2769 matches found

CVE
added 2026/01/27 9:51 p.m., 23 views

CVE-2026-24770

RAGFlow (open‑source RAG engine) has a Zip Slip flaw in the MinerUParser that affects v0.23.1 and possibly earlier. The vulnerability arises in the ZIP extraction path (MinerUParser, _extract_zip_no_root) where filenames inside archives aren’t sanitized, enabling overwriting of arbitrary server f...

CVSS 9.8, AI score 6, EPSS 0.00913
Exploits 1, References 2, Affected Software 1
NVD
added 2026/01/27 5:16 p.m., 9 views

CVE-2026-23881

Kyverno is a policy engine designed for cloud native platform engineering teams. Versions prior to 1.16.3 and 1.15.3 have unbounded memory consumption in Kyverno's policy engine that allows users with policy creation privileges to cause denial of service by crafting policies that exponentially...

CVSS 7.7, EPSS 0.00531
Exploits 1, References 3
Positive Technologies
added 2026/01/26 12:00 a.m., 4 views

PT-2026-4813

Critical HarfBuzz Vulnerability Analysis - SUSE-2026-0287-1. The recent patch for HarfBuzz CVE-2025-53086 addresses a classic yet dangerous heap corruption bug. Read more: 👉 https://t.co/nFbw9Hr1kZ OpenSUSE Security https://t.co/ZDH04WBByX...

AI score 5.9
Exploits 0, References 1
OSV
added 2026/01/25 1:43 p.m., 2 views

ROOT-OS-DEBIAN-13-CVE-2026-22693 CVE-2026-22693 in rootio-harfbuzz - Patched by Root

Root has patched CVE-2026-22693 in the rootio-harfbuzz package for Root:Debian:13. Multiple fixed versions available...

CVSS 5.3, AI score 5.4, EPSS 0.00377
Exploits 1
CVE
added 2026/01/22 2:06 a.m., 24 views

CVE-2026-23966

CVE-2026-23966 (sm-crypto) affects the JavaScript library implementing SM2/SM3/SM4. The vulnerability resides in the SM2 decryption logic, where an attacker can recover the private key by repeatedly invoking the SM2 decryption interface. The issue exists in versions prior to 0.3.14; version 0.3.1...

CVSS 9.1, AI score 5.5, EPSS 0.00209
Exploits 0, References 2, Affected Software 1
OSV
added 2026/01/21 9:31 p.m., 8 views

CVE-2026-22849 Saleor lacks proper HTML sanitization in rich text fields

Saleor is an e-commerce platform. Starting in version 3.0.0 and prior to versions 3.20.108, 3.21.43, and 3.22.27, Saleor was allowing users to modify rich text fields with HTML without running any backend HTML cleaners thus allowing malicious actors to perform stored XSS attacks on dashboards and...

CVSS 7.2, AI score 5.4, EPSS 0.00201
Exploits 0, References 9
EUVD
added 2026/01/19 5:12 p.m., 3 views

EUVD-2026-3313

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, FastGlyph parsing trusts cbData/remaining length and never validates against the minimum size implied by cx/cy. A malicious server can trigger a client‑side global buffer overflow, causing a crash DoS. Versi...

CVSS 6.9, AI score 5.8, EPSS 0.00481
Exploits 1, References 6
OSV
added 2026/01/16 3:49 p.m., 3 views

GHSA-M3C4-PRHW-MRX6 Deno has an incomplete fix for command-injection prevention on Windows — case-insensitive extension bypass

Summary: A prior patch aimed to block spawning Windows batch/shell files by returning an error when a spawned path’s extension matched .bat or .cmd. That check performs a case-sensitive comparison against lowercase literals and therefore can be bypassed when the extension uses alternate casing for...

CVSS 8.1, AI score 7.1, EPSS 0.00619
Exploits 1, References 4
Tenable Nessus
added 2026/01/16 12:00 a.m., 3 views

Qnap QTS and QuTS Hero Buffer Copy without Checking Size of Input (CVE-2024-56805)

A buffer overflow vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers who have gained user access to modify memory or crash processes. We have already fixed the vulnerability in the following versions: QTS...

CVSS 5.4, AI score 5.6, EPSS 0.00361
Exploits 0, References 2
Github Security Blog
added 2026/01/14 4:53 p.m., 13 views

html2pdf.js contains a cross-site scripting vulnerability

Impact: html2pdf.js contains a cross-site scripting (XSS) vulnerability when given a text source rather than an element. This text is not sufficiently sanitized before being attached to the DOM, allowing malicious scripts to be run on the client browser and risking the confidentiality, integrity, an...

CVSS 8.7, AI score 5.7, EPSS 0.00324
Exploits 1, References 8, Affected Software 1
Vulnrichment
added 2026/01/10 3:35 a.m., 7 views

CVE-2026-22610 Angular has XSS Vulnerability via Unsanitized SVG Script Attributes

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.18, 20.3.16, 21.0.7, and 21.1.0-rc.0, a cross-site scripting (XSS) vulnerability has been identified in the Angular Template Compiler. The...

CVSS 8.5, AI score 5.5, EPSS 0.00444
Exploits 1, References 3
RedhatCVE
added 2026/01/09 9:30 a.m., 9 views

CVE-2023-43813

GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.11, the saved search feature can be used to perform a SQL injection. Version 10.0.11 contains a patch for the issue...

CVSS 8.8, AI score 7.7, EPSS 0.31138
Exploits 0, References 1
RedhatCVE
added 2026/01/09 9:30 a.m., 7 views

CVE-2023-29506

XWiki Commons are technical libraries common to several other top level XWiki projects. It was possible to inject some code using the URL of authenticated endpoints. This problem has been patched on XWiki 13.10.11, 14.4.7 and 14.10...

CVSS 6.1, AI score 6.8, EPSS 0.01721
Exploits 1, References 1
RedhatCVE
added 2026/01/09 9:28 a.m., 6 views

CVE-2023-49076

Customer-data-framework allows management of customer data within Pimcore. There are no tokens or headers to prevent CSRF attacks from occurring, therefore an attacker could abuse this vulnerability to create new customers. This issue has been patched in version 4.0.5...

CVSS 6.5, AI score 6.8, EPSS 0.00258
Exploits 1, References 1
RedhatCVE
added 2026/01/09 9:27 a.m., 10 views

CVE-2023-45818

TinyMCE is an open source rich text editor. A mutation cross-site scripting (mXSS) vulnerability was discovered in TinyMCE’s core undo and redo functionality. When a carefully-crafted HTML snippet passes the XSS sanitisation layer, it is manipulated as a string by internal trimming functions before...

CVSS 6.1, AI score 5.2, EPSS 0.0062
Exploits 0, References 1
RedhatCVE
added 2026/01/09 9:21 a.m., 12 views

CVE-2021-41188

Shopware is open source e-commerce software. Versions prior to 5.7.6 contain a cross-site scripting vulnerability. This issue is patched in version 5.7.6. Two workarounds are available. Using the security plugin or adding a particular following config to the .htaccess file will protect against...

CVSS 5.7, AI score 6.2, EPSS 0.00737
Exploits 0, References 1
RedhatCVE
added 2026/01/09 9:17 a.m., 27 views

CVE-2025-23040

GitHub Desktop is an open-source Electron-based GitHub app designed for git development. An attacker convincing a user to clone a repository directly or through a submodule can allow the attacker access to the user's credentials through the use of maliciously crafted remote URL. GitHub Desktop...

CVSS 6.6, AI score 7.1, EPSS 0.00747
Exploits 0, References 1
RedhatCVE
added 2026/01/09 9:13 a.m., 10 views

CVE-2022-37316

Archer Platform 6.8 before 6.11 P3 (6.11.0.3) contains an improper API access control vulnerability in a multi-instance system that could potentially present unauthorized metadata to an authenticated user of the affected system. 6.10 P3 HF1 (6.10.0.3.1) is also a fixed release...

CVSS 6.5, AI score 6.7, EPSS 0.00582
Exploits 0, References 1
RedhatCVE
added 2026/01/09 9:13 a.m., 5 views

CVE-2022-31153

OpenZeppelin Contracts for Cairo is a library for contract development written in Cairo for StarkNet, a decentralized ZK Rollup. Version 0.2.0 is vulnerable to an error that renders account contracts unusable on live networks. This issue affects all accounts (vanilla and ethereum flavors) in the...

CVSS 6.5, AI score 6.7, EPSS 0.01115
Exploits 1, References 1
RedhatCVE
added 2026/01/09 9:02 a.m., 8 views

CVE-2023-25654

baserCMS is a Content Management system. Prior to version 4.7.5, there is a Remote Code Execution (RCE) vulnerability in the management system of baserCMS. Version 4.7.5 contains a patch...

CVSS 9.8, AI score 7.4, EPSS 0.01533
Exploits 0, References 1