DEBIAN-CVE-2026-39977

flatpak-builder is a tool to build flatpaks from source. From 1.4.5 to before 1.4.8, the license-files manifest key takes an array of paths to user defined licence files relative to the source directory of the module. The paths from that array are resolved using gfileresolverelativepath and...

CVE-2026-35461

Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, the Papra webhook system allows authenticated users to register arbitrary URLs as webhook endpoints with no validation of the destination address. The server makes outbound HTTP POST requests to registered URLs,...

CVE-2026-22682

OpenHarness prior to commit 166fcfe contains an improper access control vulnerability in built-in file tools due to inconsistent parameter handling in permission enforcement, allowing attackers who can influence agent tool execution to read arbitrary local files outside the intended repository...

UBUNTU-CVE-2026-34983

Wasmtime is a runtime for WebAssembly. In 43.0.0, cloning a wasmtime::Linker is unsound and can result in use-after-free bugs. This bug is not controllable by guest Wasm programs. It can only be triggered by a specific sequence of embedder API calls made by the host. Specifically, the following...

CVE-2026-34988

Wasmtime is a runtime for WebAssembly. From 28.0.0 to before 36.0.7, 42.0.2, and 43.0.1, Wasmtime's implementation of its pooling allocator contains a bug where in certain configurations the contents of linear memory can be leaked from one instance to the next. The implementation of resetting the...

CVE-2026-34983 Wasmtime has a use-after-free bug after cloning `wasmtime::Linker`

Wasmtime is a runtime for WebAssembly. In 43.0.0, cloning a wasmtime::Linker is unsound and can result in use-after-free bugs. This bug is not controllable by guest Wasm programs. It can only be triggered by a specific sequence of embedder API calls made by the host. Specifically, the following...

EUVD-2026-20938

Use of GET Request Method With Sensitive Query Strings vulnerability in Apache OpenMeetings. The REST login endpoint uses HTTP GET method with username and password passed as query parameters. Please check references regarding possible impact This issue affects Apache OpenMeetings: from 3.1.3...

Apache OpenMeetings Uses GET Request Method With Sensitive Query Strings

Use of GET Request Method With Sensitive Query Strings vulnerability in Apache OpenMeetings. The REST login endpoint uses HTTP GET method with username and password passed as query parameters. Please check references regarding possible impact This issue affects Apache OpenMeetings: from 3.1.3...

EUVD-2025-209390

A Reflected Cross-Site Scripting XSS affects LimeSurvey versions prior to 6.15.11+250909, due to the lack of validation of gid parameter in getInstance function in application/models/QuestionCreate.php. This allows an attacker to craft a malicious URL and compromise the logged in user...

CVE-2026-39983

basic-ftp is an FTP client for Node.js. Prior to 5.2.1, basic-ftp allows FTP command injection via CRLF sequences \r\n in file path parameters passed to high-level path APIs such as cd, remove, rename, uploadFrom, downloadTo, list, and removeDir. The library's protectWhitespace helper only handle...

CVE-2026-35207

dde-control-center is the control panel of DDE, the Deepin Desktop Environment. plugin-deepinid is a plugin in dde-control-center, which provides the deepinid cloud service. Prior to 6.1.80, plugin-deepinid is configured to skip TLS certificate verification when fetching the user's avatar from...

Cross-site Scripting (XSS)

Overview limesurvey/limesurvey is a FOSS online survey tool on the web. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the getInstance function when processing the gid parameter. An attacker can execute arbitrary JavaScript in the context of a logged-in user by...

CVE-2026-39315 Unhead has a hasDangerousProtocol() bypass via leading-zero padded HTML entities in useHeadSafe()

Unhead is a document head and template manager. Prior to 2.1.13, useHeadSafe is the composable that Nuxt's own documentation explicitly recommends for rendering user-supplied content in safely. Internally, the hasDangerousProtocol function in packages/unhead/src/plugins/safe.ts decodes HTML...

CVE-2026-35207

In dde-control-center (Deepin Desktop Environment), the plugin-deepinid insecurely skipped TLS certificate verification when fetching user avatars from openapi.deepin.com and similar providers. Prior to version 6.1.80, this allowed a (MITM) attacker to intercept traffic, potentially replace the a...

CVE-2026-35207 deepinid plugin in dde-control-center is configured to skip TLS certificate verification when downloading avatar from remote server

dde-control-center is the control panel of DDE, the Deepin Desktop Environment. plugin-deepinid is a plugin in dde-control-center, which provides the deepinid cloud service. Prior to 6.1.80, plugin-deepinid is configured to skip TLS certificate verification when fetching the user's avatar from...

CVE-2026-35207 deepinid plugin in dde-control-center is configured to skip TLS certificate verification when downloading avatar from remote server

dde-control-center is the control panel of DDE, the Deepin Desktop Environment. plugin-deepinid is a plugin in dde-control-center, which provides the deepinid cloud service. Prior to 6.1.80, plugin-deepinid is configured to skip TLS certificate verification when fetching the user's avatar from...

CVE-2026-35207

dde-control-center is the control panel of DDE, the Deepin Desktop Environment. plugin-deepinid is a plugin in dde-control-center, which provides the deepinid cloud service. Prior to 6.1.80, plugin-deepinid is configured to skip TLS certificate verification when fetching the user's avatar from...

CVE-2026-40069

The vulnerability affects the BSV Ruby SDK (gem) prior to version 0.8.2, specifically BSV::Network::ARC failure detection. From 0.1.0 to 0.8.1, ARC only recognizes REJECTED and DOUBLE_SPEND_ATTEMPTED; responses with txStatus values INVALID, MALFORMED, MINED_IN_STALE_BLOCK, or any ORPHAN-containin...

CVE-2026-39972

Mercure is a protocol for pushing data updates to web browsers and other HTTP clients in a battery-efficient way. Prior to 0.22.0, a cache key collision vulnerability in TopicSelectorStore allows an attacker to poison the match result cache, potentially causing private updates to be delivered to...

EUVD-2026-20898

fast-jwt: Stateful RegExp /g or /y causes non-deterministic allowed-claim validation logical DoS...