CVE-2026-44018 Docling: Unsafe Archive Extraction and XML Parsing in METS-GBS Backend
Docling simplifies document processing by parsing diverse formats and providing integrations with the generative AI ecosystem. From 2.45.0 until 2.91.0, the METS-GBS backend's XML parsing and the input document format detection lacked security controls. An attacker could craft malicious METS-GBS...
CVE-2026-56067
Unauthenticated SQL Injection in JetSmartFilters = 3.8.3 versions...
CVE-2026-56068
Unauthenticated SQL Injection in JetEngine = 3.8.10.2 versions...
EUVD-2026-39671
Sales Representative SQL Injection in Groundhogg <= 4.5 versions...
CVE-2026-57653 WordPress WP Job Portal plugin <= 2.5.2 - SQL Injection vulnerability
Contributor SQL Injection in WP Job Portal <= 2.5.2 versions...
CVE-2026-57643 WordPress WP Post Author plugin <= 3.9.1 - SQL Injection vulnerability
Contributor SQL Injection in WP Post Author <= 3.9.1 versions...
EUVD-2026-39759
Contributor SQL Injection in Restaurant Menu by MotoPress = 2.4.10 versions...
CVE-2026-57631
CVE-2026-57631 affects the WordPress Popup box plugin (versions
EUVD-2026-39723
Unauthenticated SQL Injection in Advance Product Search = 1.4.4 versions...
EUVD-2026-39716
Unauthenticated SQL Injection in Quotes llama = 3.1.5 versions...
WordPress Groundhogg plugin <= 4.5 - SQL Injection vulnerability
SQL Injection vulnerability discovered by Baikuya in WordPress Plugin Groundhogg versions <= 4.5...
CVE-2026-54235
A flaw was found in vLLM, an inference and serving engine for large language models (LLMs). The temperature validation gates, which use comparison operators, incorrectly handle Not-a-Number (NaN) and positive Infinity values in Python's IEEE 754 float semantics. These invalid values can bypass...
CVE-2026-10835
The CVE-2026-10835 entry concerns the SALESmanago & Leadoo WordPress plugin, affected versions before 3.11.3. The vulnerability arises from improper sanitisation/escaping of a parameter in an AJAX action before it is used in a SQL statement, coupled with missing authorization enforcement for that...
PT-2026-52990
Name of the Vulnerable Software and Affected Versions: H.View HV-500S6 IP cameras (affected versions not specified). Description: An authenticated user can supply unsanitized XML fields to the certificate generation interface. These fields are incorporated into a backend certificate creation command...
Tenable Nessus < 10.12.1 Multiple Vulnerabilities (TNS-2026-17)
According to its self-reported version, the Tenable Nessus application running on the remote host is prior to 10.12.1. It is, therefore, affected by multiple vulnerabilities as referenced in the TNS-2026-17 advisory. - A SQL injection vulnerability in Nessus allows a remote, unauthenticated...
GO-2026-5547 in-toto-golang and in-toto-python have inconsistent negation behavior in github.com/in-toto/in-toto-golang
in-toto-golang and in-toto-python have inconsistent negation behavior in github.com/in-toto/in-toto-golang...
GHSA-RM3J-F69W-WQMQ golang.org/x/crypto/ssh vulnerable to infinite loop on large channel writes
When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the write loop to spin indefinitely, sending empty packets without making progress. The size comparison now uses int64 to prevent truncation...
GHSA-W879-237Q-WC7R golang.org/x/crypto/ssh: Invoking pathological RSA/DSA parameters may cause DoS
The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public...
golang.org/x/crypto/ssh vulnerable to invoking bypass of certificate restrictions
When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with PartialSuccessError...
GHSA-Q4H4-GMJ2-QVW2 golang.org/x/crypto/ssh: Invoking byte arithmetic causes underflow and panic
An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafted inputs...