CVE-2026-52812

CVE-2026-52812 affects Gogs (open source self-hosted Git service) prior to 0.14.3. The vulnerability stems from a dedupe path in LFS storage: when an OID file already exists on disk, serveUpload bypasses hash verification and inserts a new per-repo binding (repo_id, oid) without confirming that t...

CVE-2026-56319

Capgo before 12.128.2 contains an information disclosure vulnerability in the GET /statistics/app/:appid endpoint that allows app-limited API keys to distinguish existing sibling app IDs through differential error responses. Attackers can enumerate real app IDs outside their allowed scope by...

CVE-2026-50875

Incorrect access control in the /form/webhooks/webhook endpoint of Deck9 Input v2.0.1 allows authenticated attackers to arbitrarily modify or delete another tenant's webhook via a crafted request...

PYSEC-2026-174

Exploitation requires the attacker to already be an authenticated Airflow worker holding a valid Log-server JWT issued for at least one Dag. Apache Airflow's Log server authorized JWT tokens against Dag IDs by applying Python's str.lstrip to the requested path segment when verifying the JWT's sub...

FlowiseAI: Assistant create+update mass-assignment allows cross-workspace assistant takeover

Summary Type: Mass assignment via Object.assignentity, body - client-controlled workspaceId and on create, id overwritten on the Assistant entity - cross-workspace data takeover and IDOR. File: packages/server/src/services/assistants/index.ts Root cause: The Assistant controller/service construct...

EUVD-2026-23958

In OpenXiangShan NEMU prior to 55295c4, when running with RVH Hypervisor extension enabled, a VS-mode guest write to the supervisor interrupt-enable CSR sie may be handled incorrectly and can influence machine-level interrupt enable state mie. This breaks privilege/virtualization isolation and ca...

CVE-2026-29646

In OpenXiangShan NEMU prior to 55295c4, when running with RVH Hypervisor extension enabled, a VS-mode guest write to the supervisor interrupt-enable CSR sie may be handled incorrectly and can influence machine-level interrupt enable state mie. This breaks privilege/virtualization isolation and ca...

Craft CMS: GraphQL Asset Mutation Privilege Escalation

There is a Privilege Escalation vulnerability in Craft CMS’s GraphQL API that allows an authenticated user with write access to one asset volume to escalate their privileges and modify/transfer assets belonging to any other volume, including restricted or private volumes to which they should not...

CVE-2026-23553 x86: incomplete IBPB for vCPU isolation

In the context switch logic Xen attempts to skip an IBPB in the case of a vCPU returning to a CPU on which it was the previous vCPU to run. While safe for Xen's isolation between vCPUs, this prevents the guest kernel correctly isolating between tasks. Consider: 1 vCPU runs on CPU A, running task ...

CVE-2025-55130

A flaw in Node.js’s Permissions model allows attackers to bypass --allow-fs-read and --allow-fs-write restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files...

CVE-2025-55130

A flaw in Node.js’s Permissions model allows attackers to bypass --allow-fs-read and --allow-fs-write restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files...

Node.js: FS Permissions Bypass

A flaw was discovered in Node.js's Permissions model that allowed attackers to bypass --allow-fs-read and --allow-fs-write restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory could escape the allowed path a...

Prototype Pollution

Overview happy-dom is a Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. It includes many web standards from WHATWG DOM and HTML. Affected versions of this package are vulnerable to Prototype Pollution via the shared process between untrusted scripts...

Amazon Linux 2 : docker, --advisory ALAS2DOCKER-2025-076 (ALASDOCKER-2025-076)

The version of docker installed on the remote host is prior to 25.0.13-1. It is, therefore, affected by a vulnerability as referenced in the ALAS2DOCKER-2025-076 advisory. Moby is an open source container framework developed by Docker Inc. that is distributed as Docker Engine, Mirantis Container...

Low: docker

Issue Overview: Moby is an open source container framework developed by Docker Inc. that is distributed as Docker Engine, Mirantis Container Runtime, and various other downstream projects/products. A firewalld vulnerability affects Moby releases before 28.0.0. When firewalld reloads, Docker fails...

EUVD-2024-54607

Malicious code in bioql PyPI...

CVE-2025-34189

Vasion Print formerly PrinterLogic Virtual Appliance Host versions prior to 1.0.735 and Application versions prior to 20.0.1330 macOS/Linux client deployments contain a vulnerability in the local inter-process communication IPC mechanism. The software stores IPC request and response files inside...

CVE-2024-11185 On affected platforms running Arista EOS, ingress traffic on Layer 2 ports may, under certain conditions, be improperly forwarded to ports associated with different VLANs, resulting in a breach of VLAN isolation and segmentation boundaries.

On affected platforms running Arista EOS, ingress traffic on Layer 2 ports may, under certain conditions, be improperly forwarded to ports associated with different VLANs, resulting in a breach of VLAN isolation and segmentation boundaries...

CVE-2024-11185 On affected platforms running Arista EOS, ingress traffic on Layer 2 ports may, under certain conditions, be improperly forwarded to ports associated with different VLANs, resulting in a breach of VLAN isolation and segmentation boundaries.

On affected platforms running Arista EOS, ingress traffic on Layer 2 ports may, under certain conditions, be improperly forwarded to ports associated with different VLANs, resulting in a breach of VLAN isolation and segmentation boundaries...

Podman: Buildah: cri-o: FIPS Crypto-Policy Directory Mounting Issue in containers/common Go Library

A flaw was found in Go. When FIPS mode is enabled on a system, container runtimes may incorrectly handle certain file paths due to improper validation in the containers/common Go library. This flaw allows an attacker to exploit symbolic links and trick the system into mounting sensitive host...