CVE-2026-25918

unity-cli is a command line utility for the Unity Game Engine. Prior to 1.8.2 , the sign-package command in @rage-against-the-pixel/unity-cli logs sensitive credentials in plaintext when the --verbose flag is used. Command-line arguments including --email and --password are output via...

CVE-2026-25875

PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, The admin authorization middleware trusts client-controlled JWT claims role and scope without enforcing server-side role verification...

UBUNTU-CVE-2026-25918

unity-cli is a command line utility for the Unity Game Engine. Prior to 1.8.2 , the sign-package command in @rage-against-the-pixel/unity-cli logs sensitive credentials in plaintext when the --verbose flag is used. Command-line arguments including --email and --password are output via...

CVE-2026-25925

PowerDocu (Windows GUI) is vulnerable before version 2.4.0 due to JSON deserialization in Flow/App packages. The app blindly trusts the $type property, allowing an attacker to instantiate arbitrary .NET objects and execute code. This yields high-severity, local, with user interaction required. Fi...

CVE-2026-25925 PowerDocu Affected by Remote Code Execution via Insecure Deserialization

PowerDocu contains a Windows GUI executable to perform technical documentations. Prior to 2.4.0, PowerDocu contains a critical security vulnerability in how it parses JSON files within Flow or App packages. The application blindly trusts the $type property in JSON files, allowing an attacker to...

Keycloak fails to verify if an Identity Provider (IdP) is enabled before issuing tokens

A flaw was found in Keycloak. A vulnerability exists in the jwt-authorization-grant flow where the server fails to verify if an Identity Provider IdP is enabled before issuing tokens. The issuer lookup mechanism lookupIdentityProviderFromIssuer retrieves the IdP configuration but does not filter...

GHSA-HCVW-475W-8G7P Keycloak affected by improper invitation token validation

A flaw was found in Keycloak. An attacker can exploit this vulnerability by modifying the organization ID and target email within a legitimate invitation token's JSON Web Token JWT payload. This lack of cryptographic signature verification allows the attacker to successfully self-register into an...

Keycloak affected by improper invitation token validation

A flaw was found in Keycloak. An attacker can exploit this vulnerability by modifying the organization ID and target email within a legitimate invitation token's JSON Web Token JWT payload. This lack of cryptographic signature verification allows the attacker to successfully self-register into an...

CVE-2026-25918 unity-cli Exposes Plaintext Credentials in Debug Logs (sign-package command)

unity-cli is a command line utility for the Unity Game Engine. Prior to 1.8.2 , the sign-package command in @rage-against-the-pixel/unity-cli logs sensitive credentials in plaintext when the --verbose flag is used. Command-line arguments including --email and --password are output via...

CVE-2026-25875 PlaciPy Admin Privilege Escalation via Trusted JWT Claims

PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, The admin authorization middleware trusts client-controlled JWT claims role and scope without enforcing server-side role verification...

CVE-2026-25875

PlaciPy 1.0.0 is affected by CVE-2026-25875 where the admin authorization middleware trusts client-controlled JWT claims (role and scope) without server-side verification. This can enable privilege escalation or unauthorized admin-level actions by an attacker presenting manipulated JWTs. The CVSS...

CVE-2026-25875 PlaciPy Admin Privilege Escalation via Trusted JWT Claims

PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, The admin authorization middleware trusts client-controlled JWT claims role and scope without enforcing server-side role verification...

Prototype Pollution

Overview axios is a promise-based HTTP client for the browser and Node.js. Affected versions of this package are vulnerable to Prototype Pollution via the mergeConfig function. An attacker can cause the application to crash by supplying a malicious configuration object containing a proto property...

org.keycloak.protocol.oidc.grants: Disabled identity providers are still accepted for JWT Authorization Grant

A flaw was found in Keycloak. A vulnerability exists in the jwt-authorization-grant flow where the server fails to verify if an Identity Provider IdP is enabled before issuing tokens. The issuer lookup mechanism lookupIdentityProviderFromIssuer retrieves the IdP configuration but does not filter...

org.keycloak.services.resources.organizations: Keycloak: Unauthorized organization registration via improper invitation token validation

A flaw was found in Keycloak. An attacker can exploit this vulnerability by modifying the organization ID and target email within a legitimate invitation token's JSON Web Token JWT payload. This lack of cryptographic signature verification allows the attacker to successfully self-register into an...

CVE-2026-1529

A flaw was found in Keycloak. An attacker can exploit this vulnerability by modifying the organization ID and target email within a legitimate invitation token's JSON Web Token JWT payload. This lack of cryptographic signature verification allows the attacker to successfully self-register into an...

CVE-2026-25495

Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the element-indexes/get-elements endpoint is vulnerable to SQL Injection via the criteriaorderBy parameter JSON body. The application fails to sanitize this input before...

CVE-2026-1609

A flaw was found in Keycloak. When the JSON Web Token JWT authorization grant preview feature is enabled and a user account is disabled, Keycloak fails to validate the user’s disabled status during JWT authorization grant processing. A remote attacker with low privileges can exploit this improper...

CVE-2026-1529 Org.keycloak.services.resources.organizations: keycloak: unauthorized organization registration via improper invitation token validation

A flaw was found in Keycloak. An attacker can exploit this vulnerability by modifying the organization ID and target email within a legitimate invitation token's JSON Web Token JWT payload. This lack of cryptographic signature verification allows the attacker to successfully self-register into an...

CVE-2026-1529 Org.keycloak.services.resources.organizations: keycloak: unauthorized organization registration via improper invitation token validation

A flaw was found in Keycloak. An attacker can exploit this vulnerability by modifying the organization ID and target email within a legitimate invitation token's JSON Web Token JWT payload. This lack of cryptographic signature verification allows the attacker to successfully self-register into an...