GHSA-QH43-XRJM-4GGP Kimai's User Preferences API allows standard users to modify restricted attributes: hourly_rate, internal_rate

Summary A Mass Assignment / Broken Object Property Level Authorization BOPA vulnerability in the User Preferences API allows any authenticated user even those with the lowest privileges to arbitrarily modify restricted financial attributes on their profile, specifically their hourlyrate and...

OpenRemote has XXE in Velbus Asset Import

Summary The Velbus asset import path parses attacker-controlled XML without explicit XXE hardening. An authenticated user who can call the import endpoint may trigger XML external entity processing, which can lead to server-side file disclosure and SSRF. The target file must be less than 1023...

CVE-2026-20136

A vulnerability in the CLI of Cisco Identity Services Engine ISE and Cisco ISE Passive Identity Connector ISE-PIC could allow an authenticated, local attacker with administrative privileges to perform a command injection attack on the underlying operating system and elevate privileges to root. Th...

Cisco Identity Services Engine Multiple Cross-Site Scripting Vulnerabilities

Multiple vulnerabilities in the web-based management interface of Cisco Identity Services Engine ISE could allow an authenticated, remote attacker with administrative write privileges to conduct a stored cross-site scripting XSS attack or a reflected XSS attack against a user of the web-based...

DriveLock SQL Injection Privilege Escalation Vulnerability

This vulnerability allows remote attackers to escalate privileges on affected installations of DriveLock. Authentication is required to exploit this vulnerability. The specific flaw exists within the web service, which listens on TCP port 4568 by default. The issue results from the lack of proper...

Server-side Request Forgery (SSRF)

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the isSSRFSafeURL function. An attacker can access internal services and exfiltrate sensitive data by supplying a crafted URL...

CVE-2026-39387

BoidCMS is an open-source, PHP-based flat-file CMS for building simple websites and blogs, using JSON as its database. Versions prior to 2.1.3 are vulnerable to a critical Local File Inclusion LFI attack via the tpl parameter, which can lead to Remote Code Execution RCE.The application fails to...

CVE-2026-34212

Docmost is open-source collaborative wiki and documentation software. In versions prior to 0.71.0, improper neutralization of attachment URLs in Docmost allows a low-privileged authenticated user to store a malicious javascript: URL inside an attachment node in page content. When another user vie...

CVE-2026-40291

Chamilo LMS exposes an insecure direct object modification in PUT /api/users/{id} prior to version 2.0.0-RC.3, allowing any authenticated user with ROLE_STUDENT to escalate to ROLE_ADMIN by modifying their own roles field. The API Platform check is_granted('EDIT', object) only verifies ownership,...

CVE-2026-40291 Chamilo LMS has Privilege Escalation via API User Role Modification

Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, an insecure direct object modification vulnerability in the PUT /api/users/id endpoint allows any authenticated user with ROLESTUDENT to escalate their privileges to ROLEADMIN by modifying the roles field o...

CVE-2026-6227 BackWPup <= 5.6.6 - Authenticated (Administrator+) Local File Inclusion via 'block_name' Parameter

The BackWPup plugin for WordPress is vulnerable to Local File Inclusion via the blockname parameter of the /wp-json/backwpup/v1/getblock REST endpoint in all versions up to, and including, 5.6.6 due to a non-recursive strreplace sanitization of path traversal sequences. This makes it possible for...

CVE-2026-39425 MaxKB: Stored XSS via Unsanitized html_rander Tags in Markdown Rendering

MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain a Stored Cross-Site Scripting XSS vulnerability that allows authenticated users to inject arbitrary HTML and JavaScript into the Application prologue Opening Remarks field by wrapping malicious payloads in tags...

GHSA-9PM8-VWC5-W2HM Fat Free CRM has BOLA in DELETE /emails/:id - Any authenticated user can hit this endpoint and delete emails by ID

Impact Authenticated users can delete emails imported into the system assigned to another user; where the Email Dropbox is in use. Patches Fixed in v0.26.0 Workarounds Disable use of email dropbox...

CVE-2026-39421 MaxKB: Sandbox escape via ctypes and unhooked SYS_pkey_mprotect

MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain a sandbox escape vulnerability in the ToolExecutor component. By leveraging Python's ctypes library to execute raw system calls, an authenticated attacker with workspace privileges can bypass the LDPRELOAD-based...

PT-2026-32912

A stored cross-site scripting XSS vulnerability was identified in the SVG sanitization logic. The regex pattern used to strip on event handler attributes could be bypassed using a crafted payload that exploits how the pattern matches attribute boundaries. Impact - Stored XSS via malicious SVG fil...

Microsoft Visual Studio Code CoPilot Chat Extension < 0.37.3 Information Disclosure (CVE-2026-23653)

The Microsoft Visual Studio Code CoPilot Chat Extension installed on the remote host is prior to 0.37.3. It is, therefore, affected by an information disclosure vulnerability: - A remote, authenticated attacker can exploit this vulnerability to disclose sensitive information. User interaction is...

BIT-MINIO-2026-39414 MinIO affected a DoS via Unbounded Memory Allocation in S3 Select CSV Parsing

MinIO is a high-performance object storage system. From RELEASE.2018-08-18T03-49-57Z to before RELEASE.2025-12-20T04-58-37Z, MinIO's S3 Select feature is vulnerable to memory exhaustion when processing CSV files containing lines longer than available memory. The CSV reader's nextSplit function...

Exploit for SQL Injection in Devcode Openstamanager

CVE-2026-24417: OpenSTAManager has a Time-Based Blind SQL Inje...

CVE-2026-5809

The wpForo Forum plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to and including 3.0.2. This is due to a two-step logic flaw: the topicadd and topicedit action handlers accept arbitrary user-supplied data arrays from $REQUEST and store them as postmeta without...

CVE-2026-3371

The Tutor LMS WordPress plugin (versions ≤ 3.9.7) is vulnerable to Insecure Direct Object Reference due to missing authorization checks in the private save_course_content_order() method, which is called unconditionally by the tutor_update_course_content_order AJAX handler. Attackers with Subscrib...