CVE-2026-3064 HummerRisk Cloud Task Scheduler ResourceCreateService.java command injection

A security vulnerability has been detected in HummerRisk up to 1.5.0. Affected by this issue is some unknown functionality of the file ResourceCreateService.java of the component Cloud Task Scheduler. Such manipulation of the argument regionId leads to command injection. The attack may be launche...

CVE-2026-3064 HummerRisk Cloud Task Scheduler ResourceCreateService.java command injection

A security vulnerability has been detected in HummerRisk up to 1.5.0. Affected by this issue is some unknown functionality of the file ResourceCreateService.java of the component Cloud Task Scheduler. Such manipulation of the argument regionId leads to command injection. The attack may be launche...

EUVD-2026-7404

A security vulnerability has been detected in HummerRisk up to 1.5.0. Affected by this issue is some unknown functionality of the file ResourceCreateService.java of the component Cloud Task Scheduler. Such manipulation of the argument regionId leads to command injection. The attack may be launche...

PT-2026-21760

Name of the Vulnerable Software and Affected Versions Payload versions prior to 3.75.0 Description Payload is a free and open source headless content management system. A Server-Side Request Forgery SSRF issue exists in the external file upload functionality. Insufficient validation of HTTP...

PT-2026-21813

Name of the Vulnerable Software and Affected Versions Dagu versions up to and including 1.16.7 Description Dagu, a workflow engine, contains a flaw in the CreateNewDAG API endpoint POST /api/v1/dags. The endpoint does not properly validate the DAG name before storing it, allowing an authenticated...

CVE-2019-25447

OrientDB 3.0.17 GA Community Edition contains cross-site request forgery vulnerabilities that allow attackers to perform unauthorized actions by crafting malicious requests to endpoints like /database/, /command/, and /document/. Attackers can create or delete databases, modify schema classes,...

K000160103: PostgreSQL vulnerability CVE-2022-2625

Security Advisory Description A vulnerability was found in PostgreSQL. This attack requires permission to create non-temporary objects in at least one schema, the ability to lure or wait for an administrator to create or update an affected extension in that schema, and the ability to lure or wait...

SUSE-SU-2026:20588-1 Security update for postgresql15

This update for postgresql15 fixes the following issues: Update to version 15.16. Security issues fixed: - CVE-2026-2003: improper validation of type "oidvector" may allow disclose a few bytes of server memory bsc1258008. - CVE-2026-2004: intarray missing validation of type of input to selectivit...

OPENSUSE-SU-2026:20265-1 Security update for postgresql14

This update for postgresql14 fixes the following issues: Update to version 14.21. Security issues fixed: - CVE-2026-2003: improper validation of type "oidvector" may allow disclose a few bytes of server memory bsc1258008. - CVE-2026-2004: intarray missing validation of type of input to selectivit...

SUSE-SU-2026:20587-1 Security update for postgresql14

This update for postgresql14 fixes the following issues: Update to version 14.21. Security issues fixed: - CVE-2026-2003: improper validation of type "oidvector" may allow disclose a few bytes of server memory bsc1258008. - CVE-2026-2004: intarray missing validation of type of input to selectivit...

Incorrect Privilege Assignment

Overview getformwork/formwork is an a file-based Content Management System CMS to make and manage simple sites. Affected versions of this package are vulnerable to Incorrect Privilege Assignment due to insufficient privilege checks in the create user function. An attacker can gain unauthorized...

@deno/sandbox (>=0.0.9 <=0.6.0), @ekairos/dataset (>=1.21.56-beta.0 <=1.22.34-beta.development.0) +45 more potentially affected by unknown CVE via devalue (>=5.0.0 <=5.6.2)

devalue NPM version =5.0.0, =0.0.9, =1.21.56-beta.0, =1.22.4-beta.development.0, =1.21.56-beta.0, =1.21.67-beta.0, =1.21.88-beta.0, =0.0.0-dev-20260121145510, =0.0.0-dev-20260115183047, =0.0.0-dev-20260115183047, =0.0.0-dev-20260115183047, =2.3.65, =1.1.27, =1.1.21, =1.2.263, =2.2.3, =4.0.1 and...

CVE-2026-26202 Penpot has Arbitrary File Read via create-font-variant RPC endpoint

Penpot is an open-source design tool for design and code collaboration. Prior to version 2.13.2, an authenticated user can read arbitrary files from the server by supplying a local file path e.g. /etc/passwd as a font data chunk in the create-font-variant RPC endpoint, resulting in the file...

CVE-2026-26202 Penpot has Arbitrary File Read via create-font-variant RPC endpoint

Penpot is an open-source design tool for design and code collaboration. Prior to version 2.13.2, an authenticated user can read arbitrary files from the server by supplying a local file path e.g. /etc/passwd as a font data chunk in the create-font-variant RPC endpoint, resulting in the file...

CVE-2026-25940 jsPDF's PDF Injection in AcroForm module allows Arbitrary JavaScript Execution (RadioButton.createOption and "AS" property)

jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to one of the following property, a user ca...

CVE-2025-70141

SourceCodester Customer Support System 1.0 contains an incorrect access control vulnerability in ajax.php. The AJAX dispatcher does not enforce authentication or authorization before invoking administrative methods in adminclass.php based on the action parameter. An unauthenticated remote attacke...

CVE-2025-70141

SourceCodester Customer Support System 1.0 contains an incorrect access control vulnerability in ajax.php. The AJAX dispatcher does not enforce authentication or authorization before invoking administrative methods in adminclass.php based on the action parameter. An unauthenticated remote attacke...

CVE-2025-70141

SourceCodester Customer Support System 1.0 contains an incorrect access control vulnerability in ajax.php. The AJAX dispatcher does not enforce authentication or authorization before invoking administrative methods in adminclass.php based on the action parameter. An unauthenticated remote attacke...

CLSA-2026-1771407667 freerdp: Fix of CVE-2026-22856

CVE-2026-22856: fix heap use-after-free in createirpthread...

CVE-2026-2386

The The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Incorrect Authorization in all versions up to, and including, 6.4.7. This is due to the tpaecreatepage AJAX handler authorizing users only with...