GHSA-8PFC-JJGW-6G26 SandboxJS: Stack overflow DoS via deeply nested expressions in recursive descent parser

Summary The @nyariv/sandboxjs parser contains unbounded recursion in the restOfExp function and the lispify/lispifyExpr call chain. An attacker can crash any Node.js process that parses untrusted input by supplying deeply nested expressions e.g., 2000 nested parentheses, causing a RangeError:...

CVE-2026-27885

Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, a SQL Injection vulnerability was discovered in Piwigo affecting the Activity List API endpoint. This vulnerability allows an authenticated administrator to extract sensitive data from the database, including...

CVE-2026-27885

CVE-2026-27885 affects Piwigo prior to version 16.3.0. A SQL injection vulnerability exists in the Activity.getList/API endpoint, exploitable by an authenticated administrator which can lead to leakage of sensitive data (user credentials, email addresses, and all stored content). The root cause i...

CVE-2026-27885 Piwigo: SQL Injection in Activity.getList

Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, a SQL Injection vulnerability was discovered in Piwigo affecting the Activity List API endpoint. This vulnerability allows an authenticated administrator to extract sensitive data from the database, including...

EUVD-2026-18870

Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, the pwg.history.search API method in Piwigo is registered without the adminonly option, allowing unauthenticated users to access the full browsing history of all gallery visitors. This issue has been patched ...

EUVD-2026-18827

prompts.chat prior to commit 30a8f04 contains a server-side request forgery vulnerability in Fal.ai media status polling that allows authenticated users to perform arbitrary outbound requests by supplying attacker-controlled URLs in the token parameter. Attackers can exploit the lack of URL...

CVE-2026-22664

prompts.chat prior to commit 30a8f04 contains a server-side request forgery vulnerability in the Fal.ai media status polling feature that allows authenticated users to perform arbitrary outbound requests by supplying attacker-controlled URLs in the token parameter. Attackers can exploit the lack ...

CVE-2026-22664

The CVE-2026-22664 issue affects prompts.chat with an SSRF in Fal.ai media status polling prior to commit 30a8f04. Authenticated users can supply attacker-controlled URLs in the token parameter to trigger arbitrary outbound requests, potentially exposing the FAL_API_KEY in the Authorization heade...

CVE-2026-22662 prompts.chat Blind SSRF via media-generate

prompts.chat prior to commit 1464475 contains a blind server-side request forgery vulnerability in the Wiro media generator that allows authenticated users to perform server-side fetches of user-controlled inputImageUrl parameters. Attackers can exploit this vulnerability by sending POST requests...

CVE-2026-28766 Gardyn Cloud API Missing Authentication for Critical Function

A specific endpoint exposes all user account information for registered Gardyn users without requiring authentication...

CVE-2026-28766

CVE-2026-28766 refers to Gardyn Cloud API missing authentication for a critical function. The initial description and related documents confirm that a specific endpoint exposes all user account information for registered Gardyn users without requiring authentication, enabling potential confidenti...

CVE-2026-28767

CVE-2026-28767 affects Gardyn Cloud API: the administrative endpoint /api/admin/notifications is accessible without authentication. This allows information disclosure of internal administrative communications and related data. The documented remediation is to require admin authentication on all /...

CVE-2026-28767 Gardyn Cloud API Missing Authentication for Critical Function

A specific administrative endpoint notifications is accessible without proper authentication...

CVE-2026-28767 Gardyn Cloud API Missing Authentication for Critical Function

A specific administrative endpoint notifications is accessible without proper authentication...

CVE-2026-32646 Gardyn Cloud API Missing Authentication for Critical Function

A specific administrative endpoint is accessible without proper authentication, exposing device management functions...

CVE-2026-32646 Gardyn Cloud API Missing Authentication for Critical Function

A specific administrative endpoint is accessible without proper authentication, exposing device management functions...

CVE-2026-32646

CVE-2026-32646 concerns the Gardyn Cloud API where administrative endpoints (e.g., /api/admin/) lack proper authentication, exposing device management and internal admin communications. Multiple connected sources (Red Hat, CVE/CVE list, Circle, CVE writeups, and PT-2026-30214) corroborate a patte...

CVE-2026-32662 Gardyn Cloud API Active Debug Code

Development and test API endpoints are present that mirror production functionality...

CVE-2026-32662 Gardyn Cloud API Active Debug Code

Development and test API endpoints are present that mirror production functionality...

Missing Authentication for Critical Function

Overview mlflow is a platform to streamline machine learning development, including tracking experiments, packaging code into reproducible runs, and sharing and deploying models. Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the FastAPI...