CVE-2026-8823

Mattermost versions 11.7.x = 11.7.0, 10.11.x = 10.11.17 fail to validate bot targets when demoting users to guests which allows a lower-privileged administrator to degrade arbitrary bot accounts via the standard demote-user API.. Mattermost Advisory ID: MMSA-2026-00669...

CVE-2026-11372

IBM TRIRIGA Application Platform 5.0.2 through 5.0.3 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted...

CVE-2025-33128

IBM Engineering Workflow Management 7.0.3 through 7.0.3 Interim Fix 020, and 7.1 through 7.1 Interim Fix 007 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially...

CVE-2026-8059

IBM Datacap 9.1.7, 9.1.8, and 9.1.9 and IBM Datacap Navigator 9.1.7, 9.1.8, and 9.1.9 is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to...

CVE-2026-11372

IBM TRIRIGA Application Platform versions 5.0.2–5.0.3 are affected by a cross-site scripting (XSS) vulnerability in the Web UI that an authenticated user can abuse to embed arbitrary JavaScript, potentially leading to credentials disclosure within a trusted session. The issue is tracked as CVE-20...

EUVD-2026-38280

IBM TRIRIGA Application Platform 5.0.2 through 5.0.3 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted...

CVE-2025-33128

The CVE-2025-33128 affects IBM Engineering Workflow Management (part of IBM Engineering Lifecycle Management). Affected versions are 7.0.3 through 7.0.3 Interim Fix 020, and 7.1 through 7.1 Interim Fix 007. The issue is a cross-site scripting (XSS) vulnerability in the Web UI that lets an authent...

kernel: RDMA/mana: Validate rx_hash_key_len

A flaw was found in the Linux kernel's RDMA/mana component. A local user could exploit this vulnerability by providing an invalid rxhashkeylen value through a user-space API uAPI structure. This invalid value is then used in a memcpy operation without proper bounds checking, allowing the user to...

Astra Linux – Vulnerability in Zabbix

Setting the SMS media allows for setting the GSM modem file. This file is later used as a Linux device. But since everything is a file for Linux, it’s possible to set another file, such as a log file. In this case, Zabbixserver will attempt to communicate with it as a modem. As a result, the log...

Astra Linux – Vulnerability in jqueryui

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various Text options of the Datepicker widget from untrusted sources might execute untrusted code. This issue has been fixed in jQuery UI 1.13.0. The values passed to various Text options are...

CVE-2026-12458

An incorrect security ui flaw was found in the Passwords component of the Chromium browser. Upstream bugs: https://code.google.com/p/chromium/issues/detail?id=517258337...

Siemens RUGGEDCOM RST2428P User Interface (UI) Misrepresentation of Critical Information (CVE-2025-46394)

In tar in BusyBox through 1.37.0, a TAR archive can have filenames hidden from a listing through the use of terminal escape sequences. This plugin only works with Tenable.ot. Please visit https://www.tenable.com/products/tenable-ot for more information. %NASLMINLEVEL 80900 C Tenable, Inc...

EUVD-2026-37540

Use after free in Tab Strip in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. Chromium security severity: High...

Open WebUI BOLA: `search_knowledge_files` Allows Unauthorized Knowledge Base File Enumeration

Summary Open WebUI has a Broken Object Level Authorization BOLA vulnerability in the builtin searchknowledgefiles tool. When native function calling is enabled and the selected model has no attached knowledge bases, an authenticated user can call searchknowledgefiles with an arbitrary knowledgeid...

DEBIAN-CVE-2026-12458

Inappropriate implementation in Passwords in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted HTML page. Chromium security severity: High...

CVE-2026-46807

Vulnerability in the Identity Manager product of Oracle Fusion Middleware component: OIM Legacy UI. Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3, IIOP to compromise Identity Manager...

CVE-2026-48797

Backpropagate is a Python library for fine-tuning LLMs on a single GPU. In versions 1.1.0 and 1.1.1, the Reflex web UI exposes a training control plane without authentication, allowing dataset upload, model load, training control, multi-run orchestration, GGUF export, and HuggingFace Hub push. Th...

Chromium: CVE-2026-11697 Insufficient validation of untrusted input in UI

This CVE was assigned by Chrome. Microsoft Edge Chromium-based ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information...

Chromium: CVE-2026-11659 Insufficient validation of untrusted input in UI

This CVE was assigned by Chrome. Microsoft Edge Chromium-based ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information...

CVE-2026-20262 Cisco Catalyst SD-WAN Manager Arbitrary File Write Vulnerability

A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, remote attacker to create a file or overwrite any file on the filesystem of an affected system. This vulnerability exists because the affected software does not properly validate...