CVE Database
Searchable database of security vulnerabilities. Filter by vendor, severity, or time period.
CVE-2026-5025 - The '/logs' and '/logs-stream' endpoints in the log router allow any authenticated user to read the
CVE-2026-5022 - The '/api/v1/files/images/{flow_id}/{file_name}' endpoint does not enforce any authentication or aut
CVE-2026-5010 - A reflected Cross-Site Scripting (XSS) vulnerability has been discovered in Clickedu. This vulnerabi
CVE-2026-4984 - The Twilio integration webhook handler accepts any POST request without validating Twilio's 'X-Twili
CVE-2026-4980 - A local file disclosure vulnerability in the XInclude processing component of Inkscape 1.1 before 1.
CVE-2026-4957 - A flaw has been found in OpenBMB XAgent 1.0.0. The impacted element is the function FunctionHandler.
CVE-2026-4956 - A vulnerability was detected in Shenzhen Ruiming Technology Streamax Crocus 1.3.44. The affected ele
CVE-2026-4955 - A vulnerability was found in Shenzhen Ruiming Technology Streamax Crocus 1.3.44. This impacts an unk
CVE-2026-4954 - A security vulnerability has been detected in mingSoft MCMS up to 5.5.0. Impacted is the function li
CVE-2026-4953 - A weakness has been identified in mingSoft MCMS up to 5.5.0. This issue affects the function catchIm
CVE-2026-33766 - WWBN AVideo is an open source video platform. In versions up to and including 26.0, `isSSRFSafeURL()
CVE-2026-33764 - WWBN AVideo is an open source video platform. In versions up to and including 26.0, the AI plugin's
CVE-2026-33763 - WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `get_api_vid
CVE-2026-33761 - WWBN AVideo is an open source video platform. In versions up to and including 26.0, three `list.json
CVE-2026-33759 - WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `objects/pla
CVE-2026-33758 - OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao
CVE-2026-33757 - OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao
CVE-2026-33755 - Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions
CVE-2026-33750 - The brace-expansion library generates arbitrary strings containing a common prefix and suffix. Prior
CVE-2026-33748 - BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and
CVE-2026-33433 - Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.42, 3.6.11, and 3.7.0-ea.
CVE-2026-33284 - GlobaLeaks is free and open-source whistleblowing software. Prior to version 5.0.89, the /api/suppor
CVE-2026-33206 - calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books.
CVE-2026-33205 - calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books.
CVE-2026-30689 - A blog.admin v.8.0 and before system's getinfobytoken API interface contains an improper access cont
CVE-2026-30637 - Server-Side Request Forgery (SSRF) vulnerability exists in the AnnounContent of the /admin/read.php
CVE-2026-30407 - Rejected reason: DO NOT USE THIS CVE RECORD. ConsultIDs: none. Reason: This record was withdrawn by
CVE-2026-30304 - In its design for automatic terminal command execution, AI Code offers two options: Execute safe com
CVE-2026-30303 - The command auto-approval module in Axon Code contains an OS Command Injection vulnerability, render
CVE-2026-29871 - A path traversal vulnerability exists in the awesome-llm-apps project in commit e46690f99c3f08be80a9
CVE-2026-28375 - A testdata data-source can be used to trigger out-of-memory crashes in Grafana.
CVE-2026-27880 - The OpenFeature feature toggle evaluation endpoint reads unbounded values into memory, which can cau
CVE-2026-27879 - A resample query can be used to trigger out-of-memory crashes in Grafana.
CVE-2026-27877 - When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed
CVE-2026-27876 - A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary
CVE-2026-1496 - Vulnerable versions of Coverity Connect lack an error handler in the authentication logic for comman
CVE-2025-69988 - BS Producten Petcam 33.1.0.0818 is vulnerable to Incorrect Access Control. An unauthenticated attack
CVE-2025-69986 - A buffer overflow vulnerability exists in the ONVIF GetStreamUri function of LSC Indoor Camera V7.6.
CVE-2025-61190 - A Reflected Cross-Site Scripting (XSS) vulnerability has been identified in DSpace JSPUI 6.5 within
CVE-2024-11604 - Insertion of Sensitive Information into Log File vulnerability in the SCIM Driver module in OpenText
CVE-2026-32859 - ByteDance Deer-Flow versions prior to commit 5dbb362 contain a stored cross-site scripting vulnerabi
CVE-2026-32695 - Traefik is an HTTP reverse proxy and load balancer. Prior to versions 3.6.11 and 3.7.0-ea.2, Traefik
CVE-2025-13478 - Cache misconfiguration vulnerability in OpenText Identity Manager on Windows, Linux allows remote au
CVE-2026-4982 - A user with permission "update world" in any Venueless world is able to exfiltrate chat messages fro
CVE-2026-4340 - Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in
CVE-2026-4622 - OS Command Injection vulnerability in NEC Platforms, Ltd. Aterm Series allows an attacker to execute
CVE-2026-4621 - Hidden Functionality vulnerability in NEC Platforms, Ltd. Aterm Series allows an attacker to enable t
CVE-2026-4620 - OS Command Injection vulnerability in NEC Platforms, Ltd. Aterm Series allows an attacker to execute
CVE-2026-4619 - Path Traversal vulnerability in NEC Platforms, Ltd. Aterm Series allows an attacker to write over any
CVE-2026-4309 - Missing Authorization vulnerability in NEC Platforms, Ltd. Aterm Series allows an attacker to get a s
CVE-2026-25101 - Bludit allows user's session identifier to be set before authentication. The value of this session I
CVE-2026-25100 - Bludit is vulnerable to Stored Cross-Site Scripting (XSS) in its image upload functionality. An auth
CVE-2026-25099 - Bludit’s API plugin allows an authenticated attacker with a valid API token to upload files of any t
CVE-2023-7339 - Stack-based buffer overflow vulnerability in Softing Industrial Automation GmbH gateways allows over
CVE-2026-3457 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerab
CVE-2026-27860 - If auth_username_chars is empty, it is possible to inject arbitrary LDAP filter to Dovecot's LDAP au
CVE-2026-27859 - A mail message containing excessive amount of RFC 2231 MIME parameters causes LMTP to use too much C
CVE-2026-27858 - Attacker can send a specifically crafted message before authentication that causes managesieve to al
CVE-2026-27857 - Sending "NOOP (((...)))" command with 4000 parenthesis open+close results in ~1MB extra memory usage
CVE-2026-27856 - Doveadm credentials are verified using direct comparison which is susceptible to timing oracle attac
CVE-2026-27855 - Dovecot OTP authentication is vulnerable to replay attack under specific conditions. If auth cache i
CVE-2026-24031 - Dovecot SQL based authentication can be bypassed when auth_username_chars is cleared by admin. This
CVE-2026-0394 - When dovecot has been configured to use per-domain passwd files, and they are placed one path compon
CVE-2025-59032 - ManageSieve AUTHENTICATE command crashes when using literal as SASL initial response. This can be us
CVE-2025-59031 - Dovecot has provided a script to use for attachment to text conversion. This script unsafely handles
CVE-2025-59028 - When sending invalid base64 SASL data, login process is disconnected from the auth server, causing a
CVE-2026-4948 - A flaw was found in firewalld. A local unprivileged user can exploit this vulnerability by mis-autho
CVE-2026-34353 - In OCaml through 4.14.3, Bigarray.reshape allows an integer overflow, and resultant reading of arbit
CVE-2026-33559 - WordPress Plugin "OpenStreetMap" provided by MiKa contains a cross-site scripting vulnerability. On
CVE-2026-33366 - Missing authentication for critical function vulnerability in BUFFALO Wi-Fi router products may allo
CVE-2026-33280 - Hidden functionality issue exists in BUFFALO Wi-Fi router products, which may allow an attacker to g
CVE-2026-32678 - Authentication bypass issue exists in BUFFALO Wi-Fi router products, which may allow an attacker to
CVE-2026-32669 - Code injection vulnerability exists in BUFFALO Wi-Fi router products. If this vulnerability is explo
CVE-2026-27650 - OS Command Injection vulnerability exists in BUFFALO Wi-Fi router products. If this vulnerability is
CVE-2026-22744 - In RedisFilterExpressionConverter of spring-ai-redis-store, when a user-controlled string is passed
CVE-2026-22743 - Spring AI's spring-ai-neo4j-store contains a Cypher injection vulnerability in Neo4jVectorFilterExpr
CVE-2026-22742 - Spring AI's spring-ai-bedrock-converse contains a Server-Side Request Forgery (SSRF) vulnerability i
CVE-2026-22738 - In Spring AI, a SpEL injection vulnerability exists in SimpleVectorStore when a user-supplied value
CVE-2024-14028 - Use after free vulnerability in Softing smartLink HW-DP or smartLink HW-PN webserver allows HTTP DoS
CVE-2026-4910 - A security vulnerability has been detected in Shenzhen Ruiming Technology Streamax Crocus up to 1.3.
CVE-2026-3098 - The Smart Slider 3 plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to,
CVE-2026-4909 - A weakness has been identified in code-projects Exam Form Submission 1.0. This impacts an unknown fu
CVE-2026-4908 - A security flaw has been discovered in code-projects Simple Laundry System 1.0. This affects an unkn
CVE-2026-4907 - A vulnerability was identified in Page-Replica Page Replica up to e4a7f52e75093ee318b4d5a9a9db675105
CVE-2026-4906 - A vulnerability was determined in Tenda AC5 15.03.06.47. The affected element is the function decode
CVE-2026-33935 - MyTube is a self-hosted downloader and player for several video websites. Prior to version 1.8.72, an
CVE-2026-33890 - MyTube is a self-hosted downloader and player for several video websites. Prior to version 1.8.71, an
CVE-2026-33747 - BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and
CVE-2026-33745 - cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.39.0, t
CVE-2026-33744 - BentoML is a Python library for building online serving systems optimized for AI apps and model infe
CVE-2026-33735 - MyTube is a self-hosted downloader and player for several video websites. Prior to version 1.8.69, an
CVE-2026-33730 - Open Source Point of Sale (opensourcepos) is a web based point of sale application written in PHP us
CVE-2026-33729 - OpenFGA is a high-performance and flexible authorization/permission engine built for developers and
CVE-2026-33728 - dd-trace-java is a Datadog APM client for Java. In versions of dd-trace-java 0.40.0 through prior to
CVE-2026-33726 - Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to
CVE-2026-33725 - Metabase is an open source business intelligence and embedded analytics tool. In Metabase Enterprise
CVE-2026-33721 - MapServer is a system for developing web-based GIS applications. Starting in version 4.2 and prior t
CVE-2026-33718 - OpenHands is software for AI-driven development. Starting in version 1.5.0, a Command Injection vuln
CVE-2026-33701 - OpenTelemetry Java Instrumentation provides OpenTelemetry auto-instrumentation and instrumentation l
CVE-2026-33699 - pypdf is a free and open-source pure-python PDF library. Versions prior to 6.9.2 have a vulnerabilit
CVE-2026-33693 - Lemmy is a link aggregator and forum for the fediverse. Prior to version 0.7.0-beta.9, the `v4_is_in
CVE-2026-4905 - A vulnerability was found in Tenda AC5 15.03.06.47. Impacted is the function formWifiWpsOOB of the f
CVE-2026-4904 - A vulnerability has been found in Tenda AC5 15.03.06.47. This issue affects the function formSetCfm
CVE-2026-33945 - Incus is a system container and virtual machine manager. Incus instances have an option to provide c
CVE-2026-33898 - Incus is a system container and virtual machine manager. Prior to version 6.23.0, the web server spa
CVE-2026-33697 - Cocos AI is a confidential computing system for AI. The current implementation of attested TLS (aTLS
CVE-2026-29071 - Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. P
CVE-2026-29070 - Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. P
CVE-2026-28788 - Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. P
CVE-2026-28786 - Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. P
CVE-2026-27893 - vLLM is an inference and serving engine for large language models (LLMs). Starting in version 0.10.1
CVE-2026-4903 - A flaw has been found in Tenda AC5 15.03.06.47. This vulnerability affects the function formQuickInd
CVE-2026-4902 - A vulnerability was detected in Tenda AC5 15.03.06.47. This affects the function fromAddressNat of t
CVE-2026-34352 - In TigerVNC before 1.16.2, Image.cxx in x0vncserver allows other users to observe or manipulate the
CVE-2026-33897 - Incus is a system container and virtual machine manager. Prior to version 6.23.0, instance template
CVE-2026-33743 - Incus is a system container and virtual machine manager. Prior to version 6.23.0, a specially crafte
CVE-2026-33711 - Incus is a system container and virtual machine manager. Incus provides an API to retrieve VM screen
CVE-2026-33542 - Incus is a system container and virtual machine manager. Prior to version 6.23.0, a lack of validati
CVE-2026-4900 - A weakness has been identified in code-projects Online Food Ordering System 1.0. This affects an unk
CVE-2026-4899 - A security flaw has been discovered in code-projects Online Food Ordering System 1.0. Affected by th
CVE-2026-4898 - A vulnerability was identified in code-projects Online Food Ordering System 1.0. Affected by this vu
CVE-2026-4346 - The vulnerability affecting TL-WR850N v3 allows cleartext storage of administrative and Wi-Fi creden
CVE-2026-3650 - A memory leak exists in the Grassroots DICOM library (GDCM). The bug occurs when parsing malformed D
CVE-2026-33687 - Sharp is a content management framework built for Laravel as a package. Versions prior to 9.20.0 con
CVE-2026-33686 - Sharp is a content management framework built for Laravel as a package. Versions prior to 9.20.0 hav
CVE-2026-33682 - Streamlit is a data oriented application development framework for python. Streamlit Open Source ver
CVE-2026-33674 - PrestaShop is an open source e-commerce web application. Versions prior to 8.2.5 and 9.1.0 improperl
CVE-2026-33673 - PrestaShop is an open source e-commerce web application. Versions prior to 8.2.5 and 9.1.0 are vulne
CVE-2026-33672 - Picomatch is a glob matcher written in JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulner
CVE-2026-33671 - Picomatch is a glob matcher written in JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulner
CVE-2026-33670 - SiYuan is a personal knowledge management system. Prior to version 3.6.2, the /api/file/readDir inte
CVE-2026-33669 - SiYuan is a personal knowledge management system. Prior to version 3.6.2, document IDs were retrieve
CVE-2026-33664 - Kestra is an open-source, event-driven orchestration platform. Versions up to and including 1.3.3 ren
CVE-2026-33661 - Pay is an open-source payment SDK extension package for various Chinese payment services. Prior to v
CVE-2026-33658 - Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions
CVE-2026-33653 - Ulloady is a file uploader script with multi-file upload support. A Stored Cross-Site Scripting (XSS
CVE-2026-28377 - A vulnerability in Grafana Tempo exposes the S3 SSE-C encryption key in plaintext through the /statu
CVE-2026-1556 - Information disclosure in the file URI processing of File (Field) Paths in Drupal File (Field) Paths
CVE-2026-0748 - In the Drupal 7 Internationalization (i18n) module, the i18n_node submodule allows a user with both
CVE-2025-12805 - A flaw was found in Red Hat OpenShift AI (RHOAI) llama-stack-operator. This vulnerability allows una
CVE-2026-4933 - Incorrect Authorization vulnerability in Drupal Unpublished Node Permissions allows Forceful Browsin
CVE-2026-4393 - Cross-Site Request Forgery (CSRF) vulnerability in Drupal Automated Logout allows Cross Site Request
CVE-2026-3622 - The vulnerability exists in the UPnP component of TL-WR841N v14, where improper input validation lea
CVE-2026-3573 - Incorrect Authorization vulnerability in Drupal AI (Artificial Intelligence) allows Resource Injecti
CVE-2026-3532 - Improper Handling of Case Sensitivity vulnerability in Drupal OpenID Connect / OAuth client allows P
CVE-2026-3531 - Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal OpenID Connect / OA
CVE-2026-3530 - Server-Side Request Forgery (SSRF) vulnerability in Drupal OpenID Connect / OAuth client allows Serv
CVE-2026-3529 - Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability i
CVE-2026-3528 - Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability i
CVE-2026-3527 - Missing Authentication for Critical Function vulnerability in Drupal AJAX Dashboard allows Exploitin
CVE-2026-3526 - Incorrect Authorization vulnerability in Drupal File Access Fix (deprecated) allows Forceful Browsin
CVE-2026-3525 - Incorrect Authorization vulnerability in Drupal File Access Fix (deprecated) allows Forceful Browsin
CVE-2026-33742 - Invoice Ninja is a source-available invoice, quote, project and time-tracking app built with Laravel
CVE-2026-33738 - Lychee is a free, open-source photo-management tool. Prior to version 7.5.3, the photo `description`
CVE-2026-33645 - Fireshare facilitates self-hosted media and link sharing. In version 1.5.1, an authenticated path tr
CVE-2026-33644 - Lychee is a free, open-source photo-management tool. Prior to version 7.5.2, the SSRF protection in
CVE-2026-33640 - Outline is a service that allows for collaborative documentation. Outline implements an Email OTP lo
CVE-2026-33638 - Ech0 is an open-source, self-hosted publishing platform for personal idea sharing. Prior to version
CVE-2026-33635 - iCalendar is a Ruby library for dealing with iCalendar files in the iCalendar format defined by RFC-
CVE-2026-33628 - Invoice Ninja is a source-available invoice, quote, project and time-tracking app built with Laravel
CVE-2026-33623 - PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. Pinc
CVE-2026-33622 - PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. Pinc
CVE-2026-33621 - PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. Pinc
CVE-2026-33620 - PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. Pinc
CVE-2026-33619 - PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. Pinc
CVE-2026-33545 - MobSF is a mobile application security testing tool used. Prior to version 4.4.6, MobSF's `read_sqli
CVE-2026-33541 - TSPortal is the WikiTide Foundation’s in-house platform used by the Trust and Safety team to manage
CVE-2026-33537 - Lychee is a free, open-source photo-management tool. The patch introduced for GHSA-cpgw-wgf3-xc6v (S
CVE-2026-33375 - The Grafana MSSQL data source plugin contains a logic flaw that allows a low-privileged user (Viewer
CVE-2026-2272 - A flaw was found in GIMP. An integer overflow vulnerability exists when processing ICO image files,
CVE-2026-2271 - A flaw was found in GIMP's PSP (Paint Shop Pro) file parser. A remote attacker could exploit an inte
CVE-2026-2239 - A flaw was found in GIMP. Heap-buffer-overflow vulnerability exists in the fread_pascal_string funct
CVE-2026-2100 - A flaw was found in p11-kit. A remote attacker could exploit this vulnerability by calling the C_Der
CVE-2026-21724 - A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning
CVE-2026-0968 - A flaw was found in libssh in which a malicious SFTP (SSH File Transfer Protocol) server can exploit
CVE-2026-0967 - A flaw was found in libssh. A remote attacker, by controlling client configuration files or known_ho
CVE-2026-0966 - The API function `ssh_get_hexa()` is vulnerable when 0-length input is provided to this function. T
CVE-2026-0965 - A flaw was found in libssh where it can attempt to open arbitrary files during configuration parsing
CVE-2026-0964 - A malicious SCP server can send unexpected paths that could make the client application override loc
CVE-2026-33632 - ClearanceKit intercepts file-system access events on macOS and enforces per-process access policies.
CVE-2026-33631 - ClearanceKit intercepts file-system access events on macOS and enforces per-process access policies.
CVE-2026-33536 - ImageMagick is free and open-source software used for editing and manipulating digital images. Prior
CVE-2026-33535 - ImageMagick is free and open-source software used for editing and manipulating digital images. Prior
CVE-2026-33532 - `yaml` is a YAML parser and serialiser for JavaScript. Parsing a YAML document with a version of `ya
CVE-2026-33531 - InvenTree is an Open Source Inventory Management System. Prior to version 1.2.6, a path traversal vu
CVE-2026-33530 - InvenTree is an Open Source Inventory Management System. Prior to version 1.2.6, certain API endpoin
CVE-2026-33529 - Zoraxy is a general purpose HTTP reverse proxy and forwarding tool. Prior to version 3.3.2, an authe
CVE-2026-33528 - GoDoxy is a reverse proxy and container orchestrator for self-hosters. Prior to version 0.27.5, the
CVE-2026-33525 - Authelia is an open-source authentication and authorization server providing two-factor authenticati
CVE-2026-32287 - Boolean XPath expressions that evaluate to true can cause an infinite loop in logicalQuery.Select, l
CVE-2026-32286 - The DataRow.Decode function fails to properly validate field lengths. A malicious or compromised Pos
CVE-2026-32285 - The Delete function fails to properly validate offsets when processing malformed JSON input. This ca
CVE-2026-32284 - The msgpack decoder fails to properly validate the input buffer length when processing truncated fix
CVE-2026-2436 - A flaw was found in libsoup's SoupServer. A remote attacker could exploit a use-after-free vulnerabi
CVE-2023-7338 - Ruckus Unleashed contains a remote code execution vulnerability in the web-based management interfac
CVE-2021-4474 - Ruckus Access Point products contain an arbitrary file read vulnerability in the command-line interf
CVE-2026-4926 - Impact: A bad regular expression is generated any time you have multiple sequential optional groups
CVE-2026-4923 - Impact: When using multiple wildcards, combined with at least one parameter, a regular expression c
CVE-2026-3190 - A flaw was found in Keycloak. The User-Managed Access (UMA) 2.0 Protection API endpoint for permissi
CVE-2026-3121 - A flaw was found in Keycloak. An administrator with `manage-clients` permission can exploit a miscon
CVE-2026-33506 - Ory Polis, formerly known as BoxyHQ Jackson, bridges or proxies a SAML login flow to OAuth 2.0 or Op
CVE-2026-33505 - Ory Keto is an open source authorization server for managing permissions at scale. Prior to version
CVE-2026-33491 - Zen C is a systems programming language that compiles to human-readable GNU C/C11. Prior to version
CVE-2026-33153 - Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists.
CVE-2026-33152 - Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists.
CVE-2026-33149 - Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists.
CVE-2026-33148 - Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists.
CVE-2026-30463 - Daylight Studio FuelCMS v1.5.2 was discovered to contain a SQL injection vulnerability via the /cont
CVE-2026-30458 - An issue in Daylight Studio FuelCMS v1.5.2 allows attackers to exfiltrate users' password reset toke
CVE-2026-30457 - An issue in the /parser/dwoo component of Daylight Studio FuelCMS v1.5.2 allows attackers to execute
CVE-2026-29969 - A cross-site scripting (XSS) vulnerability in the wff_cols_pref.css.aspx endpoint of staffwiki v7.0.
CVE-2026-29055 - Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists.
CVE-2026-28503 - Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists.
CVE-2026-26213 - thingino-firmware versions up to the firmware-2026-03-16 release contains an unauthenticated os comm
CVE-2026-33732 - srvx is a universal server based on web standards. Prior to version 0.11.13, a pathname parsing disc
CVE-2026-33504 - Ory Hydra is an OAuth 2.0 Server and OpenID Connect Provider. Prior to version 26.2.0, the listOAuth
CVE-2026-33503 - Ory Kratos is an identity, user management and authentication system for cloud services. Prior to ve
CVE-2026-33496 - ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes H
CVE-2026-33495 - ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes H
CVE-2026-33494 - ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes H
CVE-2026-33490 - H3 is a minimal H(TTP) framework. In versions 2.0.0-0 through 2.0.1-rc.16, the `mount()` method in h
CVE-2026-33487 - goxmlsig provides XML Digital Signatures implemented in Go. Prior to version 1.6.0, the `validateSig
CVE-2026-33486 - Roadiz is a polymorphic content management system based on a node system that can handle many types
CVE-2026-33481 - Syft is a CLI tool and Go library for generating a Software Bill of Materials (SBOM) from containe
CVE-2026-33477 - FileRise is a self-hosted web-based file manager with multi-file upload, editing, and batch operatio
CVE-2026-32857 - Firecrawl version 2.8.0 and prior contain a server-side request forgery (SSRF) protection bypass vul
CVE-2026-4867 - Impact: A bad regular expression is generated any time you have three or more parameters within a s
CVE-2026-3116 - Mattermost Plugins versions <=11.4 11.0.4 11.1.3 11.3.2 10.11.11.0 fail to validate incoming request
CVE-2026-3115 - Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail t
CVE-2026-3114 - Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail t
CVE-2026-3113 - Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail t
CVE-2026-3112 - Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail t
CVE-2026-3109 - Mattermost Plugins versions <=11.4 10.11.11.0 fail to validate webhook request timestamps which allo
CVE-2026-3108 - Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail t
CVE-2026-34071 - Stirling-PDF is a locally hosted web application that allows you to perform various operations on PD
CVE-2026-33636 - LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portabl
CVE-2026-33470 - Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. In ve
CVE-2026-33469 - Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. In ve
CVE-2026-33468 - Kysely is a type-safe TypeScript SQL query builder. Prior to version 0.28.14, Kysely's `DefaultQuery
CVE-2026-33442 - Kysely is a type-safe TypeScript SQL query builder. In versions 0.28.12 and 0.28.13, the `sanitizeSt
CVE-2026-33438 - Stirling-PDF is a locally hosted web application that allows you to perform various operations on PD
CVE-2026-33430 - Briefcase is a tool for converting a Python project into a standalone native application. Starting i
CVE-2026-33416 - LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portabl
CVE-2026-33402 - Sakai is a Collaboration and Learning Environment (CLE). In versions 23.0 through 23.4 and 25.0 thro
CVE-2026-33015 - EVerest is an EV charging software stack. Prior to version 2026.02.0, even immediately after CSMS pe
CVE-2026-33014 - EVerest is an EV charging software stack. Prior to version 2026.02.0, during RemoteStop processing,
CVE-2026-33009 - EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race leading to C+
CVE-2026-32846 - OpenClaw through 2026.3.23 (fixed in commit 4797bbc) contains a path traversal vulnerability in medi
CVE-2026-29905 - Kirby CMS through 5.1.4 allows an authenticated user with 'Editor' permissions to cause a persistent
CVE-2026-29044 - EVerest is an EV charging software stack. Prior to version 2026.02.0, when WithdrawAuthorization is