SQL Injection
Overview: @n8n/api-types is a fair-code workflow automation platform with native AI capabilities. Affected versions of this package are vulnerable to SQL Injection in the process of importing a Data Table JSON file during a Source Control Pull operation. An attacker who can write to the git...
CVE-2026-33570 Subnet Solutions PowerSYSTEM Center Incorrect Authorization
PowerSYSTEM Center REST API endpoint for devices allows a low privilege authenticated user to access information normally limited by operational permissions...
CVE-2026-44240
CVE-2026-44240 affects the Node.js FTP client basic-ftp . Before version 5.3.1, the client is vulnerable to client-side denial of service when parsing FTP control-channel multiline responses. A malicious FTP server can send an unterminated multiline response during the initial banner phase, causi...
WordPress EventPrime plugin <= 4.3.2.0 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Evan in WordPress Plugin EventPrime versions <= 4.3.2.0...
CVE-2026-36983
D-Link DCS-932L v2.18.01 is vulnerable to Command Injection in the function sub42EF14 of the file /bin/alphapd. The manipulation of the argument LightSensorControl leads to command injection...
CVE-2026-42205
Avo is a framework to create admin panels for Ruby on Rails apps. Prior to version 3.31.2, a broken access control vulnerability was identified in the ActionsController of the Avo framework. Due to insecure action lookup logic, an authenticated user can execute any Action class descendants of...
CVE-2026-44012
Craft CMS vulnerability CVE-2026-44012: AssetsController::actionShowInFolder() allows information disclosure by returning asset filenames and full folder hierarchies without validating volume permissions. Affected: 5.0.0-RC1 up to before 5.9.18. Any authenticated CP user with only accessCp can en...
CVE-2026-44012
Craft CMS is a content management system (CMS). From 5.0.0-RC1 to before 5.9.18, AssetsController::actionShowInFolder fetches an asset by ID and returns its filename and complete folder hierarchy including volume handle, volume UID, folder names, folder UIDs, and folder URI paths without checking...
CLSA-2026-1778613560 python3.11: Fix of 2 CVEs
CVE-2025-15282: reject control characters in data: URL mediatypes - CVE-2025-11468: preserve parens when folding email comments to prevent header injection...
EUVD-2026-29712
Improper access control in Microsoft Office allows an unauthorized attacker to perform spoofing locally...
EUVD-2026-29708
Improper access control in Azure Logic Apps allows an authorized attacker to elevate privileges over a network...
EUVD-2026-29729
An improper access control vulnerability in Fortinet FortiAuthenticator 8.0.2, FortiAuthenticator 8.0.0, FortiAuthenticator 6.6.0 through 6.6.8, FortiAuthenticator 6.5.0 through 6.5.6 may allow an attacker to execute unauthorized code or commands via...
EUVD-2026-29690
External control of file name or path in Microsoft Edge (Chromium-based) allows an unauthorized attacker to disclose information over a network...
EUVD-2026-29687
Improper access control in Microsoft Office Word allows an authorized attacker to perform spoofing locally...
EUVD-2026-29686
Improper access control in M365 Copilot allows an authorized attacker to perform spoofing locally...
EUVD-2026-29697
Improper access control in M365 Copilot for Desktop allows an unauthorized attacker to perform spoofing locally...
EUVD-2026-29688
Improper access control in Microsoft Office PowerPoint allows an authorized attacker to perform spoofing locally...
EUVD-2026-29678
External control of file name or path in Microsoft Office Word allows an unauthorized attacker to disclose information over a network...
EUVD-2026-29662
Null pointer dereference in Windows TCP/IP allows an unauthorized attacker to deny service locally...
EUVD-2026-29679
Improper access control in Windows Admin Center allows an authorized attacker to elevate privileges over a network...