Broken Quantum: A Systematic Formal Verification Study of Security Vulnerabilities across the Open-Source Quantum Computing Simulator Ecosystem

Quantum computing simulators form the classical software foundation on which virtually all quantum algorithm research depends. We present Broken Quantum, the first comprehensive formal security audit of the open-source quantum computing simulator ecosystem. Applying COBALT QAI -- a four-module...

QD 安全漏洞

QD is a task scheduling and automatic execution tool developed by QD OpenSource. There is a security vulnerability in QD 20230821, which stems from a specially crafted request and may lead to server-side request forgery...

InvenTree 授权问题漏洞

InvenTree is an open-source inventory management system developed by InvenTree. It provides robust low-level inventory control and parts tracking capabilities. Versions of InvenTree prior to 1.2.7 and 1.3.0 contained authorization-related vulnerabilities. These vulnerabilities allowed users with...

PT-2026-31433

InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, a non-staff authenticated user can elevate their account to a staff level via a POST request against their user account endpoint. The write permissions on the API endpoint are improperly configured, allowing any us...

CI4MS 安全漏洞

CI4MS is an open-source blog page management tool developed by Ci4MS. Versions of CI4MS prior to 0.31.4.0 contained security vulnerabilities. These vulnerabilities stemmed from the srcdoc attribute in Google Maps iframes not being filtered properly, which could allow attackers with administrator...

PT-2026-31418

Name of the Vulnerable Software and Affected Versions Zammad versions prior to 7.0.1 and prior to 6.5.4 Description The OAuth callback endpoints for Microsoft, Google, and Facebook external credentials do not validate a CSRF state parameter. This could allow an attacker to potentially compromise...

OpenSSL Toolkit 3.3.7

OpenSSL is a robust, fully featured Open Source toolkit implementing the Secure Sockets Layer and Transport Layer Security protocols with full-strength cryptography world-wide. This is the 3.3 release...

OpenSSL Toolkit 3.5.6

OpenSSL is a robust, fully featured Open Source toolkit implementing the Secure Sockets Layer and Transport Layer Security protocols with full-strength cryptography world-wide. This is the 3.5 LTS release...

OpenSSL Toolkit 3.0.20

OpenSSL is a robust, fully featured Open Source toolkit implementing the Secure Sockets Layer and Transport Layer Security protocols with full-strength cryptography world-wide. This is the 3.0 LTS release...

monetr 授权问题漏洞

Monetr is an open-source personal budget management application developed by Monetr. Versions of Monetr prior to 1.12.3 had an authorization issue vulnerability. This vulnerability stemmed from a transaction integrity flaw, which could lead to bypassing deletion protection...

CVE-2026-35449

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the install/test.php diagnostic script has its CLI-only access guard disabled by commenting out the die statement. The script remains accessible via HTTP after installation, exposing video viewer statistics including IP...

NGINX: NGINX: Denial of Service due to memory corruption via crafted MP4 file

A flaw was found in NGINX Open Source, specifically within the ngxhttpmp4module. An attacker can exploit this memory corruption vulnerability by providing a specially crafted MP4 file. This can lead to an over-read or over-write of NGINX worker memory, causing the worker to terminate and resultin...

CVE-2026-32712 Open Source Point of Sale has Stored XSS in Customer Name (Sales)

Open Source Point of Sale is a web based point-of-sale application written in PHP using CodeIgniter framework. Prior to 3.4.3, a Stored Cross-Site Scripting XSS vulnerability exists in the Daily Sales management table. The customername column is configured with escape: false in the bootstrap-tabl...

EUVD-2026-19939

Open Source Point of Sale is a web based point-of-sale application written in PHP using CodeIgniter framework. Prior to 3.4.3, a Stored Cross-Site Scripting XSS vulnerability exists in the Daily Sales management table. The customername column is configured with escape: false in the bootstrap-tabl...

EUVD-2026-19935

Plane is an an open-source project management tool. Prior to 1.3.0, a vulnerability was identified in Plane's authentication flow where a user's email address is included as a query parameter in the URL during error handling e.g., when an invalid magic code is submitted. Transmitting personally...

CVE-2026-39374

Plane is an an open-source project management tool. Prior to 1.3.0, the IssueBulkUpdateDateEndpoint allows a project member ADMIN or MEMBER to modify the startdate and targetdate of ANY issue across the entire Plane instance, regardless of workspace or project membership. The endpoint fetches...

CVE-2026-39380

Open Source Point of Sale is a web based point-of-sale application written in PHP using CodeIgniter framework. Prior to 3.4.3, a Stored Cross-Site Scripting XSS vulnerability exists in the Stock Locations configuration feature. The application fails to properly sanitize user input supplied throug...

CVE-2026-39367

WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's EPG Electronic Program Guide feature parses XML from user-controlled URLs and renders programme titles directly into HTML without any sanitization or escaping. A user with upload permission can set a video's epglin...

CVE-2026-39380

Open Source Point of Sale (OSPOS) has a Stored XSS in the Stock Locations configuration. Before version 3.4.3, the stock_location input is not properly sanitized, allowing injected JavaScript to be stored in the database and executed when viewing the Employees interface. Affected product: OSPOS (...

EUVD-2026-19916

Open Source Point of Sale is a web based point-of-sale application written in PHP using CodeIgniter framework. Prior to 3.4.3, a Stored Cross-Site Scripting XSS vulnerability exists in the Stock Locations configuration feature. The application fails to properly sanitize user input supplied throug...