CVE-2026-27975

Ajenti, a Linux/BSD modular server admin panel, is affected by CVE-2026-27975 in versions prior to 2.2.13. An unauthenticated user could gain access to a server and execute arbitrary code. The vulnerability is rated CVSS v4.0 base score 9.3 (CRITICAL) with network attack vector, no authentication...

CVE-2026-27975

Ajenti is a Linux and BSD modular server admin panel. Prior to version 2.2.13, an unauthenticated user could gain access to a server to execute arbitrary code on this server. This is fixed in the version 2.2.13...

CVE-2026-27965

Vitess is a database clustering system for horizontal scaling of MySQL. Prior to versions 23.0.3 and 22.0.4, anyone with read/write access to the backup storage location e.g. an S3 bucket can manipulate backup manifest files so that arbitrary code is later executed when that backup is restored...

CVE-2026-27965 Vitess users with backup storage access can gain unauthorized access to production deployment environments

Vitess is a database clustering system for horizontal scaling of MySQL. Prior to versions 23.0.3 and 22.0.4, anyone with read/write access to the backup storage location e.g. an S3 bucket can manipulate backup manifest files so that arbitrary code is later executed when that backup is restored...

USN-8066-1 ruby-rack vulnerabilities

Minh Pham Quang discovered that Rack did not correctly handle parsing certain paths, which could lead to a path traversal attack. An attacker could possibly use this issue to leak sensitive information. CVE-2026-22860 Ali Firas discovered that Rack did not correctly sanitize certain inputs. An...

Deserialization of Untrusted Data

Overview langgraph-checkpoint is a library with base interfaces for LangGraph checkpoint savers. Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the BaseCache class when cache backends inheriting from BaseCache are enabled, and nodes are opted into cachin...

Arbitrary Code Injection

Overview storybook is a frontend workshop for building UI components and pages in isolation. Affected versions of this package are vulnerable to Arbitrary Code Injection via the WebSocket message handlers for creating and saving stories, specifically through unsanitized input in the...

CVE-2026-26682

Summary: fastCMS prior to v0.1.6 contains a security issue in the PluginController.java that enables a local attacker to execute arbitrary code. Affected software/component: fastCMS (PluginController.java). Impact: local code execution with high impact (per CVSS) as described in referenced record...

PT-2026-22140

Reflected Cross-Site Scripting XSS on the A3factura web platform, in parameter 'name', in 'a3factura-app.wolterskluwer.es//incomes/representatives-management' endpoint, which could allow an attacker to execute arbitrary code in the victim's browser...

PT-2026-22151

Name of the Vulnerable Software and Affected Versions Flair versions 0.4.1 through latest Description The deserialization of untrusted data in the LanguageModel class can lead to arbitrary code execution when loading a malicious model. Recommendations Versions prior to 0.4.1 are not affected. At...

PT-2026-22161

Name of the Vulnerable Software and Affected Versions fastCMS versions prior to 0.1.6 Description An issue exists in fastCMS that allows a local attacker to execute arbitrary code via the PluginController.java component. Recommendations Update to version 0.1.6 or later...

Wolters Kluwer A3factura 跨站脚本漏洞

Wolters Kluwer A3factura is a billing management software developed by the German company Wolters Kluwer. Wolters Kluwer A3factura has a cross-site scripting vulnerability. This vulnerability stems from the reflective cross-site scripting in the parameter name located at the endpoint...

CVE-2026-26682

An issue in fastCMS before v.0.1.6 allows a local attacker to execute arbitrary code via the PluginController.java component...

FastCMS 安全漏洞

FastCMS is a content management system developed by FastCMS Inc. Versions of FastCMS prior to 0.1.6 contained security vulnerabilities. These vulnerabilities were caused by issues with the PluginController.java component, which could allow local attackers to execute arbitrary code...

flair 安全漏洞

Flair is a very simple and advanced NLP framework developed by Flair OpenSource. There are security vulnerabilities in Flair versions 0.4.1 onwards. These vulnerabilities stem from the LanguageModel class’s ability to deserialize untrusted data, which may allow arbitrary code to be executed when...

c3p0 代码问题漏洞

c3p0 is an open-source JDBC connection pool library developed by Steve Waldman. Versions of c3p0 prior to 0.12.0 had code vulnerabilities, which stemmed from improper deserialization and could lead to the execution of arbitrary code...

Vitess 操作系统命令注入漏洞

Vitess is an open-source database cluster system developed by Vitess, designed for horizontal scaling of MySQL databases. Versions of Vitess prior to 23.0.3 and 22.0.4 contained a vulnerability related to operating system command injection. This vulnerability stemmed from the possibility of...

PT-2026-22141

Reflected Cross-Site Scripting XSS on the A3factura web platform, in parameter 'name', parameter 'name', in 'a3factura-app.wolterskluwer.es//incomes/customers' endpoint, which could allow an attacker to execute arbitrary code in the victim's browser...

GPAC 安全漏洞

GPAC is an open-source multimedia framework developed by GPAC. Versions of GPAC prior to 26.02.0 contain security vulnerabilities. These vulnerabilities stem from stack buffer overflows during the parsing of NHML files, which may allow for the execution of arbitrary code...

CVE-2026-26682

An issue in fastCMS before v.0.1.6 allows a local attacker to execute arbitrary code via the PluginController.java component...