CVE-2026-41259

Mastodon is a free, open-source social network server based on ActivityPub. Prior to v4.5.9, v4.4.16, and v4.3.22, Mastodon allows restricting new user sign-up based on e-mail domain names, and performs basic validation on e-mail addresses, but fails to restrict characters that are interpreted...

CVE-2026-6207

CVE-2026-6207 is rejected and not an active vulnerability entry.

CVE-2026-45294

FreeScout (PHP/Laravel) before version 1.8.219 is vulnerable. The password reset endpoint returns visually distinct responses based on whether the submitted email belongs to an existing user, enabling unauthenticated enumeration of valid helpdesk agent email addresses. Root cause: inadequate obfu...

CVE-2026-46526

CVE-2026-46526 concerns Local Deep Research. Before version 1.6.10, the URL validation flow had a logical flaw that could bypass SSRF protections because parsing differed between urlparse and the HTTP request library. The code first runs SSRF checks via validate_url and then uses requests.get to ...

PT-2026-44472

Local Deep Research is an AI-powered research assistant for deep, iterative research. Prior to 1.6.10, the URL checking logic in local-deep-research has a logical flaw that could be bypassed by attackers, leading to SSRF attacks. The current project uses validate url to validate the input URL. Th...

PT-2026-44135

Description symfony/html-sanitizer lets applications sanitise untrusted HTML. The configuration methods allowLinkHosts... and allowLinkSchemes... are intended to restrict targets to an allowlist of hosts/schemes; allowMediaHosts / allowMediaSchemes do the same for etc. Three distinct bypasses all...

Astra Linux - уязвимость в ntfs-3g

NTFS-3G versions prior to 2021.8.22 may experience a stack buffer overflow when correcting differences between the MFT Mounted File Table and MFTMirror. This can lead to code execution or an escalation of privileges when using the setuid-root account...

Astra Linux - уязвимость в tomcat9

There is a vulnerability related to observable timing discrepancies when comparing AJP secrets in Apache Tomcat. This issue affects Apache Tomcat versions as follows: 11.0.0-M1 through 11.0.21, 10.1.0-M1 through 10.1.54, 9.0.0.M1 through 9.0.117, 8.5.0 through 8.5.100, and 7.0.0 through 7.0.109...

Open WebUI 代码问题漏洞

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted WebUI that is open source. Versions of Open WebUI prior to 0.9.5 had code issues and vulnerabilities, which were caused by parsing differences between the urlparse and requests libraries, leading to SSRF bypasses...

go-git's improper parsing of specially crafted objects may lead to inconsistent interpretation compared to upstream Git

Impact go-git may parse malformed Git objects in a way that differs from upstream Git. When commit or tag objects contain ambiguous or malformed headers, go-git’s decoded representation may expose values differently from how Git itself would interpret or reject the same object. Additionally,...

GHSA-389R-GV7P-R3RP go-git's improper parsing of specially crafted objects may lead to inconsistent interpretation compared to upstream Git

Impact go-git may parse malformed Git objects in a way that differs from upstream Git. When commit or tag objects contain ambiguous or malformed headers, go-git’s decoded representation may expose values differently from how Git itself would interpret or reject the same object. Additionally,...

CVE-2026-24468 OpenAEV Vulnerable to Username/Email Enumeration Through Differential HTTP Responses in Password Reset API

OpenAEV is an open source platform allowing organizations to plan, schedule and conduct cyber adversary simulation campaign and tests. Starting in version 1.11.0 and prior to version 2.0.13, the /api/reset endpoint behaves differently depending on whether the supplied username exists in the syste...

BinDiff 8

BinDiff is an open-source comparison tool for binary files to quickly find differences and similarities in disassembled code...

CLEANSTART-2026-FH63386 When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint

Multiple security vulnerabilities affect the sealed-secrets package. When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. See references for individual vulnerability...

Python 安全漏洞

Python is an open-source, object-oriented programming language developed by the Python Foundation. This language features extensibility, support for modules and packages, and compatibility with multiple platforms. However, Python has security vulnerabilities. One of these vulnerabilities stems fr...

SonicWALL SMA1000 安全漏洞

SonicWALL SMA1000 is a series of security mobile access solutions developed by the American company SonicWALL. It simplifies end-to-end secure remote access for enterprise resources across local, cloud, and hybrid data centers. There is a security vulnerability in SonicWall SMA1000, which stems...

Information Exposure

Overview Affected versions of this package are vulnerable to Information Exposure via the requestEmailChange mutation. An attacker can determine whether specific email addresses are registered by analyzing the differences in error messages returned by the system. Remediation A fix was pushed into...

EUVD-2025-209166

The login mechanism of Sage DPW 202106004 displays distinct responses for valid and invalid usernames, allowing enumeration of existing accounts in versions before 202106000. On-premise administrators can toggle this behavior in newer versions...

EUVD-2026-17749

The application allows PDF JavaScript and document/print actions such as WillPrint/DidPrint to update form fields, annotations, or optional content groups OCGs immediately before or after redaction, encryption, or printing. These script‑driven updates are not fully covered by the existing...

PT-2026-29529

The login mechanism of Sage DPW 2021 06 004 displays distinct responses for valid and invalid usernames, allowing enumeration of existing accounts in versions before 2021 06 000. On-premise administrators can toggle this behavior in newer versions...