CVE-2026-45582 n8n-MCP: Workflow telemetry sanitizer could retain partial values from URL-shaped node parameters
n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. Prior to 2.51.3, the workflow telemetry sanitizer could retain partial fragments of URL-shaped node parameters before sending workflow data to the project's anonymous telemetry...
CVE-2026-40510 OpenSC < 0.27.0-rc1 Stack Buffer Overflow via piv_process_history() in card-piv.c
OpenSC before 0.27.0-rc1, fixed in commit 3f24f0b, contains a stack buffer overflow vulnerability in piv_process_history() in src/libopensc/card-piv.c that allows physically present attackers to trigger memory corruption by presenting a crafted PIV smart card or USB device returning a URL field longe...
CVE-2026-40510
CVE-2026-40510 affects OpenSC before 0.27.0-rc1. A stack buffer overflow in piv_process_history() (src/libopensc/card-piv.c) can corrupt memory if a physically present attacker uses a crafted PIV card/USB device that returns a URL field longer than 118 bytes in the Key History Object ASN.1 respon...
CVE-2026-45578 WWBN AVideo Live: OS command injection in on_publish.php execAsync via unescaped m3u8 URL
WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a classic shell-metacharacter injection. The YPTSocket notification branch in plugin/Live/on_publish.php builds an execAsync command line by string concatenation, single-quoting each argument but never calling...
CVE-2026-45578
CVE-2026-45578: OS command injection in WWBN/AVideo’s on_publish.php (YPTSocket path). The code builds an execAsync() command by string-concatenating three values, wrapping each in literal single quotes ('$users_id', '$m3u8', '{$obj->liveTransmitionHistory_id}'), but does not apply escapeshel...
CVE-2025-41269
creationtimestamp | type | source
---|---|---
2026-05-29 13:02:13+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mmylu2roej2g...
CVE-2025-41272
creationtimestamp | type | source
---|---|---
2026-05-29 13:00:20+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mmylqp4ykq2t...
CVE-2025-41273
creationtimestamp | type | source
---|---|---
2026-05-29 12:53:47+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mmyley7qrw2k...
CVE-2026-49198
creationtimestamp | type | source
---|---|---
2026-05-29 12:15:11+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mmyj7xvhmi2d...
CVE-2026-9558
creationtimestamp | type | source
---|---|---
2026-05-29 12:05:10+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mmyio2hges2e
2026-05-31 01:00:37+00:00 | seen | https://bsky.app/profile/thehackerwire.bsky.social/post/3mn4ehkhlmf2h...
Server-side Request Forgery (SSRF)
Overview: Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via insufficient validation of user-supplied URLs in the Focus component. An attacker can cause the server to send HTTP requests to internal or external destinations by supplying crafted URLs. This can...
CVE-2026-9243
creationtimestamp | type | source
---|---|---
2026-05-29 09:59:06+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mmybmmvksg2k...
CVE-2026-9557
CVE-2026-9557 describes a Server-Side Request Forgery (SSRF) in Mautic’s Focus component. The root cause is insufficient validation of user-supplied URLs, allowing an authenticated user to cause the hosting server to perform outbound HTTP requests. This can enable internal network reconnaissance ...
CVE-2026-9557
A Server-Side Request Forgery (SSRF) vulnerability exists in Mautic's Focus component. Due to insufficient validation of user-supplied URLs, an authenticated user can trigger outbound HTTP requests from the hosting server, enabling internal network reconnaissance or forcing requests to arbitrary...
CVE-2025-11262
creationtimestamp | type | source
---|---|---
2026-05-29 09:38:01+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mmyagwkhs42k
2026-06-09 19:00:13+00:00 | published-proof-of-concept | Telegram/Twzxtbvyqic9grgE7JaZrbs3i9BOrZG8PBBvMyWgrTB7Ya8...
CVE-2026-10078 Quay/config-tool: quay/config-tool: gitlab oauth client_secret exposed in url querystring
A flaw was found in the Quay config-tool's GitLab OAuth validator. This vulnerability causes sensitive credentials, specifically client_id and client_secret, to be transmitted as plaintext in URL query parameters during POST requests to the GitLab endpoint. This insecure transmission can lead to th...