EUVD-2026-33998

Medplum before 5.1.14 contains a server-side request forgery vulnerability in the subscription worker that allows authenticated users to perform unauthorized internal network requests by creating FHIR Subscription resources with arbitrary endpoint URLs. Attackers can point subscription endpoints ...

CVE-2026-4915

Mattermost versions 11.6.x = 11.6.0, 11.5.x = 11.5.3, 11.4.x = 11.4.4, 10.11.x = 10.11.14 fail to filter nil elements from outgoing webhook attachment payloads before processing, which allows an authenticated user to cause a denial of service server process termination via a crafted webhook...

CVE-2026-43879 WWBN AVideo: Blind SSRF in YPTWallet Donation Webhook via Missing isSSRFSafeURL() Check and CURLOPT_FOLLOWLOCATION Redirect Bypass

WWBN AVideo is an open source video platform. In versions up to and including 29.0, an authenticated user can configure their own donation-notification webhook URL to point at internal/loopback/metadata hosts e.g. http://127.0.0.1:8080/..., http://169.254.169.254/latest/..., RFC1918 addresses. Wh...

CVE-2026-42226 n8n: Credential Authorization Bypass in dynamic-node-parameters Allows Foreign API Key Replay

n8n is an open source workflow automation platform. Prior to versions 1.123.33 and 2.17.5, the dynamic-node-parameters endpoints did not verify whether the authenticated caller was authorized to use a supplied credential reference. An authenticated user with access to a shared workflow could supp...

CVE-2026-6393

The CVE concerns the WordPress plugin BetterDocs (versions up to and including 4.3.11). The vulnerability lies in the function generate_openai_content_callback() , which lacks proper permission checks and relies on a nonce, allowing authenticated attackers with subscriber-level access or higher t...

Linux Distros Unpatched Vulnerability : CVE-2026-30924

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - qui is a web interface for managing qBittorrent instances. Versions 1.14.1 and below use a permissive CORS policy that reflects arbitrary origins while also...

Linux Distros Unpatched Vulnerability : CVE-2025-14560

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.1 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain...

EUVD-2025-198234

Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an Insecure Direct Object Reference IDOR vulnerability allows any authenticated user to change the display names of other participants in polls without being an admin or the poll owner. By manipulating the...