OS command injection in WeKnora from version 0.2.5 allows authenticated users to execute arbitrary system commands. CVSS 9.9 with scope change. PoC available.
SQL injection in WeKnora LLM document understanding framework allows authenticated users to extract arbitrary database contents. CVSS 9.9 with scope change. PoC available.
Unrestricted file upload in Flowise LLM workflow builder before 3.0.13 via /api/v1/attachments endpoint allows unauthenticated attackers to upload and execute malicious files. PoC available.
Missing authentication on NVD data endpoint in Flowise before 3.0.13 allows unauthenticated access to internal vulnerability data. PoC available.
SSRF in Soft Serve Git server versions 0.6.0 to 0.11.3 allows authenticated attackers to make requests to internal services. PoC and patch available.
OS command injection in XikeStor SKS8310-8X network switch firmware 1.04.B07 and prior via management interface. Unauthenticated RCE on network infrastructure.
Predictable session identifier generation in XikeStor SKS8310-8X network switch allows session hijacking even if the command injection (CVE-2026-25070) is patched.
Arbitrary code execution in Backstage's @backstage/plugin-techdocs-node (versions <= 1.14.2) allows attackers who can influence an mkdocs.yml file to run arbitrary Python during the documentation build, bypassing TechDocs' allowlist-based configuration filtering. The flaw stems from MkDocs configuration keys (notably the hooks feature) that the security allowlist failed to block, meaning any contributor able to merge or supply a crafted mkdocs.yml gains code execution on the build host. No public exploit identified at time of analysis, and EPSS is low (0.07%), but the CVSS 9.8 rating and trivial exploitation primitive make this a high-priority patch for self-hosted developer portals.
Authentication bypass in Parse Server allows unauthenticated access to protected API endpoints. Parse Server is a popular open-source backend framework for mobile and web applications.
Stored XSS in ZITADEL identity management platform versions 4.0.0 to 4.11.1 allows unauthenticated attackers to inject persistent scripts through the login flow. Patch available.