PT-2026-28640

Name of the Vulnerable Software and Affected Versions HiJiffy Chatbot affected versions not specified Description An incorrect authorization issue exists in HiJiffy Chatbot. This allows an attacker to download private messages belonging to other users. The issue is due to improper access control...

PT-2026-28391

Name of the Vulnerable Software and Affected Versions Lightcms version 2.0 Description A reflected cross-site scripting XSS issue exists in the /admin/menus component. This allows attackers to execute arbitrary Javascript within a user's browser by altering the referer value in the request header...

PT-2026-28653

Name of the Vulnerable Software and Affected Versions 648540858 wvp-GB28181-pro versions up to 2.7.4 Description A security flaw exists in the 648540858 wvp-GB28181-pro software. The issue is related to deserialization within the GenericFastJsonRedisSerializer function located in the file...

CVE-2026-33677 Webhook BasicAuth Credentials Exposed to Read-Only Project Collaborators via API

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the GET /api/v1/projects/:project/webhooks endpoint returns webhook BasicAuth credentials basicauthuser and basicauthpassword in plaintext to any user with read access to the project. While the existing code...

Exploit for OS Command Injection in Arcane

CVE-2026-23520 MCP API Remote Command Execution RCE Proo...

CVE-2026-4562

The CVE-2026-4562 entry describes a security flaw in MacCMS version 2025.1000.4052 affecting an unknown part of application/api/controller/Timming.php within the Timming API Endpoint. The vulnerability permits missing authentication, with remote exploitation possible and the exploit publicly rele...

CVE-2026-3645 Punnel <= 1.3.1 - Missing Authorization to Authenticated (Subscriber+) Settings Update via 'punnel_save_config' AJAX Action

The Punnel – Landing Page Builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.3.1. The saveconfig function, which handles the 'punnelsaveconfig' AJAX action, lacks any capability check currentusercan and nonce verification. This makes it...

CVE-2026-2375 App Builder – Create Native Android & iOS Apps On The Flight <= 5.5.10 - Unauthenticated Privilege Escalation via 'role' Parameter

The App Builder – Create Native Android & iOS Apps On The Flight plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 5.5.10. This is due to the verifyrole function in AuthTrails.php explicitly whitelisting the wcfmvendor role alongside subscriber and...

langflow has Unauthenticated IDOR on Image Downloads

Summary The /api/v1/files/images/flowid/filename endpoint serves image files without any authentication or ownership check. Any unauthenticated request with a known flowid and filename returns the image with HTTP 200. Details src/backend/base/langflow/api/v1/files.py:138-164 — downloadimage takes...

CVE-2026-32632 Glances's REST/WebUI Lacks Host Validation and Remains Exposed to DNS Rebinding

Glances is an open-source system cross-platform monitoring tool. Glances recently added DNS rebinding protection for the MCP endpoint, but prior to version 4.5.2, the main REST/WebUI FastAPI application still accepts arbitrary Host headers and does not apply TrustedHostMiddleware or an equivalent...

CVE-2026-31891

Cockpit is a headless content management system. Any Cockpit CMS instance running version 2.13.4 or earlier with API access enabled is potentially affected by a a SQL Injection vulnerability in the MongoLite Aggregation Optimizer. Any deployment where the /api/content/aggregate/model endpoint is...

GHSA-FWJ4-6WGP-MPXM Katello: Denial of Service and potential information disclosure via SQL injection

A flaw was found in the Katello plugin for Red Hat Satellite. This vulnerability, caused by improper sanitization of user-provided input, allows a remote attacker to inject arbitrary SQL commands into the sortby parameter of the /api/hosts/bootcimages API endpoint. This can lead to a Denial of...

EUVD-2026-12544

In affected versions of Octopus Server it was possible for a low privileged user to manipulate an API request to change the signing key expiration and revocation time frames via an API endpoint that had incorrect permission validation. It was not possible to expose the signing keys using this...

CVE-2026-3237

In affected versions of Octopus Server it was possible for a low privileged user to manipulate an API request to change the signing key expiration and revocation time frames via an API endpoint that had incorrect permission validation. It was not possible to expose the signing keys using this...

PT-2026-25975

Name of the Vulnerable Software and Affected Versions Cockpit versions 2.13.4 and earlier Description Cockpit is a headless content management system. Instances running version 2.13.4 or earlier with API access enabled are susceptible to a SQL Injection issue in the MongoLite Aggregation Optimize...

PT-2026-25859

Name of the Vulnerable Software and Affected Versions SiYuan versions 3.6.0 and below Description SiYuan, a personal knowledge management system, contains an authorization bypass that allows authenticated users, including those with the Reader role, to execute arbitrary SQL statements against the...

SUSE CVE-2017-18915

An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. After a restart of a server, an attacker might suddenly gain API Endpoint access...

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the E2E Metadata Parser API endpoint, which processes unbounded request bodies without size restrictions. An authenticated user can cause the server to run out of memory and disru...

CVE-2026-32142 shopware/commercial: `/api/_info/config` route exposes information about licenses

Shopware is an open commerce platform. /api/info/config route exposes information about licenses. This vulnerability is fixed in 7.8.1 and 6.10.15...

Command Injection

Overview openakita is a 全能自进化AI Agent - 基于Ralph Wiggum模式，永不放弃 Affected versions of this package are vulnerable to Command Injection via the run function in the Chat API Endpoint component when processing the Message argument. An attacker can execute arbitrary operating system commands by supplyin...