CVE-2026-49064

| creationtimestamp | type | source |
|---|---|---|
| 2026-06-15 15:57:52+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3modnls2hnp2a |
| 2026-06-15 20:00:50+00:00 | seen | https://bsky.app/profile/thehackerwire.bsky.social/post/3moe36a2mb42i... |

CVE-2026-3375

| creationtimestamp | type | source |
|---|---|---|
| 2026-06-15 15:38:06+00:00 | seen | https://bsky.app/profile/donwebmedia.bsky.social/post/3modmiexfw62m... |

CVE-2026-8683 Overly long URLs crash the Mattermost Desktop App
Mattermost Desktop App versions =6.1 5.5.13.0 fail to account for attempting to open extremely long URLs in the Mattermost Desktop App which allows a malicious server owner to crash the application via including a script to call window.open on a very large URL. Mattermost Advisory ID:...
CVE-2026-34024

| creationtimestamp | type | source |
|---|---|---|
| 2026-06-15 13:17:56+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3modensuage2e... |

CVE-2026-12057

| creationtimestamp | type | source |
|---|---|---|
| 2026-06-15 13:12:55+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3modeeugzcs2e |
| 2026-06-15 17:12:57+00:00 | seen | https://bsky.app/profile/postac001.bsky.social/post/3modrs32ria2v |
| 2026-06-15 20:00:58+00:00 | seen | ... |

CVE-2026-8386

| creationtimestamp | type | source |
|---|---|---|
| 2026-06-15 11:52:53+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mod7vq67zq2d... |

Cross-site Scripting
Nuxt is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to insufficient validation of URL schemes in the component, where attacker-controlled values supplied to the to or href props can contain javascript: or vbscript: URLs that are rendered directly into the underlying element,...
CVE-2026-49776

| creationtimestamp | type | source |
|---|---|---|
| 2026-06-15 10:16:11+00:00 | seen | https://bsky.app/profile/atomicedge.bsky.social/post/3mod2iseygx2o |
| 2026-06-15 21:36:46+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3moeajewr3o2h |
| 2026-06-16 01:01:09+00:00 | seen | ... |

CVE-2026-12223

| creationtimestamp | type | source |
|---|---|---|
| 2026-06-15 08:30:12+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mocukowlju2p... |

CVE-2026-8935
The WP MAPS PRO WordPress plugin before 6.1.1 registers an unauthenticated AJAX action which, given a valid nonce that is publicly emitted on any frontend page enqueuing its map script, unconditionally creates an administrator account and returns a magic-login URL granting interactive admin acces...
CVE-2026-8935 Advanced Google Maps < 6.1.1 - Unauthenticated Administrator Account Creation
The WP MAPS PRO WordPress plugin before 6.1.1 registers an unauthenticated AJAX action which, given a valid nonce that is publicly emitted on any frontend page enqueuing its map script, unconditionally creates an administrator account and returns a magic-login URL granting interactive admin acces...
CVE-2026-12206

| creationtimestamp | type | source |
|---|---|---|
| 2026-06-15 04:17:33+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mocghjmip427... |

CVE-2026-12209

| creationtimestamp | type | source |
|---|---|---|
| 2026-06-15 04:12:32+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mocg6l5xlt27... |

CVE-2026-12204

| creationtimestamp | type | source |
|---|---|---|
| 2026-06-15 04:02:32+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mocfmoby2d2m... |

CVE-2026-50888
An authenticated Server-Side Request Forgery (SSRF) in the custom scraper subsystem component of Benjamin Jonard Koillection v1.8.0 allows attackers to scan internal resources via supplying a crafted URL...
PT-2026-49185
Name of the Vulnerable Software and Affected Versions: WP MAPS PRO versions prior to 6.1.1

Description: The plugin registers an unauthenticated AJAX action that allows the creation of an administrator account. By providing a valid nonce, which is publicly available on any frontend page that enqueue...
CVE-2026-50887
The provided documents confirm a Server-Side Request Forgery (SSRF) vulnerability in shlink v5.0.1. The flaw resides in the automatic short URL title resolution component and is exploitable by supplying a crafted longUrl, enabling an attacker to scan internal resources. No concrete remediation de...
PT-2026-49570
Summary: QuerystringParser treated ; as a field separator in application/x-www-form-urlencoded bodies, in addition to &. The WHATWG URL standard, modern browsers, and Python's urllib.parse since the CVE-2021-23336 fix treat only & as a separator. This creates a parser differential: the same bytes...
PT-2026-49596
Name of the Vulnerable Software and Affected Versions: starlette versions prior to 1.3.1

Description: The HTTP request path is not validated before being used to reconstruct request.url. When a path does not begin with /, such as @google.com, it is concatenated as scheme://hostpath. This shifts the...
PT-2026-49328
Name of the Vulnerable Software and Affected Versions: shlink version 5.0.1

Description: A Server-Side Request Forgery (SSRF) exists in the automatic short URL title resolution component. This allows attackers to scan internal resources by providing a crafted longUrl variable.

Recommendations: At the...