due to improper handling of uri and srv sans
Gnutls: gnutls: authentication bypass via nul character in username
FrontAccounting < 2.4.20 SQL Injection via rep601.php
Yelp: yelp-xsl: overly permissive content security policy in yelp allows host file disclosure from flatpak applications
miniupnpd Integer Underflow SOAPAction Header Parsing
Abrt: event handler scripts follow symlinks when writing output files, allowing arbitrary file overwrites
Multiple vulnerabilities in the sound(4) mmap path
Global Buffer Overflow in GNU gzip
NGINX ngx_quic_module vulnerability
BIG-IP httpd access control vulnerability
The /v1/upload/sbom endpoint extracts the iss claim from the attacker-supplied JWT with signature verification disabled, then interpolates that string into three log statements before any validation gate. Because the configured log format ("%(asctime)s - %(name)s - %(levelname)s - %(message)s") renders newlines literally, an unauthenticated attacker can forge log records that are byte-for-byte indistinguishable from PIA's genuine "Successfully authenticated project" message. PIA is an authentication broker whose logs are explicitly relied upon for incident response (DESIGN.md §5.4 lists "Token verifications" and "Errors" as events to log), so the ability to plant fake auth-success entries directly undermines the audit trail the service exists to produce.
Eclipse tinydtls before commit b3efd41ad111a4920f599f51ffa4f5e9f1e72221 contains an out-of-bounds read vulnerability in the check_server_certificate() function that allows unauthenticated attackers to trigger reads beyond valid buffer boundaries by crafting a Certificate handshake message with a specific fragment_length value. Attackers can exploit missing buffer length validation before uint24 reads, memcmp, and memcpy operations during DTLS epoch 0 on both client and server paths to cause denial of service on memory-constrained devices.
Util-linux: util-linux: heap use-after-free in libblkid nested partition probing
ColdFusion | Improper Restriction of XML External Entity Reference ('XXE') (CWE-611)
Information exposure vulnerability in Hitachi Storage Navigator
HCL Traveler for Microsoft Outlook (HTMO) is susceptible to an application modification vulnerability
Gnutls: gnutls: use-after-free in gnutls_pkcs11_token_set_pin
WordPress Affiliates Manager plugin <= 2.9.49 - Broken Access Control vulnerability
WordPress FunnelKit Payment Gateway for Stripe WooCommerce plugin <= 1.14.0.3 - Cross Site Request Forgery (CSRF) vulnerability
WordPress Featured Image plugin <= 2.1 - Cross Site Scripting (XSS) vulnerability
WordPress Colissimo Officiel : Méthodes de livraison pour WooCommerce plugin <= 2.9.0 - Insecure Direct Object References (IDOR) vulnerability
WordPress Japanized For WooCommerce plugin <= 2.9.12 - Broken Access Control vulnerability
WordPress Business Directory plugin <= 6.4.23 - Broken Access Control vulnerability
WordPress Ads by WPQuads plugin <= 3.0.3 - Broken Access Control vulnerability
WordPress WP User Frontend plugin <= 4.3.7 - Broken Access Control vulnerability
WordPress MasterStudy LMS plugin <= 3.7.27 - Cross Site Scripting (XSS) vulnerability
WordPress WooCommerce Designer Pro plugin <= 1.9.34 - Cross Site Scripting (XSS) vulnerability
WordPress Business Directory plugin <= 6.4.22 - Cross Site Scripting (XSS) vulnerability
Microsoft Visual Studio Code CoPilot Chat Security Feature Bypass Vulnerability
Starlette has missing Host header validation that poisons request.url.path, bypassing path-based security checks
Envoy: grpc_stats filter segfault on Connect protocol requests to direct_response routes
sigqueue(2) missing capability mode restriction
Groundhogg <= 4.5.5 - Authenticated (Sales Rep+) SQL Injection via 'query[select]' Parameter
Remotely triggerable NULL-pointer dereference in Bluetooth LE Audio BAP unicast client QoS-state handling
Gnutls: gnutls: policy bypass due to case-sensitive nameconstraints comparison
Frisbii Pay <= 1.8.9 - Missing Authorization to Authenticated (Subscriber+) Payment Token Modification
OpenProject: Stored XSS on openproject.example.com through /api/v3/projects/{project}/work_packages via POST parameter "description"
Page Builder by SiteOrigin <= 2.34.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via panels_data Parameter
Dokan: AI Powered WooCommerce Multivendor Marketplace Solution <= 5.0.4 - Authenticated (Custom+) Stored Cross-Site Scripting via Product SKU
nghttp2 nghttpx - HTTP Request/Response Smuggling via Upgrade Request with Content-Length
WordPress MainWP plugin <= 6.1.1 - Broken Access Control vulnerability
BIG-IP BFD vulnerability
A vulnerability has been identified in Siemens Software Center (All versions < V3.5.8.2), Simcenter 3D (All versions < V2506.6000), Simcenter Femap (All versions < V2506.0002), Simcenter STAR-CCM+ (All versions < V2602), Solid Edge SE2025 (All versions < V225.0 Update 13), Solid Edge SE2026 (All versions < V226.0 Update 04), Tecnomatix Plant Simulation (All versions < V2504.0008). Affected applications do not properly validate client certificates when connecting to the Analytics Service endpoint. This could allow an unauthenticated remote attacker to perform man-in-the-middle attacks.
WordPress Business Directory plugin <= 6.4.22 - Cross Site Scripting (XSS) vulnerability
Cross-Site Scripting (XSS) vulnerability in the patron restriction type administration page of Koha Library Management System through 25.11 allows an authenticated remote attacker with administrator privileges to inject arbitrary web scripts via the restriction type label (display_text field).
MaxButtons <= 9.8.5 - Reflected Cross-Site Scripting via 'view' Parameter
A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.17.1), RUGGEDCOM ROX MX5000RE (All versions < V2.17.1), RUGGEDCOM ROX RX1400 (All versions < V2.17.1), RUGGEDCOM ROX RX1500 (All versions < V2.17.1), RUGGEDCOM ROX RX1501 (All versions < V2.17.1), RUGGEDCOM ROX RX1510 (All versions < V2.17.1), RUGGEDCOM ROX RX1511 (All versions < V2.17.1), RUGGEDCOM ROX RX1512 (All versions < V2.17.1), RUGGEDCOM ROX RX1524 (All versions < V2.17.1), RUGGEDCOM ROX RX1536 (All versions < V2.17.1), RUGGEDCOM ROX RX5000 (All versions < V2.17.1). Affected devices do not properly validate input in the web server's JSON-RPC interface. This could allow an authenticated remote attacker to read arbitrary files from the underlying operating system's filesystem with root privileges.
OpenProject: Business Logic Error on OpenProject through PATCH request to /api/v3/users/me permits to bypass password requirements
Abrt: unsanitized systemd journal content written to dump directory files enables content injection
Lansweeper lsrunase 2.0 and lsencrypt 2.0 use RC4 encryption with a hardcoded 142-byte static key array to encrypt credentials. An 8-character prefix is stored in cleartext alongside the ciphertext. This allows an attacker with local access to recover any encrypted password to plaintext using a single SHA-1 hash and RC4 decryption operation, with no brute force required.
A stack overflow in the AP4_Array<AP4_TrunAtom::Entry>::EnsureCapacity component of axiomatic-systems Bento4 before v1.8.9 allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.
A stack overflow in the AP4_StsdAtom::AP4_StsdAtom component of axiomatic-systems Bento4 before v1.8.9 allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.
Illustrator | NULL Pointer Dereference (CWE-476)
SourceCodester Simple Food Ordering System cart.php logic error
SourceCodester Inventory Management System User Registration Endpoint users_handler.php access control
SourceCodester Class and Exam Timetabling System preview3.php sql injection
SourceCodester Class and Exam Timetabling System edit_class1.php sql injection
code-projects Real State Services single-list_sale.php add sql injection
itsourcecode Online Hotel Management System controller.php add sql injection
itsourcecode Online Hotel Management System controller.php add unrestricted upload
itsourcecode Online Hotel Management System controller.php edit sql injection
itsourcecode Baptism Information Management System editBaptism.php sql injection
itsourcecode Baptism Information Management System delbaptism.php sql injection
Hanwang e-Face General Management Platform upload.do unrestricted upload
Feehi CMS REST API Endpoint articles missing authentication
agentejo Cockpit CMS htaccess config.yaml YAMLLoad file access
YunaiV/zhijiantianya ruoyi-vue-pro AppFileController File Upload Endpoint FileServiceImpl.java generateUploadPath path traversal
SourceCodester Class and Exam Timetabling System preview4.php sql injection
SourceCodester Class and Exam Timetabling System edit_class.php sql injection
SourceCodester Class and Exam Timetabling System preview5.php sql injection
antlr ANTLR4 tokenVocab Grammar Option TokenVocabParser.java getImportedVocabFile path traversal
antlr ANTLR4 Grammar Action Block OutputFile.java code injection
SourceCodester Class and Exam Timetabling System preview7.php sql injection
SourceCodester Class and Exam Timetabling System preview6.php sql injection
SourceCodester Class and Exam Timetabling System preview.php sql injection
HCL Traveler for Microsoft Outlook (HTMO) is susceptible to sensitive data exposure
Libxslt: use-after-free with key data stored cross-rvt
A stored cross-site scripting (XSS) vulnerability in the item type administration page of Koha Library Management System through 25.11 allows an authenticated remote attacker with administrator privileges to inject arbitrary web scripts via the item type check-in message field (checkinmsg).
A stored cross-site scripting (XSS) vulnerability in the OPAC item detail page of Koha Library Management System through 25.11 allows an authenticated remote attacker with edit_items permission to inject arbitrary web scripts via the item public notes field (items.itemnotes).
WordPress Booking and Rental Manager plugin <= 2.7.1 - Broken Access Control vulnerability
jackson-databind: Case-insensitive deserialization bypasses per-property @JsonIgnoreProperties
LibreChat: IDOR in Message Deletion — Incomplete Fix for CVE-2024-41703 Leaves deleteMessages() Without User Filter
Gnutls: gnutls: memory corruption due to off-by-one error in pkcs#12 bag handling
Cisco Identity Services Engine Observable Response Discrepancy Vulnerability
Stripe Payment Forms by WP Full Pay <= 8.4.3 - Missing Authorization to Unauthenticated Payment Record Manipulation via 'paymentIntentId' Parameter
pgAdmin 4: SQL injection in named restore point endpoint
pgAdmin 4: Open redirect in multi-factor authentication flow via unvalidated 'next' parameter
RegistrationMagic <= 6.0.8.6 - Authenticated (Subscriber+) Authentication Bypass via Forged PayPal IPN Request
ColdFusion | Insufficiently Protected Credentials (CWE-522)
AutoGPT: There is a DoS vulnerability in ExtractTextInformationBlock
Gnutls: gnutls: denial of service via excessive resource consumption during certificate verification
Libtasn1: inefficient der decoding in libtasn1 leading to potential remote dos
Deno: process.loadEnvFile() bypasses env permission checks and mutates process.env with only read access
Deno: WebSocket API sandbox bypass via missing post-DNS check
Deno: `fetch()` API sandbox bypass via missing DNS resolution check
Spice-vdagent: integer overflow in udscs_write() leading to heap buffer overflow
Notepad++ WM_COPYDATA COPYDATA_FULL_CMDLINE local DoS crash
Adobe Experience Manager Forms JEE | Cross-site Scripting (Stored XSS) (CWE-79)
pgAdmin 4: HTML injection in cloud verify_credentials / deploy endpoints via unsanitised SDK exception text
Shariff for WordPress <= 1.0.11 - Admin+ Stored Cross-Site Scripting
HCL BigFix Service Management (SM) is vulnerable to insufficiently protected credentials
Cleartext storage and exposure of WPA2 credentials, and missing authentication on the rr/wr memory read/write commands, in the unauthenticated UART debug console of the Tenda N300 F3 (V603) allow a physically proximate attacker to obtain stored WPA2 credentials in cleartext and to read or write arbitrary memory via the serial console.
HCL BigFix Service Management (SM) does not adequately sanitize or safely render
Spice-vdagent: path traversal in file transfer via unsanitized filename
Claude Code: Insecure Temporary File in /copy Command Enables Response Disclosure and Symlink-Based File Write
Gutenverse <= 3.8.0 - Authenticated (Editor+) Stored Cross-Site Scripting via 'fonts[].font.font.value' Parameter
WordPress Simple User Avatar plugin <= 4.9 - Insecure Direct Object References (IDOR) vulnerability
WordPress Nelio Content plugin <= 4.3.4 - Broken Access Control vulnerability
HCL DevOps Deploy / HCL Launch is susceptible to an exposure of sensitive information
Deno: Denial of service via non-ASCII bytes in WebSocket response headers
OpenProject: Private work package data disclosure through single meeting agenda item API
A flaw in Node.js TLS host verification can cause an attacker to bypass certification validation. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.
OpenProject: IDOR on OpenProject through /api/v3/documents/{id} via PATCH parameter "project_id" leads to Unauthorized Modification of Resources
OpenProject: Improper Access Control on OpenProject through /projects/[projectName]/meetings via "invited_user_id" in GET parameter "filters" leads to user names disclosure
HD Quiz 2.2.0 - 2.2.1 - Cross-Site Request Forgery via Multiple AJAX Handlers
Masteriyo LMS <= 2.2.1 - Missing Authorization to Authenticated (Student+) Arbitrary Course Announcement Modification
Product Specifications for Woocommerce <= 0.8.9 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Attribute/Group Creation, Modification, and Deletion via 'dwps_modify_groups' and 'dwps_modify_attributes' AJAX Actions
f4 Post Tree < 2.0.5 - Subscriber+ Arbitrary Post Parent/Menu Order Modification
A CWE-552: Files or Directories Accessible to External Parties vulnerability exists in Easergy T300 with firmware V2.7.1 and older that could expose files or directory content when access from an attacker is not restricted or incorrectly restricted.
Out-of-bounds write in Microchip SERCOM-G1 (PIC32CM-JH) async UART RX with 1-byte buffer
An issue was discovered in HAProxy before 3.3.6. The HTTP/3 parser does not check that the received body length matches a previously announced content-length when the stream is closed via a frame with an empty payload. This can cause desynchronization issues with the backend server and could be used for request smuggling. The earliest affected version is 2.6.
Gnutls: gnutls: information disclosure via timing side-channel in pkcs#7 padding removal
lack of validation for firmware update in Hitachi Virtual Storage
Documenso Google OAuth Login handle-oauth-callback-url.ts improper authentication
YzmCMS index.php sql injection
CherryHQ cherry-studio MCP OAuth Local Callback Server callback.ts improper authorization
SimStudioAI sim Password Protection deployment.ts weak hash
78 xiaozhi-esp32 MQTT Goodbye mqtt_protocol.cc GetInstance denial of service
skypilot-org skypilot User ID server.py username.encode weak hash
Improper input validation in the PAM AD discovery endpoints in Devolutions Server 2026.2.4.0 through 2026.2.7.0 allows an authenticated user with the UserGroupsView permission to coerce server-side authentication to an attacker-controlled host, exposing PAM provider credentials as a NTLMv2 challenge-response, via a crafted DomainName parameter.
Flowise - Custom MCP Environment Variable Denylist Bypass via Case Sensitivity
volcengine OpenViking Local VectorDB Primary-key Label str_to_uint64.py str_to_uint64 data authenticity
itsourcecode Hospital Management System patientchangepassword.php sql injection
itsourcecode Hospital Management System patientdetail.php sql injection
itsourcecode Hospital Management System insertbillingrecord.php sql injection
code-projects Online Music Site POST Request Feedback.php cross site scripting
Edimax EW-7478APC POST Request formiNICbasic os command injection
Edimax EW-7478APC POST Request formAccept os command injection
itsourcecode Online Hotel Management System POST Request controller.php add cross site scripting
itsourcecode Online Hotel Management System POST Request controller.php edit cross site scripting
itsourcecode Online Hotel Management System POST Request controller.php add cross site scripting
CodeAstro Complaint Management System Report Endpoint Report.php deletereport authorization
itsourcecode Hospital Management System doctortimings.php sql injection
Feehi CMS API users access control
itsourcecode Hospital Management System doctorprofile.php sql injection
itsourcecode Hospital Management System doctorchangepassword.php sql injection
GitBucket RepositoryCreationService.scala Git.cloneRepository.setURI server-side request forgery
Wavlink WL-NU516U1-A POST Parameter wireless.cgi sub_401D68 command injection
CodeAstro Human Resource Management System cross-site request forgery
GotoHTTP reg.12x cross site scripting
CodeAstro Human Resource Management System View Endpoint Employee_model.php GetFileInfo sql injection
itsourcecode Hospital Management System departmentDoctor.php sql injection
itsourcecode Hospital Management System department.php sql injection
itsourcecode Hospital Management System Appointment appointmentdetail.php sql injection
CodeAstro Human Resource Management System Update_Earn_Leave Endpoint Employee_model.php emselectByCode sql injection
Investintech SlimPDFReader PDF File SlimPDFReader.exe TeighaDo+0x25cde0 out-of-bounds
itsourcecode Hospital Management System Appointment appointmentapproval.php sql injection
yashpokharna2555 restaurent-management-system Registration login_register.php cross site scripting
itsourcecode Hospital Management System appointment.php sql injection
itsourcecode Hospital Management System ajaxmedicine.php sql injection
Predictable Temporary File in GNU gzip
SourceCodester Inventory Management System User Registration Endpoint users_handler.php cross site scripting
weng-xianhu EyouCMS API index.php sql injection
CodeAstro Complaint Management System Report addreport cross site scripting
khoj-ai khoj Conversation Sharing api_chat.py authorization
llvm llvm-project Bitcode File IntrinsicInst.cpp getBasePtr heap-based overflow
llvm llvm-project ValueSymbolTable ValueSymbolTable.cpp insert stack-based overflow
GPAC ISOBMFF base_encoding.c data amplification
Stack-Based Buffer Overflow in libxml2
CherryHQ cherry-studio CherryIN Preload API MemoryService.ts sha256 authorization
MyScale MyScaleDB SegmentId.h getCacheKey data authenticity
VoltAgent Memory REST API memory.handlers.ts handleGetMemoryConversation improper authorization
AIDC-AI ComfyUI-Copilot Workflow Checkpoint Restore conversation_api.py resource injection
78 xiaozhi-esp32 MCP Response mcp_server.cc ParseMessage improper synchronization
arc53 DocsGPT Credential Storage encryption.py encrypt_credentials data authenticity
antlr ANTLR4 Maven Plugin GrammarDependencies.java ObjectInputStream.readObject toctou
Chess Play and Learn App com.chess AndroidManifest.xml backup
agp/amd64: Fix broken error propagation in agp_amd64_probe()
Bluetooth: L2CAP: reject BR/EDR signaling packets over MTUsig
drm/amd/display: Clamp VBIOS HDMI retimer register count to array size
crypto: af_alg - Cap AEAD AD length to 0x80000000
ceph: fix a buffer leak in __ceph_setxattr()
i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl
Joomla Extension - joomshaper.com - Unauthenticated access to Helix3 template ajax handler