GHSA-3M5V-4XP5-GJG2 Graphiti Affected by Arbitrary Method Execution via Unvalidated Relationship Names

Summary An arbitrary method execution vulnerability has been found which affects Graphiti's JSONAPI write functionality. An attacker can craft a malicious JSONAPI payload with arbitrary relationship names to invoke any public method on the underlying model instance, class or its associations...

CVE-2026-32701 Qwik has array method pollution in FormData processing, allowing type confusion and DoS

Qwik is a performance-focused JavaScript framework. Versions prior to 1.19.2 improperly inferred arrays from dotted form field names during FormData parsing. By submitting mixed array-index and object-property keys for the same path, an attacker could cause user-controlled properties to be writte...

CVE-2026-32701 Qwik has array method pollution in FormData processing, allowing type confusion and DoS

Qwik is a performance-focused JavaScript framework. Versions prior to 1.19.2 improperly inferred arrays from dotted form field names during FormData parsing. By submitting mixed array-index and object-property keys for the same path, an attacker could cause user-controlled properties to be writte...

CVE-2026-33192 free5GC UDM incorrectly returns 500 for empty supi path parameter in PATCH sdm-subscriptions reques

Free5GC is an open-source Linux Foundation project for 5th generation 5G mobile core networks. In versions prior to 1.4.2, the UDM incorrectly converts a downstream 400 Bad Request from UDR into a 500 Internal Server Error when handling PATCH requests with an empty supi path parameter...

CVE-2026-32697

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management CRM software application. Prior to versions 8.9.3, the RecordHandler::getRecord method retrieves any record by module and ID without checking the current user's ACL view permission. The companion saveRecord method...

php_api_doc 跨站脚本漏洞

phpapidoc is a PHP API documentation generation tool developed by Wally’s personal developer. phpapidoc has a cross-site scripting vulnerability, which stems from improper cleaning of the f parameter in the listmethod.php file. This vulnerability may lead to reflective cross-site scripting attack...

PT-2026-26750

Name of the Vulnerable Software and Affected Versions Graphiti versions prior to 1.10.2 Description Graphiti is a framework that exposes models through a JSON:API-compliant interface. Versions prior to 1.10.2 contain a flaw where an attacker can construct a malicious JSONAPI payload with arbitrar...

Graphiti Affected by Arbitrary Method Execution via Unvalidated Relationship Names

Summary An arbitrary method execution vulnerability has been found which affects Graphiti's JSONAPI write functionality. An attacker can craft a malicious JSONAPI payload with arbitrary relationship names to invoke any public method on the underlying model instance, class or its associations...

CVE-2026-32697 SuiteCRM: RecordHandler::getRecord() missing ACLAccess('view') check allows any authenticated user to read any record (IDOR)

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management CRM software application. Prior to versions 8.9.3, the RecordHandler::getRecord method retrieves any record by module and ID without checking the current user's ACL view permission. The companion saveRecord method...

Out-of-bounds Read

Overview Affected versions of this package are vulnerable to Out-of-bounds Read via the rar archive processing logic due to improper validation of the LZSS sliding window size after transitions between compression methods. An attacker can disclose sensitive heap memory information by submitting a...

free5GC UDM incorrectly returns 500 for empty supi path parameter in PATCH sdm-subscriptions reques

Impact This is an Improper Error Handling vulnerability with Information Exposure implications, combined with an HTTP Method Translation issue. - Security Impact: The UDM incorrectly converts a downstream 400 Bad Request from UDR into a 500 Internal Server Error when handling PATCH requests with ...

GHSA-5RVC-5CWX-G5X8 free5GC UDM incorrectly returns 500 for empty supi path parameter in PATCH sdm-subscriptions reques

Impact This is an Improper Error Handling vulnerability with Information Exposure implications, combined with an HTTP Method Translation issue. - Security Impact: The UDM incorrectly converts a downstream 400 Bad Request from UDR into a 500 Internal Server Error when handling PATCH requests with ...

org.apache.cxf/cxf: CXF JMS Code Execution Vulnerability

A flaw was found in org.apache.cxf/cxf, where untrusted users can configure JMS to allow the specification of RMI or LDAP URLs, possibly leading to code execution. This vulnerability allows an attacker to provide malicious protocol URLs during JMS configuration...

org.apache.cxf/cxf: CXF JMS Code Execution Vulnerability

A flaw was found in org.apache.cxf/cxf, where untrusted users can configure JMS to allow the specification of RMI or LDAP URLs, possibly leading to code execution. This vulnerability allows an attacker to provide malicious protocol URLs during JMS configuration...

org.apache.cxf/cxf: CXF JMS Code Execution Vulnerability

A flaw was found in org.apache.cxf/cxf, where untrusted users can configure JMS to allow the specification of RMI or LDAP URLs, possibly leading to code execution. This vulnerability allows an attacker to provide malicious protocol URLs during JMS configuration...

BIT-LIBPYTHON-2026-3644 Incomplete control character validation in http.cookies

The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update, |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.jsoutput lacked the output validation applie...

CVE-2026-31938 jsPDF has HTML Injection in New Window paths

jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.2.1, user control of the options argument of the output function allows attackers to inject arbitrary HTML such as scripts into the browser context the created PDF is opened in. The vulnerability can be exploited in the followi...

UBUNTU-CVE-2026-3633

A flaw was found in libsoup. A remote attacker, by controlling the method parameter of the soupmessagenew function, could inject arbitrary headers and additional request data. This vulnerability, known as CRLF Carriage Return Line Feed injection, occurs because the method value is not properly...

CVE-2026-3633

A flaw was found in libsoup. A remote attacker, by controlling the method parameter of the soupmessagenew function, could inject arbitrary headers and additional request data. This vulnerability, known as CRLF Carriage Return Line Feed injection, occurs because the method value is not properly...

CVE-2026-3633 Libsoup: libsoup: header and http request injection via crlf injection

A flaw was found in libsoup. A remote attacker, by controlling the method parameter of the soupmessagenew function, could inject arbitrary headers and additional request data. This vulnerability, known as CRLF Carriage Return Line Feed injection, occurs because the method value is not properly...