EUVD-2026-35091

phpMyFAQ has Weak Cryptography - SHA1 for Password Hashing...

CVE-2026-54518

The CVE-2026-54518 issue affects jackson-databind’s UnwrappedPropertyHandler path. From 2.21.0 through 2.21.4 and 3.1.0 through 3.1.4, UnwrappedPropertyHandler.processUnwrappedCreatorProperties() replays buffered JSON into creator parameters without consulting prop.visibleInView(activeView). This...

EUVD-2026-38597

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.13.0 until 2.14.0, a potential Denial-of-Service exists when attacker sends deeply nested JSON if and only if the service reads deeply nested 1000s of levels JSON as JsonNode...

EUVD-2026-38595

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, and 3.1.4, jackson-databind's PolymorphicTypeValidator PTV is the primary safety mechanism guarding polymorphic deserialization. When polymorphic...

EUVD-2026-38593

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, and 3.1.4, BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray allowlists any array type based only on clazz.isArray, without validating th...

EUVD-2026-38592

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.0.0 until 2.18.8, 2.21.4, and 3.1.4, JDKFromStringDeserializer constructed InetSocketAddress with new InetSocketAddresshost, port, which performs eager DNS name resolution fo...

EUVD-2026-38589

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, in BeanDeserializer.deserializeUsingPropertyBased, the active-view @JsonView filter was applied only to creator properties; the regular...

CVE-2026-46550

NocoDB’s CVE-2026-46550 concerns the refresh-token cookie being set with httpOnly but without Secure and SameSite attributes prior to 2026.04.1. The root cause is in setTokenCookie(), which emitted a cookie with only httpOnly (and possibly domain), leaving it vulnerable to interception over HTTP ...

CVE-2026-47381

CVE-2026-47381 affects NocoDB prior to 2026.05.1, where a user in one workspace could abuse the testConnection endpoint to access another workspace’s integration due to the integration being fetched in a bypass scope and permission checks being evaluated against any base in any workspace. The iss...

CVE-2026-47385

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, an authenticated user with base-create permission can attach a SQLite source pointing at an arbitrary file on the NocoDB host, including NocoDB's own internal databases. The SQLite client and the base/integration creat...

CVE-2026-47385

CVE-2026-47385 (NocoDB) : An authenticated user with base-create permission can attach a SQLite source that points to an arbitrary file on the host, bypassing location restrictions in the SQLite client and base-create services. This can target internal databases (e.g., noco.db or tenant databases...

CVE-2026-47386

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, two concurrent token-exchange requests using the same OAuth authorization code could each mint a distinct valid accesstoken, refreshtoken pair, breaking the single-use guarantee that PKCE relies on. This vulnerability ...

CVE-2026-47387

NocoDB (the issue CVE-2026-47387) has a stored XSS due to the shared form-view redirect_url handling. The vulnerable sink in packages/nc-gui/composables/useSharedFormViewStore.ts validates only string/non-empty redirect_url and fails to validate URL schemes, causing non-network schemes (e.g., jav...

CVE-2026-47388

NocoDB is affected by CVE-2026-47388: Missing ownership check in MCP Attachment Read allows a low-privilege MCP token holder with knowledge of an attachment path to read files in shared storage (including attachments from other bases/workspaces). The issue arises because readAttachment did not ve...

CVE-2025-64105

Summary: FOSSBilling

CVE-2025-64105

FOSSBilling is a billing and client management system that automates invoicing, payments, and communication for online service businesses. Versions 0.6.21 through 0.7.2 are vulnerable to IDOR through the support ticket creation workflow. By manipulating relid when reltype=order, an authenticated...

CVE-2026-53930

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the base-migration endpoint accepted a caller-supplied URL that the migration worker dereferenced without enforcing protocol or destination, allowing scheme abuse file:, ftp:, etc. and probing of internal HTTP...

CVE-2026-54555

rtk filters and compresses command outputs before they reach your LLM context. Prior to 0.42.2, the permission splitter did not conservatively split or reject several shell constructs that Bash treats as command execution boundaries or nested execution. As a result, a command beginning with an...

CVE-2026-45792

Vulnerability summary (CVE-2026-45792) RTK (Rust Token Killer) prior to 0.32.0 trusts project-local configuration by auto-loading the highest-priority .rtk/filters.toml without user notification. An attacker with repository access can place a malicious filter to modify shell command output before...

CVE-2026-54317

Home Assistant is open source home automation software that puts local control and privacy first. Prior to 2026.6.0, the Konnected integration registers an HTTP endpoint, KonnectedView homeassistant/components/konnected/init.py, that is marked as not requiring authentication requiresauth = False....