Skip to main content
CVE-2026-22688 CRITICAL POC PATCH Act Now

WeKnora LLM framework (before 0.2.5) allows authenticated users to inject MCP stdio commands that the server executes as subprocesses. PoC available, patch available.

Command Injection AI / ML Weknora Suse
NVD GitHub
CVSS 3.1
9.9
EPSS
0.3%
CVE-2025-65091 CRITICAL PATCH Act Now

XWiki Full Calendar Macro (before 2.4.5) has SQL injection accessible to guest users via the Calendar.JSONService page. Maximum CVSS 10.0 with scope change. Patch available.

SQLi Denial Of Service Full Calendar Macro
NVD GitHub
CVSS 3.1
10.0
EPSS
0.2%
CVE-2025-61686 CRITICAL PATCH Act Now

React Router (@react-router/node 7.0.0-7.9.3) has a path traversal in file-based session storage when using unsigned cookies. Attackers can manipulate session file paths to read or write arbitrary files on the server.

Path Traversal React Router Node Remix Run Deno Remix Run Node
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-22600 CRITICAL PATCH Act Now

OpenProject (before 16.6.4) has a local file read vulnerability through SVG-based ImageMagick exploitation in the PDF export feature. Authenticated users can read server files by uploading malicious SVGs disguised as PNGs. Patch available.

Information Disclosure Openproject
NVD GitHub
CVSS 3.1
9.1
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy