CVE-2026-42881

STIGQter is an open-source reimplementation of DISA's STIG Viewer. From 0.1.2 to before 1.2.7, an attacker can achieve local code execution LCE with the privileges of the user running STIGQter. This requires user interaction: the victim must open the malicious .stigqter file and explicitly run th...

CVE-2026-42576 apko `DiscoverKeys` has a panic on non-rsa jwks key that causes crash during key discovery

apko allows users to build and publish OCI container images built from apk packages. Prior to version 1.2.7, DiscoverKeys in pkg/apk/apk/implementation.go unconditionally type-asserts JWKS keys as rsa.PublicKey without checking the key type. If a repository JWKS endpoint returns a non-RSA key e.g...

CVE-2026-35477

InvenTree is an Open Source Inventory Management System. From 1.2.3 to 1.2.6, the fix for CVE-2026-27629 upgraded the PARTNAMEFORMAT validator to use jinja2.sandbox.SandboxedEnvironment. However, the actual renderer in part/helpers.py was not updated and still uses the non-sandboxed...

WordPress Contact Form 7 Database Addon – CFDB7 Plugin <= 1.2.6.8 is vulnerable to Sensitive Data Exposure

Software Contact Form 7 Database Addon – CFDB7 Type Plugin Vulnerable versions = 1.2.6.8 Fixed in 1.2.7 OWASP Top 10 A3: Sensitive Data Exposure Classification Sensitive Data Exposure CVE CVE-2024-3870 Patch priority Low CVSS severity Low 5.3 Developer Claim ownership PSID b218289620d7 Credits Ti...