CVE-2026-41161 Username Enumeration via Timing Attack

Sync-in Server is a secure, open-source platform for file storage, sharing, collaboration, and syncing. Prior to version 2.2.0, the /api/auth/login endpoint contains a logic flaw that allows unauthenticated remote attackers to enumerate valid usernames by measuring the application's response time...

EUVD-2026-28543

The Sky Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the sky-custom-scripts custom post type in all versions up to, and including, 3.3.2. This is due to the custom post type being registered with capabilitytype = 'post' and showinrest = true, combined with...

CVE-2026-7475

The Sky Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the sky-custom-scripts custom post type in all versions up to, and including, 3.3.2. This is due to the custom post type being registered with capabilitytype = 'post' and showinrest = true, combined with...

MAL-2026-3394 Malicious code in @gaia-codesearch/gaia-api-typescript (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 59cc0f371f067ea9c6f0bbe7076f9f33181d8e1ae55c43ff05ae2b854de41549 The package @gaia-codesearch/gaia-api-typescript was found to contain malicious code. Source: ossf-package-analysis...

EUVD-2025-209736

An issue was discovered in Control Web Panel CWP before 0.9.8.1209. User input passed via the "key" GET parameter to /admin/index.php when the "api" parameter is set is not properly sanitized before being used to execute OS commands. This can be exploited by unauthenticated attackers to inject an...

CVE-2026-7475

The Sky Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the sky-custom-scripts custom post type in all versions up to, and including, 3.3.2. This is due to the custom post type being registered with capabilitytype = 'post' and showinrest = true, combined with...

MAL-2026-3387 Malicious code in @gaia-codesearch/gaia-api-python (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector bffb43bbb30e1d5c01c4c389983726a49a5489ddebcfef91353d03f7a767d01f The package @gaia-codesearch/gaia-api-python was found to contain malicious code. Source: ossf-package-analysis...

Malicious code in @gaia-codesearch/gaia-api-python (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector bffb43bbb30e1d5c01c4c389983726a49a5489ddebcfef91353d03f7a767d01f The package @gaia-codesearch/gaia-api-python was found to contain malicious code. Source: ossf-package-analysis...

Improper Authorization

github.com/mattermost/mattermost-server is vulnerable to improper authorization. The vulnerability is due to insufficient validation of team membership permissions in the Add Channel Member API, which allows an attacker to exploit the API endpoint to access user metadata and channel membership...

CVE-2025-67888

An issue was discovered in Control Web Panel CWP before 0.9.8.1209. User input passed via the "key" GET parameter to /admin/index.php when the "api" parameter is set is not properly sanitized before being used to execute OS commands. This can be exploited by unauthenticated attackers to inject an...

BIT-JRE-2025-61748

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE component: Libraries. Supported versions that are affected are Oracle Java SE: 21.0.8 and 25; Oracle GraalVM for JDK: 21.0.8; Oracle GraalVM Enterprise Edition: 21.3.15...

BIT-JRE-2024-21211

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE component: Compiler. Supported versions that are affected are Oracle Java SE: 23; Oracle GraalVM for JDK: 17.0.12, 21.0.4, 23; Oracle GraalVM Enterprise Edition: 20.3.15 and...

BIT-JRE-2024-21145

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE component: 2D. Supported versions that are affected are Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM for JDK: 17.0.11, 21.0.3, 22.0.1;...

BIT-JRE-2024-21068

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE component: Hotspot. Supported versions that are affected are Oracle Java SE: 8u401-perf, 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for JDK: 17.0.10, 21.0.2 and 22; Oracle...

BIT-JRE-2024-20945

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE component: Security. Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21, 17.0.9, 21.0.1; Oracle GraalVM for JDK: 17.0.9, 21.0.1; Oracle GraalVM...

BIT-JRE-2023-22025

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, product of Oracle Java SE component: Hotspot. Supported versions that are affected are Oracle Java SE: 8u381-perf, 17.0.8, 21; Oracle GraalVM for JDK: 17.0.8, 21; Oracle GraalVM Enterprise Edition:...

Exploit for Improper Input Validation in Apache Activemq

CVE-2026-34197 — Apache ActiveMQ Classic Jolokia RCE Lab O...

CVE-2026-42279

solidtime is an open-source time-tracking app. In version 0.12.0, the PUT /api/v1/organizations/organization/time-entries/timeEntry API accepts a route-bound timeEntry from another organization when the caller has time-entries:update:all in the URL organization, allowing a known foreign time-entr...

CVE-2026-8133

A security vulnerability has been detected in zyx0814 FilePress up to 2.2.0. Affected by this vulnerability is an unknown functionality of the file dzz/shares/admin.php of the component Shares Filelist API. Such manipulation of the argument order leads to sql injection. The attack can be launched...

CVE-2026-41498

Kimai is an open-source time tracking application. Prior to version 2.54.0, the Team API endpoints use IsGranted'editteam' instead of IsGranted'edit', 'team', causing Symfony TeamVoter to abstain from voting. This removes entity-level ownership checks on team operations, allowing any user with th...