5 matches found

Cvelist
added 2026/05/15 3:27 p.m., 44 views

CVE-2026-35194 Apache Flink: Remote code execution via SQL injection in code generation

Code injection in SQL code generation in Apache Flink 1.15.0 through 1.20.x and 2.0.0 through 2.x allows authenticated users with query submission privileges to execute arbitrary code on TaskManagers via maliciously crafted SQL queries. The vulnerability affects JSON functions 1.15.0+ and LIKE...

EPSS: 0.00381
Exploits: 0, References: 1
ATTACKERKB
added 2026/03/24 3:51 p.m., 2 views

CVE-2026-33700

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the DELETE /api/v1/projects/:project/shares/:share endpoint does not verify that the link share belongs to the project specified in the URL. An attacker with admin access to any project can delete link shares...

CVSS: 6.9, AI score: 5.8, EPSS: 0.00205
Exploits: 0, References: 3, Affected Software: 1
ATTACKERKB
added 2026/03/20 2:23 a.m., 3 views

CVE-2026-32889

tinytag is a Python library for reading audio file metadata. Version 2.2.0 allows an attacker who can supply MP3 files for parsing to trigger a non-terminating loop while the library parses an ID3v2 SYLT synchronized lyrics frame. In server-side deployments that automatically parse...

CVSS: 6.5, AI score: 5.7, EPSS: 0.0041
Exploits: 1, References: 5, Affected Software: 1
Patchstack
added 2025/08/25 11:35 p.m., 4 views

WordPress Vibes plugin <= 2.2.0 - Unauthenticated SQL Injection via `resource` Parameter vulnerability

Unauthenticated SQL Injection via `resource` Parameter vulnerability discovered by Jonas Benjamin Friedli in WordPress Plugin Vibes versions <= 2.2.0...

CVSS: 7.5, AI score: 7.8, EPSS: 0.004
Exploits: 0, References: 1, Affected Software: 1
Patchstack
added 2024/07/11 12:0 a.m., 9 views

WordPress MBE eShip Plugin <= 2.1.2 is vulnerable to Cross Site Request Forgery (CSRF)

Software: MBE eShip; Type: Plugin; Vulnerable versions: <= 2.1.2; Fixed in: 2.2.1; OWASP Top 10: A1: Broken Access Control; Classification: Cross Site Request Forgery (CSRF); CVE: CVE-2024-38729; Patch priority: Low; CVSS severity: Low (5.4); PSID: 4adf7a356e66; Credits: Joshua Chan; Required...

AI score: 6.4, EPSS: 0.00182
Exploits: 0, References: 2, Affected Software: 1