CVE-2026-3643

The Accessibly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the REST API in all versions up to, and including, 3.0.3. The plugin registers REST API endpoints at /otm-ac/v1/update-widget-options and /otm-ac/v1/update-app-config with the permissioncallback set to returntrue...

CVE-2026-5088 Apache::API::Password versions through 0.5.2 for Perl can generate insecure random values for salts

Apache::API::Password versions through 0.5.2 for Perl can generate insecure random values for salts. The makesalt and makesaltbcrypt methods will attept to load Crypt::URandom and then Bytes::Random::Secure to generate random bytes for the salt. If those modules are unavailable, it will simply...

CVE-2026-5088

CVE-2026-5088 affects Apache::API::Password for Perl up to version 0.5.2, where salts may be generated with non-cryptographically secure randomness. The _make_salt and _make_salt_bcrypt routines attempt Crypt::URandom and Bytes::Random::Secure; if these modules are unavailable, salts are produced...

EUVD-2026-22817

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 1.8-rc-1, 17.0.0-rc-1 and 17.5.0-rc-1 and prior include a resource exhaustion vulnerability in REST API endpoints such as...

CVE-2026-40104

CVE-2026-40104 affects XWiki Platform. A resource exhaustion vulnerability exists in REST API endpoints (for example, /xwiki/rest/wikis/xwiki/spaces/AnnotationCode/pages/AnnotationConfig/objects/AnnotationCode.AnnotationConfig/0/properties) that return metadata listing all pages without query lim...

PT-2026-33115

Weblate is a web based localization tool. In versions prior to 5.17, the translation memory API exposed unintended endpoints, which in turn didn't perform proper access control. This issue has been fixed in version 5.17. If developers are unable to update immediately, they can disable this featur...

VulnCheck KEV: CVE-2025-12548

A flaw was found in Eclipse Che che-machine-exec. This vulnerability allows unauthenticated remote arbitrary command execution and secret exfiltration SSH keys, tokens, etc. from other users' Developer Workspace containers, via an unauthenticated JSON-RPC / websocket API exposed on TCP port 3333...

PT-2026-33113

Weblate is a web based localization tool. In versions prior to 5.17, the tasks API didn't verify user access for pending tasks. This could expose logs of in-progress operations to users who don't have access to given scope. The attacker needs to brute-force the random UUID of the task, so...

Spring AI Agentic Patterns (Part 7): Session API — Event-Sourced Short-Term Memory with Context Compaction

A New Session API for Spring AI — Structured, Compactable, Multi-Agent-Ready Part 7 of theSpring AI Agentic Patterns series completes the memory picture. After covering Agent Skills, AskUserQuestionTool, TodoWriteTool, Subagent Orchestration, A2A Integration, and AutoMemoryTools for long-term...

XWiki Platform 安全漏洞

The XWiki Platform is an open-source wiki platform designed for creating web collaboration applications. Versions of the XWiki Platform such as 1.8-rc-1, 17.0.0-rc-1, and 17.5.0-rc-1 and earlier contain security vulnerabilities. These vulnerabilities stem from resource exhaustion issues with the...

PT-2026-33170

ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain an authorization bypass vulnerability in the getRestQuery method of the @apostrophecms/piece-type module, where the method checks whether a MongoDB projection has already been set before applying...

PT-2026-33020

The Accessibly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the REST API in all versions up to, and including, 3.0.3. The plugin registers REST API endpoints at /otm-ac/v1/update-widget-options and /otm-ac/v1/update-app-config with the permission callback set to return...

PT-2026-33036

Name of the Vulnerable Software and Affected Versions Mattermost versions 10.11.x through 10.11.12 Description Improper validation of user ownership within the Connected Workspaces feature allows a malicious remote server to change the displayed status of local users via the Connected Workspaces...

Fedora 43 : webkitgtk (2026-431948187d)

The remote Fedora 43 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-431948187d advisory. Update to 2.52.1. Notable changes from 2.50 to 2.52: Make text look like in other browsers by blending in linear color space. Improved rendering...

PT-2026-33009

Apache::API::Password versions through v0.5.2 for Perl can generate insecure random values for salts. The make salt and make salt bcrypt methods will attept to load Crypt::URandom and then Bytes::Random::Secure to generate random bytes for the salt. If those modules are unavailable, it will simpl...

ApostropheCMS 安全漏洞

ApostropheCMS is a full-stack content management system open source by Apostrophe Technologies. Versions of ApostropheCMS 4.28.0 and earlier contained security vulnerabilities. These vulnerabilities were due to an authorization bypass in the choices and counts query parameters of the REST API,...

@koloseum/utils (>=0.1.11 <=0.1.14), @quickguidehealth/connector-logto-novu (>=0.1.0 <=0.1.4) +1 more potentially affected by unknown CVE via @novu/api (>=0.6.2 <=3.11.0)

@novu/api NPM version =0.6.2, =0.1.11, =0.1.0, =0.1.4 - aleph-backend =1.0.0 Source cves: unknown CVE Source advisory: OSV:GHSA-4X48-CGF9-Q33F...

Origin Validation Error

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Origin Validation Error in the CORS handling process. An attacker can access sensitive authenticated API responses, including user profile data, email, admin statu...

WWBN AVideo has a CORS Origin Reflection Bypass via plugin/API/router.php and allowOrigin(true) Exposes Authenticated API Responses

Summary The CORS origin validation fix in commit 986e64aad is incomplete. Two separate code paths still reflect arbitrary Origin headers with credentials allowed for all /api/ endpoints: 1 plugin/API/router.php lines 4-8 unconditionally reflect any origin before application code runs, and 2...

WWBN AVideo has CORS Origin Reflection with Credentials on Sensitive API Endpoints Enables Cross-Origin Account Takeover

Summary The allowOrigin$allowAll=true function in objects/functions.php reflects any arbitrary Origin header back in Access-Control-Allow-Origin along with Access-Control-Allow-Credentials: true. This function is called by both plugin/API/get.json.php and plugin/API/set.json.php — the primary API...