189 matches found
CVE-2026-45353 electerm: Local code execution through electerm's single-instance socket
electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Versions 3.0.6 through 3.8.8 are affected; the vulnerability is fixed in 3.9.0...
CVE-2026-45353
CVE-2026-45353 affects electerm (3.0.6–3.8.8); the vulnerability arises from the single-instance socket allowing local code execution via a crafted JSON payload, enabling a same-user process to spawn attacker-controlled local processes. The issue is resolved in 3.9.0 (official fix); some sources ...
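An added illustration of the bug class described above (hypothetical Python, not electerm's Electron/Node code; the message schema, action names and field names are assumptions): a single-instance IPC handler that lets the connecting process choose an argv, beside one that accepts only allowlisted, schema-checked actions. The socketpair stands in for the local socket another same-user process can write to.

```python
"""Message handling for a local single-instance IPC socket (hypothetical, not electerm's code)."""
from __future__ import annotations

import json
import socket

# Constructed messages standing in for what another process running as the same
# user could write to the socket.
BENIGN = json.dumps({"type": "focus"})
ATTACK = json.dumps({"type": "spawn", "cmd": "/bin/sh", "args": ["-c", "id"]})

# Allowlist of message types and the exact string fields each may carry (assumed schema).
SCHEMA = {"focus": set(), "open-path": {"path"}}


def vulnerable_handle(raw: str) -> list[str] | None:
    """Trusts the peer: a 'spawn' message becomes the argv the application would execute."""
    msg = json.loads(raw)
    if msg.get("type") == "spawn":
        return [msg["cmd"], *msg.get("args", [])]  # attacker-controlled program and arguments
    return None


def safe_handle(raw: str) -> tuple[str, dict]:
    """Default-deny: the peer may request an internal action, never name a program to run."""
    try:
        msg = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError("payload is not JSON") from exc
    if not isinstance(msg, dict):
        raise ValueError("payload is not an object")
    kind = msg.get("type")
    if kind not in SCHEMA:
        raise ValueError(f"unknown message type {kind!r}")
    fields = {k: v for k, v in msg.items() if k != "type"}
    if set(fields) != SCHEMA[kind] or not all(isinstance(v, str) for v in fields.values()):
        raise ValueError("unexpected or non-string fields")
    return kind, fields  # handed to an internal dispatcher, never to spawn() or a shell


def is_rejected(raw: str) -> bool:
    """True when the hardened handler refuses the message."""
    try:
        safe_handle(raw)
    except ValueError:
        return True
    return False


def serve_one(handler, raw: str):
    """Push one message through a socketpair so the handler sees bytes from a 'peer'."""
    server, client = socket.socketpair()
    try:
        client.sendall(raw.encode())
        client.shutdown(socket.SHUT_WR)
        data = b""
        while chunk := server.recv(4096):
            data += chunk
        return handler(data.decode())
    finally:
        server.close()
        client.close()


if __name__ == "__main__":
    print("vulnerable handler would spawn:", serve_one(vulnerable_handle, ATTACK))
    print("hardened handler accepts focus:", serve_one(safe_handle, BENIGN))
    print("hardened handler rejects spawn:", is_rejected(ATTACK))
```

A same-user process can always reach a socket the user owns, so the fix is not to hide the socket but to make what it can ask for harmless: the hardened handler maps messages to a fixed set of internal actions and never lets the payload name a program or its arguments.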
CVE-2026-2611 Improper Origin Validation in mlflow/mlflow
In MLflow version 3.9.0, the MLflow Assistant feature introduced improper origin validation in its /ajax-api endpoints. This vulnerability allows a remote attacker to exploit cross-origin requests from a malicious webpage to interact with the MLflow Assistant running on a victim's local machine. ...
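An added example of the check this entry concerns (hypothetical Python, not MLflow's code; the allowed-origin set and the handling of a missing Origin header are assumptions): prefix-based origin matching, which a host such as localhost.evil.example satisfies, beside exact scheme/host/port matching against an allowlist.

```python
"""Origin validation for a localhost-bound API (hypothetical, not MLflow's code)."""
from __future__ import annotations

from urllib.parse import urlsplit

# Origins allowed to call the local endpoint; assumed values, the real set is deployment-specific.
ALLOWED_ORIGINS = {"http://localhost:5000", "http://127.0.0.1:5000"}


def origin_allowed_weak(origin: str | None) -> bool:
    """Prefix matching: anything that merely starts with a trusted origin passes."""
    if origin is None:
        return True
    return origin.startswith("http://localhost") or origin.startswith("http://127.0.0.1")


def canonical_origin(origin: str) -> tuple[str, str, int] | None:
    """Reduce an Origin header to (scheme, host, port); None for anything that is not a clean origin."""
    try:
        parts = urlsplit(origin)
        port = parts.port  # raises ValueError for e.g. "localhost:5000.evil.example"
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment or parts.username:
        return None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return parts.scheme, parts.hostname, port  # scheme and hostname are lower-cased by urlsplit


_ALLOWED = {canonical_origin(o) for o in ALLOWED_ORIGINS}


def origin_allowed_strict(origin: str | None) -> bool:
    """Exact scheme/host/port match against the allowlist; 'null' and malformed values fail."""
    if origin is None:
        # No Origin header: a non-browser client or a same-origin navigation. Pair this with
        # token authentication for state-changing routes in a real deployment (assumption).
        return True
    return canonical_origin(origin) in _ALLOWED


if __name__ == "__main__":
    for o in ["http://localhost:5000", "http://localhost.evil.example",
              "http://localhost:5000.evil.example", "null"]:
        print(f"{o:40} weak={origin_allowed_weak(o)!s:5} strict={origin_allowed_strict(o)}")
```

The port check matters: urlsplit reports the hostname of http://localhost:5000.evil.example as localhost, so a check on hostname alone would pass it; reading the port raises for that input and the function rejects it.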
CVE-2026-2652
A vulnerability in mlflow/mlflow versions 3.9.0 and earlier allows unauthenticated access to certain FastAPI routes when the server is started with authentication enabled (--app-name basic-auth) and served via the uvicorn ASGI server. The FastAPI permission middleware only enforces authentication on /gateway/...
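An added example of the enforcement mistake this entry describes (hypothetical Python, not MLflow's middleware; the public path set, the route names and the use of header presence in place of credential checking are assumptions): an ASGI middleware that protects only one path prefix, beside one that normalises the path and denies everything not explicitly public.

```python
"""Prefix-only versus default-deny authentication in an ASGI middleware (hypothetical, not MLflow's code)."""
from __future__ import annotations

import asyncio
import posixpath

PUBLIC_PATHS = {"/health", "/version"}  # assumed unauthenticated endpoints


def needs_auth_prefix_only(path: str) -> bool:
    """The flawed policy: only one prefix is protected, every other route is reachable anonymously."""
    return path.startswith("/gateway/")


def needs_auth_default_deny(path: str) -> bool:
    """Normalise the path (collapses '.' and '..' segments), then require credentials
    unless the result is in an explicit public set."""
    clean = posixpath.normpath(path if path.startswith("/") else "/" + path)
    return clean not in PUBLIC_PATHS


def make_auth_middleware(app, policy):
    """Wrap an ASGI app; policy(path) decides whether an Authorization header is required.
    Header presence stands in for real credential verification in this example."""
    async def middleware(scope, receive, send):
        if scope["type"] == "http" and policy(scope["path"]):
            headers = dict(scope.get("headers", []))
            if not headers.get(b"authorization"):
                await send({"type": "http.response.start", "status": 401, "headers": []})
                await send({"type": "http.response.body", "body": b"unauthorized"})
                return
        await app(scope, receive, send)
    return middleware


async def protected_app(scope, receive, send):
    """Downstream app that would leak data if reached without authentication."""
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": b"experiment data"})


def request_status(app, path: str, authorization: str | None = None) -> int:
    """Drive an ASGI app with a constructed scope and return the status it sends."""
    headers = [(b"authorization", authorization.encode())] if authorization else []
    scope = {"type": "http", "method": "GET", "path": path, "headers": headers}
    sent = []

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message):
        sent.append(message)

    asyncio.run(app(scope, receive, send))
    return sent[0]["status"]


WEAK = make_auth_middleware(protected_app, needs_auth_prefix_only)
STRICT = make_auth_middleware(protected_app, needs_auth_default_deny)

if __name__ == "__main__":
    for label, app in (("prefix-only", WEAK), ("default-deny", STRICT)):
        print(label, "/api/2.0/mlflow/experiments/search ->",
              request_status(app, "/api/2.0/mlflow/experiments/search"))
```

When several routers are mounted (here a FastAPI app under an existing server), the authentication decision should be made once, at the outermost layer, with a default of deny; per-prefix enforcement leaves every route added later unprotected by default.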
CVE-2026-2614
Summary: CVE-2026-2614 affects mlflow/mlflow
Improper Authorization
Overview Affected versions of this package are vulnerable to Improper Authorization via the RPC Handler component. An attacker can gain unauthorized access to sensitive operations or data by sending crafted remote procedure calls without proper authorization checks. Remediation Upgrade...
PT-2026-36210
Name of the Vulnerable Software and Affected Versions nextlevelbuilder GoClaw versions prior to 3.9.0 nextlevelbuilder GoClaw Lite versions prior to 3.9.0 Description A flaw in the RPC Handler component allows for improper authorization. This issue can be triggered remotely through an unknown...
WordPress Webling plugin <= 3.9.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'title' Parameter vulnerability
Authenticated Subscriber+ Stored Cross-Site Scripting via 'title' Parameter vulnerability discovered by Kate Kligman in WordPress Plugin Webling versions <= 3.9.0...
EUVD-2026-21248
The Webling plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 3.9.0 due to insufficient input sanitization, insufficient output escaping, and missing capabilities checks in the 'webling_admin_save_form' and 'webling_admin_save_memberlist' functions...
CVE-2026-1263
CVE-2026-1263 affects the Webling WordPress plugin up to version 3.9.0. The vulnerability is a Stored Cross-Site Scripting in the title parameter via the functions webling_admin_save_form and webling_admin_save_memberlist. It enables authenticated users with Subscriber-level access and above to ...
JeecgBoot Access Control Error Vulnerability
JeecgBoot is a Java low-code platform developed by Jeecg Corporation, designed for enterprise web applications. Versions 3.9.0 and 3.9.1 of JeecgBoot contain access control vulnerability issues. This vulnerability stems from a lack of authentication in the AI Chat Module component’s...
CVE-2026-33072
FileRise is a self-hosted web file manager / WebDAV server. In versions prior to 3.9.0, a hardcoded default encryption key defaultpleasechangethiskey is used for all cryptographic operations — HMAC token generation, AES config encryption, and session tokens — allowing any unauthenticated attacker...
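An added example of why a shipped default key is equivalent to no key (hypothetical Python, not FileRise's PHP code; the token format, the environment variable name and the minimum key length are assumptions): with the default key an unauthenticated client computes valid HMAC tokens for any payload, and a startup check that refuses the placeholder, a missing key, or a short key closes that path.

```python
"""HMAC tokens under a shipped default key versus an enforced per-deployment key
(hypothetical, not FileRise's code)."""
from __future__ import annotations

import hashlib
import hmac
import secrets

DEFAULT_KEY = "defaultpleasechangethiskey"  # the placeholder value named in the advisory
MIN_KEY_BYTES = 32
ENV_NAME = "APP_SECRET_KEY"  # assumed variable name


def sign(key: bytes, payload: bytes) -> str:
    """HMAC-SHA256 tag over the payload, hex-encoded."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify(key: bytes, payload: bytes, tag: str) -> bool:
    """Constant-time comparison of the expected tag with the presented one."""
    return hmac.compare_digest(sign(key, payload), tag)


def forge_with_default(payload: bytes) -> str:
    """What any unauthenticated client can compute once the default key is public knowledge."""
    return sign(DEFAULT_KEY.encode(), payload)


def generate_key() -> str:
    """A fresh 32-byte key, hex-encoded, for the operator to place in the environment."""
    return secrets.token_hex(32)


def load_key(env: dict[str, str]) -> bytes:
    """Refuse to start with the placeholder, a missing key, or a short key."""
    raw = env.get(ENV_NAME)
    if not raw:
        raise RuntimeError(f"{ENV_NAME} is not set; generate one with generate_key()")
    if raw == DEFAULT_KEY:
        raise RuntimeError("refusing to start with the shipped default key")
    key = raw.encode()
    if len(key) < MIN_KEY_BYTES:
        raise RuntimeError(f"{ENV_NAME} must be at least {MIN_KEY_BYTES} bytes")
    return key


def load_key_error(env: dict[str, str]) -> str | None:
    """The startup error message for a given environment, or None if the key is acceptable."""
    try:
        load_key(env)
    except RuntimeError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    payload = b'{"user":"admin","role":"admin"}'  # constructed session payload
    forged = forge_with_default(payload)
    print("forged token accepted by a default-key server:",
          verify(DEFAULT_KEY.encode(), payload, forged))
    print("forged token accepted by a keyed server:",
          verify(generate_key().encode(), payload, forged))
    print("startup with default key:", load_key_error({ENV_NAME: DEFAULT_KEY}))
```

Rotating the key invalidates every token and encrypted config value produced under the old one; that is the intended effect after a default-key deployment, since all of those artefacts should be treated as attacker-forgeable.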
CVE-2026-33332 NiceGUI's unvalidated chunk size parameter in media routes can cause memory exhaustion
NiceGUI is a Python-based UI framework. Prior to version 3.9.0, NiceGUI's app.add_media_file and app.add_media_files media routes accept a user-controlled query parameter that influences how files are read during streaming. The parameter is passed to the range-response implementation without...
CVE-2026-33332
CVE-2026-33332 affects NiceGUI prior to v3.9.0. The media routes app.add_media_file() and app.add_media_files() accept a user-controlled query parameter that influences how files are read during streaming. The parameter is passed to the range-response implementation without validation, allowing a...
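An added example of the streaming bug these entries describe (hypothetical Python, not NiceGUI's range-response code; the parameter handling, the default and the bounds are assumptions): a range reader that uses the caller's chunk size as given, so one request pulls the whole range into a single buffer or, with 0, silently serves nothing, beside a parser that falls back to a default for non-integers and clamps the value into a fixed window.

```python
"""Range streaming with a user-controlled chunk size (hypothetical, not NiceGUI's code)."""
from __future__ import annotations

import io
from typing import Iterator

DEFAULT_CHUNK = 64 * 1024
MIN_CHUNK, MAX_CHUNK = 4 * 1024, 256 * 1024  # assumed bounds
SIZE = 1024 * 1024


def sample_file() -> io.BytesIO:
    """A constructed 1 MiB 'media file' whose byte at offset i is i % 256."""
    return io.BytesIO(bytes(range(256)) * (SIZE // 256))


def iter_range_unclamped(fileobj, start: int, end: int, chunk_size: int) -> Iterator[bytes]:
    """Streams bytes start..end inclusive; chunk_size is used exactly as the caller supplied it.
    On a raw FileIO, read(n) allocates an n-byte buffer before reading, so a huge n means a
    huge allocation per request; BytesIO is used here only to make the effect observable."""
    fileobj.seek(start)
    remaining = end - start + 1
    while remaining > 0:
        data = fileobj.read(min(chunk_size, remaining))
        if not data:  # a chunk size of 0 ends the response before any byte is sent
            break
        remaining -= len(data)
        yield data


def parse_chunk_size(raw) -> int:
    """Integer or default, then clamped into [MIN_CHUNK, MAX_CHUNK]."""
    try:
        value = int(raw)
    except (TypeError, ValueError):
        return DEFAULT_CHUNK
    return max(MIN_CHUNK, min(value, MAX_CHUNK))


def iter_range_clamped(fileobj, start: int, end: int, raw_chunk) -> Iterator[bytes]:
    """The hardened route: validate the query parameter before it reaches the reader."""
    return iter_range_unclamped(fileobj, start, end, parse_chunk_size(raw_chunk))


def largest_chunk(chunks: Iterator[bytes]) -> int:
    """The biggest single buffer the response handed out (0 if nothing was served)."""
    return max((len(c) for c in chunks), default=0)


if __name__ == "__main__":
    print("unclamped, chunk=10**9 ->", largest_chunk(iter_range_unclamped(sample_file(), 0, SIZE - 1, 10**9)))
    print("clamped,   chunk=10**9 ->", largest_chunk(iter_range_clamped(sample_file(), 0, SIZE - 1, "1000000000")))
    print("unclamped, chunk=0     ->", largest_chunk(iter_range_unclamped(sample_file(), 0, SIZE - 1, 0)))
```

The per-request ceiling is what matters for a denial of service: the unclamped reader lets one client dictate the allocation for each concurrent request, while the clamped reader bounds it at MAX_CHUNK regardless of input.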