CVE-2026-42208

LiteLLM proxy (AI Gateway) versions 1.81.16–1.83.6 suffer a SQL injection in the proxy API key verification path where the caller-supplied key is interpolated into a SQL query during error handling. An unauthenticated attacker can send a crafted Authorization header to LLM routes (e.g., POST /cha...

EUVD-2026-28495

Kimai is an open-source time tracking application. Prior to version 2.54.0, the Team API endpoints use IsGranted'editteam' instead of IsGranted'edit', 'team', causing Symfony TeamVoter to abstain from voting. This removes entity-level ownership checks on team operations, allowing any user with th...

CVE-2026-41498 Kimai: Team API Missing Object-Level Authorization

Kimai is an open-source time tracking application. Prior to version 2.54.0, the Team API endpoints use IsGranted'editteam' instead of IsGranted'edit', 'team', causing Symfony TeamVoter to abstain from voting. This removes entity-level ownership checks on team operations, allowing any user with th...

CVE-2026-41498

Kimai is an open-source time tracking application. Prior to version 2.54.0, the Team API endpoints use IsGranted'editteam' instead of IsGranted'edit', 'team', causing Symfony TeamVoter to abstain from voting. This removes entity-level ownership checks on team operations, allowing any user with th...

CVE-2026-8133 zyx0814 FilePress Shares Filelist API admin.php sql injection

A security vulnerability has been detected in zyx0814 FilePress up to 2.2.0. Affected by this vulnerability is an unknown functionality of the file dzz/shares/admin.php of the component Shares Filelist API. Such manipulation of the argument order leads to sql injection. The attack can be launched...

CVE-2026-8133

A security vulnerability has been detected in zyx0814 FilePress up to 2.2.0. Affected by this vulnerability is an unknown functionality of the file dzz/shares/admin.php of the component Shares Filelist API. Such manipulation of the argument order leads to sql injection. The attack can be launched...

CVE-2026-8133 zyx0814 FilePress Shares Filelist API admin.php sql injection

A security vulnerability has been detected in zyx0814 FilePress up to 2.2.0. Affected by this vulnerability is an unknown functionality of the file dzz/shares/admin.php of the component Shares Filelist API. Such manipulation of the argument order leads to sql injection. The attack can be launched...

CVE-2026-42150

wlc is a Weblate command-line client using Weblate's REST API. Prior to version 2.0.0, the HTML output format in wlc embeds API response data into HTML without escaping, allowing cross-site scripting when the output is rendered in a browser. This issue has been patched in version 2.0.0...

CVE-2026-8127

A vulnerability has been found in eladmin up to 2.7. Impacted is the function checkLevel of the file /rest/UserController.java of the component Users API Endpoint. Such manipulation leads to improper access controls. The attack can be executed remotely. The exploit has been disclosed to the publi...

SUSE CVE-2026-6863

Velociraptor versions prior to 0.76.4 contain a cross organization authorization bypass in the HTTP API. A user with only the reader role in the root organization the lowest authenticated role, holding only READRESULTS permission can issue a single authenticated HTTP GET that can read any files...

SUSE CVE-2026-7926

Use after free in PresentationAPI in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. Chromium security severity: High...

SUSE CVE-2026-7939

Inappropriate implementation in SanitizerAPI in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to inject arbitrary scripts or HTML UXSS via a crafted HTML page. Chromium security severity: Medium...

CVE-2026-8127 eladmin Users API Endpoint UserController.java checkLevel access control

A vulnerability has been found in eladmin up to 2.7. Impacted is the function checkLevel of the file /rest/UserController.java of the component Users API Endpoint. Such manipulation leads to improper access controls. The attack can be executed remotely. The exploit has been disclosed to the publi...

GHSA-MMPC-XJXR-5HF8 OpenStack Cyborg's Accelerator Request (ARQ) API does not enforce project ownership at any layer

In OpenStack Cyborg before 16.0.1, the Accelerator Request ARQ API does not enforce project ownership at any layer. The projectid column in the database is never populated NULL for every ARQ, database queries have no project filtering, and policy checks are self-referential the authorizewsgi...

EUVD-2026-28462

A denial of service vulnerability was identified in GitHub Enterprise Server that allowed an unauthenticated attacker to cause service disruption by sending crafted requests with deeply nested JSON payloads to an unauthenticated API endpoint. The endpoint parsed user-controlled JSON request bodie...

GHSA-MM7J-MHHJ-HJ36 OpenStack Cyborg uses rule:allow (check_str='@') as the default policy for multiple API endpoints

OpenStack Cyborg before 16.0.1 uses rule:allow checkstr='@' as the default policy for multiple API endpoints. This unconditionally authorizes any request carrying a valid Keystone token regardless of roles, project membership, or scope. An authenticated user with zero role assignments can complet...

PT-2026-38827

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE component: Compiler. Supported versions that are affected are Oracle Java SE: 23; Oracle GraalVM for JDK: 17.0.12, 21.0.4, 23; Oracle GraalVM Enterprise Edition: 20.3.15 and...

CVE-2025-69691

Netgate pfSense CE 2.8.0 allows code execution in the XMLRPC API via pfsense.execphp. NOTE: the Supplier disputes this because the API call is only available to admins and they are intentionally allowed to execute PHP code...

PT-2026-38802

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE component: Hotspot. Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21, 17.0.9, 21.0.1; Oracle GraalVM for JDK: 17.0.9, 21.0.1; Oracle GraalVM...

PT-2026-38761

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE component: JAXP. Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable...