CVE-2026-46430

Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, the SSE event server bound to 0.0.0.0:5553 on Linux/macOS by default because the platform-dependent host default in engine/flags.go:39-46 set host = "" for non-Windows, and utils.JoinHostPort"", ":5553" resolves to ":5553"...

CVE-2026-48792

pamusb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.1, src/evdev.c silently ignores EACCES errors when opening /dev/input/event nodes, causing pusbhasvirtualinputdevice to return 0 no virtual devices found even when every open call failed due to...

CVE-2026-44214

eventsource-encoder encodes events as well-formed EventSource/Server Sent Event SSE messages. Prior to 1.0.2, eventsource-encoder does not sanitize the event or id fields of an EventSourceMessage before serializing them. An attacker who controls either field can inject arbitrary Server-Sent Event...

CVE-2026-8898

The Events In City plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'org-events' shortcode in versions up to, and including, 3.0. This is due to insufficient input sanitization and output escaping on user supplied attributes such as 'organizerid', 'width', 'height',...

CVE-2026-8205

Concrete CMS 9.5.0 and below is vulnerable to authorization bypass in the Calendar Block since actiongetevents does not check canView on the calendar which results in restricted event details being disclosed. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with...

CVE-2026-50209

Broadcast events allow malicious software to rewrite the device's default Mobile Device Management MDM endpoint address, shifting administrative ownership to an external attacker...

CVE-2026-9739

Vulnerable to DNS rebinding attacks when using SSE http://b/499408790. During the beta phase, we implemented allowed-origins and allowed-hosts flags to align with MCP security guidelines. However, the hardcoded Access-Control-Allow-Origin: header in the SSE initialization handler was inadvertentl...

CVE-2026-42612

Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a stored Cross-Site Scripting XSS vulnerability in getgrav/grav allows publisher-level accounts to execute arbitrary JavaScript. The issue arises from a blacklist bypass in the detectXss function when handling unquoted HTML event attribute...

CVE-2026-40308

My Calendar is a WordPress plugin for managing calendar events. In versions 3.7.6 and below, the mcajaxmcjsaction AJAX endpoint, registered for unauthenticated users, passes user-supplied arguments through parsestr without validation, allowing injection of arbitrary parameters including a site...

CVE-2026-40576

excel-mcp-server is a Model Context Protocol server for Excel file manipulation. A path traversal vulnerability exists in excel-mcp-server versions up to and including 0.1.7. When running in SSE or Streamable-HTTP transport mode the documented way to use this server remotely, an unauthenticated...

CVE-2026-49493

creationtimestamp| type| source ---|---|--- 2026-06-05 19:00:47+00:00| seen| https://bsky.app/profile/thehackerwire.bsky.social/post/3mnkt5o35st2s 2026-06-05 19:56:33+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3mnkwbfulzw2d...

GHSA-G72G-R7M4-9X4G NocoDB: OAuth Tokens Persist Through Security Events

Summary OAuth access and refresh tokens were not revoked when the user changed, reset, or recovered their password, leaving an attacker-issued OAuth grant valid after the user believed they had locked the attacker out. Details revokeAllOAuthTokensByUser in the users service was an empty stub bein...

CVE-2026-8914

creationtimestamp| type| source ---|---|--- 2026-06-05 11:35:00+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3mnk2akmdy32f 2026-06-05 11:35:00+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3mnk2akmdy32f...

WordPress LatePoint – Calendar Booking Plugin for Appointments and Events plugin <= 5.6.0 - Cross-Site Request Forgery vulnerability

Cross-Site Request Forgery vulnerability discovered by Kirasec in WordPress Plugin LatePoint versions = 5.6.0...

[SECURITY] Fedora 44 Update: python-starlette-0.52.1-2.fc44

Starlette is a lightweight ASGI framework/toolkit, which is ideal for building async web services in Python. It is production-ready, and gives you the following: =E2=80=A2 A lightweight, low-complexity HTTP web framework. =E2=80=A2 WebSocket support. =E2=80=A2 In-process background tasks. =E2=80=...

[SECURITY] Fedora 43 Update: python-starlette-0.52.1-2.fc43

Starlette is a lightweight ASGI framework/toolkit, which is ideal for building async web services in Python. It is production-ready, and gives you the following: =E2=80=A2 A lightweight, low-complexity HTTP web framework. =E2=80=A2 WebSocket support. =E2=80=A2 In-process background tasks. =E2=80=...

CVE-2026-11291

creationtimestamp| type| source ---|---|--- 2026-06-05 02:42:53+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3mnj4j2ss7t2g 2026-06-05 13:24:42+00:00| seen| https://infosec.exchange/users/cR0w/statuses/116697713800926918 2026-06-07 18:00:00+00:00| seen|...

CVE-2019-25727

creationtimestamp| type| source ---|---|--- 2026-06-04 23:27:58+00:00| seen| https://bsky.app/profile/pulse-wp.com/post/3mnirmjtf7n25 2026-06-04 23:30:28+00:00| seen| https://bsky.app/profile/pulse-wp.com/post/3mnirqyr22a26...

CVE-2026-26555

creationtimestamp| type| source ---|---|--- 2026-06-04 23:00:15+00:00| seen| Telegram/ZO8GXKofeRUVwVPphXUXme80ypLutlvGOITV9wiiQ1h3jLc 2026-06-05 03:00:06+00:00| seen| Telegram/w0GkJHs0a-iOGxRnRQVAJ6txbFx-4W5StLXj-Qhn1zDpC10...

GHSA-H97M-27FX-42RX matrix-sdk-ui: Incomplete edit validation

Impact The message edit validation logic in the matrix-sdk-ui crate before 0.16.1 is missing a check: when replacing an encrypted event, the replacement event itself is not required to be encrypted. This enables a malicious homeserver administrator or an actor with equivalent power to impersonate...