CVE-2026-41283

OpenStack Mistral through 22.0.0 allows Arbitrary Remote Code Execution when the API is exposed. There are endpoints that allow code execution, which can lead to exfiltration of service credentials...

PT-2026-46845

Summary The log file name parameter in the stata do API and CLI is directly interpolated into a Stata command string without sanitization. The security guard GuardValidator only scans the do-file content but does not validate this parameter. An attacker can inject arbitrary Stata commands includi...

PT-2026-46782

Insufficient validation of untrusted input in Storage Access API in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. Chromium security severity: Low...

PT-2026-46172

In affected versions of Octopus Server, permissions were not checked correctly resulting in any authenticated user being able to make server level changes using a certain API endpoint despite receiving an error...

CVE-2026-41283

OpenStack Mistral

PT-2026-46860

Summary This is a vertical authorization bypass in the Admin API affecting order state transition features /api/ action/order/orderId/state/transition and similar transaction/delivery transition routes. The root cause is that the transition action routes do not declare required server-side ACL...

CVE-2026-41283

OpenStack Mistral through 22.0.0 allows Arbitrary Remote Code Execution when the API is exposed. There are endpoints that allow code execution, which can lead to exfiltration of service credentials...

Kibana 8.x < 8.19.16 / 9.0.x < 9.3.5 / 9.4.x < 9.4.1 DoS (ESA-2026-32)

The version of Kibana installed on the remote host is prior to 8.19.16, 9.3.5, or 9.4.1. It is, therefore, affected by a vulnerability as referenced in the ESA-2026-32 advisory. - Uncontrolled Resource Consumption CWE-400 in Kibana can lead to a denial of service via Excessive Allocation CAPEC-13...

PT-2026-46884

Summary A non-admin API user with integration:create ACL privilege can escalate to full administrator by creating an integration with admin: true through the Sync API POST /api/ action/sync. The regular integration endpoint POST /api/integration correctly blocks this, but the Sync API bypasses th...

Important: bind9.16 security update

The Berkeley Internet Name Domain BIND is an implementation of the Domain Name System DNS protocols. BIND includes a DNS server named; a resolver library routines for applications to use when interfacing with DNS; and tools for verifying that the DNS server is operating correctly. Security Fixes:...

bind9.16 security update

32:9.16.23-0.22.6 - Fix GSS-API resource leak CVE-2026-3039 - Invalid handling of CLASS != IN CVE-2026-5946...

PT-2026-46892

Summary The Shopware Store API endpoint /store-api/handle-payment contains an object-level authorization flaw that allows a low-privileged external user with a normal customer or guest context to trigger the payment flow for another user’s order by supplying a foreign orderId. The affected...

PT-2026-46852

Summary A low-privilege admin user with user recovery:read ACL can take over any admin account. The attacker triggers password recovery for the victim unauthenticated endpoint, reads the recovery hash from the Admin API search endpoint, then uses the hash to reset the victim's password another...

PT-2026-46885

Summary A low-privilege admin user with user recovery:read ACL can take over any admin account. The attacker triggers password recovery for the victim unauthenticated endpoint, reads the recovery hash from the Admin API search endpoint, then uses the hash to reset the victim's password another...

PT-2026-46865

Unauthenticated Reflected XSS via $ GET'search' in AVideo YouTubeAPI Gallery Pagination Summary A reflected Cross-Site Scripting vulnerability CWE-79 in the AVideo YouTubeAPI plugin allows any unauthenticated attacker to execute arbitrary JavaScript in a victim's browser session when the victim...

CVE-2026-10215

A security vulnerability has been detected in Dolibarr ERP CRM up to 23.0.1. Impacted is the function checkUserAccessToObject of the file htdocs/holiday/class/apiholidays.class.php of the component Leave Request REST API. The manipulation leads to improper authorization. The attack may be initiat...

GHSA-F9RX-7WF7-JR36 Froxlor's API Authentication bypasses 2FA Authentication

Summary Froxlor's API authentication FroxlorRPC::validateAuth does not enforce Two-Factor Authentication. When a user admin or customer enables 2FA on their account, the web UI correctly requires a TOTP code after password verification. However, the API accepts requests authenticated with only an...

Froxlor: BIND Zone File Injection via TXT Record Content

Summary The DomainZones.add API endpoint does not sanitize newline characters in TXT record content. An authenticated customer with DNS editing enabled can inject newlines into TXT record values, which break out of the record line in the generated BIND zone file. This enables injection of arbitra...

EUVD-2026-33988

React Router vulnerable to XSS in unstable RSC redirect handling via javascript: redirect targets...

DRUPAL-CONTRIB-2026-042

This module provides spam protection using the CleanTalk cloud service. The module doesn't sufficiently sanitize API response messages before rendering them in HTML output. The cleantalkdie and ctdie functions output the CleanTalk API response message directly into HTML without proper sanitizatio...