Cvelist
added 2026/03/09 10:42 p.m., 40 views

CVE-2026-30913 flarum/nickname: Display name injection in notification emails (autolink & markdown)

Flarum is open-source forum software. When the flarum/nicknames extension is enabled, a registered user can set their nickname to a string that email clients interpret as a hyperlink. The nickname is inserted verbatim into plain-text notification emails, and recipients may be misled into visiting...

CVSS 4.6, EPSS 0.00039
Exploits: 0, References: 3
CVE
added 2026/03/09 10:42 p.m., 7 views

CVE-2026-30913

The CVE concerns Flarum with the nicknames extension enabled. A user’s nickname is inserted verbatim into plain‑text notification emails, allowing email clients to render it as a hyperlink. This can mislead recipients into visiting attacker‑controlled domains. The issue is tied to nickname handli...

CVSS 4.6, AI score 5.8, EPSS 0.00039
Exploits: 0, References: 3
RedhatCVE
added 2026/03/09 8:01 a.m., 0 views

CVE-2026-30840

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, there is a server-side request forgery vulnerability in notification testers. This issue has been patched in version 4.6.2...

CVSS 8.8, AI score 5.7, EPSS 0.00024
Exploits: 1, References: 1
Positive Technologies
added 2026/03/09 12:00 a.m., 4 views

PT-2026-24020

CVE-2025-55017: Apache IoTDB: Path Traversal https://t.co/dRIraLBMg2 CVE-2025-64152: Apache IoTDB: Path Traversal https://t.co/fiMsybbd3I Two notifications of vulnerabilities non-described in the exact same way, but with slightly different affected and fixed version ranges...

AI score 5.8
Exploits: 0, References: 1
NVD
added 2026/03/07 6:16 a.m., 1 view

CVE-2026-30840

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, there is a server-side request forgery vulnerability in notification testers. This issue has been patched in version 4.6.2...

CVSS 8.8, EPSS 0.00024
Exploits: 1, References: 3
Cvelist
added 2026/03/07 5:39 a.m., 25 views

CVE-2026-30840 Wallos: Server-Side Request Forgery (SSRF) in Notification Testers

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, there is a server-side request forgery vulnerability in notification testers. This issue has been patched in version 4.6.2...

CVSS 8.8, EPSS 0.00024
Exploits: 1, References: 3
Vulnrichment
added 2026/03/07 5:39 a.m., 0 views

CVE-2026-30840 Wallos: Server-Side Request Forgery (SSRF) in Notification Testers

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, there is a server-side request forgery vulnerability in notification testers. This issue has been patched in version 4.6.2...

CVSS 8.8, AI score 5.7, EPSS 0.00024
Exploits: 1, References: 3
EUVD
added 2026/03/07 5:39 a.m., 3 views

EUVD-2026-10120

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, there is a server-side request forgery vulnerability in notification testers. This issue has been patched in version 4.6.2...

CVSS 8.8, AI score 5.7, EPSS 0.00024
Exploits: 1, References: 3
ATTACKERKB
added 2026/03/07 5:39 a.m., 3 views

CVE-2026-30840

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, there is a server-side request forgery vulnerability in notification testers. This issue has been patched in version 4.6.2...

CVSS 8.8, AI score 5.7, EPSS 0.00024
Exploits: 1, References: 4, Affected Software: 1
CVE
added 2026/03/07 5:39 a.m., 5 views

CVE-2026-30840

CVE-2026-30840 affects Wallos prior to version 4.6.2, where a server-side request forgery (SSRF) vulnerability exists in notification testers. The issue has been patched in 4.6.2. According to the advisory metrics, the vulnerability is high risk (CVSSv3.0: 8.8), with network attack vector, low at...

CVSS 8.8, AI score 5.7, EPSS 0.00024
Exploits: 1, References: 3, Affected Software: 1
OSV
added 2026/03/07 5:39 a.m., 2 views

CVE-2026-30840 Wallos: Server-Side Request Forgery (SSRF) in Notification Testers

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, there is a server-side request forgery vulnerability in notification testers. This issue has been patched in version 4.6.2...

CVSS 8.8, AI score 5.7, EPSS 0.00024
Exploits: 1, References: 5
Positive Technologies
added 2026/03/07 12:00 a.m., 2 views

PT-2026-23825

Name of the Vulnerable Software and Affected Versions: Wallos versions prior to 4.6.2. Description: Wallos is a self-hostable personal subscription tracker. A server-side request forgery condition exists in the notification testers functionality. This allows for potentially malicious requests to be...

CVSS 8.8, AI score 7.3, EPSS 0.00024
Exploits: 1, References: 13
CNNVD
added 2026/03/07 12:00 a.m., 4 views

Wallos code issue vulnerability

Wallos is an open-source personal subscription tracker developed by Miguel Ribeiro. Versions of Wallos prior to 4.6.2 had code-related vulnerabilities, which stemmed from server-side request forgery in the notification tester...

CVSS 8.8, AI score 7.3, EPSS 0.00024
Exploits: 1, References: 3
ATTACKERKB
added 2026/03/06 7:37 p.m., 1 view

CVE-2026-30847

Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the notificationUsers publication in Wekan publishes user documents with no field filtering, causing the ReactiveCache.getUsers call to return all fields including highly sensitive data such as bcrypt password...

CVSS 9.3, AI score 5.7, EPSS 0.0004
Exploits: 0, References: 4, Affected Software: 1
Positive Technologies
added 2026/03/06 12:00 a.m., 2 views

PT-2026-23749

🚨 CVE-2026-30847 Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the notificationUsers publication in Wekan publishes user documents with no field filtering, causing the ReactiveCache.getUsers call to return all fields including highly sensitive data such a...

CVSS 9.3, AI score 5.8, EPSS 0.0004
Exploits: 0, References: 5
Positive Technologies
added 2026/03/06 12:00 a.m., 2 views

PT-2026-23669

QuickCMS is vulnerable to Cross-Site Request Forgery across multiple endpoints. An attacker can craft a special website which, when visited by the victim, will automatically send a POST request with the victim's privileges. This software does not implement any protection against this type of attack. Al...

CVSS 5.1, AI score 5.8, EPSS 0.00009
Exploits: 0, References: 3
RedhatCVE
added 2026/03/04 1:57 a.m., 1 view

CVE-2026-0025

In hasImage of Notification.java, there is a possible way to reveal information across users due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...

CVSS 8.4, AI score 6.1, EPSS 0.00004
Exploits: 0, References: 1
RedhatCVE
added 2026/03/04 1:57 a.m., 3 views

CVE-2026-0012

In setHideSensitive of ExpandableNotificationRow.java, there is a possible contact name leak due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation...

CVSS 6.2, AI score 6.1, EPSS 0.00003
Exploits: 0, References: 1
RedhatCVE
added 2026/03/04 1:57 a.m., 2 views

CVE-2026-0034

In setPackageOrComponentEnabled of ManagedServices.java, there is a possible notification policy desync due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...

CVSS 8.4, AI score 6.1, EPSS 0.00005
Exploits: 0, References: 1
Circl
added 2026/03/03 11:00 a.m., 2 views

CVE-2026-2460

creationtimestamp | type | source
---|---|---
2026-03-03 11:00:00+00:00 | seen | https://www.cisa.gov/news-events/ics-advisories/icsa-26-062-02...

CVSS 8.1, AI score 5.9, EPSS 0.00016
Exploits: 0, References: 1