CVE-2026-13222

The CVE-2026-13222 entry concerns the pretix-oppwa payment integration, where insufficient validation of payment status responses allows reusing a valid payment status across different payments. This could enable an attacker to gain access to multiple valid tickets tied to a single payment. Affec...

CVE-2026-42387 Insufficient input validation in ZoneToCache

A malicious authoritative server can send a crafted zone via the ZoneToCache function that leads to a crash of the Recursor due to insuffcient input validation...

EUVD-2026-39335

Improper Handling of Insufficient Permissions or Privileges vulnerability in Apache Kvrocks. This issue affects Apache Kvrocks: 2.8.0. Users are recommended to upgrade to version 2.16.0, which fixes the issue...

EUVD-2026-39190

Generic IO & Memory Access driver for PCs provided by TOSHIBA CORPORATION and Dynabook Inc. exposes its IOCTL with insufficient access control. A logged-in user with no administrative privilege may access physical memory...

CVE-2026-41566

Improper Handling of Insufficient Permissions or Privileges vulnerability in Apache Kvrocks. This issue affects Apache Kvrocks: 2.8.0. Users are recommended to upgrade to version 2.16.0, which fixes the issue...

CVE-2026-56129

Generic IO & Memory Access driver for PCs provided by TOSHIBA CORPORATION and Dynabook Inc. exposes its IOCTL with insufficient access control. A logged-in user with no administrative privilege may access physical memory...

Moodle LTI module Reflected - Cross-Site Scripting

A reflected XSS issue was identified in the LTI module of Moodle. The vulnerability exists due to insufficient sanitization of user-supplied data in the LTI module. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's brows...

Grafana Post-Auth DuckDB - SQL Injection To File Read

The SQL Expressions experimental feature of Grafana allows for the evaluation of duckdb queries containing user input. These queries are insufficiently sanitized before being passed to duckdb, leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or highe...

Analytics Insights for Google Analytics 4 < 6.3 - Open Redirect

The plugin is vulnerable to Open Redirect due to insufficient validation on the redirect oauth2callback.php file. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action. id: CVE-2024-0250...

Travelpayouts <= 1.1.16 - Open Redirect

The plugin is vulnerable to Open Redirect due to insufficient validation on the travelpayoutsredirect variable. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action. id: CVE-2024-0337...

Relevanssi <= 4.24.4 (Free) - Unauthenticated SQL Injection

The Relevanssi – A Better Search plugin for WordPress is vulnerable to time-based SQL Injection via the cats and tags query parameters in all versions up to, and including, 4.24.4 Free and = 2.27.4 Premium due to insufficient escaping on the user supplied parameter and lack of sufficient...

Grafana <= 6.7.1 - Cross-Site Scripting

Grafana through 6.7.1 contains an unauthenticated stored cross-site scripting vulnerability due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot...

CVE-2026-12053

GitLab has remediated an issue in GitLab EE affecting all versions from 19.1 before 19.1.1 that under certain conditions could have allowed a user to access sensitive information that had already been committed to a project, due to insufficient output filtering in Duo Workflows...

CVE-2026-12053 Insertion of Sensitive Information into Log File in GitLab

GitLab has remediated an issue in GitLab EE affecting all versions from 19.1 before 19.1.1 that under certain conditions could have allowed a user to access sensitive information that had already been committed to a project, due to insufficient output filtering in Duo Workflows...

CVE-2026-13024

Insufficient validation of untrusted input in Navigation in Google Chrome prior to 149.0.7827.197 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. Chromium security severity: High...

CVE-2026-12416

The Invoice Generator plugin for WordPress is vulnerable to Account Takeover via Password Reset in all versions up to, and including, 1.0.0. This is due to the pravelinvoicechangepassword function being registered as a nopriv AJAX handler with no nonce verification and no authorization check, and...

Mlflow < 2.11.0 - Path Traversal

A path traversal vulnerability exists in mlflow/mlflow version 2.11.0, identified as a bypass for the previously addressed CVE-2023-6909. The vulnerability arises from the application's handling of artifact URLs, where a '' character can be used to insert a path into the fragment, effectively...

CVE-2026-12034

The following flaw was identified in the Chromium browser: Insufficient validation of untrusted input Linux Toolkit Theming. Upstream bugs: https://code.google.com/p/chromium/issues/detail?id=519258799...

CVE-2026-12025

The following flaw was identified in the Chromium browser: Insufficient validation of untrusted input Network. Upstream bugs: https://code.google.com/p/chromium/issues/detail?id=517153191...

Insufficient Session Expiration

Overview litellm is a Library to easily interface with LLM API providers Affected versions of this package are vulnerable to Insufficient Session Expiration in the authenticateuser function. An attacker can gain unauthorized access or maintain access to sensitive information by exploiting session...