
6499 matches found

NVD
added 2026/03/20 11:16 p.m. | 1 view

CVE-2026-31926

Charging station authentication identifiers are publicly accessible via web-based mapping platforms...

CVSS 6.9 | EPSS 0.00017
Exploits: 0 | References: 2
NVD
added 2026/03/20 11:16 p.m. | 2 views

CVE-2026-27649

The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables session hijacking or shadowing, where the most recent...

CVSS 7.3 | EPSS 0.00053
Exploits: 0 | References: 3
NVD
added 2026/03/20 11:16 p.m. | 2 views

CVE-2026-28204

Charging station authentication identifiers are publicly accessible via web-based mapping platforms...

CVSS 6.9 | EPSS 0.00057
Exploits: 0 | References: 3
ATTACKERKB
added 2026/03/20 11:6 p.m. | 3 views

CVE-2026-31926

Charging station authentication identifiers are publicly accessible via web-based mapping platforms...

CVSS 6.9 | AI score 5.8 | EPSS 0.00017
Exploits: 0 | References: 3
CVE
added 2026/03/20 11:6 p.m. | 6 views

CVE-2026-31926

Technical details about CVE-2026-31926 are not publicly available in the provided documents. Monitor for updates from vendors and CSIRTs.

CVSS 6.9 | AI score 5.8 | EPSS 0.00017
Exploits: 0 | References: 2
CVE
added 2026/03/20 10:59 p.m. | 10 views

CVE-2026-32663

CVE-2026-32663 involves a WebSocket backend that uses charging station identifiers to map sessions but allows multiple endpoints to connect with the same session identifier. The resulting predictable session identifiers enable session hijacking or shadowing, where a newer connection can displace ...

CVSS 7.3 | AI score 5.8 | EPSS 0.00019
Exploits: 0 | References: 2 | Affected Software: 1
ATTACKERKB
added 2026/03/20 10:47 p.m. | 5 views

CVE-2026-28204

Charging station authentication identifiers are publicly accessible via web-based mapping platforms...

CVSS 6.9 | AI score 5.8 | EPSS 0.00057
Exploits: 0 | References: 4
CVE
added 2026/03/20 10:46 p.m. | 8 views

CVE-2026-27649

Summary: CVE-2026-27649 describes a flaw in the WebSocket backend where charging-station session identifiers are not unique, allowing multiple endpoints to reuse the same session ID. This leads to predictable session identifiers and enables session hijacking or shadowing, where a newer connection...

CVSS 7.3 | AI score 5.8 | EPSS 0.00053
Exploits: 0 | References: 3 | Affected Software: 1
ATTACKERKB
added 2026/03/20 10:46 p.m. | 1 view

CVE-2026-27649

The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables session hijacking or shadowing, where the most recent...

CVSS 7.3 | AI score 5.8 | EPSS 0.00053
Exploits: 0 | References: 4
Cvelist
added 2026/03/20 10:21 p.m. | 18 views

CVE-2026-3864 CSI Driver for NFS path traversal via subDir may delete unintended directories on the NFS server

A vulnerability was discovered in the Kubernetes CSI Driver for NFS where the subDir parameter in volume identifiers was insufficiently validated. Attackers with the ability to create PersistentVolumes referencing the NFS CSI driver could craft volume identifiers containing path traversal sequenc...

CVSS 6.5 | EPSS 0.00113
Exploits: 0 | References: 2
Github Security Blog
added 2026/03/20 8:34 p.m. | 5 views

AWS-LC X.509 Name Constraints Bypass via Wildcard/Unicode CN

Summary: AWS-LC is an open-source, general-purpose cryptographic library. Impact: A logic error in CN (Common Name) validation allows certificates with wildcard or raw UTF-8 Unicode CN values to bypass name constraints enforcement. The cn2dnsid function does not recognize these CN patterns as valid D...

AI score 5.9
Exploits: 0 | References: 3 | Affected Software: 1
ATTACKERKB
added 2026/03/20 8:10 p.m. | 3 views

CVE-2026-33147

GMT is an open source collection of command-line tools for manipulating geographic and Cartesian data sets. In versions from 6.6.0 and prior, a stack-based buffer overflow vulnerability was identified in the gmt_remote_dataset_id function within src/gmtremote.c. This issue occurs when a specially...

CVSS 7.3 | AI score 6.4 | EPSS 0.0002
Exploits: 1 | References: 3 | Affected Software: 1
Vulnrichment
added 2026/03/20 8:10 p.m. | 1 view

CVE-2026-33147 GMT: Stack-based Buffer Overflow in gmt_remote_dataset_id

GMT is an open source collection of command-line tools for manipulating geographic and Cartesian data sets. In versions from 6.6.0 and prior, a stack-based buffer overflow vulnerability was identified in the gmt_remote_dataset_id function within src/gmtremote.c. This issue occurs when a specially...

CVSS 7.3 | AI score 6.4 | EPSS 0.0002
Exploits: 1 | References: 2
EUVD
added 2026/03/20 8:10 p.m. | 2 views

EUVD-2026-13784

GMT is an open source collection of command-line tools for manipulating geographic and Cartesian data sets. In versions from 6.6.0 and prior, a stack-based buffer overflow vulnerability was identified in the gmt_remote_dataset_id function within src/gmtremote.c. This issue occurs when a specially...

CVSS 7.3 | AI score 6.4 | EPSS 0.0002
Exploits: 1 | References: 2
Vulnrichment
added 2026/03/20 8:5 p.m. | 1 view

CVE-2026-33142 OneUptime: ClickHouse SQL Injection via unvalidated column identifiers in sort, select, and groupBy parameters

OneUptime is a solution for monitoring and managing online services. Prior to version 10.0.34, the fix for CVE-2026-32306 (ClickHouse SQL injection via aggregate query parameters) added column name validation to the aggregateBy method but did not apply the same validation to three other query...

CVSS 8.1 | AI score 5.9 | EPSS 0.00014
Exploits: 0 | References: 1
CVE
added 2026/03/20 8:5 p.m. | 4 views

CVE-2026-33142

CVE-2026-33142 affects OneUptime prior to version 10.0.34. The issue arises because the functions toSortStatement, toSelectStatement, and toGroupByStatement in StatementGenerator interpolate user-supplied keys as ClickHouse Identifier parameters without validating that they match actual model col...

CVSS 8.1 | AI score 5.9 | EPSS 0.00014
Exploits: 0 | References: 1 | Affected Software: 1
ATTACKERKB
added 2026/03/20 5:52 a.m. | 2 views

CVE-2026-33043

WWBN AVideo is an open source video platform. In versions 25.0 and below, /objects/phpsessionid.json.php exposes the current PHP session ID to any unauthenticated request. The allowOrigin function reflects any Origin header back in Access-Control-Allow-Origin with Access-Control-Allow-Credentials...

CVSS 8.1 | AI score 5.8 | EPSS 0.0002
Exploits: 1 | References: 3 | Affected Software: 1
ATTACKERKB
added 2026/03/20 5:2 a.m. | 1 view

CVE-2026-33025

AVideo is a video-sharing Platform. Versions prior to 8.0 contain a SQL Injection vulnerability in the getSqlFromPost method of Object.php. The $_POST['sort'] array keys are used directly as SQL column identifiers inside an ORDER BY clause. Although real_escape_string was applied, it only escapes...

CVSS 8.6 | AI score 5.9 | EPSS 0.00017
Exploits: 0 | References: 3 | Affected Software: 1
CVE
added 2026/03/20 4:24 a.m. | 21 views

CVE-2026-32953

Tillitis TKey Client (Go module tkeyclient) versions

CVSS 4.7 | AI score 5.9 | EPSS 0.00008
Exploits: 1 | References: 3 | Affected Software: 1
SUSE CVE
added 2026/03/20 12:24 a.m. | 1 view

SUSE CVE-2026-32611

Glances is an open-source system cross-platform monitoring tool. The GHSA-x46r fix commit 39161f0 addressed SQL injection in the TimescaleDB export module by converting all SQL operations to use parameterized queries and psycopg.sql composable objects. However, the DuckDB export module...

CVSS 9.1 | AI score 5.8 | EPSS 0.00018
Exploits: 1 | References: 3