esm.sh is a no-build content delivery network (CDN) for web development. In version 136, esm.sh is vulnerable to a full-response SSRF, allowing an attacker to retrieve information from internal websites through the vulnerability. [CVSS 7.5 HIGH]
esm.sh versions up to 137 contain an SSRF vulnerability in the `/http(s)` fetch route that allows remote attackers to bypass hostname validation through DNS alias domains and access internal localhost services. Public exploit code exists for this vulnerability, and no patches are currently available. This affects users of esm.sh CDN services and any applications relying on the affected versions.
Stored XSS in Rucio's WebUI Custom Rules function allows authenticated attackers to inject malicious JavaScript that persists in the backend and executes when other users view affected pages, enabling session hijacking or unauthorized actions. Versions prior to 35.8.3, 38.5.4, and 39.3.1 are vulnerable, and public exploit code exists. Patches are available in the affected version branches.
Stored cross-site scripting (XSS) in Vikunja prior to version 2.0.0 allows authenticated attackers to steal authentication tokens by uploading malicious SVG files containing JavaScript that executes when accessed directly. The vulnerability exists because the application fails to sanitize SVG content before storage and renders it inline under the application origin, enabling token theft from localStorage. Public exploit code exists for this vulnerability and no patch is currently available for affected versions.
Vikunja before version 2.0.0 contains a path traversal vulnerability in its backup restoration function that fails to validate file paths in ZIP archives, allowing attackers with high privileges to write arbitrary files to the host system. Public exploit code exists for this vulnerability, and malformed archives can trigger a denial of service that permanently wipes the database before crashing the application. The flaw affects Vikunja and the underlying Go platform, with no patch currently available.
Coturn TURN/STUN server contains an access control bypass that allows remote attackers to reach blocked internal addresses by exploiting IPv4-mapped IPv6 address handling in permission and channel binding requests. The vulnerability bypasses "denied-peer-ip" restrictions designed to block loopback ranges, enabling an attacker to interact with internal services that should be unreachable. Public exploit code exists for this flaw, and a patch is available in version 4.9.0 and later.
Openemr versions up to 8.0.0 is affected by authorization bypass through user-controlled key (CVSS 7.1).
iccDEV provides a set of libraries and tools for working with ICC color management profiles. [CVSS 7.1 HIGH]
Openemr versions up to 8.0.0 is affected by authorization bypass through user-controlled key (CVSS 6.5).
Openemr versions up to 8.0.0 is affected by authorization bypass through user-controlled key (CVSS 6.5).
OpenEMR versions prior to 8.0.0 allow any authenticated user to view all internal messages and notes from other users by exploiting insufficient authorization checks on the Message Center's `show_all` parameter. The vulnerability exists because the application does not verify administrator privileges before returning the complete message list, enabling unauthorized disclosure of sensitive medical communications. Public exploit code exists for this medium-severity information disclosure vulnerability.
OpenEMR versions prior to 8.0.0 fail to properly enforce permission checks, allowing authenticated users to access sensitive information belonging to other authorized users. The vulnerability requires valid credentials and network access but does not enable data modification or denial of service. Public exploit code exists and a patch is available in version 8.0.0 and later.
Arbitrary file write in Dagu workflow engine up to version 1.16.7 allows authenticated users with DAG write permissions to place malicious YAML files anywhere on the filesystem due to insufficient name validation in the CreateNewDAG API endpoint. Since Dagu executes DAG files as shell commands, an attacker can achieve remote code execution by overwriting existing DAGs or configuration files. Public exploit code exists for this vulnerability, and a patch is available.
OpenEMR versions prior to 8.0.0 contain an authorization bypass in the FHIR CareTeam endpoint that allows authenticated users with patient-scoped tokens to retrieve care team information for all patients rather than only their own, potentially exposing Protected Health Information across the entire system. The vulnerability exists because the service fails to enforce patient compartment filtering, and public exploit code is available. Security professionals should prioritize patching to version 8.0.0 or later to prevent unauthorized PHI disclosure.
Denial of service in FreeRDP prior to version 3.23.0 allows a malicious RDP server to crash the client application through a missing bounds check in smartcard packet handling. This vulnerability affects users who have explicitly enabled smartcard redirection, and public exploit code exists. The crash is triggered via assertion failure in builds with verbose assert checking enabled, which is the default configuration in FreeRDP 3.22.0.
OpenEMR prior to version 8.0.0 allows low-privileged users to export sensitive patient and medical data through the message_list.php report functionality due to missing access controls. The vulnerability affects receptionists and similar roles who can bypass authorization checks to extract entire message databases containing confidential information. Public exploit code exists for this issue, though a patch is available in version 8.0.0 and later.
FileBrowser Quantum versions prior to 1.1.3-stable and 1.2.6-beta expose a password bypass vulnerability in shared files, allowing unauthenticated recipients to download protected content by accessing the direct download link embedded in share details. An attacker possessing only the share link can retrieve files without providing the intended password, completely circumventing access controls. Public exploit code exists for this vulnerability, and patches are available in the patched versions.
OpenEMR versions before 8.0.0 contain an improper access control flaw in the edih_main.php endpoint that allows any authenticated user, including low-privilege accounts like Receptionists, to retrieve sensitive EDI log files by manipulating the log_select parameter. The vulnerability bypasses role-based access controls that should restrict access through the GUI, enabling unauthorized disclosure of system logs. Public exploit code exists for this issue, which is fixed in version 8.0.0.
iccDEV provides a set of libraries and tools for working with ICC color management profiles. [CVSS 6.2 MEDIUM]
Openemr versions up to 8.0.0 is affected by url redirection to untrusted site (open redirect) (CVSS 6.1).
Stored XSS in Rucio's WebUI Custom RSE Attribute field allows authenticated attackers to inject malicious JavaScript that persists in the backend and executes for any user viewing affected pages, potentially leading to session hijacking or unauthorized actions. Public exploit code exists for this vulnerability, which affects Rucio versions prior to 35.8.3, 38.5.4, and 39.3.1. No patch is currently available for all affected versions.
Stored XSS in Rucio's WebUI Identity Name field allows authenticated attackers to inject malicious scripts that execute in users' browsers, enabling session hijacking or unauthorized actions. The vulnerability affects versions prior to 35.8.3, 38.5.4, and 39.3.1, and public exploit code exists. Administrators should upgrade immediately as no patch availability timeline has been announced for unpatched versions.
Stored XSS in Rucio's WebUI RSE metadata allows authenticated attackers to inject malicious scripts that execute in users' browsers when viewing affected pages, potentially leading to session hijacking or unauthorized actions. The vulnerability affects Rucio versions prior to 35.8.3, 38.5.4, and 39.3.1, and public exploit code exists. A security update is available in the patched versions listed above.
changedetection.io versions before 0.54.1 are vulnerable to reflected cross-site scripting (XSS) via the RSS endpoint, where user-supplied UUID parameters are rendered without HTML encoding in text/html responses, allowing attackers to execute arbitrary JavaScript in users' browsers. Public exploit code exists for this vulnerability. The issue affects Flask-based deployments and is resolved in version 0.54.1.
Reflected XSS in Repostat's RepoCard React component prior to version 1.0.1 allows attackers to execute arbitrary JavaScript in users' browsers when developers pass unsanitized input from URL parameters or other sources to the repo prop. The vulnerability stems from unsafe use of dangerouslySetInnerHTML without input validation, and public exploit code exists. Upgrading to version 1.0.1 or later eliminates the risk by removing dangerouslySetInnerHTML in favor of safe JSX data binding.
Vikunja is an open-source self-hosted task management platform. [CVSS 6.1 MEDIUM]
Additional expression evaluation exploits in n8n before 2.10.1/2.9.3/1.123.22. Fourth distinct code execution path through the expression engine. Patch available.
Code injection in n8n workflow automation before 2.10.1/2.9.3/1.123.22 allows authenticated users to execute arbitrary code by creating or editing workflows with malicious expressions. Third n8n RCE CVE in this release.
Python sandbox escape in n8n workflow automation before 2.10.1/2.9.3/1.123.22. Users who can modify workflows can escape the Python Code node sandbox for full host compromise on instances using internal Task Runners.
Unauthenticated arbitrary database read/write in Parse Dashboard's AI Agent endpoint (POST /apps/:appId/agent) lets remote attackers operate against any connected Parse Server using the master key. Affected builds span the 7.3.0-alpha.42 through 9.0.0-alpha.7 pre-releases, but only deployments that have explicitly enabled the opt-in agent feature are exposed. No public exploit identified at time of analysis, and EPSS is very low (0.04%), but the chained authentication/CSRF/authorization gaps make exploitation trivial where the feature is configured.
Path traversal in Kubernetes PersistentVolume creation via pathPattern parameter allows creating volumes in arbitrary host filesystem locations. CVSS 9.9 with scope change.
Unauthenticated RCE in SPIP tickets plugin before 4.3.3 via code injection. Allows executing arbitrary PHP code without authentication. Patch available.
Authentication bypass in Cisco Catalyst SD-WAN Manager API allows unauthenticated remote access to the management platform. Separate vulnerability from the peering auth bypass (CVE-2026-20127).
Unauthenticated command injection in TinyWeb HTTP/HTTPS server for Win32 before 2.01 allows remote attackers to execute arbitrary commands. Patch available.
Path traversal in Lanscope Endpoint Manager Sub-Manager Server version 9.4.7.3 and earlier allows access to files outside restricted directories on managed endpoints.
OS command injection via TLS-SRP update functionality. Third TLS-SRP injection CVE — command injection through the credential update mechanism.
OS command injection via TLS-SRP handshake. Similar to CVE-2026-27847 but targeting command execution through the SRP authentication process.
SQL injection via TLS-SRP handshake. Attacker can inject SQL through the SRP username field during TLS handshake, compromising any application using TLS-SRP authentication.
Arbitrary file upload via subtitle loading in asbplayer v1.13.0 allows execution of malicious files through crafted subtitle files.
SQL injection in itsourcecode News Portal Project 1.0 via the Category parameter in /admin/add-category.php allows unauthenticated remote attackers to manipulate database queries. Public exploit code is available for this vulnerability, and no patch has been released, leaving affected installations vulnerable to data exfiltration, modification, or deletion. The attack requires no user interaction and can be executed over the network with a CVSS score of 7.3.
SQL injection in itsourcecode News Portal Project 1.0's category editing functionality allows unauthenticated remote attackers to manipulate the Category parameter and execute arbitrary SQL queries. Public exploit code is available for this vulnerability, increasing the likelihood of active exploitation. Currently, no patch is available to remediate this issue.
SQL injection in itsourcecode Document Management System 1.0 login functionality allows unauthenticated remote attackers to manipulate the Username parameter and execute arbitrary SQL queries. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires only network access with no user interaction, enabling attackers to potentially read, modify, or delete sensitive data within the application.
SQL injection in the News Portal Project 1.0 /admin/contactus.php endpoint allows unauthenticated remote attackers to manipulate the pagetitle parameter and execute arbitrary SQL queries. Public exploit code exists for this vulnerability, and no patch is currently available. Successful exploitation could enable data theft, modification, or denial of service against affected installations.
SQL injection in itsourcecode Document Management System 1.0 via the Username parameter in /register.php allows unauthenticated remote attackers to execute arbitrary SQL queries. Public exploit code exists for this vulnerability, and no patch is currently available. Affected systems face potential data theft, modification, and denial of service through successful exploitation.
SQL injection in itsourcecode College Management System 1.0 via the teacher_id parameter in /admin/teacher-salary.php enables unauthenticated remote attackers to execute arbitrary database queries and manipulate sensitive payroll data. Public exploit code exists for this vulnerability, and no patch is currently available. The flaw affects confidentiality, integrity, and availability of the system.
SQL injection in itsourcecode College Management System 1.0's login functionality allows remote attackers to manipulate the email parameter and execute arbitrary SQL queries without authentication. Public exploit code exists for this vulnerability, enabling immediate attack capability against unpatched systems. The flaw permits data disclosure, modification, and potential service disruption with a CVSS score of 7.3.
Simple And Nice Shopping Cart Script versions up to 1.0 contains a security vulnerability (CVSS 7.3).
OpenEMR is a free and open source electronic health records and medical practice management application. Versions 5.0.0.5 through 7.0.3.4 have a stored cross-site scripting vulnerability in the ub04 helper of the billing interface. [CVSS 5.4 MEDIUM]
Stored XSS in TypiCMS prior to version 16.1.7 allows authenticated users to upload malicious SVG files that execute JavaScript in administrators' browsers, compromising their sessions through unsanitized file content. Public exploit code exists for this vulnerability affecting Laravel-based TypiCMS installations. The flaw stems from insufficient validation of SVG file contents despite MIME type checks being present.
Incorrect permission assignment on critical resources in Juniper Networks On-Box Anomaly detection framework. Allows unauthorized modification of anomaly detection configuration, potentially disabling security monitoring.