PT-2026-44493

Name of the Vulnerable Software and Affected Versions Kibana affected versions not specified Description Improper neutralization of input during web page generation allows for stored HTML injection. A user with write access to an Elasticsearch index can persist crafted markup that is not...

Summarize 安全漏洞

Summarize is a multi-source rapid summarization tool developed by Peter Steinberger. Versions of Summarize prior to 0.15.1 contain security vulnerabilities. These vulnerabilities stem from an issue with authorization deficiencies, which could allow attackers to execute browser automation operatio...

Vinyl/Varnish -- HTTP/2 parsing deficiency

Vinyl Development Team reports: A deficiency in HTTP/2 request parsing can be exploited to launch a backend request desync attack request smuggling, which in turn can be used for cache poisoning, authentication bypass or possibly even information disclosure and manipulation...

ROS-20260505-73-0056

Vulnerability in python3.10 related to insufficient neutralization of special elements in a request. Exploitation of the vulnerability could allow an attacker acting remotely to execute arbitrary code...

net/url: Incorrect parsing of IPv6 host literals in net/url

The Go standard library function net/url.Parse insufficiently validated the host/authority component and accepted some invalid URLs by effectively treating garbage before an IP-literal as ignorable. The function should have rejected this as invalid...

WordPress plugin VI: Include Post By 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. There is...

CVE-2025-66487

IBM Aspera Shares 1.9.9 through 1.11.0 does not properly rate limit the frequency that an authenticated user can send emails, which could result in email flooding or a denial of service...

GO-2026-4704 IncusOS has a LUKS encryption bypass due to insufficient TPM policy in github.com/lxc/incus-os/incus-osd

IncusOS has a LUKS encryption bypass due to insufficient TPM policy in github.com/lxc/incus-os/incus-osd...

BIT-PYTHON-2026-3479 pkgutil.get_data() does not enforce documented restrictions

pkgutil.getdata did not validate the resource argument as documented, allowing path traversals...

PT-2026-31533

Name of the Vulnerable Software and Affected Versions Google Chrome versions prior to 147.0.7727.55 Description Improper input validation within the WebML component in Google Chrome could lead to an out-of-bounds memory write. This issue was discovered in versions of Google Chrome before...

CVE-2026-32622 SQLBot: Remote Code Execution via Terminology Poisoning

SQLBot is an intelligent data query system based on a large language model and RAG. Versions 1.5.0 and below contain a Stored Prompt Injection vulnerability that chains three flaws: a missing permission check on the Excel upload API allowing any authenticated user to upload malicious terminology,...

WordPress Plugin Avada Core Cross-Site Scripting Vulnerability

WordPress is a blogging platform developed using the PHP language. The platform has the ability to set up a personal blog site on a PHP and MySQL based server.WordPress plugin is an application plugin. A cross-site scripting vulnerability exists in the WordPress plugin Avada Core, which stems fro...

HCL AION SQL Injection Vulnerability

HCL AION is an AI lifecycle management platform from HCL India. HCL AION suffers from a SQL injection vulnerability that stems from the application's lack of validation of externally entered SQL statements, which can be exploited by an attacker to steal sensitive database data by injecting a...

CVE-2025-52644

HCL AION is affected by a vulnerability where certain user actions are not adequately audited or logged. The absence of proper auditing mechanisms may reduce traceability of user activities and could potentially impact monitoring, accountability, or incident investigation processes...

PT-2026-25749

HCL AION is affected by a vulnerability where certain user actions are not adequately audited or logged. The absence of proper auditing mechanisms may reduce traceability of user activities and could potentially impact monitoring, accountability, or incident investigation processes...

CVE-2026-20882 Mobiliti e-mobi.hu Improper Restriction of Excessive Authentication Attempts

The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain...

PT-2026-22266

Name of the Vulnerable Software and Affected Versions Systems utilizing WebSocket endpoints for the Open Charge Point Protocol OCPP affected versions not specified Description WebSocket endpoints lack proper authentication mechanisms, allowing attackers to perform unauthorized station impersonati...

CVE-2026-27584 ActualBudget server is Missing Authentication for SimpleFIN and Pluggy AI bank sync endpoints

Actual is a local-first personal finance tool. Prior to version 26.2.1, missing authentication middleware in the ActualBudget server component allows any unauthenticated user to query the SimpleFIN and Pluggy.ai integration endpoints and read sensitive bank account balance and transaction...

UBUNTU-CVE-2025-71241

SPIP before 4.3.6, 4.2.17, and 4.1.20 allows Cross-Site Scripting XSS in the private area. The content of the error message displayed by the 'transmettre' API is not properly sanitized, allowing an attacker to inject malicious scripts. This vulnerability is mitigated by the SPIP security screen...

CVE-2026-0969 Arbitrary code execution in React server-side rendering of untrusted MDX content

The serialize function used to compile MDX in next-mdx-remote is vulnerable to arbitrary code execution due to insufficient sanitization of MDX content. This vulnerability, CVE-2026-0969, is fixed in next-mdx-remote 6.0.0...