CVE-2026-8207

Gibbon versions before v30.0.01 are affected by an authenticated SQL Injection vulnerability by abusing the Tracking/graphing https://github.com/GibbonEdu/core/blob/c431e25fdc874adece5d2dc7e408e9aa2d1abadb/modules/Tracking/graphing.phpL145 feature. Successful exploitation requires Teacher or high...

CVE-2026-8207

Gibbon up to version 30.0.01 is affected by an authenticated SQL injection via the Tracking/graphing feature in Tracking/graphing.php (line 145). Exploitation requires Teacher or higher privileges and can lead to unintended read/write access to the database. A fix is available in Gibbon v30.0.01;...

CVE-2026-8207

Gibbon versions before v30.0.01 are affected by an authenticated SQL Injection vulnerability by abusing the Tracking/graphing https://github.com/GibbonEdu/core/blob/c431e25fdc874adece5d2dc7e408e9aa2d1abadb/modules/Tracking/graphing.phpL145 feature. Successful exploitation requires Teacher or high...

CVE-2026-36458

ChestnutCMS v1.5.10 has a SQL injection vulnerability. The content parameter of the cmscontent tag can be manipulated in the admin backend and injected into a SQL query when the template is rendered...

CVE-2026-8126

A flaw has been found in SourceCodester Comment System 1.0. This issue affects some unknown processing of the file postcomment.php. This manipulation of the argument Name causes sql injection. Remote exploitation of the attack is possible. The exploit has been published and may be used...

Unity Linux 20.1060e / 20.1070e Security Update: clamav (UTSA-2026-017365)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-017365 advisory. A vulnerability in the regex module used by the signature database load module of Clam AntiVirus ClamAV versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and...

Gibbon SQL注入漏洞

Gibbon is a school platform developed by the Gibbon team that addresses practical issues encountered by educators every day. Versions of Gibbon prior to v30.0.01 contained an SQL injection vulnerability. This vulnerability stemmed from the misuse of the Tracking/graphing feature, allowing...

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: python-django (UTSA-2026-016791)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-016791 advisory. An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on RasterField only implemented on PostGIS allows remote...

CVE-2026-42287

Emlog is an open source website building system. Prior to version 2.6.11, direct SQL injection in article creation and update functions allows attackers to execute arbitrary SQL commands, potentially leading to complete database compromise, data theft, or system destruction. This issue has been...

CVE-2026-42287

Emlog is an open source website building system. Prior to version 2.6.11, direct SQL injection in article creation and update functions allows attackers to execute arbitrary SQL commands, potentially leading to complete database compromise, data theft, or system destruction. This issue has been...

CVE-2026-42287 Emlog: SQL Injection Vulnerability in log_model.php within addLog() and updateLog() Functions

Emlog is an open source website building system. Prior to version 2.6.11, direct SQL injection in article creation and update functions allows attackers to execute arbitrary SQL commands, potentially leading to complete database compromise, data theft, or system destruction. This issue has been...

CVE-2026-42287 Emlog: SQL Injection Vulnerability in log_model.php within addLog() and updateLog() Functions

Emlog is an open source website building system. Prior to version 2.6.11, direct SQL injection in article creation and update functions allows attackers to execute arbitrary SQL commands, potentially leading to complete database compromise, data theft, or system destruction. This issue has been...

ai.starlake:spark-redshift_2.13 (>=6.5.0 <=6.5.1), ai.starlake:starlake-api_2.13 (>=1.5.8 <=1.5.15) +87 more potentially affected by CVE-2026-8178 via com.amazon.redshift:redshift-jdbc42 (>=2.0.0.3 <=2.2.1)

com.amazon.redshift:redshift-jdbc42 MAVEN version =2.0.0.3, =6.5.0, =1.5.8, =2025.34.3, =0.293, =0.293, =5.0.0, =5.1.0, =1.3.0, =1.19.1891, =0.1.15-alpha, =0.1.15-alpha, =0.1.15-alpha, =3.2.171, =6.0.0-spark3.3, =6.6.0-spark3.5 and more Source cves: CVE-2026-8178 Source advisory:...

GHSA-7R82-QHG4-6WVJ Open WebUI has Knowledge Base Destruction and RAG Poisoning via Unauthorized Collection Overwrite

Knowledge Base Destruction and RAG Poisoning via Unauthorized Collection Overwrite Affected Component Retrieval web/YouTube processing endpoints: - backend/openwebui/routers/retrieval.py lines 1810-1837, processweb - backend/openwebui/routers/retrieval.py the parallel processyoutube endpoint -...

Open WebUI has Knowledge Base Destruction and RAG Poisoning via Unauthorized Collection Overwrite

Knowledge Base Destruction and RAG Poisoning via Unauthorized Collection Overwrite Affected Component Retrieval web/YouTube processing endpoints: - backend/openwebui/routers/retrieval.py lines 1810-1837, processweb - backend/openwebui/routers/retrieval.py the parallel processyoutube endpoint -...

CVE-2026-8178 Remote Code Execution via Unsafe Class Loading in Amazon Redshift JDBC Driver

An issue exists in Amazon Redshift JDBC Driver versions prior to 2.2.2. Under certain conditions, the driver could load and execute arbitrary classes when processing JDBC connection URL parameters. An actor who can influence the connection URL could potentially execute code in the application...

EUVD-2026-28808

Nornicdb is a distributed low-latency, Graph+Vector, Temporal MVCC with all sub-ms HNSW search, graph traversal, and writes. Prior to version 1.0.42-hotfix, the --address CLI flag and NORNICDBADDRESS / server.host config key is plumbed through to the HTTP server correctly but never reaches the Bo...

CVE-2026-41524 Ajax30/BraveCMS-2.0: Stored XSS in Page / Article Content

Brave CMS is an open-source CMS. Prior to commit 6c56603, page and article body content entered through the CKEditor rich-text editor is stored verbatim in the database and subsequently rendered with Laravel Blade's unescaped output directive !! !!. Any JavaScript or HTML injected by an editor-ro...

CVE-2026-44337

PraisonAI is a multi-agent teams system. From version 2.4.1 to before version 4.6.34, PraisonAI exposes optional SQL/CQL-backed knowledge-store implementations that build table and index identifiers from unvalidated name and collection arguments. Applications that pass untrusted collection names...

EUVD-2026-28594

PraisonAI is a multi-agent teams system. Prior to praisonai version 4.6.9 and praisonaiagents version 1.6.9, the fix for CVE-2026-40315 added input validation to SQLiteConversationStore only. Nine sibling backends — MySQL, PostgreSQL, async SQLite/MySQL/PostgreSQL, Turso, SingleStore, Supabase,...