2102 matches found
EUVD-2026-38634
FlatPress versions prior to commit 10be83c contain a stored cross-site scripting vulnerability in comment and contact forms where name, URL, and email fields are rendered without proper output encoding in Smarty templates. Attackers can inject arbitrary HTML and JavaScript through these fields ...
CVE-2026-53931
NocoDB: Server-Side Request Forgery via the spreadsheet-import endpoint (axiosRequestMake) allowed unauthenticated use as a generic HTTP proxy prior to 2026.05.1, enabling potentially unintended requests to internal destinations. The issue is fixed in 2026.05.1. The GHSA/OSV/PT-Security disclosur...
CVE-2026-45135
Caddy is an extensible server platform that uses TLS by default. From 2.7.0 until 2.11.3, the FastCGI transport's splitPos in modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go misuses golang.org/x/text/search with search.IgnoreCase when the request path contains a non-ASCII byte. Two distinct fla...
ChurchCRM - API Authentication Bypass via URL Injection
ChurchCRM 7.1.0 contains an authentication bypass caused by improper API middleware URL handling in ChurchCRM/Slim/Middleware/AuthMiddleware.php, letting unauthenticated attackers access protected API endpoints, exploit requires crafted request URL with 'api/public id: CVE-2026-39339 info: name:...
WordPress User Messages <= 1.2.4 - Reflected XSS
WordPress User Messages plugin <= 1.2.4 contains a reflected cross-site scripting vulnerability caused by lack of sanitization and escaping of a parameter before outputting it in the page, letting attackers execute malicious scripts in the context of high privilege users, exploit requires victim to load a...
PT-2026-51608
Name of the Vulnerable Software and Affected Versions FlatPress versions prior to commit 10be83c Description A stored cross-site scripting issue exists in comment and contact forms. The name, URL, and email fields are rendered without proper output encoding in Smarty templates. This allows...
CVE-2020-37255
| creationtimestamp | type | source |
|---|---|---|
| 2026-06-20 15:54:23+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3moq7q64bi42u... |
CVE-2025-62198
| creationtimestamp | type | source |
|---|---|---|
| 2026-06-20 15:26:11+00:00 | seen | https://bsky.app/profile/infosec.skyfleet.blue/post/3moq65qz3vt2a |
| 2026-06-22 11:52:39+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mout5qyudc22... |
CVE-2019-25756
| creationtimestamp | type | source |
|---|---|---|
| 2026-06-19 19:30:06+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3moo3cxp2gs27... |
CVE-2026-56142
| creationtimestamp | type | source |
|---|---|---|
| 2026-06-19 16:35:27+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3monrkomijt2z |
| 2026-06-20 14:01:25+00:00 | seen | https://bsky.app/profile/hugovalters.bsky.social/post/3mopzg6xmjp2d... |
CVE-2026-12620
The GridTime 3000 GNSS Time Server leaks the access token in the URL parameters of some endpoints. This issue affects GridTime 3000: from 1.0r0.03 through 1.1r0.0...
CVE-2026-44663
| creationtimestamp | type | source |
|---|---|---|
| 2026-06-18 21:58:43+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3molt5sr3cn22... |
CVE-2026-40181
A flaw was found in React Router. This vulnerability allows a remote attacker to redirect users to an external, potentially malicious, website. This occurs when specially crafted URLs, containing paths starting with //, are passed to the redirect function, causing them to be misinterpreted as...
CVE-2026-20178
The CVE-2026-20178 issue affects the browser-based Cisco Webex App. Root cause: improper input validation of URL parameters in an HTTP request, enabling an unauthenticated, remote attacker to persuade a user to click a crafted URL and be redirected to a malicious webpage. Impact is limited to use...
net/url: Incorrect parsing of IPv6 host literals in net/url
The Go standard library function net/url.Parse insufficiently validated the host/authority component and accepted some invalid URLs by effectively treating garbage before an IP-literal as ignorable. The function should have rejected this as invalid...
BIT-MARIADB-MIN-2026-44170 MariaDB: Argument injection in CONNECT REST Xcurl on Windows via unsanitized URL
MariaDB server is a community developed fork of MySQL server. From versions 10.6.1 to before 10.6.26, 10.11.1 to before 10.11.17, 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1, MariaDB on Windows with installed CONNECT engine and enabled REST support interpolated table HTTP...
GHSA-4GRM-H2QV-H6W6
| creationtimestamp | type | source |
|---|---|---|
| 2026-06-16 00:56:16+00:00 | seen | https://gist.github.com/alon710/bc7929d92c51f42ce9344791ed6ca313... |
Use of Incorrectly-Resolved Name or Reference
Overview: starlette is "The little ASGI library that shines." Affected versions of this package are vulnerable to Use of Incorrectly-Resolved Name or Reference in the reconstruction of request.url when the HTTP request path does not begin with /. An attacker can mislead the application into trusti...
GHSA-7C78-JF6Q-G5CM
| creationtimestamp | type | source |
|---|---|---|
| 2026-06-15 17:11:14+00:00 | seen | https://gist.github.com/alon710/0bdb094f8b35593b7efeef728ecec669... |
CVE-2026-12208
| creationtimestamp | type | source |
|---|---|---|
| 2026-06-15 03:57:31+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mocfdpu4yu2s... |