CVE-2026-6897

The Wishlist Member plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'WishListMember\Features\TeamAccounts::savesettings' function in all versions up to, and including, 3.30.1. This makes it possible for authenticated attackers, with...

CVE-2026-35430

Authorization bypass through user-controlled key in Azure Privileged Identity Management PIM allows an authorized attacker to elevate privileges over a network...

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal via the uploadedFileSaveIn function, which uses filepath.Join with user-supplied directory input but does not validate the resulting path boundaries. An attacker can write files outside the intended web root by...

CVE-2026-8890

The CVE-2026-8890 entry affects code100x Mobile API. The vulnerability is an authentication bypass in the Mobile API’s middleware.ts: when an Auth-Key header is present but not validated, an attacker can inject a crafted JSON payload in the g header, spoofing a user identity that downstream handl...

CVE-2026-8890

code100x contains an authentication bypass vulnerability in the Mobile API that allows unauthenticated attackers to impersonate arbitrary users by supplying a crafted JSON payload in the 'g' HTTP header. The middleware in middleware.ts skips identity header generation when an Auth-Key header is...

CVE-2026-44775

Kavita is a cross platform reading server. Prior to 0.9.0, the ReaderController.GetImage endpoint is decorated with AllowAnonymous, allowing completely unauthenticated access to page images from any chapter in any library. While the endpoint accepts an apiKey parameter, it is never validated. Sin...

CVE-2026-41164

nuts-node is the reference implementation of the Nuts specification. Prior to 6.2.3 and 5.4.31, the v1 access token introspection endpoint /auth/v1/introspectaccesstoken accepts any JWT signed by a key present on the node, without validating the JWT type, issuer-to-key binding, or required claims...

CVE-2026-44775 Kavita: No authentication at /api/Reader/image

Kavita is a cross platform reading server. Prior to 0.9.0, the ReaderController.GetImage endpoint is decorated with AllowAnonymous, allowing completely unauthenticated access to page images from any chapter in any library. While the endpoint accepts an apiKey parameter, it is never validated. Sin...

EUVD-2026-31936

Kavita is a cross platform reading server. Prior to 0.9.0, the ReaderController.GetImage endpoint is decorated with AllowAnonymous, allowing completely unauthenticated access to page images from any chapter in any library. While the endpoint accepts an apiKey parameter, it is never validated. Sin...

CVE-2026-44775

Kavita CVE-2026-44775 affects the Kavita reader server prior to v0.9.0, where ReaderController.GetImage allowed unauthenticated access to page images across libraries because the endpoint was decorated with [AllowAnonymous] and the apiKey parameter was never validated. An unauthenticated actor co...

CVE-2026-48901

The InputFilter::getInstance method omitted a security sensitive parameter from the instance cache key...

CVE-2026-48901

The InputFilter::getInstance method omitted a security sensitive parameter from the instance cache key...

EUVD-2026-31871

The InputFilter::getInstance method omitted a security sensitive parameter from the instance cache key...

CVE-2026-48901 Joomla! Core - [20260517] - Incorrect Cache Key Construction for InputFilter objects

The InputFilter::getInstance method omitted a security sensitive parameter from the instance cache key...

CVE-2026-48901

The CVE-2026-48901 entry concerns Joomla! Core: the InputFilter::getInstance() method omits a security‑sensitive parameter from the instance cache key, enabling an issue in cache key construction. Affected component is the InputFilter object (core). The published metrics indicate a high impact on...

CVE-2026-48901 Joomla! Core - [20260517] - Incorrect Cache Key Construction for InputFilter objects

The InputFilter::getInstance method omitted a security sensitive parameter from the instance cache key...

Malicious code in token-me-uk (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2a058b653e7a491fdf0c9128b4d2d408c2cdac6a1784adc5f02a0975a0e669eb The CLI in cli.mjs reads its API key from process.env.TOKENMEUKAPIKEY, falling back to process.env.OPENAIAPIKEY and then process.env.ANTHROPICAPIKEY...

JLSEC-2026-521

A flaw was found in gnutls. A use after free issue in clientsendparams in lib/ext/presharedkey.c may lead to memory corruption and other potential consequences...

JLSEC-2026-520

A flaw was found in gnutls. A use after free issue in client sending keyshare extension may lead to memory corruption and other consequences...

JLSEC-2026-524

A vulnerability was found that the response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from response times of ciphertexts with correct PKCS1 v1.5 padding...