EUVD-2026-8915

Manyfold is an open source, self-hosted web application for managing a collection of 3d models, particularly focused on 3d printing. Prior to version 0.133.1, the getmodel method in ModelFilesController line 158-160 loads models using Model.findparamparams:modelid without policyscope, bypassing...

CVE-2026-28225 Manyfold has IDOR in ModelFilesController

Manyfold is an open source, self-hosted web application for managing a collection of 3d models, particularly focused on 3d printing. Prior to version 0.133.1, the getmodel method in ModelFilesController line 158-160 loads models using Model.findparamparams:modelid without policyscope, bypassing...

CVE-2026-28225

Manyfold is exposed to an authorization bypass in older releases. Before version 0.133.1, the get_model method in ModelFilesController loads models with Model.find_param(params[:model_id]) without enforcing policy_scope(), bypassing Pundit authorization, unlike other controllers (e.g., ModelsCont...

CVE-2026-28225 Manyfold has IDOR in ModelFilesController

Manyfold is an open source, self-hosted web application for managing a collection of 3d models, particularly focused on 3d printing. Prior to version 0.133.1, the getmodel method in ModelFilesController line 158-160 loads models using Model.findparamparams:modelid without policyscope, bypassing...

CVE-2026-25929

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the document controller’s patientpicture context serves the patient’s photo by document ID or patient ID without verifying that the current user is authorized to access...

EUVD-2026-8882

Unitree Go2 firmware versions 1.1.7 through 1.1.11, when used with the Unitree Go2 Android application com.unitree.doggo2, are vulnerable to remote code execution due to missing integrity protection and validation of user-created programmes. The Android application stores programs in a local SQLi...

CVE-2026-1229 vulnerabilities

Vulnerabilities for packages: helm, crossplane-provider-family-aws, crossplane, argo-events, cerbos, crossplane-provider-aws-elasticache, argo-cd, apko, crossplane-provider-aws-cloudformation, external-secrets-operator, pulumi-language-dotnet, helm-push, crossplane-provider-aws-ec2,...

GHSA-Q9HV-HPM4-HJ6X vulnerabilities

Vulnerabilities for packages: helm, crossplane-provider-family-aws, crossplane, argo-events, cerbos, crossplane-provider-aws-elasticache, argo-cd, apko, crossplane-provider-aws-cloudformation, external-secrets-operator, pulumi-language-dotnet, helm-push, crossplane-provider-aws-ec2,...

EUVD-2026-8878

Discourse is an open source discussion platform. Versions prior to 2025.12.2, 2026.1.1, and 2026.2.0 have an IDOR Insecure Direct Object Reference in ReviewableNotesController. When enablecategorygroupmoderation is enabled, a user belonging to a category moderation group can create or delete thei...

CVE-2026-26973

Discourse is an open source discussion platform. Versions prior to 2025.12.2, 2026.1.1, and 2026.2.0 have an IDOR Insecure Direct Object Reference in ReviewableNotesController. When enablecategorygroupmoderation is enabled, a user belonging to a category moderation group can create or delete thei...

CVE-2026-1229 vulnerabilities

Vulnerabilities for packages: crossplane-fips, terraform, buildkitd, crossplane, nfpm, crossplane-provider-family-aws-fips, crossplane-provider-aws-cognitoidentity-fips, melange, crossplane-provider-family-aws, argocd-image-updater, crossplane-provider-aws-cloudformation-fips, openbao,...

CVE-2026-26682

An issue in fastCMS before v.0.1.6 allows a local attacker to execute arbitrary code via the PluginController.java component...

CVE-2026-26207

CVE-2026-26207 affects Discourse with the discourse-policy plugin. Prior to versions 2025.12.2, 2026.1.1 and 2026.2.0, PolicyController loads posts by ID without verifying the current user’s visibility, allowing authenticated users to interact with policies on posts they cannot view and to enumer...

Discourse 安全漏洞

Discourse is an open-source community discussion platform developed by Discourse. This platform includes features such as communities, email communication, and chat rooms. Versions of Discourse before 2025.12.2, 2026.1.1, and 2026.2.0 contain security vulnerabilities. These vulnerabilities stem...

CVE-2026-26682

An issue in fastCMS before v.0.1.6 allows a local attacker to execute arbitrary code via the PluginController.java component...

PT-2026-22236

A flaw has been found in psi-probe PSI Probe up to 5.3.0. The impacted element is the function handleRequestInternal of the file psi-probe-core/src/main/java/psiprobe/controllers/sessions/ExpireSessionsController.java of the component Session Handler. Executing a manipulation can lead to denial o...

FastCMS 安全漏洞

FastCMS is a content management system developed by FastCMS Inc. Versions of FastCMS prior to 0.1.6 contained security vulnerabilities. These vulnerabilities were caused by issues with the PluginController.java component, which could allow local attackers to execute arbitrary code...

CVE-2026-26682

An issue in fastCMS before v.0.1.6 allows a local attacker to execute arbitrary code via the PluginController.java component...

Cisco Catalyst SD-WAN Controller Authentication Bypass (cisco-sa-sdwan-rpa-EHchtZk)

According to its self-reported version, Cisco SD-WAN Viptela Software is affected by a vulnerability. - A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an...

PSI Probe 访问控制错误漏洞

PSI Probe is an open-source monitoring and management tool for Tomcat developed by Psi-Probe. Versions of PSI Probe 5.3.0 and earlier contained a access control vulnerability. This vulnerability stemmed from improper access control due to operations on parameters in the file...