EUVD-2026-37008

Slim has Reflected XSS in the HtmlErrorRenderer...

CVE-2026-45135

Caddy is an extensible server platform that uses TLS by default. From 2.7.0 until 2.11.3, the FastCGI transport's splitPos in modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go misuses golang.org/x/text/search with search.IgnoreCase when the request path contains a non-ASCII byte. Two distinct fla...

CVE-2026-50019

yt-dlp is a command-line audio/video downloader. From 2023.09.24 until 2026.06.09, if curl is used as an external downloader for yt-dlp, cookies may be leaked to an unintended host upon HTTP redirect or when the host for download fragments differs from their parent manifest's. At the file downloa...

CVE-2026-55423

CVE-2026-55423 affects Langflow prior to version 1.7.0, where the /logout flow fails to clear session data. Root cause: the logout endpoint did not delete cookies with matching attributes (httponly/samesite/secure/domain), so tokens persisted in local storage and cookies even after logout. Conseq...

EUVD-2026-38457

Guzzle is an extensible PHP HTTP client. Prior to 7.12.1, CookieJar incorrectly accepts cookies with a dot-only Domain attribute and whitespace-padded variants. SetCookie::matchesDomain removes leading dots from the cookie domain, normalizing dot-only values to the empty string; SetCookie::valida...

EUVD-2026-38452

NetComm NF20MESH routers running firmware R6B031 and earlier contain an authenticated remote code execution vulnerability that allows authenticated attackers to execute arbitrary commands as root by injecting shell metacharacters into the username JSON parameter processed by the...

JLSEC-2026-614 WebSocket default Origin check ignores scheme and port in HTTP.jl

Description The default WebSocket Origin validator originalloweddefault only enforced the host component of the same-origin tuple. It never checked the Origin's scheme, and when the request Host header carried no explicit port the norm for default-port 80/443 servers, where browsers omit the port...

JLSEC-2026-613 Redirect credential leakage across scheme/port in HTTP.jl

Description Redirect handling decided whether to retain credential-bearing headers Authorization, Cookie, Proxy-Authorization, etc. by comparing only the hostname, ignoring scheme and port. As a result an https→http downgrade or a same-host/different-port redirect was treated as same-origin and...

CVE-2026-10857

CVE-2026-10857 – Reflected XSS in AKINSoft e-Commerce Affected product: AKIN Software Computer Import Export Industry and Trade Ltd. E-Commerce.Vulnerability: Reflected Cross-Site Scripting due to improper neutralization of input during web page generation.Root cause: insufficient sanitization of...

EUVD-2026-38445

Improper neutralization of input during web page generation 'cross-site scripting' vulnerability in AKIN Software Computer Import Export Industry and Trade Ltd. E-Commerce allows Reflected XSS. This issue affects e-Commerce: before 1.25.01.06...

urllib3: urllib3: Denial of Service due to excessive HTTP response decompression

A flaw was found in urllib3, an HTTP client library for Python. This vulnerability allows a remote attacker to cause excessive resource consumption, such as high CPU usage and massive memory allocation, on the client side. This occurs when urllib3 attempts to decompress an entire HTTP response,...

webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash

A flaw was found in WebKitGTK. Processing malicious web content can cause an unexpected process crash due to improper memory handling...

webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash

A flaw was found in WebKitGTK. Processing malicious web content can cause an unexpected process crash due to improper memory handling...

webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash

A flaw was found in WebKitGTK. Processing malicious web content can cause an unexpected process crash due to improper memory handling...

webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash

A flaw was found in WebKitGTK. Processing malicious web content can cause an unexpected process crash due to improper memory handling...

webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash

A flaw was found in WebKitGTK. Processing malicious web content can cause an unexpected process crash due to improper memory handling...

webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash

A flaw was found in WebKitGTK. Processing malicious web content can cause an unexpected process crash due to improper memory handling...

webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash

A flaw was found in WebKitGTK. Processing malicious web content can cause an unexpected process crash due to improper memory handling...

webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash

A flaw was found in WebKitGTK. Processing malicious web content can cause an unexpected process crash due to improper memory handling...

webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash

A flaw was found in WebKitGTK. Processing malicious web content can cause an unexpected process crash due to improper memory handling...