111 CVEs tracked today. 18 Critical, 39 High, 40 Medium, 13 Low.
-
CVE-2026-23944
CRITICAL
CVSS 9.8
Arcane Docker management interface prior to 1.13.2 has missing authentication, allowing unauthenticated attackers to manage Docker containers, images, and networks on the host.
Docker
Arcane
-
CVE-2026-23884
CRITICAL
CVSS 9.8
FreeRDP prior to 3.21.0 has a use-after-free vulnerability in offscreen bitmap deletion that leaves dangling pointers, exploitable by malicious RDP servers for client-side code execution.
Use After Free
Denial Of Service
Freerdp
Redhat
Suse
-
CVE-2026-23883
CRITICAL
CVSS 9.8
FreeRDP prior to 3.21.0 has a use-after-free vulnerability in xf_Pointer_New where cursor data is freed prematurely, allowing malicious RDP servers to execute code on clients.
Use After Free
Denial Of Service
Freerdp
Redhat
Suse
-
CVE-2026-23852
CRITICAL
CVSS 9.6
SiYuan personal knowledge management system prior to 3.5.4 has a stored XSS vulnerability (CVSS 9.6) that allows code execution through crafted knowledge base entries.
RCE
XSS
Siyuan
-
CVE-2026-23841
CRITICAL
CVSS 9.3
Movary has a third input validation vulnerability that allows authenticated users to delete arbitrary files from the server, potentially causing data loss or service disruption.
XSS
Movary
-
CVE-2026-23840
CRITICAL
CVSS 9.3
Movary has a second input validation vulnerability allowing authenticated users to write arbitrary files on the server, enabling code execution through web shell upload.
XSS
Movary
-
CVE-2026-23839
CRITICAL
CVSS 9.3
Movary movie tracking application has an input validation flaw that allows authenticated users to read arbitrary files from the server, potentially exposing configuration files and secrets.
XSS
Movary
-
CVE-2026-23837
CRITICAL
CVSS 9.8
MyTube self-hosted video downloader has an authorization bypass (CVSS 9.8) that allows unauthenticated access to administrative functions in versions 1.7.65 and prior.
Nginx
Mytube
-
CVE-2026-23836
CRITICAL
CVSS 9.9
HotCRP conference review software version 3.1 has an inadequate input sanitization flaw (CVSS 9.9) that allows authenticated users to execute arbitrary code on the server through crafted submissions.
PHP
Hotcrp
-
CVE-2026-23534
CRITICAL
CVSS 9.8
FreeRDP prior to 3.21.0 contains a client-side heap buffer overflow in session data processing, the fifth in a series of seven critical heap overflows fixed in version 3.21.0.
Buffer Overflow
Denial Of Service
Freerdp
Redhat
Suse
-
CVE-2026-23533
CRITICAL
CVSS 9.8
FreeRDP prior to 3.21.0 has another client-side heap buffer overflow that can be exploited by malicious RDP servers to achieve remote code execution on connected clients.
Buffer Overflow
Denial Of Service
Freerdp
Redhat
Suse
-
CVE-2026-23532
CRITICAL
CVSS 9.8
FreeRDP prior to 3.21.0 has a client-side heap buffer overflow that can be triggered by a malicious RDP server during session data processing, enabling remote code execution.
Buffer Overflow
Denial Of Service
Freerdp
Redhat
Suse
-
CVE-2026-23531
CRITICAL
CVSS 9.8
FreeRDP prior to 3.21.0 has a heap buffer overflow in ClearCodec glyph data processing that allows a malicious RDP server to execute arbitrary code on connected clients.
Buffer Overflow
Denial Of Service
Freerdp
Redhat
Suse
-
CVE-2026-23530
CRITICAL
CVSS 9.8
FreeRDP prior to 3.21.0 has a heap buffer overflow in bitmap decompression (planar codec) that can be triggered by a malicious RDP server to execute code on the client.
Buffer Overflow
Denial Of Service
Freerdp
Redhat
Suse
-
CVE-2026-22797
CRITICAL
CVSS 9.9
OpenStack keystonemiddleware 10.5 through 10.9 has an authentication spoofing vulnerability (CVSS 9.9) allowing attackers to bypass Keystone token validation and access any OpenStack service as any user.
Authentication Bypass
Redhat
Suse
-
CVE-2026-1181
CRITICAL
CVSS 9.0
Altium 365 workspace endpoints have overly permissive CORS policies that allow unauthorized cross-origin access to workspace data, potentially exposing proprietary PCB designs and engineering data.
Authentication Bypass
-
CVE-2026-1162
CRITICAL
CVSS 9.8
UTT HiPER 810 router firmware 1.7.4 has a stack buffer overflow in the /goform/setNat endpoint's strcpy function, enabling remote attackers to execute arbitrary code.
Buffer Overflow
810 Firmware
-
CVE-2026-0610
CRITICAL
CVSS 9.8
Devolutions Server 2025.3.1 through 2025.3.6 contains a SQL injection vulnerability in the remote sessions component that allows attackers to manipulate database queries.
SQLi
Devolutions Server
-
CVE-2026-23880
HIGH
CVSS 7.3
OnboardLite's user migration feature in the admin dashboard is vulnerable to stored cross-site scripting, allowing authenticated attackers to inject malicious scripts that execute when administrators process Discord account migrations. This vulnerability affects versions prior to commit 1d32081a66f21bcf41df1ecb672490b13f6e429f and could enable session hijacking or credential theft targeting privileged users. No patch is currently available.
XSS
-
CVE-2026-23850
HIGH
CVSS 7.5
SiYuan versions before 3.5.4 allow unauthenticated remote attackers to read arbitrary files on the server through improper HTML rendering in the markdown feature. Public exploit code exists for this vulnerability, which has a CVSS score of 7.5. The vulnerability has been patched in version 3.5.4 and later.
Path Traversal
Siyuan
Suse
-
CVE-2026-23846
HIGH
CVSS 8.1
Tugtainer versions before 1.16.1 transmit authentication credentials through URL query parameters rather than request bodies, causing passwords to be exposed in server logs, browser history, and proxy logs. This exposure allows attackers with access to these logs or cached data to obtain valid credentials for the Docker container management system. Public exploit code exists for this vulnerability, and a patch is available in version 1.16.1.
Docker
Tugtainer
-
CVE-2026-23843
HIGH
CVSS 7.1
Insecure Direct Object Reference (IDOR) in teklifolustur_app PHP application allows authenticated users to access and view quotes belonging to other users by manipulating the offer_id parameter, due to insufficient authorization validation. An attacker with valid credentials can enumerate and read sensitive quote data from other organization members without proper access controls. No patch is currently available for this vulnerability.
PHP
-
CVE-2026-23842
HIGH
CVSS 7.5
ChatterBot versions through 1.2.10 suffer from denial-of-service vulnerabilities due to improper connection pool management that allows attackers to exhaust database connections through concurrent requests to the get_response() method, causing persistent service unavailability. Public exploit code exists for this vulnerability, which affects all deployments of the affected ChatterBot versions and requires manual service restart to recover. ChatterBot 1.2.11 addresses this issue.
Denial Of Service
AI / ML
Chatterbot
-
CVE-2026-23833
HIGH
CVSS 7.5
ESPHome versions 2025.9.0 through 2025.12.6 are vulnerable to a denial-of-service attack via integer overflow in the API protobuf decoder, affecting all supported microcontroller platforms (ESP32, ESP8266, RP2040, LibreTiny). Unauthenticated attackers can crash ESPHome devices by sending specially crafted packets with large field length values to bypass bounds checking when API encryption is disabled. Upgrade to version 2025.12.7 or later to remediate.
Integer Overflow
Denial Of Service
Esphome
Redhat
-
CVE-2026-23732
HIGH
CVSS 7.5
FreeRDP versions before 3.21.0 contain a buffer overflow in FastGlyph parsing where a malicious Remote Desktop server can crash the client by sending specially crafted glyph data that bypasses length validation. A remote attacker can exploit this vulnerability without authentication to cause denial of service, and public exploit code exists. The vulnerability affects FreeRDP clients connecting to untrusted or compromised RDP servers, with no patch currently available for most deployments.
Buffer Overflow
Denial Of Service
Freerdp
Redhat
Suse
-
CVE-2026-23625
HIGH
CVSS 8.7
Stored XSS in OpenProject versions 16.3.0-16.6.4 allows authenticated users to inject arbitrary HTML/JavaScript through subproject names displayed in the Roadmap view, affecting all users who view the compromised roadmap. An attacker with project creation or modification privileges can craft a malicious project name that executes in victims' browsers when they access the Roadmap, potentially leading to session hijacking or credential theft. No patch is currently available; mitigation is only present in versions 16.6.5 and 17.0.0 through HTTP security headers.
XSS
Openproject
-
CVE-2026-22850
HIGH
CVSS 8.3
SQL injection in Koko Analytics for WordPress prior to version 2.1.3 allows unauthenticated attackers to inject malicious SQL through the public tracking endpoint, which gets stored unescaped and executed when administrators export and reimport analytics data. Public exploit code exists for this vulnerability, enabling attackers to execute arbitrary SQL commands including database manipulation and potential data destruction. The vulnerability affects WordPress installations using vulnerable versions of the Koko Analytics plugin and requires administrator interaction with a malicious export file to fully exploit.
WordPress
PHP
Industrial
Koko Analytics
-
CVE-2026-22037
HIGH
CVSS 8.4
The @fastify/express plugin prior to version 4.0.3 allows authenticated attackers to bypass path-based middleware restrictions by submitting URL-encoded characters in requests, such as using /%61dmin instead of /admin. While the middleware engine fails to match the encoded path, the underlying Fastify router correctly decodes it and routes the request to handlers, enabling unauthorized access to protected endpoints. This affects Node.js applications using vulnerable versions of the plugin.
Node.js
-
CVE-2026-22031
HIGH
CVSS 8.4
Middleware path-matching bypass in @fastify/middie before version 9.1.0 allows authenticated attackers to access protected endpoints by using URL-encoded characters in requests, as the middleware engine fails to decode paths while the underlying router does. An attacker with valid credentials can exploit this inconsistency to circumvent middleware security controls and access restricted functionality. This vulnerability requires low privileges and network access, with no patch currently available.
Authentication Bypass
-
CVE-2026-21618
HIGH
CVSS 8.5
Improper input sanitization in hexpm's SharedAuthorizationView module allows unauthenticated attackers to inject malicious scripts into web pages through the render_grouped_scopes function, enabling cross-site scripting (XSS) attacks against hex.pm users. The vulnerability affects hexpm versions from October 2025 through January 19, 2026, and currently has no available patch. Attackers can exploit this via a simple network request requiring only user interaction, potentially compromising user sessions or stealing sensitive data.
XSS
-
CVE-2026-1192
HIGH
CVSS 7.3
Online Store Management System versions up to 1.01 contain a vulnerability that allows attackers to perform command injection (CVSS 7.3).
PHP
Command Injection
Online Store Management System
-
CVE-2026-1179
HIGH
CVSS 7.3
SQL injection in Yonyou KSOA 9.0's /kmf/user_popedom.jsp endpoint allows unauthenticated remote attackers to manipulate the folderid parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification. The attack requires no user interaction and can result in unauthorized data access, modification, or system disruption.
SQLi
Ksoa
-
CVE-2026-1178
HIGH
CVSS 7.3
SQL injection in Yonyou KSOA 9.0 via the folderid parameter in /kmf/select.jsp allows unauthenticated remote attackers to manipulate database queries and potentially extract or modify sensitive data. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification.
SQLi
Ksoa
-
CVE-2026-1177
HIGH
CVSS 7.3
SQL injection in Yonyou KSOA 9.0 via the folderid parameter in /kmf/save_folder.jsp allows unauthenticated remote attackers to manipulate database queries and potentially access, modify, or delete sensitive data. Public exploit code is available for this vulnerability, increasing the risk of active exploitation. No patch is currently available from the vendor.
SQLi
Ksoa
-
CVE-2026-1176
HIGH
CVSS 7.3
SQL injection in itsourcecode School Management System 1.0 via the ID parameter in /subject/index.php allows unauthenticated remote attackers to query, modify, or delete database contents. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires no user interaction and can be executed over the network against vulnerable instances.
PHP
SQLi
School Management System
-
CVE-2026-1160
HIGH
CVSS 7.3
PHPGurukul Directory Management System 1.0 contains a SQL injection vulnerability in the search functionality of /index.php that allows unauthenticated remote attackers to manipulate the searchdata parameter and execute arbitrary database queries. Public exploit code is available for this vulnerability, and no patch is currently available. The vulnerability impacts confidentiality, integrity, and availability with a CVSS score of 7.3.
PHP
SQLi
Directory Management System
-
CVE-2026-1159
HIGH
CVSS 7.3
Online Frozen Foods Ordering System versions up to 1.0 contain a vulnerability that allows attackers to perform SQL injection (CVSS 7.3).
PHP
SQLi
Online Frozen Foods Ordering System
-
CVE-2026-1158
HIGH
CVSS 8.8
Buffer overflow in Totolink LR350 firmware allows authenticated remote attackers to achieve full system compromise through malicious SSID parameters in the wizard configuration endpoint. Public exploit code is available for this vulnerability, and no patch has been released, leaving deployed devices at immediate risk. The flaw requires valid credentials but enables complete confidentiality, integrity, and availability violations with network-level access.
Buffer Overflow
Lr350 Firmware
-
CVE-2026-1157
HIGH
CVSS 8.8
Stack-based buffer overflow in Totolink LR350 firmware (version 9.3.5u.6369_B20220309) allows authenticated remote attackers to achieve complete system compromise through manipulation of the ssid parameter in the WiFi configuration function. Public exploit code is available and no patch has been released, leaving affected devices vulnerable to active exploitation. The vulnerability requires valid credentials but poses critical risk due to high-impact consequences including arbitrary code execution.
Buffer Overflow
Lr350 Firmware
-
CVE-2026-1156
HIGH
CVSS 8.8
Unauthenticated remote attackers can exploit a buffer overflow in the WiFi configuration function of Totolink LR350 firmware version 9.3.5u.6369_B20220309 to achieve remote code execution with full system compromise. The vulnerability exists in the ssid parameter handler of /cgi-bin/cstecgi.cgi and requires only network access to trigger, with public exploit code already available. No patch is currently available for affected devices.
Buffer Overflow
Lr350 Firmware
-
CVE-2026-1155
HIGH
CVSS 8.8
Buffer overflow in Totolink LR350 firmware allows authenticated remote attackers to achieve complete system compromise through a malformed SSID parameter in the WiFi guest configuration function. Public exploit code exists for this vulnerability, and no patch is currently available. An attacker with network access and valid credentials can execute arbitrary code with full system privileges.
Buffer Overflow
Lr350 Firmware
-
CVE-2026-1143
HIGH
CVSS 8.8
Buffer overflow in TOTOLINK A3700R firmware version 9.1.2u.5822_B20200513 allows authenticated remote attackers to achieve complete system compromise through manipulation of the ssid parameter in the WiFi guest configuration function. Public exploit code exists for this vulnerability and no patch is currently available. An attacker with network access and valid credentials can execute arbitrary code with full system privileges.
Buffer Overflow
A3700r Firmware
-
CVE-2026-1140
HIGH
CVSS 8.8
Remote code execution in UTT 520W firmware 1.7.7-180627 via a buffer overflow in the /goform/ConfigExceptAli endpoint allows authenticated attackers to execute arbitrary code with high privileges. Public exploit code exists for this vulnerability, and no patch is available from the vendor despite early disclosure notification. Affected organizations running vulnerable 520W devices should immediately isolate or replace equipment until a security update becomes available.
Buffer Overflow
520w Firmware
-
CVE-2026-1139
HIGH
CVSS 8.8
Remote code execution in UTT 520W firmware 1.7.7-180627 stems from a buffer overflow in the /goform/ConfigExceptMSN endpoint accessible to authenticated users. Public exploit code exists for this vulnerability, and the vendor has not released a patch despite early notification. An attacker with valid credentials can achieve complete system compromise including data theft, modification, and service disruption.
Buffer Overflow
520w Firmware
-
CVE-2026-1138
HIGH
CVSS 8.8
Buffer overflow in UTT 520W firmware version 1.7.7-180627 allows authenticated remote attackers to execute arbitrary code through the /goform/ConfigExceptQQ endpoint via unsafe string operations. Public exploit code is available and the vendor has not provided a patch despite early notification. This vulnerability affects confidentiality, integrity, and availability with CVSS 8.8 severity.
Buffer Overflow
520w Firmware
-
CVE-2026-1137
HIGH
CVSS 8.8
Remote code execution in UTT 520W firmware versions through 1.7.7-180627 stems from a buffer overflow in the /goform/formWebAuthGlobalConfig endpoint, allowing authenticated attackers to execute arbitrary code with network access. Public exploit code is available for this vulnerability, and no patches have been released despite vendor notification. The high CVSS score of 8.8 reflects full compromise of confidentiality, integrity, and availability on affected devices.
Buffer Overflow
520w Firmware
-
CVE-2026-1133
HIGH
CVSS 7.3
SQL injection in Yonyou KSOA 9.0 allows unauthenticated remote attackers to manipulate the folderid parameter in /kmf/folder.jsp HTTP requests, potentially leading to unauthorized data access or modification. Public exploit code exists for this vulnerability, and the vendor has not provided a patch or response despite early notification.
SQLi
Ksoa
-
CVE-2026-1132
HIGH
CVSS 7.3
SQL injection in Yonyou KSOA 9.0 via the folderid parameter in /kmf/edit_folder.jsp allows unauthenticated remote attackers to execute arbitrary database queries. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early disclosure notification.
SQLi
Ksoa
-
CVE-2026-1131
HIGH
CVSS 7.3
SQL injection in Yonyou KSOA 9.0's /kmc/save_catalog.jsp endpoint allows unauthenticated remote attackers to manipulate the catalogid parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires only network access with no user interaction, enabling potential data exfiltration and unauthorized database modification.
SQLi
Ksoa
-
CVE-2026-1130
HIGH
CVSS 7.3
Unauthenticated SQL injection in Yonyou KSOA 9.0 via the ID parameter in the /worksheet/worksadd_plan.jsp endpoint allows remote attackers to execute arbitrary SQL queries and potentially access or modify sensitive data. Public exploit code exists for this vulnerability, and the vendor has not released a patch despite early notification. The attack requires no authentication or user interaction and can be exploited over the network.
SQLi
Ksoa
-
CVE-2026-1129
HIGH
CVSS 7.3
SQL injection in Yonyou KSOA 9.0's /worksheet/worksadd.jsp endpoint allows unauthenticated remote attackers to manipulate the ID parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early notification. The attack requires no user interaction and could enable unauthorized data access, modification, or deletion.
SQLi
Ksoa
-
CVE-2026-1007
HIGH
CVSS 7.6
Devolutions Server versions 2025.3.1 through 2025.3.12 contain an authorization bypass in the virtual gateway component that allows authenticated attackers with high privileges to circumvent IP-based deny rules. This vulnerability could enable attackers to access restricted resources or bypass network-level security controls. No patch is currently available.
Authentication Bypass
Devolutions Server
-
CVE-2026-0943
HIGH
CVSS 7.5
HarfBuzz::Shaper for Perl versions before 0.032 contain a null pointer dereference in the bundled HarfBuzz library that allows remote attackers to cause a denial of service without authentication or user interaction. The vulnerability affects applications using vulnerable versions of the library and results in service unavailability. No patch is currently available.
Null Pointer Dereference
Suse
-
CVE-2025-68616
HIGH
CVSS 7.5
WeasyPrint helps web developers to create PDF documents. Prior to version 68.0, a server-side request forgery (SSRF) protection bypass exists in WeasyPrint's `default_url_fetcher`. The vulnerability allows attackers to access internal network resources (such as `localhost` services or cloud metadata endpoints) even when a developer has implemented a custom `url_fetcher` to block such access. This occurs because the underlying `urllib` library follows HTTP redirects automatically without re-va...
SSRF
Weasyprint
Redhat
Suse
-
CVE-2025-61684
HIGH
CVSS 7.5
Quicly, an IETF QUIC protocol implementation, is susceptible to a denial-of-service attack prior to commit d9d3df6a8530a102b57d840e39b0311ce5c9e14e. A remote attacker can exploit these bugs to trigger an assertion failure that crashes the process using Quicly. [CVSS 7.5 HIGH]
Denial Of Service
Quicly
-
CVE-2025-29847
HIGH
CVSS 7.5
A vulnerability in Apache Linkis. Problem Description: When using the JDBC engine and data source functionality, if the URL parameter configured on the frontend has undergone multiple rounds of URL encoding, it may bypass the system's checks. [CVSS 7.5 HIGH]
Apache
Linkis
-
CVE-2025-11043
HIGH
CVSS 7.4
The OPC-UA client and the ANSL over TLS client used in Automation Studio versions up to 6.5 are affected by an improper certificate validation vulnerability (CVSS 7.4).
Tls
-
CVE-2026-23886
MEDIUM
CVSS 5.3
Swift W3C TraceContext and Swift OTel improperly validate malformed HTTP headers, enabling remote attackers to crash affected services through denial-of-service attacks. This vulnerability affects applications using these libraries for distributed tracing and telemetry, particularly HTTP servers processing untrusted network input. No patch is currently available, though versions 1.0.0-beta.5 of Swift W3C TraceContext and 1.0.4 of Swift OTel are expected to address the issue.
Denial Of Service
-
CVE-2026-23885
MEDIUM
CVSS 6.4
Arbitrary code execution in Alchemy CMS before versions 7.4.12 and 8.0.3 stems from unsafe use of Ruby's eval() function on the resource_handler.engine_name parameter in the ResourcesHelper class. An authenticated administrator can manipulate module configurations to inject and execute arbitrary system commands with the privileges of the Ruby process. The vulnerability requires high privileges and careful setup to exploit, but completely bypasses the Ruby sandbox once successful.
Code Injection
RCE
-
CVE-2026-23878
MEDIUM
CVSS 6.5
HotCRP is conference review software. [CVSS 6.5 MEDIUM]
Information Disclosure
Hotcrp
-
CVE-2026-23877
MEDIUM
CVSS 4.3
Swing Music is a self-hosted music player for local audio files. Versions up to 2.1.4 contain a security vulnerability.
Path Traversal
Swing Music
-
CVE-2026-23875
MEDIUM
CVSS 5.4
Improper permission validation in CrawlChat versions prior to 0.0.8 allows unauthenticated Discord guild members to inject malicious content into the bot's knowledge base through the jigsaw emoji feature, enabling attackers to manipulate chatbot responses across all integrations and redirect users to malicious sites. The vulnerability affects the AI/ML platform's ability to maintain knowledge base integrity, as normal users can bypass intended admin-only controls. Public exploit code exists for this issue, though a patch is available.
Authentication Bypass
AI / ML
Crawlchat
-
CVE-2026-23851
MEDIUM
CVSS 6.5
SiYuan knowledge management system versions before 3.5.4 allow authenticated users to copy arbitrary files from the server filesystem into the application workspace due to insufficient path validation in the /api/file/globalCopyFiles endpoint. An attacker with valid credentials can exploit this path traversal vulnerability to read sensitive files and escalate privileges within the application. Public exploit code exists for this medium-severity vulnerability, though a patch is available.
Golang
Siyuan
Suse
-
CVE-2026-23849
MEDIUM
CVSS 5.3
Filebrowser versions up to 2.55.0 contain a vulnerability that allows attackers to enumerate valid usernames by measuring the response time of the /api/login endpoint (CVSS 5.3).
Information Disclosure
Filebrowser
Suse
-
CVE-2026-23848
MEDIUM
CVSS 6.5
Mytube versions up to 1.7.71 contain a vulnerability that allows attackers to bypass IP-based rate limiting on general API endpoints (CVSS 6.5).
Denial Of Service
Mytube
-
CVE-2026-23847
MEDIUM
CVSS 6.1
Reflected XSS in SiYuan's /api/icon/getDynamicIcon endpoint allows attackers to inject malicious JavaScript through unescaped SVG content in dynamically generated icon images. An unauthenticated attacker can craft a malicious link that, when clicked by a victim, executes arbitrary scripts in the context of the SiYuan application. Public exploit code exists for versions prior to 3.5.4, which contains the necessary patches.
XSS
Siyuan
Suse
-
CVE-2026-23845
MEDIUM
CVSS 5.8
Mailpit versions before 1.28.3 contain a server-side request forgery vulnerability in the HTML Check feature that allows unauthenticated attackers to trigger arbitrary HTTP requests by crafting malicious CSS links in email messages. The vulnerability exists in the CSS inlining function which automatically downloads external stylesheets without proper validation. Public exploit code exists for this issue, though a patch is available in version 1.28.3 and later.
SSRF
Mailpit
Suse
-
CVE-2026-23844
MEDIUM
CVSS 4.3
Whisper Money versions before 0.1.5 contain an insecure direct object reference vulnerability that allows authenticated users to modify bank account balances belonging to other users. An attacker with valid credentials can exploit this to manipulate financial data across multiple accounts without authorization. A patch is available in version 0.1.5 and should be applied immediately.
Information Disclosure
Whisper Money
-
CVE-2026-23829
MEDIUM
CVSS 5.3
Header injection in Mailpit's SMTP server prior to version 1.28.3 allows unauthenticated remote attackers to inject or modify email headers by embedding carriage return characters in sender and recipient addresses due to insufficient regex validation. Public exploit code exists for this vulnerability, which could enable attackers to manipulate email routing, spoofing, or phishing attacks against users of the email testing tool. The issue is resolved in version 1.28.3 and later.
Code Injection
Mailpit
Suse
-
CVE-2026-23721
MEDIUM
CVSS 4.3
OpenProject versions prior to 17.0.1 and 16.6.5 fail to properly validate permissions when displaying group membership information, allowing authenticated users with View Members permission in any project to enumerate all groups and identify their members across the entire system. This breaks the intended access control where group membership visibility should be restricted to users with appropriate permissions in projects where the group is active. The vulnerability requires authenticated access and has no available patch or workaround at this time.
Authentication Bypass
Openproject
-
CVE-2026-23646
MEDIUM
CVSS 6.5
OpenProject versions prior to 16.6.5 and 17.0.1 fail to properly validate session ownership in the session deletion endpoint, allowing authenticated users to forcibly log out arbitrary other users by iterating through sequential session IDs. An attacker with valid credentials can exploit the predictable session ID scheme via DELETE requests to /my/sessions/:id to terminate other users' sessions without authorization. No patch is currently available, and this vulnerability requires only valid authentication to exploit.
Information Disclosure
Openproject
-
CVE-2026-21696
MEDIUM
CVSS 6.5
Wings for Pterodactyl versions 1.7.0 through 1.11.x fail to respect SQLite's maximum parameter limit when deleting activity log entries, allowing authenticated users to trigger a database error that prevents log cleanup and causes indefinite accumulation of records. This denial of service condition degrades panel performance and availability over time. Public exploit code exists for this vulnerability, and no patch is currently available.
SQLi
Wings
Suse
-
CVE-2026-1193
MEDIUM
CVSS 6.3
Improper authorization in MineAdmin 1.x/2.x allows authenticated remote attackers to gain unauthorized access through the View Interface cache component. Public exploit code exists for this vulnerability, and the vendor has not provided a patch or response to disclosure requests. An attacker with valid credentials can exploit this to read, modify, or disrupt system operations.
Information Disclosure
Mineadmin
-
CVE-2026-1175
MEDIUM
CVSS 5.3
Birkir Prime up to version 0.4.0.beta.0 exposes sensitive information through error messages in its GraphQL Directive Handler endpoint (/graphql), allowing unauthenticated remote attackers to extract data. Public exploit code exists for this vulnerability, and the vendor has not yet released a patch despite being notified.
Information Disclosure
Prime
-
CVE-2026-1174
MEDIUM
CVSS 5.3
Birkir Prime versions up to 0.4.0.beta.0 are vulnerable to resource exhaustion attacks through the GraphQL Alias Handler endpoint, allowing unauthenticated remote attackers to cause denial of service. Public exploit code is available for this vulnerability, and the project has not yet released a patch despite early notification. The attack requires no user interaction and can be executed over the network with minimal complexity.
Denial Of Service
Prime
-
CVE-2026-1173
MEDIUM
CVSS 5.3
Prime versions up to 0.4.0.beta.0 are vulnerable to denial of service attacks through the GraphQL Array Based Query Batch Handler component, which can be exploited remotely without authentication. Public exploit code exists for this vulnerability, and the vendor has not yet released a patch despite early notification.
Denial Of Service
Prime
-
CVE-2026-1172
MEDIUM
CVSS 5.3
Birkir Prime versions up to 0.4.0.beta.0 contain a denial of service vulnerability in the GraphQL Directive Handler that can be exploited remotely without authentication. Public exploit code exists for this vulnerability, and the developers have not released a patch despite early notification. An unauthenticated attacker can leverage this flaw to disrupt service availability.
Denial Of Service
Prime
-
CVE-2026-1171
MEDIUM
CVSS 5.3
Remote denial of service in birkir Prime up to version 0.4.0.beta.0 can be triggered through the GraphQL Field Handler endpoint without authentication. Public exploit code exists for this vulnerability, though no patch is currently available from the project maintainers.
Denial Of Service
Prime
-
CVE-2026-1170
MEDIUM
CVSS 5.3
Birkir Prime up to version 0.4.0.beta.0 exposes sensitive information through its GraphQL API endpoint due to improper access controls, allowing unauthenticated remote attackers to disclose confidential data. Public exploit code for this vulnerability is available, and the vendor has not yet released a patch despite being notified of the issue.
Information Disclosure
Prime
-
CVE-2026-1169
MEDIUM
CVSS 4.3
Cross-site request forgery (CSRF) in Birkir Prime through version 0.4.0.beta.0 allows remote attackers to perform unauthorized actions on behalf of authenticated users through malicious web requests. Public exploit code is available for this vulnerability, increasing the risk of active exploitation. No patch has been released as of this advisory.
CSRF
Prime
-
CVE-2026-1154
MEDIUM
CVSS 4.3
E-Learning System versions up to 1.0 contain a basic cross-site scripting (XSS) vulnerability (CVSS 4.3).
PHP
XSS
E Learning System
-
CVE-2026-1153
MEDIUM
CVSS 4.3
Cross-site request forgery in Mpay up to version 1.2.4 allows unauthenticated remote attackers to perform unauthorized actions via a crafted request. Public exploit code exists for this vulnerability, and no patch is currently available, leaving affected systems exposed to attack.
CSRF
Mpay
-
CVE-2026-1152
MEDIUM
CVSS 4.7
Mpay versions up to 1.2.4 contain an unrestricted file upload vulnerability in the QR Code Image Handler component via the codeimg parameter, allowing remote attackers with high privileges to upload arbitrary files. Public exploit code exists for this vulnerability, though no patch is currently available. The attack requires administrative credentials but carries moderate risk with potential impacts to confidentiality, integrity, and availability.
File Upload
Authentication Bypass
Mpay
-
CVE-2026-1150
MEDIUM
CVSS 6.3
Command injection in Totolink LR350 firmware through the setTracerouteCfg function allows authenticated remote attackers to execute arbitrary system commands via a malicious POST request to /cgi-bin/cstecgi.cgi. Public exploit code is available and the vulnerability remains unpatched, creating immediate risk for deployed devices. An attacker with network access and valid credentials can achieve code execution with full device compromise potential.
Command Injection
Lr350 Firmware
-
CVE-2026-1149
MEDIUM
CVSS 6.3
Command injection in Totolink LR350 firmware allows authenticated remote attackers to execute arbitrary commands through the ip parameter in the setDiagnosisCfg function. Public exploit code exists for this vulnerability, and no patch is currently available. Affected users should restrict access to the affected device until a fix is released.
Command Injection
Lr350 Firmware
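Both LR350 entries above describe the same pattern: a diagnostics handler behind /cgi-bin/cstecgi.cgi passes an attacker-controlled target straight into a system command. Until a firmware fix exists, the practical control is restricting access and watching for attempts. The following is an added detection example, not vendor code. It assumes (this is not stated in the advisories) that the CGI takes a JSON body whose "topicurl" field names the handler and whose "ip"/"host" field carries the target, and that each request-log line is a JSON object with "src", "path" and "body"; the sample log lines are constructed.

```python
"""Flag command-injection attempts against Totolink-style cstecgi.cgi diagnostics
handlers (setTracerouteCfg, setDiagnosisCfg). Added detection example, not vendor code.

Assumptions: the CGI takes a JSON body whose "topicurl" field names the handler and
whose "ip"/"host" field holds the target; each request-log line is a JSON object
with "src", "path" and "body".
"""
import ipaddress
import json
import re
from typing import List, Optional, Tuple

WATCHED_HANDLERS = {"setTracerouteCfg", "setDiagnosisCfg"}
TARGET_FIELDS = ("ip", "host", "hostname")
# Characters that let a value escape a sprintf()+system() style invocation.
SHELL_META = re.compile(r"[;&|`$(){}<>\n\r\\'\"]")
# \Z rather than $: $ would accept a value with a trailing newline.
HOSTNAME = re.compile(
    r"^(?=.{1,253}\Z)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*\.?\Z")


def is_benign_target(value: str) -> bool:
    """Accept only a literal IP address or a syntactically valid hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(HOSTNAME.match(value))


def inspect_request(path: str, body: str) -> Optional[dict]:
    """Return a finding for a suspicious diagnostics request, else None."""
    if not path.endswith("/cstecgi.cgi"):
        return None
    try:
        params = json.loads(body)
    except ValueError:
        return None
    if not isinstance(params, dict) or params.get("topicurl") not in WATCHED_HANDLERS:
        return None
    for field in TARGET_FIELDS:
        value = params.get(field)
        if isinstance(value, str) and not is_benign_target(value):
            return {"handler": params["topicurl"], "field": field, "value": value,
                    "shell_meta": sorted(set(SHELL_META.findall(value)))}
    return None


def scan_log(lines: List[str]) -> List[Tuple[str, dict]]:
    """Return (source address, finding) for every log line carrying an attempt."""
    findings = []
    for line in lines:
        try:
            entry = json.loads(line)
        except ValueError:
            continue
        finding = inspect_request(entry.get("path", ""), entry.get("body", ""))
        if finding:
            findings.append((entry.get("src", "?"), finding))
    return findings


# Constructed sample log: a legitimate traceroute, an injection attempt, an unrelated call.
SAMPLE_LOG = [
    json.dumps({"src": "10.0.0.5", "path": "/cgi-bin/cstecgi.cgi",
                "body": json.dumps({"topicurl": "setTracerouteCfg", "ip": "8.8.8.8"})}),
    json.dumps({"src": "10.0.0.9", "path": "/cgi-bin/cstecgi.cgi",
                "body": json.dumps({"topicurl": "setDiagnosisCfg", "ip": "127.0.0.1;cat /etc/passwd"})}),
    json.dumps({"src": "10.0.0.9", "path": "/cgi-bin/cstecgi.cgi",
                "body": json.dumps({"topicurl": "getSysStatusCfg"})}),
]

if __name__ == "__main__":
    for src, finding in scan_log(SAMPLE_LOG):
        print(src, finding)
```

The check is an allow-list (IP literal or RFC-style hostname), not a deny-list of metacharacters; the metacharacter list is only reported to help triage. An allow-list is also the right shape for the firmware-side fix: validate the target the same way and pass it to traceroute or ping as a separate argv element rather than through a shell.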
-
CVE-2026-1148
MEDIUM
CVSS 4.3
Patients Waiting Area Queue Management System versions up to 1.0 are affected by cross-site request forgery (CSRF) (CVSS 4.3).
CSRF
Patients Waiting Area Queue Management System
-
CVE-2026-1145
MEDIUM
CVSS 6.3
Heap-based buffer overflow in QuickJS up to version 0.11.0 within the js_typed_array_constructor_ta function allows remote attackers to corrupt memory and potentially achieve code execution with user interaction. Public exploit code exists for this vulnerability, increasing practical attack risk. A patch is available and should be applied immediately.
Buffer Overflow
Heap Overflow
Quickjs
Redhat
Suse
-
CVE-2026-1144
MEDIUM
CVSS 6.3
Use-after-free in QuickJS up to version 0.11.0 within the Atomics Ops Handler allows remote attackers to trigger memory corruption without authentication. Public exploit code exists for this vulnerability, enabling potential information disclosure or denial of service. A patch is available and should be applied immediately.
Industrial
Use After Free
Quickjs
Redhat
Suse
-
CVE-2026-1142
MEDIUM
CVSS 4.3
PHPGurukul News Portal 1.0 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated users through crafted requests. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. The flaw affects the integrity of user actions but does not compromise confidentiality or availability.
CSRF
News Portal
-
CVE-2026-1141
MEDIUM
CVSS 6.3
PHPGurukul News Portal 1.0 contains an authorization bypass in the /admin/add-subadmins.php component that allows authenticated attackers to gain unauthorized access and modify system data. Public exploit code exists for this vulnerability, making it readily exploitable by remote actors. A patch is not currently available, leaving installations vulnerable until an update is released.
PHP
News Portal
-
CVE-2026-1135
MEDIUM
CVSS 4.3
Reflected cross-site scripting in itsourcecode Society Management System 1.0 allows unauthenticated remote attackers to inject malicious scripts via the Title parameter in /admin/activity.php. Public exploit code exists for this vulnerability, enabling potential attacks against affected deployments. A security patch is not currently available.
PHP
XSS
Society Management System
-
CVE-2026-1134
MEDIUM
CVSS 4.3
Reflected cross-site scripting in itsourcecode Society Management System 1.0 allows remote attackers to inject malicious scripts through the detail parameter in /admin/expenses.php, potentially compromising administrator sessions and data. Public exploit code exists for this vulnerability, and no patch is currently available, leaving deployed instances at risk of client-side attacks.
PHP
XSS
Society Management System
-
CVE-2025-69199
MEDIUM
CVSS 6.5
Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Prior to version 1.12.0, websockets within wings lack proper rate limiting and throttling. [CVSS 6.5 MEDIUM]
Denial Of Service
Wings
Suse
-
CVE-2025-69198
MEDIUM
CVSS 6.5
Pterodactyl is a free, open-source game server management panel. Pterodactyl implements rate limits that are applied to the total number of resources (e.g. [CVSS 6.5 MEDIUM]
Denial Of Service
Panel
-
CVE-2025-59355
MEDIUM
CVSS 6.5
A vulnerability in Apache Linkis: when org.apache.linkis.metadata.util.HiveUtils.decode() fails to perform Base64 decoding, it records the complete input parameter string in the log via logger.error(str + "decode failed", e). [CVSS 6.5 MEDIUM]
Apache
Linkis
-
CVE-2025-15539
MEDIUM
CVSS 5.3
A vulnerability was determined in Open5GS up to 2.7.6. Impacted is the function sgwc_s11_handle_downlink_data_notification_ack of the file src/sgwc/s11-handler.c of the component sgwc. [CVSS 5.3 MEDIUM]
Denial Of Service
Open5gs
-
CVE-2025-11044
MEDIUM
CVSS 6.8
R Automation Runtime versions up to 6.5 are affected by allocation of resources without limits or throttling (CVSS 6.8).
Race Condition
-
CVE-2026-23838
None
Tandoor Recipes is a recipe manager that can be installed with the Nix package manager. Starting in version 23.05 and prior to version 26.05, when using the default configuration of Tandoor Recipes, specifically using SQLite and default `MEDIA_ROOT`, the full database file may be externally accessible, potentially on the Internet. The root cause is that the NixOS module configures the working directory of Tandoor Recipes, as well as the value of `MEDIA_ROOT`, to be `/var/lib/tandoor-recipes`....
Nginx
PostgreSQL
SQLi
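The Tandoor entry above is a path-layout bug rather than a code bug: a relative SQLite path resolves against the working directory, and if `MEDIA_ROOT` is that same directory the database lands inside the tree served as media. The following is an added example, not Tandoor or NixOS project code, that encodes this check so it can be run against a deployment's own settings and media directory. The file name `db.sqlite3`, the alternative media path and the suffix list are assumptions for the demonstration.

```python
"""Check whether a SQLite database file lands inside a served media directory.

Added example, not Tandoor or NixOS project code. db_exposed() encodes the root
cause described above; find_sensitive_files() walks a real MEDIA_ROOT to catch
the same class of mistake after the fact. File names and suffixes are assumptions.
"""
import os
import posixpath
from typing import List

SENSITIVE_SUFFIXES = (".sqlite3", ".sqlite", ".db", ".env", ".pem", ".key")


def resolve(path: str, workdir: str) -> str:
    """Resolve a possibly relative config path as a process with cwd=workdir would."""
    return posixpath.normpath(posixpath.join(workdir, path))


def db_exposed(media_root: str, db_path: str, workdir: str = "/") -> bool:
    """True if the database file is inside MEDIA_ROOT (and is not MEDIA_ROOT itself)."""
    media = resolve(media_root, workdir)
    db = resolve(db_path, workdir)
    return db != media and posixpath.commonpath([media, db]) == media


def classify_paths(rel_paths: List[str]) -> List[str]:
    """Return the subset of relative paths whose suffix marks them as state or secrets."""
    return sorted(p for p in rel_paths if p.lower().endswith(SENSITIVE_SUFFIXES))


def find_sensitive_files(media_root: str) -> List[str]:
    """Walk a real MEDIA_ROOT and list files that should never be web-served."""
    found = []
    for dirpath, _dirs, files in os.walk(media_root):
        for name in files:
            found.append(os.path.relpath(os.path.join(dirpath, name), media_root))
    return classify_paths(found)


# Constructed configurations: the layout described above, and a separated media dir.
NIXOS_DEFAULT = {"workdir": "/var/lib/tandoor-recipes",
                 "media_root": "/var/lib/tandoor-recipes", "db": "db.sqlite3"}
SEPARATED = {"workdir": "/var/lib/tandoor-recipes",
             "media_root": "/var/lib/tandoor-recipes/media", "db": "db.sqlite3"}

if __name__ == "__main__":
    for label, cfg in (("default", NIXOS_DEFAULT), ("separated", SEPARATED)):
        state = "exposed" if db_exposed(cfg["media_root"], cfg["db"], cfg["workdir"]) else "safe"
        print(label, state)
```

The containment test is purely lexical (no symlink resolution), which is what you want when auditing a settings file on a machine that is not the target; run find_sensitive_files on the host itself to see what is actually reachable under the media root.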
-
CVE-2026-23522
LOW
CVSS 3.7
LobeChat is an open source chat application platform. Prior to version 2.0.0-next.193, the `knowledgeBase.removeFilesFromKnowledgeBase` tRPC endpoint allows authenticated users to delete files from any knowledge base without verifying ownership. The `userId` filter in the database query is commented out, enabling attackers to delete other users' KB files if they know the knowledge base ID and file ID...
Authentication Bypass
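The LobeChat entry above is a textbook insecure direct object reference: the delete query is keyed on identifiers the caller supplies, and the one predicate that tied those identifiers to the caller was commented out. The following is an added example, not LobeChat's code, that reproduces that class of bug against an in-memory SQLite schema (the table and column names are assumptions) and shows the fixed query, which scopes the delete to knowledge bases owned by the caller.

```python
"""Ownership check on a knowledge-base file deletion (added example, not LobeChat code).

The vulnerable function accepts user_id but never uses it; the fixed function
only deletes rows whose knowledge base belongs to that user. Schema is assumed.
"""
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    """Constructed fixture: two users, one knowledge base each, one file each."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE knowledge_bases (id TEXT PRIMARY KEY, user_id TEXT NOT NULL);
        CREATE TABLE knowledge_base_files (
            file_id TEXT NOT NULL, knowledge_base_id TEXT NOT NULL,
            PRIMARY KEY (file_id, knowledge_base_id));
        INSERT INTO knowledge_bases VALUES ('kb-alice', 'alice'), ('kb-bob', 'bob');
        INSERT INTO knowledge_base_files VALUES ('file-a1', 'kb-alice'), ('file-b1', 'kb-bob');
    """)
    return db


def remove_files_vulnerable(db, user_id: str, kb_id: str, file_ids: List[str]) -> int:
    """Deletes by (kb_id, file_id) only; user_id is accepted but never consulted."""
    if not file_ids:
        return 0
    placeholders = ",".join("?" * len(file_ids))
    cur = db.execute(
        f"DELETE FROM knowledge_base_files "
        f"WHERE knowledge_base_id = ? AND file_id IN ({placeholders})",
        (kb_id, *file_ids))
    db.commit()
    return cur.rowcount


def remove_files_fixed(db, user_id: str, kb_id: str, file_ids: List[str]) -> int:
    """Same delete, but the target knowledge base must belong to user_id."""
    if not file_ids:
        return 0
    placeholders = ",".join("?" * len(file_ids))
    cur = db.execute(
        f"DELETE FROM knowledge_base_files "
        f"WHERE file_id IN ({placeholders}) AND knowledge_base_id = ? "
        f"AND knowledge_base_id IN (SELECT id FROM knowledge_bases WHERE user_id = ?)",
        (*file_ids, kb_id, user_id))
    db.commit()
    return cur.rowcount


def file_count(db, kb_id: str) -> int:
    """Rows remaining for one knowledge base."""
    row = db.execute("SELECT COUNT(*) FROM knowledge_base_files WHERE knowledge_base_id = ?",
                     (kb_id,)).fetchone()
    return row[0]


if __name__ == "__main__":
    # bob tries to delete alice's file, knowing only the two identifiers
    db = make_db()
    print("vulnerable:", remove_files_vulnerable(db, "bob", "kb-alice", ["file-a1"]), "row(s) deleted")
    db = make_db()
    print("fixed:", remove_files_fixed(db, "bob", "kb-alice", ["file-a1"]), "row(s) deleted")
```

The fix puts the ownership predicate inside the same statement rather than doing a separate "does this user own this KB" lookup first, so there is no window between check and delete and no code path that can skip the check. A returned rowcount of 0 for a caller who does not own the knowledge base is also the right signal for the API layer to respond with not-found rather than confirming the resource exists.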
-
CVE-2026-1161
LOW
CVSS 3.5
A vulnerability was detected in pbrong hrms 1.0.1. The affected element is the function UpdateRecruitmentById of the file /handler/recruitment.go. [CVSS 3.5 LOW]
XSS
-
CVE-2026-1151
LOW
CVSS 2.4
A weakness has been identified in technical-laohu mpay up to 1.2.4. The affected element is an unknown function of the component User Center. [CVSS 2.4 LOW]
XSS
-
CVE-2026-1147
LOW
CVSS 3.5
Patients Waiting Area Queue Management System versions up to 1.0 are affected by cross-site scripting (XSS) (CVSS 3.5).
PHP
XSS
-
CVE-2026-1146
LOW
CVSS 3.5
Patients Waiting Area Queue Management System versions up to 1.0 are affected by cross-site scripting (XSS) (CVSS 3.5).
PHP
XSS
-
CVE-2026-1136
LOW
CVSS 3.5
A weakness has been identified in lcg0124 BootDo up to e93dd428ef6f5c881aa74d49a2099ab0cf1e0fcb. Affected is the function Save of the file /blog/bContent/save of the component ContentController. [CVSS 3.5 LOW]
XSS
-
CVE-2025-55252
LOW
CVSS 3.1
Aion versions up to 2.0 contain a vulnerability that allows the use of easily guessable passwords, potentially resulting in unauthorized access (CVSS 3.1).
Authentication Bypass
-
CVE-2025-55251
LOW
CVSS 3.1
HCL AION is affected by an Unrestricted File Upload vulnerability. This can allow malicious file uploads, potentially resulting in unauthorized code execution or system compromise. [CVSS 3.1 LOW]
File Upload
RCE
-
CVE-2025-55250
LOW
CVSS 1.8
HCL AION version 2 is affected by a Technical Error Disclosure vulnerability. This can expose sensitive technical details, potentially resulting in information disclosure or aiding further attacks. [CVSS 1.8 LOW]
Information Disclosure
-
CVE-2025-55249
LOW
CVSS 3.5
HCL AION is affected by a Missing Security Response Headers vulnerability. The absence of standard security headers may weaken the application’s overall security posture and increase its susceptibility to common web-based attacks. [CVSS 3.5 LOW]
Information Disclosure
-
CVE-2025-52661
LOW
CVSS 2.4
HCL AION version 2 is affected by a JWT Token Expiry Too Long vulnerability. This may increase the risk of token misuse, potentially resulting in unauthorized access if the token is compromised. [CVSS 2.4 LOW]
Authentication Bypass
-
CVE-2025-52660
LOW
CVSS 2.7
Aion versions up to 2.0 contain a vulnerability that allows malicious file uploads, potentially resulting in unauthorized code execution or system compromise (CVSS 2.7).
File Upload
RCE
-
CVE-2025-52659
LOW
CVSS 2.8
Aion versions up to 2.0 contain a vulnerability that allows unintended storage of sensitive or dynamic content, potentially resulting in una... (CVSS 2.8).
Information Disclosure