EUVD-2026-37952

Hashgraph Guardian through 3.5.0, fixed in commit ba8c566, contains a stored cross-site scripting vulnerability that allows authenticated users with the STANDARDREGISTRY role to inject malicious scripts by submitting a crafted companyName value via the branding configuration API endpoint. Attacke...

PT-2026-51021

Name of the Vulnerable Software and Affected Versions Mercator versions prior to 2025.05.19 Description A Server-Side Request Forgery SSRF exists in the CVE configuration panel at the '/admin/config/parameters' endpoint. The testProvider method in ConfigurationController passes user-supplied inpu...

PT-2026-50845

Name of the Vulnerable Software and Affected Versions The Royal Addons for Elementor – Addons and Templates Kit for Elementor versions 1.7.1058 through 1.7.1059 Description An arbitrary file read issue exists due to the wpr get csv handle helper function. When the settings.table upload csv.url...

PT-2026-51099

Name of the Vulnerable Software and Affected Versions langflow versions prior to 1.9.1 Description An Insecure Direct Object Reference IDOR exists in the '/api/v1/responses' endpoint. This issue allows an authenticated attacker to execute any flow belonging to another user by specifying the...

PT-2026-50985

Name of the Vulnerable Software and Affected Versions Joomla J-CruisePortal version 6.0.4 Description An SQL injection allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code. This is achieved by sending POST requests to the "cruises" endpoint using crafted SQL...

PT-2026-50830

Name of the Vulnerable Software and Affected Versions Classified Listing – Classified ads & Business Directory versions prior to 5.4.3 Description The plugin contains a missing authorization flaw in the gallery image update as feature AJAX handler action: rtcl fb gallery image update as feature...

PT-2026-50847

Name of the Vulnerable Software and Affected Versions Bogo plugin for WordPress versions prior to 3.9.2 Description An issue exists where authenticated attackers with subscriber-level access and above can extract the raw title, content, excerpt, and password of private, draft, or password-protect...

PT-2026-50878

Name of the Vulnerable Software and Affected Versions SIMA GmbH Bondix versions prior to 1.25.7.6 Description OS command injection exists in the environment and tunnel configuration functionality on Linux. An authenticated attacker with configuration write access can execute arbitrary...

PT-2026-50995

Name of the Vulnerable Software and Affected Versions Joomla! Component vBizz version 1.0.7 Description An SQL injection allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the payid parameter. This is achieved by submitting POST requests to the...

PT-2026-50994

Name of the Vulnerable Software and Affected Versions Joomla! Component vBizz version 1.0.7 Description An unrestricted file upload issue allows authenticated attackers to upload arbitrary PHP files. This is achieved by submitting malicious files through the profile pic parameter via POST request...

PT-2026-50993

Name of the Vulnerable Software and Affected Versions Joomla vWishlist version 1.0.1 Description An SQL injection allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code. This is achieved by sending POST requests to the component using crafted payloads in the...

CVE-2026-12050

Technical details beyond the initial description are not publicly available in the provided documents. Monitor for updates.

CVE-2026-56075

PraisonAI before 4.5.128 contains an arbitrary shell command execution vulnerability where the UI modules hardcode approvalmode to auto, overriding administrator configuration from PRAISONAPPROVALMODE environment variable. Authenticated attackers can instruct the LLM agent to execute arbitrary...

CVE-2026-54017

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, the terminal-server reverse proxy in backend/openwebui/routers/terminals.py does not fully confine the user-controlled path segment before forwarding it to an admin-configured termin...

CVE-2026-22674

Hashgraph Guardian through 3.6.0, fixed in commit ba8c566, contains a stored cross-site scripting vulnerability that allows authenticated users with the STANDARDREGISTRY role to inject malicious scripts by submitting a crafted companyName value via the branding configuration API endpoint. Attacke...

CVE-2026-49248

OneDev is a Git server with CI/CD, kanban, and packages. In versions 15.0.6 and below, TarUtils.untar creates symbolic links verbatim from TAR entry getLinkName without validating whether the target is an absolute path. A subsequent file entry in the same archive traverses the symlink, writing to...

CVE-2026-49252

deepstream is a server that allows clients and backend services to sync data, send messages and make rpcs at scale. Versions prior to 10.0.5 are vulnerable to Prototype Pollution. Exploitation can lead to potential privilege escalation from any authenticated user with write permission to any...

CVE-2026-22674 Hashgraph Guardian Stored XSS via branding companyName field

Hashgraph Guardian through 3.5.0, fixed in commit ba8c566, contains a stored cross-site scripting vulnerability that allows authenticated users with the STANDARDREGISTRY role to inject malicious scripts by submitting a crafted companyName value via the branding configuration API endpoint. Attacke...

CVE-2026-22674 Hashgraph Guardian Stored XSS via branding companyName field

Hashgraph Guardian through 3.6.0, fixed in commit ba8c566, contains a stored cross-site scripting vulnerability that allows authenticated users with the STANDARDREGISTRY role to inject malicious scripts by submitting a crafted companyName value via the branding configuration API endpoint. Attacke...

CVE-2026-49252 deepstream is vulnerable to prototype pollution

deepstream is a server that allows clients and backend services to sync data, send messages and make rpcs at scale. Versions prior to 10.0.5 are vulnerable to Prototype Pollution. Exploitation can lead to potential privilege escalation from any authenticated user with write permission to any...