6519 matches found

ATTACKERKB
added 2026/02/27 7:49 p.m., 3 views

CVE-2026-27832

Group-Office is an enterprise customer relationship management and groupware tool. Versions prior to 26.0.8, 25.0.87, and 6.8.153 have a SQL Injection (SQLi) vulnerability, exploitable through the advancedQueryData parameter comparator field on an authenticated endpoint. The endpoint...

CVSS 8.8, AI score 6, EPSS 0.00244
Exploits 0, References 2, Affected Software 1
Github Security Blog
added 2026/02/27 6:31 p.m., 6 views

Duplicate Advisory: Nest has a Fastify URL Encoding Middleware Bypass

Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-r4wm-x892-vjmx. This link is maintained to preserve external references. Original Description: A NestJS application using @nestjs/platform-fastify can allow bypass of authentication/authorization middleware when...

CVSS 9.8, AI score 5.8, EPSS 0.00682
Exploits 1, References 5, Affected Software 1
Microsoft CVE
added 2026/02/27 9:1 a.m., 6 views

nats-server websockets are vulnerable to pre-auth memory DoS

...

CVSS 7.5, AI score 5.9, EPSS 0.00478
Exploits 0
ATTACKERKB
added 2026/02/27 6:43 a.m., 4 views

CVE-2025-14149

The Xpro Addons — 140+ Widgets for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Image Scroller widget box link attribute in all versions up to, and including, 1.4.24 due to insufficient input sanitization and output escaping on user supplied...

CVSS 6.4, AI score 6, EPSS 0.00215
Exploits 0, References 3
Positive Technologies
added 2026/02/27 12:0 a.m., 5 views

PT-2026-22411

Name of the Vulnerable Software and Affected Versions: WeGIA versions prior to 3.6.5. Description: WeGIA is a web manager for charitable institutions. Prior to version 3.6.5, the adicionar tipo docs atendido.php script does not utilize the project’s central controller and lacks appropriate...

CVSS 9.8, AI score 5.9, EPSS 0.00514
Exploits 1, References 13
OSV
added 2026/02/25 11:7 p.m., 5 views

GO-2026-4533 nats-server websockets are vulnerable to pre-auth memory DoS in github.com/nats-io/nats-server

nats-server websockets are vulnerable to pre-auth memory DoS in github.com/nats-io/nats-server...

CVSS 7.5, AI score 5.5, EPSS 0.00478
Exploits 0, References 4
EUVD
added 2026/02/25 6:31 p.m., 5 views

EUVD-2026-8694

OpenSIPS versions 3.1 before 3.6.4 containing the authjwt module prior to commit 3822d33 contain a SQL injection vulnerability in the jwtdbauthorize function in modules/authjwt/authorize.c when dbmode is enabled and a SQL database backend is used. The function extracts the tag claim from a JWT...

CVSS 8.3, AI score 5.9, EPSS 0.00318
Exploits 0, References 6
OSV
added 2026/02/25 6:23 p.m., 4 views

CVE-2026-25554

OpenSIPS versions 3.1 before 3.6.4 containing the authjwt module prior to commit 3822d33 contain a SQL injection vulnerability in the jwtdbauthorize function in modules/authjwt/authorize.c when dbmode is enabled and a SQL database backend is used. The function extracts the tag claim from a JWT...

CVSS 6.5, AI score 6
Exploits 0, References 5
OSV
added 2026/02/25 3:11 p.m., 3 views

CVE-2026-27702 Budibase Vulnerable to Remote Code Execution via Unsafe eval() in View Filter Map Function (Budibase Cloud)

Budibase is a low code platform for creating internal tools, workflows, and admin panels. Prior to version 3.30.4, an unsafe eval vulnerability in Budibase's view filtering implementation allows any authenticated user including free tier accounts to execute arbitrary JavaScript code on the server...

CVSS 9.9, AI score 6.3, EPSS 0.00335
Exploits 1, References 6
SUSE Linux
added 2026/02/25 9:46 a.m., 5 views

Security update 5.1.2 for Multi-Linux Manager Client Tools

This update fixes the following issues: dracut-saltboot: Update to version 1.1.0 Retry DHCP requests up to 3 times bsc1253004 golang-github-QubitProducts-exporterexporter: Non-customer-facing optimization around source building golang-github-boynux-squidexporter: Update to version 1.13.0...

CVSS 8.7, AI score 5.7, EPSS 0.00677
Exploits 1, References 56
CVE
added 2026/02/23 5:32 a.m., 9 views

CVE-2026-2974

AliasVault App (up to 0.25.3) on Android/iOS contains a vulnerability in the Backup Handler that manipulates tokens inside shared_prefs/aliasvault.xml (accessToken/refreshToken/metadata/key_derivation_params/auth_methods). This can expose backup files to an unauthorized control sphere through a l...

CVSS 2.5, AI score 4.2, EPSS 0.00099
Exploits 0, References 9, Affected Software 1
CVE
added 2026/02/23 3:2 a.m., 13 views

CVE-2026-2968

Cesanta Mongoose up to 7.20 is affected in mg_chacha20_poly1305_decrypt (tls_chacha20.c, Poly1305 Authentication Tag Handler). The issue is improper verification of the cryptographic signature, with a remote attack vector. Descriptions indicate high complexity for exploitation and that the exploi...

CVSS 6.3, AI score 4.5, EPSS 0.00218
Exploits 1, References 5, Affected Software 1
RedhatCVE
added 2026/02/23 1:20 a.m., 8 views

CVE-2026-2898

A vulnerability was detected in funadmin up to 7.1.0-rc4. This issue affects the function getMember of the file app/common/service/AuthCloudService.php of the component Backend Endpoint. The manipulation of the argument cloudaccount results in deserialization. The attack may be performed from...

CVSS 6.5, AI score 5.3, EPSS 0.00223
Exploits 1, References 1
GithubExploit
added 2026/02/22 9:37 a.m., 216 views

Exploit for Deserialization of Untrusted Data in Nextgen Mirth_Connect

CVE-2023-43208 — Mirth Connect Pre-Auth RCE Pre-authenticated...

CVSS 9.8, AI score 9.1, EPSS 0.97106
Exploits 22
OSV
added 2026/02/22 3:30 a.m., 3 views

GHSA-GCXP-XG77-798J funadmin: Deserialization Vulnerability in Backend Endpoint via AuthCloudService getMember Function

A vulnerability was detected in funadmin up to 7.1.0-rc4. This issue affects the function getMember of the file app/common/service/AuthCloudService.php of the component Backend Endpoint. The manipulation of the argument cloudaccount results in deserialization. The attack may be performed from...

CVSS 5.5, AI score 5.2, EPSS 0.00223
Exploits 1, References 7
Github Security Blog
added 2026/02/22 3:30 a.m., 5 views

funadmin: Deserialization Vulnerability in Backend Endpoint via AuthCloudService getMember Function

A vulnerability was detected in funadmin up to 7.1.0-rc4. This issue affects the function getMember of the file app/common/service/AuthCloudService.php of the component Backend Endpoint. The manipulation of the argument cloudaccount results in deserialization. The attack may be performed from...

CVSS 6.5, AI score 5.1, EPSS 0.00223
Exploits 1, References 7, Affected Software 1
OSV
added 2026/02/22 1:16 a.m., 3 views

CVE-2026-2898

A vulnerability was detected in funadmin up to 7.1.0-rc4. This issue affects the function getMember of the file app/common/service/AuthCloudService.php of the component Backend Endpoint. The manipulation of the argument cloudaccount results in deserialization. The attack may be performed from...

CVSS 6.5, AI score 5.4
Exploits 0, References 5
Cvelist
added 2026/02/22 12:2 a.m., 28 views

CVE-2026-2898 funadmin Backend Endpoint AuthCloudService.php getMember deserialization

A vulnerability was detected in funadmin up to 7.1.0-rc4. This issue affects the function getMember of the file app/common/service/AuthCloudService.php of the component Backend Endpoint. The manipulation of the argument cloudaccount results in deserialization. The attack may be performed from...

CVSS 6.5, EPSS 0.00223
Exploits 1, References 5
CVE
added 2026/02/22 12:2 a.m., 13 views

CVE-2026-2898

The CVE concerns funadmin up to 7.1.0-rc4, affecting the Backend Endpoint through the function getMember in app/common/service/AuthCloudService.php. The issue stems from deserialization triggered by manipulating the cloud_account argument, enabling a remote attack. The exploit is publicly availab...

CVSS 6.5, AI score 5.2, EPSS 0.00223
Exploits 1, References 5, Affected Software 1
OSV
added 2026/02/21 8:48 a.m., 4 views

CLSA-2026-1771663697 curl: Fix of 2 CVEs

CVE-2025-14524: fix OAuth2 bearer token leak on cross-protocol redirect - CVE-2025-15224: fix libssh public-key auth fallback to SSH agent...

CVSS 5.3, AI score 6.4, EPSS 0.00611
Exploits 2, References 1