EUVD-2026-39568

The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks or brute-force attacks to gain unauthorized access...

EUVD-2026-39577

A flaw was found in Apicurio Registry. The WSDLReaderAccessor creates a wsdl4j WSDLReader without disabling the javax.wsdl.importDocuments feature. When the VALIDITY rule is set to FULL, an attacker with Developer-role access can upload a WSDL document containing attacker-controlled import...

CVE-2026-42342

A flaw was found in React Router and @remix-run/server-runtime. A remote attacker can exploit this vulnerability by sending certain crafted requests to the manifest endpoint. This can lead to unbounded path expansion, consuming disproportionate server resources. The primary consequence is a denia...

EUVD-2026-31397

golang.org/x/crypto/ssh: Invoking client can cause server deadlock on unexpected responses...

CVE-2026-6412

Technical details about CVE-2026-6412 are not publicly available in the provided documents. Monitor for updates.

CVE-2026-40984

A flaw was found in Micrometer. A remote attacker can provide specially crafted HTTP requests, which may lead to a denial-of-service DoS condition. This vulnerability allows an attacker to disrupt the availability of the affected system...

CVE-2026-56769

Huly Platform through 0.7.423, fixed in commit 68cbf8a contains an authenticated server-side request forgery vulnerability in the /import endpoint of front pod that allows workspace users to make arbitrary server requests. Attackers can exploit this by supplying malicious URLs to fetch internal...

CVE-2026-49980

A flaw was found in Rclone, a command-line program for cloud storage synchronization. When the rcd --rc-serve option is enabled, an unauthenticated remote attacker can send specially crafted GET or HEAD requests to execute arbitrary commands as the Rclone process user. This vulnerability allows f...

CVE-2026-55180

pnpm is a package manager. Prior to 10.34.2 and 11.5.3, pnpm and pacquet expanded $ENVVAR placeholders from repository-controlled .npmrc and pnpm-workspace.yaml into registry request destinations and registry credentials. A malicious repository could cause dependency resolution to send victim...

CVE-2026-56779

MaxKB

CVE-2026-46608

CVE-2026-46608 concerns Glances XML-RPC server (glances -s) where a multi-origin CORS configuration intended to restrict browser access silently falls back to a wildcard when cors_origins has two or more entries. The issue arises from server-side logic that sets Access-Control-Allow-Origin to the...

CVE-2026-55180

pnpm is a package manager. Prior to 10.34.2 and 11.5.3, pnpm and pacquet expanded $ENVVAR placeholders from repository-controlled .npmrc and pnpm-workspace.yaml into registry request destinations and registry credentials. A malicious repository could cause dependency resolution to send victim...

CVE-2026-55180

CVE-2026-55180 affects pnpm before 10.34.2 and 11.5.3. The issue arises when pnpm and related configuration (repository-controlled .npmrc and pnpm-workspace.yaml) expand ${ENV_VAR} placeholders into registry request destinations and registry credentials. This can cause dependency resolution to se...

CVE-2026-55180 pnpm: Repository config can expand victim environment secrets into registry requests before scripts run

pnpm is a package manager. Prior to 10.34.2 and 11.5.3, pnpm and pacquet expanded $ENVVAR placeholders from repository-controlled .npmrc and pnpm-workspace.yaml into registry request destinations and registry credentials. A malicious repository could cause dependency resolution to send victim...

CVE-2026-9716

CWE-476 NULL Pointer Dereference vulnerability exists that could cause a denial-of-service condition, rendering the device’s HMI and configuration functionality unavailable when malformed requests are received over exposed network interfaces...

CVE-2026-55412

ToolJet (open-source platform) Vulnerability: SSRF in the RestAPI data source component allows authenticated users to induce server-side HTTP requests that bypass its private IP filter via DNS trickery (169.254.169.254.nip.io), potentially stealing Azure managed identity tokens for the AKS produc...

CVE-2026-9716

CVE-2026-9716 describes a CWE-476 NULL Pointer Dereference that could cause a denial-of-service, rendering a device’s HMI and configuration functionality unavailable when malformed requests hit exposed network interfaces. The root cause is a NULL pointer dereference; impact is high availability l...

CVE-2026-56122

Winstone Servlet Engine through 0.9.10 contains a path traversal vulnerability that allows unauthenticated attackers to read arbitrary files by sending HTTP GET requests with dot-dot-slash sequences that are not sanitized when serving static files from the configured webroot. Attackers can traver...

CVE-2026-40208

An attacker might be able to delay the processing of DoH3 queries by sending DoH3 GET queries with an invalid DATA frame...

CVE-2026-40011

An attacker sending a large number of crafted DNS queries might be able to trigger a dynamic block being inserted with a value causing invalid output to be produced in the prometheus endpoint. The prometheus endpoint will then be rejected by the scraper until the dynamic block expires...