CVE-2026-32813 Admidio: Second-Order SQL Injection via List Configuration (lsc_special_field, lsc_sort, lsc_filter)

Admidio is an open-source user management solution. Versions 5.0.6 and below are vulnerable to arbitrary SQL Injection through the MyList configuration feature. The MyList configuration feature lets authenticated users define custom list column layouts, storing user-supplied column names, sort...

CVE-2026-32875

UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Versions 5.10 through 5.11.0 are vulnerable to buffer overflow or infinite loop through large indent handling. ujson.dumps crashes the Python interpreter segmentation fault when the product of the indent...

CVE-2026-32873

CVE-2026-32873 affects the Gleam-based web server ewe (versions 0.8.0–3.0.4). The bug in handle_trailers causes an infinite loop when encountering rejected trailers by recursively re-parsing the same header (using rest) instead of advancing past it (Buffer(header_rest, 0)). This leads to a perman...

CVE-2026-32771

Summary of CVE-2026-32771 (CTFer.io Monitoring) : In versions prior to 0.2.2, the sanitizeArchivePath function in pkg/extract/extract.go is vulnerable to a path traversal flaw caused by a missing trailing path separator in a strings.HasPrefix check. This allows an attacker to craft archives that ...

SUSE CVE-2026-31972

SAMtools is a program for reading, manipulating and writing bioinformatics file formats. The mpileup command outputs DNA sequences that have been aligned against a known reference. On each output line it writes the reference position, optionally the reference DNA base at that position obtained fr...

CVE-2026-32763

Kysely is a type-safe TypeScript SQL query builder. Versions up to and including 0.28.11 has a SQL injection vulnerability in JSON path compilation for MySQL and SQLite dialects. The visitJSONPathLeg function appends user-controlled values from .key and .at directly into single-quoted JSON path...

Devolutions Server 安全漏洞

Devolutions Server is an application system developed by the Canadian company Devolutions. It provides a fully functional solution for shared accounts and password management. There is a security vulnerability in Devolutions Server, which stems from improper certificate verification. This...

PT-2026-26660

Cryptomator for IOS offers multi-platform transparent client-side encryption for files in the cloud. Prior to version 2.8.3, an integrity check vulnerability allows an attacker tamper with the vault configuration file leading to a man-in-the-middle vulnerability in Hub key loading mechanism. Befo...

CVE-2026-33372

CVE-2026-33372 affects Zimbra Collaboration (ZCS) 10.0 and 10.1. A CSRF vulnerability in Zimbra Webmail arises from improper validation of CSRF tokens, accepting tokens in the request body instead of requiring them in the header. An attacker can lure an authenticated user into submitting a crafte...

PT-2026-26552

Name of the Vulnerable Software and Affected Versions PJSIP versions 2.16 and below Description PJSIP is a free and open source multimedia communication library written in C. Versions 2.16 and below contain a Heap-based Buffer Overflow in the DNS parser's name length handler. This impacts...

MindSQL SQL注入漏洞

MindSQL is an open-source database interaction and retrieval enhancement generation library developed by MindInventory. Versions of MindSQL 0.2.1 and earlier contained a SQL injection vulnerability. This vulnerability stemmed from the askdb function in the mindsql/core/mindsqlcore.py file, which...

PT-2026-26718

The Injection Guard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via malicious query parameter names in all versions up to and including 1.2.9. This is due to insufficient input sanitization in the sanitize ig data function which only sanitizes array values but not array keys...

Cryptomator 安全漏洞

Cryptomator is a simple digital self-defense tool from the Cryptomator community. Versions of Cryptomator prior to 2.8.3 contained security vulnerabilities, which were due to insufficient integrity checks in the iOS system. These vulnerabilities could lead to man-in-the-middle attacks and token...

PT-2026-26549

Name of the Vulnerable Software and Affected Versions Discourse versions prior to 2026.3.0-latest.1 Discourse versions prior to 2026.2.1 Discourse versions prior to 2026.1.2 Description Discourse is an open-source discussion platform. Before versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, an...

PT-2026-26608

Name of the Vulnerable Software and Affected Versions versions prior to 2026-4434 Description A flaw exists in the validation of certificates during PAM propagation WinRM connections. This allows a network attacker to conduct a man-in-the-middle attack by disabling TLS certificate verification. T...

AlmaLinux 10 : nginx (ALSA-2026:4705)

The remote AlmaLinux 10 host has packages installed that are affected by a vulnerability as referenced in the ALSA-2026:4705 advisory. nginx: NGINX: Data injection via man-in-the-middle attack on TLS proxied connections CVE-2026-1642 Tenable has extracted the preceding description block directly...

Cryptomator 安全漏洞

Cryptomator is a simple digital self-defense tool from the Cryptomator community. It is used to protect data. Versions of Cryptomator prior to 1.19.1 have security vulnerabilities; these vulnerabilities stem from integrity-checking flaws, which can lead to man-in-the-middle attacks and token leak...

CVE-2026-32757 Admidio: HTMLPurifier Bypass in eCard Message Allows HTML Email Injection

Admidio is an open-source user management solution. In versions 5.0.6 and below, the eCard send handler uses a raw $POST'ecardmessage' value instead of the HTMLPurifier-sanitized $formValues'ecardmessage' when constructing the greeting card HTML. This allows an authenticated attacker to inject...

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code. The publishing pipeline of this package was compromised as the result of Trivy's GitHub Actions compromise and a malicious versions were released on NPM. They contain malicious code, and its content was NOT yet...

CVE-2026-29100 SuiteCRM has Reflected HTML Injection in Login Page via default_user_name Parameter

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management CRM software application. SuiteCRM 7.15.0 contains a reflected HTML injection vulnerability in the login page that allows attackers to inject arbitrary HTML content, enabling phishing attacks and page defacement. Versio...