GHSA-8C9Q-7855-WFXQ File Browser has a Command Execution Allowlist Bypass via Shell Metacharacter Injection

!NOTE This feature has been disabled by default for all installations from v2.33.8 onwards, including for existent installations. To exploit this vulnerability, the instance administrator must turn on a feature and ignore all the warnings about known vulnerabilities. We're publishing this new...

Commerce Core - Moderately critical - Cross site scripting - SA-CONTRIB-2026-041

The module doesn't sufficiently sanitize customer comments in the order receipt email template; this could be exploited to achieve Cross-site Scripting XSS. This vulnerability is mitigated by the fact that it only affects installations with Checkout commercecheckout enabled, and the "Comments"...

Incorrect Privilege Assignment

Overview Affected versions of this package are vulnerable to Incorrect Privilege Assignment in the pre-auth logic that enables an attacker to activate the default-disabled POJO import feature. The attacker can then upload and import a malicious Java POJO leading to execution of arbitrary code by...

SUSE CVE-2026-33260

An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default...

CVE-2026-33254

An attacker can create a large number of concurrent DoQ or DoH3 connections, causing unlimited memory allocation in DNSdist and leading to a denial of service. DOQ and DoH3 are disabled by default...

CVE-2026-33254

CVE-2026-33254 affects PowerDNS DNSdist. An attacker can open a large number of concurrent DoQ/DoH3 connections, causing unbounded memory allocation and denial of service. DoQ/DoH3 are disabled by default, which mitigates impact per the sources; no patch/version details are provided in the docume...

CVE-2026-33254 Resource exhaustion via DoQ/DoH3 connections

An attacker can create a large number of concurrent DoQ or DoH3 connections, causing unlimited memory allocation in DNSdist and leading to a denial of service. DOQ and DoH3 are disabled by default...

CVE-2026-33254 Resource exhaustion via DoQ/DoH3 connections

An attacker can create a large number of concurrent DoQ or DoH3 connections, causing unlimited memory allocation in DNSdist and leading to a denial of service. DOQ and DoH3 are disabled by default...

CVE-2026-33254

An attacker can create a large number of concurrent DoQ or DoH3 connections, causing unlimited memory allocation in DNSdist and leading to a denial of service. DOQ and DoH3 are disabled by default...

EUVD-2026-24720

An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default...

EUVD-2026-24725

An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default...

CVE-2026-33257

An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default...

CVE-2026-33256

An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default...

CVE-2026-33260 Insufficient input validation of internal webserver

An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default...

CVE-2026-33260

An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default...

CVE-2026-33257 Insufficient input validation of internal webserver

An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default...

CVE-2026-33256 Unbounded memory allocation by internal web server

An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default...

CVE-2026-33256

An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default...

PT-2026-34436

Name of the Vulnerable Software and Affected Versions DNSdist affected versions not specified Description An attacker can create a large number of concurrent DoQ DNS over QUIC or DoH3 DNS over HTTP/3 connections, causing unlimited memory allocation and leading to a denial of service. DoQ and DoH3...

PT-2026-34321

Name of the Vulnerable Software and Affected Versions The product name cannot be determined affected versions not specified Description An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is...