65167 matches found

OSV, added 2026/02/26 8:47 a.m.

BIT-MONGODB-2026-25609 profile command may permit unauthorized configuration

Incorrect validation of the profile command may result in the determination that a request altering the 'filter' is read-only...

CVSS 5.4, AI score 5.4, EPSS 0.0005, Exploits 0, References 2
Positive Technologies, added 2026/02/26 12:00 a.m.

PT-2026-22223

Name of the Vulnerable Software and Affected Versions: Initiative versions prior to 0.32.4
Description: Initiative, a self-hosted project management platform, does not invalidate previously issued JWT access tokens after a user changes their password. This allows older tokens to remain valid until...

CVSS 8.1, AI score 5.9, EPSS 0.00017, Exploits 1, References 11
CNNVD, added 2026/02/26 12:00 a.m.

Initiative code issue vulnerability

Initiative is an open-source project management platform developed by Morelitea. Versions of Initiative prior to 0.32.4 contained code vulnerabilities. These vulnerabilities stemmed from a lack of a mechanism to invalidate previously issued JWT access tokens after users changed their passwords,...

CVSS 8.1, AI score 5.9, EPSS 0.00017, Exploits 1, References 2
NVD, added 2026/02/25 10:16 p.m.

CVE-2026-27575

Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, the application allows users to set weak passwords (e.g., 1234, password) without enforcing minimum strength requirements. Additionally, active sessions remain valid after a user changes their password. An...

CVSS 9.1, EPSS 0.00022, Exploits 1, References 2
Snyk, added 2026/02/25 10:02 p.m.

Insufficient Session Expiration

Overview: Affected versions of this package are vulnerable to Insufficient Session Expiration in the authentication and session management process. An attacker can gain unauthorized access to user accounts and maintain persistent access even after a password change by exploiting weak password...

CVSS 9.3, AI score 6, EPSS 0.00022, Exploits 1, References 3
ATTACKERKB, added 2026/02/25 9:35 p.m.

CVE-2026-27575

Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, the application allows users to set weak passwords (e.g., 1234, password) without enforcing minimum strength requirements. Additionally, active sessions remain valid after a user changes their password. An...

CVSS 9.1, AI score 5.8, EPSS 0.00022, Exploits 1, References 3, Affected Software 1
OSV, added 2026/02/25 9:16 p.m.

UBUNTU-CVE-2026-1747

GitLab has remediated an issue in GitLab EE affecting all versions from 17.11 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that, under certain conditions, could have allowed Developer-role users with insufficient privileges to make unauthorized modifications to protected Conan packag...

CVSS 4.3, AI score 5.8, EPSS 0.00014, Exploits 0, References 5
OSV, added 2026/02/25 7:11 p.m.

GHSA-6J87-M5QX-9FQP Craft CMS has Stored XSS in Table Field in its "Row Heading" Column Type

A stored Cross-site Scripting (XSS) vulnerability exists in the editableTable.twig component when using the Row Heading column type. The application fails to sanitize input within row headings, allowing an attacker to execute arbitrary JavaScript when another user views a page with the malicious...

CVSS 2.3, AI score 6, Exploits 0, References 6
Snyk, added 2026/02/25 7:11 p.m.

Cross-site Scripting (XSS)

Overview: craftcms/cms is a content management system. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the editableTable.twig component when processing the Row Heading column type. An attacker can execute arbitrary JavaScript in the context of another user's sessio...

CVSS 3.1, AI score 5.9, Exploits 0, References 2
RedhatCVE, added 2026/02/25 4:17 p.m.

CVE-2026-27518

Binardat 10G08-0800GSM network switch firmware version V300SP10260209 and prior lack CSRF protections for state-changing actions in the administrative interface. An attacker can trick an authenticated administrator into performing unauthorized configuration changes...

CVSS 5.1, AI score 5.4, EPSS 0.0002, Exploits 0, References 1
RedHat Linux, added 2026/02/25 3:20 p.m.

kernel: drm/i915: Fix NULL ptr deref by checking new_crtc_state

A NULL pointer dereference vulnerability was found in the Intel i915 graphics driver in the Linux kernel. The intel_atomic_get_new_crtc_state function can return NULL if the CRTC state was not previously obtained via intel_atomic_get_crtc_state, but the return value was not checked before use. This leads ...

AI score 5.7, EPSS 0.00024, Exploits 0, References 5
RedhatCVE, added 2026/02/25 4:06 a.m.

CVE-2026-27126

Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, a stored Cross-site Scripting (XSS) vulnerability exists in the editableTable.twig component when using the html column type. The application fails to sanitize the input, allowing an attack...

CVSS 5.9, AI score 5.9, EPSS 0.00012, Exploits 0, References 1
Positive Technologies, added 2026/02/25 12:00 a.m.

PT-2026-22031

Name of the Vulnerable Software and Affected Versions: Vikunja versions prior to 2.0.0
Description: The application allows users to set weak passwords without enforcing minimum strength requirements. Active sessions remain valid after a user changes their password, potentially allowing an attacker...

CVSS 9.9, AI score 5.3, EPSS 0.07313, Exploits 68, References 141
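The Initiative and Vikunja entries above share one defect: tokens or sessions issued before a password change keep working afterwards, and Vikunja additionally accepts trivially weak passwords. The following Go program is an added example written for this listing, not code from either project. It uses a constructed HMAC-signed token format ("userID.issuedAt.signature") that stands in for a JWT or opaque session token, and a hypothetical authService whose checkPasswordAge flag switches between the reported behaviour (false) and the fix (true): each user's last password-change time is recorded, and any token whose issue time is not strictly after it is rejected, so no per-token bookkeeping is needed. The password-strength rule and denylist are likewise constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Constructed token format: "<userID>.<issuedAtUnix>.<sig>", sig being
// HMAC-SHA256 over "<userID>.<issuedAtUnix>". It stands in for a JWT or
// opaque session token; it is not the format used by Initiative or Vikunja.

// authService is hypothetical. Password hashing and storage are out of scope;
// only the time of the last password change matters for the token check.
type authService struct {
	key               []byte
	passwordChangedAt map[string]time.Time // missing key: never changed
	checkPasswordAge  bool                 // false reproduces the advisories
}

func newAuthService(key []byte, checkPasswordAge bool) *authService {
	return &authService{key: key, passwordChangedAt: map[string]time.Time{}, checkPasswordAge: checkPasswordAge}
}

func (a *authService) sign(payload string) string {
	m := hmac.New(sha256.New, a.key)
	m.Write([]byte(payload))
	return base64.RawURLEncoding.EncodeToString(m.Sum(nil))
}

// Issue mints a token that records its issue time in whole seconds.
func (a *authService) Issue(userID string, now time.Time) string {
	payload := userID + "." + strconv.FormatInt(now.Unix(), 10)
	return payload + "." + a.sign(payload)
}

// ChangePassword enforces the strength rule, then records when the credential
// changed; every token issued at or before that instant stops verifying.
func (a *authService) ChangePassword(userID, newPassword string, now time.Time) error {
	if err := checkPasswordStrength(newPassword); err != nil {
		return err
	}
	a.passwordChangedAt[userID] = now
	return nil
}

// Verify checks the signature, then (when enabled) rejects any token whose
// issue time is not strictly after the last password change. A token minted
// in the same second as the change is rejected too, which errs on the safe side.
func (a *authService) Verify(token string) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed token")
	}
	payload := parts[0] + "." + parts[1]
	if !hmac.Equal([]byte(a.sign(payload)), []byte(parts[2])) {
		return "", errors.New("bad signature")
	}
	iat, err := strconv.ParseInt(parts[1], 10, 64)
	if err != nil {
		return "", errors.New("bad issued-at")
	}
	if a.checkPasswordAge && !time.Unix(iat, 0).After(a.passwordChangedAt[parts[0]]) {
		return "", errors.New("token predates password change")
	}
	return parts[0], nil
}

// checkPasswordStrength is a deliberately small policy: a length floor plus
// a constructed denylist of common values (case-insensitive).
func checkPasswordStrength(pw string) error {
	if len(pw) < 8 {
		return errors.New("password shorter than 8 characters")
	}
	for _, bad := range []string{"password", "12345678", "qwertyuiop"} {
		if strings.EqualFold(pw, bad) {
			return errors.New("password is on the denylist")
		}
	}
	return nil
}

func main() {
	svc := newAuthService([]byte("constructed-demo-key"), true)
	t0 := time.Date(2026, 2, 25, 10, 0, 0, 0, time.UTC)
	old := svc.Issue("alice", t0)
	_ = svc.ChangePassword("alice", "staple-horse-battery-2", t0.Add(time.Minute))
	_, err := svc.Verify(old)
	fmt.Println("old token after password change:", err)
	who, err := svc.Verify(svc.Issue("alice", t0.Add(2*time.Minute)))
	fmt.Println("fresh token:", who, err)
}
```

The same timestamp comparison works for stateless JWTs: put the change time in the user record and compare it with the token's iat claim on every request, which is cheaper than maintaining a revocation list of every token ever issued.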
RedhatCVE, added 2026/02/24 10:25 p.m.

CVE-2026-27513

Shenzhen Tenda F3 Wireless Router firmware V12.01.01.55_multi contains a cross-site request forgery (CSRF) vulnerability in the web-based administrative interface. The interface does not implement anti-CSRF protections, allowing an attacker to induce an authenticated administrator to submit...

CVSS 5.1, AI score 5.3, EPSS 0.0002, Exploits 0, References 1
OSV, added 2026/02/24 5:29 p.m.

UBUNTU-CVE-2026-27589

Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the local Caddy admin API (default listen 127.0.0.1:2019) exposes a state-changing POST /load endpoint that replaces the entire running configuration. When origin enforcement is not enabled (enforce_origin not...

CVSS 8.2, AI score 5.8, EPSS 0.00027, Exploits 1, References 6
CVE, added 2026/02/24 4:33 p.m.

CVE-2026-27590

Caddy prior to 2.11.1 is affected. The FastCGI path-splitting logic lowercased the request path to compute a split index, then used that index on the original path; Unicode can change byte length after lowercasing, causing SCRIPT_NAME/SCRIPT_FILENAME and PATH_INFO misalignment. This path confusio...

CVSS 9.8, AI score 5.9, EPSS 0.00245, Exploits 1, References 3, Affected Software 1
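The defect described in the entry above is an index computed on one string and applied to another. The following Go program is an added illustration written for this listing, not Caddy's own code: splitPathLowercased reproduces the pattern of locating the configured extension in a lowercased copy of the path and slicing the original at that offset, and splitPathAligned is an assumed hardening that folds only ASCII letters so every byte offset stays valid for the original string (Caddy's actual fix may differ). The sample path is constructed: U+0130 (LATIN CAPITAL LETTER I WITH DOT ABOVE) is two bytes in UTF-8, but Go's strings.ToLower maps it to the one-byte ASCII 'i', so the lowercased copy is one byte shorter and the split lands one byte early.

```go
package main

import (
	"fmt"
	"strings"
)

// splitPathLowercased mirrors the vulnerable pattern from the advisory: the
// split index is found in a lowercased copy of the path and then applied to
// the original bytes. Illustrative reimplementation, not Caddy's code.
func splitPathLowercased(path, ext string) (scriptName, pathInfo string, ok bool) {
	lower := strings.ToLower(path) // byte length may differ for non-ASCII runes
	idx := strings.Index(lower, strings.ToLower(ext))
	if idx < 0 {
		return "", "", false
	}
	split := idx + len(ext)
	if split > len(path) { // lowercasing can also grow the string
		split = len(path)
	}
	return path[:split], path[split:], true
}

// asciiLower folds only A-Z, so the result has exactly the input's byte
// length and any index into it is a valid index into the original.
func asciiLower(s string) string {
	b := []byte(s)
	for i, c := range b {
		if 'A' <= c && c <= 'Z' {
			b[i] = c + ('a' - 'A')
		}
	}
	return string(b)
}

// splitPathAligned is the assumed hardening: the case-insensitive search runs
// over a length-preserving fold, so SCRIPT_NAME and PATH_INFO stay aligned.
func splitPathAligned(path, ext string) (scriptName, pathInfo string, ok bool) {
	idx := strings.Index(asciiLower(path), asciiLower(ext))
	if idx < 0 {
		return "", "", false
	}
	split := idx + len(ext)
	return path[:split], path[split:], true
}

func main() {
	// Constructed sample: "/İndex.php/secret" with U+0130 as the second byte run.
	path := "/\u0130ndex.php/secret"
	for _, c := range []struct {
		name string
		fn   func(string, string) (string, string, bool)
	}{{"lowercased", splitPathLowercased}, {"aligned", splitPathAligned}} {
		sn, pi, _ := c.fn(path, ".php")
		fmt.Printf("%-10s SCRIPT_NAME=%q PATH_INFO=%q\n", c.name, sn, pi)
	}
}
```

With the lowercased variant the sample path splits into "/İndex.ph" and "p/secret", so the script name no longer ends in the configured extension and PATH_INFO starts mid-token; the aligned variant yields "/İndex.php" and "/secret". Both functions agree on pure-ASCII paths, which is why a test suite without non-ASCII inputs would not catch this.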
NVD, added 2026/02/24 4:24 p.m.

CVE-2026-27518

Binardat 10G08-0800GSM network switch firmware version V300SP10260209 and prior lack CSRF protections for state-changing actions in the administrative interface. An attacker can trick an authenticated administrator into performing unauthorized configuration changes...

CVSS 5.1, EPSS 0.0002, Exploits 0, References 2
Cvelist, added 2026/02/24 3:06 p.m.

CVE-2026-27518 Binardat 10G08-0800GSM Network Switch CSRF

Binardat 10G08-0800GSM network switch firmware version V300SP10260209 and prior lack CSRF protections for state-changing actions in the administrative interface. An attacker can trick an authenticated administrator into performing unauthorized configuration changes...

CVSS 5.1, EPSS 0.0002, Exploits 0, References 2
CVE, added 2026/02/24 3:06 p.m.

CVE-2026-27518

CVE-2026-27518 affects Binardat 10G08-0800GSM Network Switch firmware up to version V300SP10260209, which allegedly lacks CSRF protections for state-changing actions in the administrative interface. An authenticated administrator can be tricked into performing unauthorized configuration changes. ...

CVSS 5.1, AI score 5.4, EPSS 0.0002, Exploits 0, References 2, Affected Software 1
NVD, added 2026/02/24 3:16 a.m.

CVE-2026-27126

Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, a stored Cross-site Scripting (XSS) vulnerability exists in the editableTable.twig component when using the html column type. The application fails to sanitize the input, allowing an attack...

CVSS 5.9, EPSS 0.00012, Exploits 0, References 2