UBUNTU-CVE-2026-41852

A vulnerability in Spring Expression Language SpEL evaluation logic allows for arbitrary zero-argument method invocation, even within restricted or read-only contexts, which may allow an attacker to invoke unintended application logic. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2....

CVE-2026-41853 Spring Framework Multipart Request Smuggling in Spring MVC and WebFlux

Spring MVC and WebFlux applications are vulnerable to Multipart request smuggling attacks. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48...

EUVD-2026-35327

Spring WebFlux applications are vulnerable to Denial of Service DoS attacks when processing multipart requests. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48...

VMware Spring Framework 安全漏洞

VMware Spring Framework is an open-source Java/JavaEE application framework developed by VMware, a US-based company. This framework helps developers build high-quality applications. Versions 7.0.0 to 7.0.7, 6.2.0 to 6.2.18, 6.1.0 to 6.1.27, and 5.3.0 to 5.3.48 of the VMware Spring Framework conta...

PT-2026-47661

Applications that evaluate user-supplied Spring Expression Language SpEL expressions are vulnerable to an Algorithmic Denial of Service DoS. By providing a specially crafted expression, an attacker can trigger excessive resource consumption during evaluation, leading to application degradation or...

Nextcloud user_oidc 输入验证错误漏洞

Nextcloud useroidc is an application developed by the German company Nextcloud. In versions 6.1.0 to 8.2.2, there was a vulnerability related to input validation errors. This vulnerability stemmed from improper redirection handling, which could allow attackers to create links that redirect users ...

CVE-2026-48906

CVE-2026-48906 affects the Tassos Framework Plugin (Novarain/Tassos Framework) used with Joomla. The CVE records describe an arbitrary file deletion vulnerability in the plugin prior to version 6.1.0, enabling deletion of arbitrary files on affected sites. The CVSS analysis indicates remote acces...

CVE-2026-48906 Extension - tassos.gr - Arbitrary File Deletion in Novarain/Tassos Framework < 6.1.0 for Joomla

The vulnerability in the Tassos Framework Plugin allows users to delete arbitrary files on the affected sites...

CVE-2026-45249

A cross-site scripting XSS vulnerability exists in Apache ECharts in the Lines series tooltip rendering logic. This issue affects Apache ECharts: from before 6.1.0. In versions prior to 6.1.0, if both Lines series and tooltip are used, and no user-specified tooltip.formatter is provided, and...

EUVD-2026-31650

A cross-site scripting XSS vulnerability exists in Apache ECharts in the Lines series tooltip rendering logic. This issue affects Apache ECharts: from before 6.1.0. In versions prior to 6.1.0, if both Lines series and tooltip are used, and no user-specified tooltip.formatter is provided, and...

Amazon Linux 2023 : python3.13-lxml (ALAS2023-2026-1679)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1679 advisory. lxml is a library for processing XML and HTML in the Python language. Prior to 6.1.0, using either of the two parsers in the default configuration with resolveentities=True allows untrusted XML input t...

Security Bulletin: Zip Slip path traversal vulnerability in jaraco.context affects IBM watsonx Assistant Cartridge and IBM watsonx Orchestrate with watsonx Assistant Cartridge.

Summary Potential Zip Slip path traversal vulnerability in jaraco.context has been identified that affects IBM watsonx Assistant Cartridge and IBM watsonx Orchestrate with watsonx Assistant Cartridge - Assistant Builder Component. . The vulnerability have been addressed. Refer to details for...

ai.ancf.lmos-router:lmos-router-llm-in-spring-cloud-gateway-demo (=0.28.0), ai.ancf.lmos:lmos-operator (>=0.0.4 <=0.4.0) +4607 more potentially affected by CVE-2026-22745 via org.springframework:spring-webmvc (>=6.1.0 <=6.1.21)

org.springframework:spring-webmvc MAVEN version =6.1.0, =0.0.4, =0.5.0, =0.6.0, =0.5.0, =0.7.0, =0.7.0, =0.5.0, =0.7.5, =0.8.3, =0.7.0, =0.5.0, =0.5.0, =0.5.0, =cloud-0.1, =cloud-0.2.1 and more Source cves: CVE-2026-22745 Source advisory: OSV:GHSA-6P4F-WCWH-5VVM...

ai.ancf.lmos-router:lmos-router-llm-in-spring-cloud-gateway-demo (>=0.2.0 <=0.28.0), ai.ancf.lmos:arc-graphql-spring-boot-starter (>=0.1.1 <=0.112.0) +1202 more potentially affected by CVE-2026-22740 via org.springframework:spring-webflux (>=6.1.0 <=6.1.21)

org.springframework:spring-webflux MAVEN version =6.1.0, =0.2.0, =0.1.1, =0.1.1, =0.0.4, =0.1.0, =0.6.0, =0.6.0, =1.2.0, =2.1.0, =1.3.0, =1.0.2, =1.0.45 and more Source cves: CVE-2026-22740 Source advisory: OSV:GHSA-5843-P793-GHMM...

OESA-2026-2010 python-lxml security update

\ Security Fixes: lxml is a library for processing XML and HTML in the Python language. Prior to 6.1.0, using either of the two parsers in the default configuration with resolveentities=True allows untrusted XML input to read local files. Setting the resolveentities option explicitly to...

OESA-2026-2009 python-lxml security update

\ Security Fixes: lxml is a library for processing XML and HTML in the Python language. Prior to 6.1.0, using either of the two parsers in the default configuration with resolveentities=True allows untrusted XML input to read local files. Setting the resolveentities option explicitly to...

CVE-2026-41066

lxml is a library for processing XML and HTML in the Python language. Prior to 6.1.0, using either of the two parsers in the default configuration with resolveentities=True allows untrusted XML input to read local files. Setting the resolveentities option explicitly to resolveentities='internal' ...

CVE-2026-6564

EMQ EMQX Enterprise up to 6.1.0 contains a vulnerability in an unknown function of the Session Handling component that leads to improper authorization. The issue can be exploited remotely and an exploit is publicly available. Affected product: EMQX Enterprise (

CVE-2026-34584

listmonk is a standalone, self-hosted, newsletter and mailing list manager. From version 4.1.0 to before version 6.1.0, bugs in list permission checks allows users in a multi-user environment to access to lists which they don't have access to under different scenarios. This only affects multi-use...

CVE-2026-34828

CVE-2026-34828 affects listmonk, a standalone self-hosted newsletter manager. A session-management vulnerability in versions 4.1.0 up to, but not including, 6.1.0 allows already-authenticated sessions to remain valid after password reset or password change, enabling an attacker with a valid sessi...