CVE-2026-39951

CVE-2026-39951 affects Cacti versions 1.2.30 and earlier, exposing a Stored SQL Injection through graph_name_regexp in the Reports feature. The vulnerability is fixed in version 1.2.31. Public references confirm the issue and include a fix commit and security advisory link. No exploitation detail...

CVE-2026-52813

Gogs is an open source self-hosted Git service. Prior to 0.14.3, organization names containing path traversal sequences ../ are accepted by Gogs, and repositories under them are written to paths following these path traversals. This allows storing/retrieving data for repositories at arbitrary...

CVE-2026-52807

Summary (supported by provided docs): Gogs is affected by a DOM-based XSS in the New Issue page when a milestone name contains HTML/JS payloads. The root cause involves client-side rendering: milestone names are rendered with Go’s escaping in new_form.tmpl, but Semantic UI 2.4.2 uses preserveHTML...

CVE-2026-52806

Gogs is an open source self-hosted Git service. Prior to 0.14.3, Gogs allows authenticated users to achieve Remote Code Execution RCE on the server by creating a pull request with a specially crafted branch name that injects the --exec flag into the git rebase command during the "Rebase before...

CVE-2026-49220

CVE-2026-49220 affects Jellyfin up to version 10.11.8, where a vulnerability in the AuthenticateByName flow allows a non-privileged user to inject HTML/JavaScript in the Client header that executes in an Administrative user session when accessing a user’s detail from the dashboard. This is a user...

CVE-2026-53945

CVE-2026-53945 affects Ghost CMS: from 6.0.9 up to 6.21.1, the private-IP check for outbound HTTP requests could be bypassed via DNS rebinding, allowing the Ghost server to reach internal hosts through features that issue external fetches. Remediation: upgrade to Ghost 6.21.1 or later. Impact per...

EUVD-2026-39001

Warp is an agentic development environment. From 0.2025.08.06.08.12.stable00 until 0.2026.05.06.15.42.stable01, Warp contains a command injection in the prompt branch selector. A user who can publish a branch to a Git repository opened in Warp can cause a crafted branch name to be interpreted by...

Important: Red Hat Security Advisory: bind security update

An update for bind is now available for Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is...

bind: BIND: Denial of Service via maliciously crafted DNSSEC-validated zone

A flaw was found in BIND. A remote attacker could exploit this vulnerability by sending a maliciously crafted DNSSEC-validated zone to a BIND resolver. This could cause the resolver to consume excessive CPU resources, leading to a denial of service DoS for legitimate users...

CVE-2026-57282

Jenkins Git client Plugin 6.6.0 and earlier does not correctly escape the workspace directory name when it is embedded into a generated SSH wrapper script, allowing attackers able to control the name of a build's working directory to execute arbitrary operating system commands on the agent...

CVE-2026-57282

Jenkins Git client Plugin 6.6.0 and earlier does not correctly escape the workspace directory name when it is embedded into a generated SSH wrapper script, allowing attackers able to control the name of a build's working directory to execute arbitrary operating system commands on the agent...

CVE-2026-52941

The CVE-2026-52941 issue affects the Linux kernel’s SMC tracepoints. The smc_msg_event tracepoint unconditionally dereferences smc->conn.lnk->ibname, causing a NULL dereference when conn->lnk is NULL on SMC-D (while it is set for SMC-R). This can crash the first sendmsg()/recvmsg() on an...

CVE-2026-7761 Ultimate Member <= 2.11.4 - Authenticated (Contributor+) Account Takeover via Password Reset Link Disclosure

The Ultimate Member plugin for WordPress is vulnerable to Account Takeover via Password Reset Link Disclosure in all versions up to and including 2.11.4. This is due to a chain of three logic bugs: 1 an MD5 hash fallback in getdirectorybyhash that allows any post to be used as a member directory ...

CVE-2026-8617

The CVE concerns the WordPress SearchPlus plugin (versions up to and including 1.7.1). The vulnerability arises from a missing capability check and missing nonce validation in two AJAX callback functions, searchplus_save_token_action_callback() and searchplus_reset_token_action_callback(), which ...

EUVD-2026-38658

The Book a Room Event Calendar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9. This is due to missing or incorrect nonce validation on the settingsform/updatesettings functionality. The plugin's options page handler dispatches on the...

DomainMOD 4.11.01 - Cross-Site Scripting

DomainMOD 4.11.01 contains a cross-site scripting vulnerability via assets/add/dns.php Profile Name or notes field. id: CVE-2018-19914 info: name: DomainMOD 4.11.01 - Cross-Site Scripting author: arafatansari severity: medium description: | DomainMOD 4.11.01 contains a cross-site scripting...

WebTareas 2.4p5 - Cross-Site Scripting

webtareas 2.4p5 was discovered to contain a cross-site scripting XSS vulnerability in the component /clients/listclients.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field. id: CVE-2022-44957 info: name: WebTareas...

ChurchCRM - SQL Injection

A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to execute arbitrary SQL queries by exploiting a time-based blind SQL Injection vulnerability in the EditEventTypes functionality. The newCountName parameter is directly concatenated into an SQL query without proper...

Oracle iPlanet Web Server 7.0.x - Image Injection

Oracle iPlanet Web Server 7.0.x allows image injection in the Administration console via the productNameSrc parameter to an admingui URI. This issue exists because of an incomplete fix for CVE-2012-0516. id: CVE-2020-9314 info: name: Oracle iPlanet Web Server 7.0.x - Image Injection author:...

Spotweb <= 1.5.1 - Cross Site Scripting

Cross-site scripting XSS vulnerability in templates/installer/step-004.inc.php in spotweb 1.5.1 and below allow remote attackers to inject arbitrary web script or HTML via the lastname parameter. id: CVE-2021-40973 info: name: Spotweb = 1.5.1 - Cross Site Scripting author: theamanrawat severity:...