Cross-site Scripting (XSS)
Overview: Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the GET /public/api/resources/download endpoint when serving SVG files without a proper Content Security Policy header. An attacker can execute arbitrary JavaScript in the context of users' browsers by...
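An SVG that a browser opens as a top-level document in the serving origin can run inline script and event handlers, so a download endpoint hardens this in two layers: a Content-Disposition that forces a download (the file is never rendered as a page) plus a restrictive Content-Security-Policy in case it is rendered anyway, and a fail-closed check for active content before the file is stored or served. The Python below is an added example, not code from the affected package; the helper names `svg_has_active_content` and `svg_download_headers` and the four sample SVGs are constructed for this illustration.

```python
import xml.etree.ElementTree as ET

# Elements that execute script or embed a foreign document when the SVG is
# opened as a top-level page in the serving origin.
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}


def _local(name: str) -> str:
    """Strip an ElementTree '{namespace}' prefix from a tag or attribute name."""
    return name.rsplit("}", 1)[-1] if name.startswith("{") else name


def svg_has_active_content(svg_bytes: bytes) -> bool:
    """True if the SVG carries <script>, event-handler attributes,
    javascript: hrefs or document-embedding elements. Unparseable input
    counts as active so callers fail closed. (Production code should also
    cap the input size and parse with defusedxml, because stdlib expat does
    not bound entity expansion.)"""
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError:
        return True
    for el in root.iter():
        if _local(el.tag) in ACTIVE_ELEMENTS:
            return True
        for attr, value in el.attrib.items():
            lname = _local(attr).lower()
            if lname.startswith("on"):  # onload=, onclick=, onbegin=, ...
                return True
            if lname == "href":  # plain href or xlink:href
                # Collapse whitespace so "java\tscript:" style tricks still match.
                if "".join(value.split()).lower().startswith("javascript:"):
                    return True
    return False


def svg_download_headers(filename: str) -> dict:
    """Response headers for an uploaded SVG so that even one carrying script
    cannot run in the origin's context."""
    # Drop characters that would break out of the quoted filename or the header line.
    safe_name = filename.replace('"', "").replace("\r", "").replace("\n", "")
    return {
        "Content-Type": "image/svg+xml; charset=utf-8",
        # Force a download: the browser never renders the SVG as a document.
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        # If the file is ever rendered anyway: no script, no external loads,
        # and an opaque (sandboxed) origin.
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
        "X-Content-Type-Options": "nosniff",
    }


# Constructed sample inputs (not real uploads).
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
              b'<rect width="10" height="10" fill="red"/></svg>')
SCRIPT_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg">'
              b'<script>alert(document.domain)</script></svg>')
HANDLER_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">'
               b'<rect width="1" height="1"/></svg>')
JS_HREF_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" '
               b'xmlns:xlink="http://www.w3.org/1999/xlink">'
               b'<a xlink:href="javascript:alert(1)"><text y="10">x</text></a></svg>')

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN_SVG), ("script", SCRIPT_SVG),
                       ("handler", HANDLER_SVG), ("js-href", JS_HREF_SVG)]:
        print(label, "active" if svg_has_active_content(doc) else "clean")
    print(svg_download_headers("logo.svg"))
```

The content check is a pre-filter, not a sanitizer: anything it flags should be rejected or re-encoded to a raster format, and the headers apply regardless of the check's verdict.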
CVE-2026-40296
| creationtimestamp | type | source |
|---|---|---|
| 2026-05-07 02:45:33+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mla754dpfc2k... |
CVE-2026-41417
| creationtimestamp | type | source |
|---|---|---|
| 2026-05-07 02:25:14+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mla5ysj4sc2h... |
SUSE CVE-2026-43243
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add signal type check for dcn401 getphyd32clksrc Trying to access link enc on a dpia link will cause a crash otherwise...
CVE-2026-3291
| creationtimestamp | type | source |
|---|---|---|
| 2026-05-07 02:12:06+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mla5b7ww3i2p... |
GHSA-FPF5-4JW8-67X8
| creationtimestamp | type | source |
|---|---|---|
| 2026-05-07 02:10:29+00:00 | seen | https://gist.github.com/alon710/fbdb426cde042168e0871c7f8c96676d... |
CVE-2026-40325
| creationtimestamp | type | source |
|---|---|---|
| 2026-05-07 01:53:30+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mla4a22fht2n... |
Gotenberg's ExifTool group-prefix syntax bypasses dangerous-tag blocklist
Summary: The ExifTool metadata write blocklist in Gotenberg v8 can be bypassed using ExifTool's group-prefix syntax, enabling arbitrary file rename, move, hardlink, and symlink creation on the server. This is a bypass of the fix for GHSA-qmwh-9m9c-h36m. Details: The blocklist in...
Weblate Vulnerable to Private Translation Enumeration via Screenshot API
Impact: The screenshots, tasks, and component link APIs allowed enumeration of translations in a project the user could not access. Patches: https://github.com/WeblateOrg/weblate/pull/19258 Acknowledgement: Weblate thanks Luay for reporting this vulnerability according to the organization's...
Information Exposure
Overview: Weblate is a web-based continuous localization system with tight version control integration. Affected versions of this package are vulnerable to Information Exposure in the Screenshot API, tasks API, and component link API. An attacker can access private translation data by enumeratin...
CVE-2026-40076
| creationtimestamp | type | source |
|---|---|---|
| 2026-05-07 00:00:41+00:00 | seen | https://infosec.exchange/users/offseq/statuses/116530350683018033 |
| 2026-05-07 00:00:43+00:00 | seen | https://bsky.app/profile/offseq.bsky.social/post/3ml7vwe264u2v |
| 2026-05-07 01:43:26+00:00 | seen | ... |
PT-2026-38381
Name of the Vulnerable Software and Affected Versions: Gotenberg versions prior to 8.30.0. Description: The ExifTool metadata write blocklist can be bypassed using group-prefix syntax, allowing an attacker to perform arbitrary file rename, move, hardlink, and symlink creation on the server. The...
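The failure mode behind both the GHSA entry above and this PT entry is a blocklist that compares the literal argument text against tag names, while ExifTool resolves `-System:FileName=...` or `-File:HardLink=...` to the same filesystem-writing tags as `-FileName=` and `-HardLink=`. A robust check normalises the argument first: strip the leading dash and every `Group:` prefix, take the bare tag name, ignore the optional `#` raw-value suffix, compare case-insensitively, and refuse anything that does not parse as a tag assignment. The Python below is an added example, not Gotenberg's code or its actual fix; the blocklist contents, the function names and the sample arguments are assumptions for this illustration, and option-style arguments (such as `-@`) are simply rejected rather than modelled.

```python
import re

# Assumed blocklist: ExifTool "tags" whose write operations act on the
# filesystem (rename, move, link) rather than on embedded metadata.
BLOCKED_TAGS = {"filename", "directory", "hardlink", "symlink", "testname"}


def naive_is_blocked(arg: str) -> bool:
    """The bypassable shape: strip the leading '-', cut at the operator and
    compare the whole remainder. '-System:FileName=...' never matches."""
    name = arg[1:] if arg.startswith("-") else arg
    name = re.split(r"[=<+]", name, maxsplit=1)[0]
    return name.lower() in BLOCKED_TAGS


# An ExifTool write argument: optional '-', zero or more group prefixes
# ("System:", "File:", "XMP-dc:"), the bare tag name, then an optional
# '#' raw-value suffix followed by one of the write operators
# (=, +=, -=, <, <=) and the value. Anything else fails to match.
WRITE_ARG_RE = re.compile(
    r"^-?((?:[A-Za-z0-9_-]+:)*)([A-Za-z0-9_]+)(#?(?:[+-]?=|<=?).*)?$",
    re.DOTALL,
)


def tag_name(arg: str):
    """Bare tag name with every group prefix removed, or None when the
    argument is not a recognisable tag assignment."""
    m = WRITE_ARG_RE.match(arg)
    return m.group(2) if m else None


def hardened_is_blocked(arg: str) -> bool:
    """Normalise, then compare. Unparseable arguments are blocked (fail
    closed) rather than passed through to ExifTool."""
    name = tag_name(arg)
    if name is None:
        return True
    return name.lower() in BLOCKED_TAGS


if __name__ == "__main__":
    # Constructed sample arguments, not taken from a real request.
    for arg in ["-Artist=Jane", "-FileName=/tmp/x", "-System:FileName=/tmp/x",
                "-File:HARDLINK=/etc/passwd", "-XMP-dc:Title=hello", "-@"]:
        print(f"{arg:32} naive={naive_is_blocked(arg)!s:5} hardened={hardened_is_blocked(arg)}")
```

The regular expression deliberately refuses arguments whose remainder is not a known write operator, so an unfamiliar ExifTool syntax is blocked until someone consciously adds it; a blocklist that only grows when a bypass is reported will be bypassed again.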
open-notebook security vulnerability
Open-Notebook is a privacy-oriented multi-model AI note-taking tool developed by Luis Novo. Version 1.8.1 of Open-Notebook contains a security vulnerability. This vulnerability stems from improper input validation and overly permissive default CORS configurations. It could allow remote attackers ...
i18next-http-backend path traversal vulnerability
i18next-http-backend is an open-source cross-platform backend resource loading tool developed by i18next. Versions of i18next-http-backend prior to 3.0.5 contain a path traversal vulnerability caused by the direct insertion of lng and ns values into URL templat...
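When language and namespace values are substituted into a URL template such as `/locales/{{lng}}/{{ns}}.json` as raw text, a value like `../../api/admin` becomes path syntax. The fix is to validate each value against a strict allowlist before substitution and to percent-encode it as defence in depth. The Python below is an added example, not the library's code or its patch; the template string, the allowlist pattern (alphanumerics joined by `-` or `_`, enough for BCP 47 tags such as `zh-Hant-TW` and plain namespace names) and the function names are assumptions for this illustration.

```python
import re
from urllib.parse import quote

# Allowlist for a single path segment: alphanumeric runs joined by '-' or
# '_'. No '.', '/', '%', '?' or '#', so neither '..' nor a separator can
# be smuggled in. Assumed to fit this application's languages and namespaces.
SEGMENT_RE = re.compile(r"^[A-Za-z0-9]+(?:[-_][A-Za-z0-9]+)*$")


def is_safe_segment(value: str) -> bool:
    return bool(SEGMENT_RE.match(value))


def naive_build_resource_url(template: str, lng: str, ns: str) -> str:
    """The vulnerable shape: raw string substitution into the template."""
    return template.replace("{{lng}}", lng).replace("{{ns}}", ns)


def build_resource_url(template: str, lng: str, ns: str) -> str:
    """Fill the template only with allowlisted values; raise otherwise."""
    for label, value in (("lng", lng), ("ns", ns)):
        if not is_safe_segment(value):
            raise ValueError(f"rejected {label}={value!r}")
    # Percent-encoding changes nothing for values that passed the allowlist,
    # but keeps a later relaxation of SEGMENT_RE from reintroducing '/',
    # '?', '#' or '..' as path syntax.
    return (template.replace("{{lng}}", quote(lng, safe=""))
                    .replace("{{ns}}", quote(ns, safe="")))


if __name__ == "__main__":
    template = "/locales/{{lng}}/{{ns}}.json"
    # Constructed inputs: a normal request and an attacker-controlled lng value.
    print(build_resource_url(template, "en-US", "translation"))
    print(naive_build_resource_url(template, "../../api/admin", "secrets"))
    try:
        build_resource_url(template, "../../api/admin", "secrets")
    except ValueError as exc:
        print("blocked:", exc)
```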
PT-2026-45198
Name of the Vulnerable Software and Affected Versions: D-Link DI-8400 versions prior to 16.07.26A1. Description: A stack-based buffer overflow occurs in an unknown function within the '/dbsrv.asp' endpoint. This issue is triggered by manipulating the str argument, allowing for remote exploitation. A...
PT-2026-38400
Name of the Vulnerable Software and Affected Versions: Weblate versions prior to 5.17.1. Description: The screenshots, tasks, and component link API endpoints allow enumeration of translations within a project that the user should not be able to access. Recommendations: Update to version 5.17...
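The three Weblate entries above (the GHSA summary, the Snyk overview and this PT entry) describe the same authorization defect: an API looks an object up by identifier first and decides access second, so its responses differ for "does not exist" and "exists but is not yours" and a caller can walk the identifier space to learn which private translations exist. The hardened shape scopes the lookup itself to the caller's accessible projects and returns the same 404 for both cases. The Python below is an added example with an in-memory store, not Weblate's code or its patch; the project names, user names and the two lookup functions are constructed for this illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Translation:
    id: int
    project: str
    language: str


# Constructed sample data: project "public" is readable by everyone ("*"),
# project "acme-internal" only by its members.
TRANSLATIONS = {
    1: Translation(1, "public", "de"),
    2: Translation(2, "acme-internal", "fr"),
}
PROJECT_MEMBERS = {"public": {"*"}, "acme-internal": {"alice"}}


def accessible_projects(user: str) -> set:
    return {p for p, members in PROJECT_MEMBERS.items()
            if "*" in members or user in members}


def leaky_lookup(user: str, translation_id: int):
    """Vulnerable shape: fetch by id, then check access. The 404/403
    distinction tells an unprivileged caller which ids exist, and every
    403 confirms a translation in a project they cannot see."""
    t = TRANSLATIONS.get(translation_id)
    if t is None:
        return 404, None
    if t.project not in accessible_projects(user):
        return 403, None
    return 200, t


def scoped_lookup(user: str, translation_id: int):
    """Hardened shape: the lookup is restricted to the caller's accessible
    projects, so "not yours" and "does not exist" are indistinguishable."""
    visible = accessible_projects(user)
    t = TRANSLATIONS.get(translation_id)
    if t is None or t.project not in visible:
        return 404, None
    return 200, t


def enumerate_ids(lookup, user: str, id_range) -> set:
    """What a probing attacker learns: every id whose status is not 404."""
    return {i for i in id_range if lookup(user, i)[0] != 404}


if __name__ == "__main__":
    print("leaky :", sorted(enumerate_ids(leaky_lookup, "bob", range(1, 10))))
    print("scoped:", sorted(enumerate_ids(scoped_lookup, "bob", range(1, 10))))
```

The same rule applies to list and filter endpoints (screenshots by translation, tasks by component): the filter must be applied to a queryset already restricted to the caller's projects, because a filter over the whole table leaks existence through result counts even when no object body is returned.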
PT-2026-38595
Name of the Vulnerable Software and Affected Versions: GitHub Enterprise Server versions 3.19.1 through 3.19.5; GitHub Enterprise Server versions 3.20.0 through 3.20.1. Description: A reflected HTML injection issue exists in the Management Console login page. The redirect to query parameter on the...
PT-2026-38415
A vulnerability in the external sharing feature of Cryptobox allows an attacker who knows a sharing link URL to retrieve information from the server that enables an offline brute-force attack on the access code associated with that sharing link...
Linux Distros Unpatched Vulnerability : CVE-2026-33079
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - In versions 3.0.0a1 through 3.2.0 of Mistune, there is a ReDoS (Regular Expression Denial of Service) vulnerability in LINKTITLERE that allows an attacker who can...
Sidekiq-cron is vulnerable to a cross-site scripting (XSS) vulnerability via a crafted URL
Sidekiq-cron through 2.3.1, an open-source scheduling add-on for Sidekiq, is vulnerable to a cross-site scripting (XSS) vulnerability via a crafted URL being rendered from cron.erb...