CVE-2026-54651 pypdf: Possible infinite loop when processing threads/articles in writer

pypdf is a free and open-source pure-python PDF library. Prior to 6.13.1, an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires merging a file with threads/articles into a writer. This vulnerability is fixed in 6.13.1...

CVE-2026-54651

CVE-2026-54651 affects the Python PDF library pypdf prior to version 6.13.1. The issue allows an attacker to craft a PDF that can trigger an infinite loop when merging a file with threads/articles into a writer, potentially impacting availability. The vulnerability is fixed in 6.13.1. Affected co...

CVE-2026-34718

Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the HTML sanitizer for ticket articles was missing proper sanitization of data: ... URI schemes, resulting in storing such malicious content in the database of the Zammad instance. The Zammad GUI is...

CVE-2026-5028

The Eight Day Week Print Workflow plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'title' parameter in the pp-get-articles AJAX action in all versions up to, and including, 1.2.6. This is due to insufficient escaping on the user supplied parameter and lack of sufficie...

CVE-2026-49386

In JetBrains YouTrack before 2026.1.13570 improper access control allowed enumeration of restricted issues and articles on Planning Canvas...

CVE-2026-8726

The extension fails to properly sanitize user input before using it in a database query. As a result, an unauthenticated attacker can inject arbitrary SQL through a URL parameter on pages using the "Date Menu of news articles" plugin. Exploitation requires the "Date Menu of news articles" plugin ...

CVE-2026-48208 Denial-of-Service via SVG Rendering in Ticket

An improper neutralization of active SVG content in OTRS or OTRS Community Edition ticket article rendering allows attackers to inject specially crafted SVG payloads via email content, leading to browser-side resource exhaustion and denial of service when affected tickets are opened by an agent o...

OTRS 安全漏洞

OTRS is a service management solution developed by the German company OTRS. Versions 7.0.X, 8.0.X, 2023.X, 2024.X, 2025.X, and 2026.X up to version 2026.4.X of OTRS contained security vulnerabilities. These vulnerabilities were due to improper handling of SVG content during the rendering of ticke...

CVE-2026-48210 Possible information disclosure via External Interface

An improper default configuration in OTRS 2026.3.1 causes ticket article forwarding actions to enforce the “Is visible for customer” flag by default and prevent users from disabling it via the UI. This leads to unintended exposure of internal ticket information to the External Frontend This issue...

CVE-2026-49386

In JetBrains YouTrack before 2026.1.13570 improper access control allowed enumeration of restricted issues and articles on Planning Canvas...

CVE-2026-49386

In JetBrains YouTrack before 2026.1.13570 improper access control allowed enumeration of restricted issues and articles on Planning Canvas...

FBI’s 2025 Internet Crime Report

The 2025 Internet Crime Report was published a few weeks ago, but I only just saw it. Lots of interesting statistics. Press release. News articles...

Modernizing User Privacy Preference Measurement through GPPI: A GDPR-Aligned Privacy Preference Item Bank

Privacy measurement instruments e.g., CFIP, IUIPC, PAQ predate GDPR by over a decade and measure privacy concerns, distinct from preferences for regulatory protections e.g., data portability, erasure, automated decision-making rights. This leaves practitioners without tools to assess whether user...

CVE-2026-8726

The extension fails to properly sanitize user input before using it in a database query. As a result, an unauthenticated attacker can inject arbitrary SQL through a URL parameter on pages using the "Date Menu of news articles" plugin. Exploitation requires the "Date Menu of news articles" plugin ...

CVE-2026-8726

The extension fails to properly sanitize user input before using it in a database query. As a result, an unauthenticated attacker can inject arbitrary SQL through a URL parameter on pages using the "Date Menu of news articles" plugin. Exploitation requires the "Date Menu of news articles" plugin ...

EUVD-2026-29397

The Eight Day Week Print Workflow plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'title' parameter in the pp-get-articles AJAX action in all versions up to, and including, 1.2.6. This is due to insufficient escaping on the user supplied parameter and lack of sufficie...

CVE-2026-5028

The Eight Day Week Print Workflow plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'title' parameter in the pp-get-articles AJAX action in all versions up to, and including, 1.2.6. This is due to insufficient escaping on the user supplied parameter and lack of sufficie...

CVE-2026-5028 Eight Day Week Print Workflow <= 1.2.6 - Authenticated (Subscriber+) SQL Injection via 'title' Parameter

The Eight Day Week Print Workflow plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'title' parameter in the pp-get-articles AJAX action in all versions up to, and including, 1.2.6. This is due to insufficient escaping on the user supplied parameter and lack of sufficie...

CVE-2026-5028

The Eight Day Week Print Workflow plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'title' parameter in the pp-get-articles AJAX action in all versions up to, and including, 1.2.6. This is due to insufficient escaping on the user supplied parameter and lack of sufficie...

PT-2026-39952

The Eight Day Week Print Workflow plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'title' parameter in the pp-get-articles AJAX action in all versions up to, and including, 1.2.6. This is due to insufficient escaping on the user supplied parameter and lack of sufficie...