Lucene search
121 matches found

Vulnrichment
added yesterday

CVE-2026-50225 Account Creation Exhaustion

The registration path /v1/account/register provides no bot mitigation mechanisms, allowing malicious automated systems to flood the database...

CVSS 8.8 | AI score 5.8 | EPSS 0.00041
Exploits 0 | References 1
RedhatCVE
added 2026/05/04 6:29 a.m.

CVE-2026-40974

A flaw was found in Spring Boot's Cassandra auto-configuration. This vulnerability allows an adjacent attacker to bypass hostname verification during SSL (Secure Sockets Layer) connection establishment to Cassandra. This could enable a man-in-the-middle attack, potentially leading to unauthorized...

CVSS 9.8 | AI score 5.7 | EPSS 0.00085
Exploits 0 | References 4
RedhatCVE
added 2026/04/07 5:42 p.m.

CVE-2026-4292

A flaw was found in Django. Admin changelist forms utilizing ModelAdmin.list_editable were susceptible to improper access control. A remote attacker could exploit this by sending forged POST data, leading to the unauthorized creation of new instances within the application. Mitigation: Mitigation f...

CVSS 5.3 | AI score 5.8 | EPSS 0.00014
Exploits 0 | References 6
RedhatCVE
added 2026/04/01 11:01 p.m.

CVE-2026-34525

A flaw was found in aiohttp, an asynchronous HTTP client/server framework for Python. This vulnerability allows a remote attacker to send multiple Host headers in a single request. This can lead to unexpected behavior, potentially bypassing security controls or causing cache poisoning, which may...

CVSS 6.3 | AI score 5.8 | EPSS 0.00162
Exploits 0 | References 7
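Why a second Host header is dangerous, as an added example that is not aiohttp's own parser: a strict request-head parser that keeps every header value so duplicates stay visible, and a check that rejects the request unless exactly one well-formed Host is present (RFC 9112 section 3.2 requires a 400 response here). The sample requests are constructed for this illustration.

```python
"""Detect and reject HTTP/1.1 requests carrying more than one Host header.

Added example, not aiohttp's parser. A front-end cache, a proxy and the
origin may each honour a different Host value, which is what turns a
duplicate into cache poisoning or a virtual-host/ACL bypass. RFC 9112
section 3.2 says a request with several Host fields must get a 400.
"""
from typing import Dict, List, Tuple


class BadRequest(ValueError):
    """Raised for any request head that must be answered with 400."""


def parse_request_head(raw: bytes) -> Tuple[str, str, Dict[str, List[str]]]:
    """Parse request line and headers; keep every value so duplicates show up.

    Header names are lower-cased (they are case-insensitive), values are
    kept in arrival order. No header folding or HTTP/2 handling.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise BadRequest("request head not terminated by CRLF CRLF")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or parts[2] != b"HTTP/1.1":
        raise BadRequest("malformed request line")
    method, target = parts[0].decode("ascii"), parts[1].decode("ascii")
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        # RFC 9112 section 5.1: no whitespace between field name and colon
        if not colon or not name or name != name.strip() or not name.isascii():
            raise BadRequest("malformed header line: %r" % line)
        headers.setdefault(name.decode("ascii").lower(), []).append(
            value.strip().decode("latin-1")
        )
    return method, target, headers


def effective_host(headers: Dict[str, List[str]]) -> str:
    """Return the one Host value, or raise if it is missing, blank or duplicated."""
    hosts = headers.get("host", [])
    if len(hosts) != 1:
        raise BadRequest("expected exactly one Host header, got %d" % len(hosts))
    host = hosts[0]
    if not host or any(ch in host for ch in " \t\r\n"):
        raise BadRequest("invalid Host value %r" % host)
    return host


def is_accepted(raw: bytes) -> bool:
    """True if the request head parses and has exactly one valid Host header."""
    try:
        effective_host(parse_request_head(raw)[2])
    except BadRequest:
        return False
    return True


# Constructed sample requests (not captured traffic).
GOOD_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: api.example.test\r\n\r\n"
DUPLICATE_HOST_REQUEST = (
    b"GET /admin HTTP/1.1\r\n"
    b"Host: api.example.test\r\n"       # what a front-end ACL might check
    b"Host: internal.example.test\r\n"  # what a back-end might route on
    b"\r\n"
)
MIXED_CASE_DUPLICATE = b"GET / HTTP/1.1\r\nhost: a.example.test\r\nHOST: b.example.test\r\n\r\n"
NO_HOST_REQUEST = b"GET / HTTP/1.1\r\nAccept: */*\r\n\r\n"

if __name__ == "__main__":
    for name, req in [("good", GOOD_REQUEST), ("duplicate", DUPLICATE_HOST_REQUEST),
                      ("mixed-case duplicate", MIXED_CASE_DUPLICATE), ("no host", NO_HOST_REQUEST)]:
        print("%-22s accepted=%s" % (name, is_accepted(req)))
```

The point of keeping a list per header name rather than a dict of single values is that "last one wins" and "first one wins" parsers disagree, and a request that is fine for the front end can be routed differently by the back end; rejecting the request removes the ambiguity instead of picking a side.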
RedhatCVE
added 2026/04/01 10:21 p.m.

CVE-2026-34516

A flaw was found in AIOHTTP, an asynchronous HTTP client/server framework for asyncio and Python. A remote attacker could exploit this vulnerability by sending a response with an excessive number of multipart headers. This could cause the system to consume more memory than intended, leading to a...

CVSS 8.7 | AI score 5.8 | EPSS 0.0002
Exploits 0 | References 6
RedhatCVE
added 2026/03/16 10:29 p.m.

CVE-2026-1629

A missing cache invalidation flaw has been discovered in mattermost server. Affected versions fail to invalidate cached permalink preview data when a user loses channel access which allows the user to continue viewing private channel content via previously cached permalink previews until cache...

CVSS 4.3 | AI score 5.6 | EPSS 0.00092
Exploits 0 | References 2
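The flaw is a cache that outlives the authorization decision it was made under. As an added illustration that is not Mattermost code, here is a small model of a per-user permalink preview cache with the missing invalidation step switchable on and off; the channel, user and post identifiers are constructed.

```python
"""Model of a per-user permalink preview cache and its invalidation on access loss.

Added example, not Mattermost's implementation. Entries are keyed by
(user_id, post_id) and remember the post's channel so they can be dropped
when that user is removed from the channel.
"""
from typing import Dict, Optional, Set, Tuple


class PermalinkPreviewCache:
    def __init__(self, invalidate_on_revoke: bool) -> None:
        self.invalidate_on_revoke = invalidate_on_revoke
        self.members: Dict[str, Set[str]] = {}         # channel_id -> member user_ids
        self.posts: Dict[str, Tuple[str, str]] = {}   # post_id -> (channel_id, message)
        self._cache: Dict[Tuple[str, str], str] = {}  # (user_id, post_id) -> preview text

    def add_member(self, channel_id: str, user_id: str) -> None:
        self.members.setdefault(channel_id, set()).add(user_id)

    def add_post(self, post_id: str, channel_id: str, message: str) -> None:
        self.posts[post_id] = (channel_id, message)

    def render_preview(self, user_id: str, post_id: str) -> Optional[str]:
        """Return the preview, or None if the user may not see the post.

        A cache hit is served as-is: that is the behaviour the advisory
        describes, and it is only safe if revocation also evicts.
        """
        key = (user_id, post_id)
        if key in self._cache:
            return self._cache[key]
        channel_id, message = self.posts[post_id]
        if user_id not in self.members.get(channel_id, set()):
            return None
        preview = message[:40]
        self._cache[key] = preview
        return preview

    def revoke_access(self, channel_id: str, user_id: str) -> None:
        self.members.get(channel_id, set()).discard(user_id)
        if not self.invalidate_on_revoke:
            return  # the missing step: stale previews survive the membership change
        stale = [key for key in self._cache
                 if key[0] == user_id and self.posts[key[1]][0] == channel_id]
        for key in stale:
            del self._cache[key]


def leaks_after_revoke(invalidate_on_revoke: bool) -> bool:
    """True if a user removed from a private channel can still read a cached preview."""
    cache = PermalinkPreviewCache(invalidate_on_revoke)
    cache.add_member("private-eng", "alice")  # constructed IDs
    cache.add_post("p1", "private-eng", "incident report draft, do not forward")
    if cache.render_preview("alice", "p1") is None:  # primes the cache while still a member
        raise RuntimeError("a current member should be able to read the post")
    cache.revoke_access("private-eng", "alice")
    return cache.render_preview("alice", "p1") is not None


if __name__ == "__main__":
    print("without invalidation, leaks:", leaks_after_revoke(False))
    print("with invalidation, leaks:   ", leaks_after_revoke(True))
```

Eviction on revoke is the direct fix; the belt-and-braces alternative is to re-run the membership check on every cache hit, which costs a lookup per request but removes the dependency on every revocation path remembering to evict.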
RedhatCVE
added 2026/03/16 1:44 p.m.

CVE-2026-32600

A flaw was found in xml-security, a library for XML signatures and encryption. This vulnerability arises from a lack of validation for the authentication tag length in XML nodes encrypted with AES-GCM (Advanced Encryption Standard Galois/Counter Mode). A remote attacker can exploit this by...

CVSS 8.2 | AI score 5.8 | EPSS 0.00022
Exploits 1 | References 2
RedhatCVE
added 2026/03/11 11:17 a.m.

CVE-2026-26131

A flaw was found in .NET. Incorrect default permissions allow an authorized local attacker to exploit this vulnerability. This can lead to local privilege escalation, enabling the attacker to gain higher access rights on the system. Mitigation: Mitigation for this issue is either not available or...

CVSS 7.8 | AI score 5.7 | EPSS 0.00025
Exploits 0 | References 4
RedhatCVE
added 2026/03/09 6:16 p.m.

CVE-2026-29184

A flaw was found in @backstage/plugin-scaffolder-backend. A malicious scaffolder template can bypass the log redaction mechanism, allowing an attacker to exfiltrate sensitive information (secrets) from task event logs. This vulnerability leads to information disclosure, potentially exposing...

CVSS 2 | AI score 5.5 | EPSS 0.0001
Exploits 0 | References 4
RedhatCVE
added 2026/03/06 8:35 a.m.

CVE-2026-3632

A flaw was found in libsoup, a library used by applications to send network requests. This vulnerability occurs because libsoup does not properly validate hostnames, allowing special characters to be injected into HTTP headers. A remote attacker could exploit this to perform HTTP smuggling, where...

CVSS 5.5 | AI score 5.6 | EPSS 0.00129
Exploits 1 | References 4
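What "does not properly validate hostnames" turns into on the wire, as an added example that is not libsoup code: an allow-list hostname check applied before a host is copied into a Host header, next to the unchecked serialisation that lets a CR/LF inside the host become an extra header line. The allow-list is an assumption of this example (stricter than RFC 3986 reg-name), and the hosts used are constructed.

```python
"""Allow-list hostname validation before a host is copied into an HTTP header.

Added example, not libsoup code. A host that is not validated can carry
CR/LF, and once it is written into a Host line the bytes after the CR/LF
become extra header lines (or a second request) on the wire. The rule
below is deliberately stricter than RFC 3986 reg-name: DNS labels (which
also cover dotted IPv4 literals) or a bracketed IPv6 literal, plus an
optional port. Internationalised names must be IDNA-encoded first.
"""
import re

_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOST_PATTERN = re.compile(
    "(?:(?:" + _LABEL + r"\.)*" + _LABEL + r"\.?"  # dotted name or IPv4 literal
    + r"|\[[0-9A-Fa-f:.]+\])"                     # bracketed IPv6 literal
    + r"(?::[0-9]{1,5})?"                         # optional port
)


def is_valid_host(host: str) -> bool:
    """True only if the whole string is a plausible Host value.

    fullmatch is used on purpose: with '$' a trailing newline would still
    match. 261 = 253-character name plus ':' and a five-digit port.
    """
    return len(host) <= 261 and _HOST_PATTERN.fullmatch(host) is not None


def build_request_head(host: str, path: str, validate: bool = True) -> bytes:
    """Serialise a minimal GET request head.

    validate=False mimics a client that trusts whatever host it was given,
    which is the behaviour the advisory describes.
    """
    if validate and not is_valid_host(host):
        raise ValueError("refusing to put %r into a Host header" % host)
    if "\r" in path or "\n" in path:
        raise ValueError("CR/LF in request target")
    return ("GET %s HTTP/1.1\r\nHost: %s\r\n\r\n" % (path, host)).encode("latin-1")


def header_lines(head: bytes) -> int:
    """Count the header lines a receiver would see (request line excluded)."""
    block = head.split(b"\r\n\r\n", 1)[0]
    return len(block.split(b"\r\n")) - 1


def is_rejected(host: str) -> bool:
    """True if the validating builder refuses this host."""
    try:
        build_request_head(host, "/")
    except ValueError:
        return True
    return False


# Constructed inputs, not captured from any application.
BENIGN_HOST = "api.example.test:8443"
INJECTED_HOST = "api.example.test\r\nX-Forwarded-For: 127.0.0.1"

if __name__ == "__main__":
    print("benign  :", header_lines(build_request_head(BENIGN_HOST, "/")), "header line(s)")
    print("injected:", header_lines(build_request_head(INJECTED_HOST, "/", validate=False)),
          "header line(s) when unvalidated; rejected when validated:", is_rejected(INJECTED_HOST))
```

Validating the host once, at the point where a URL is parsed, is cheaper and easier to audit than scanning every header value for CR/LF later, but both belong in a client library: the header writer should still refuse control characters as a last line of defence.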
RedhatCVE
added 2026/03/05 8:36 a.m.

CVE-2026-3381

A flaw was found in Compress::Raw::Zlib. This component bundles an outdated version of the zlib compression library, which contains known security vulnerabilities. An attacker could potentially exploit these underlying zlib vulnerabilities through Compress::Raw::Zlib, leading to unspecified...

CVSS 9.8 | AI score 5.6 | EPSS 0.00041
Exploits 1 | References 9
RedhatCVE
added 2026/02/27 11:37 p.m.

CVE-2026-28422

A flaw was found in Vim, an open-source command-line text editor. A local user could exploit a stack-buffer-overflow vulnerability in the build_stl_str_hl function by rendering a statusline with a multi-byte fill character on a very wide terminal. This could lead to an integrity impact, where data...

CVSS 2.2 | AI score 5.6 | EPSS 0.00005
Exploits 0 | References 6
RedhatCVE
added 2026/02/26 3:00 p.m.

CVE-2026-27901

A flaw was found in svelte, a performance-oriented web framework. When rendering untrusted data as the initial value for bind:innerText and bind:textContent on contenteditable elements on the server, the contents were not properly escaped. This improper handling could allow a remote attacker to...

CVSS 6.1 | AI score 5.8 | EPSS 0.00034
Exploits 0 | References 6
RedhatCVE
added 2026/02/24 11:21 p.m.

CVE-2026-27204

A flaw was found in Wasmtime. Wasmtime's implementation of WebAssembly System Interface (WASI) host interfaces is susceptible to resource exhaustion. A malicious guest can exploit this by requesting excessive resource allocations, which Wasmtime does not appropriately limit. This can lead to a Deni...

CVSS 6.9 | AI score 5.6 | EPSS 0.00093
Exploits 0 | References 10
RedhatCVE
added 2026/02/20 11:49 p.m.

CVE-2026-27121

svelte is a performance oriented web framework. When using spread syntax to render attributes from untrusted data, event handler properties are included in the rendered HTML output. If an application spreads user-controlled or external data as element attributes, an attacker can inject malicious...

CVSS 5.6 | AI score 5.8 | EPSS 0.00011
Exploits 0 | References 4
OSV
added 2026/02/19 4:27 p.m.

CVE-2026-26345

SPIP before 4.4.8 contains a stored cross-site scripting (XSS) vulnerability in the public area triggered in certain edge-case usage patterns. The echapper_html_suspect function does not adequately sanitize user-controlled content, allowing authenticated users with content-editing privileges (e.g.,...

CVSS 8.6 | AI score 5.2
Exploits 0 | References 3
Tenable Nessus
added 2026/02/19 12:00 a.m.

Linux Distros Unpatched Vulnerability : CVE-2026-27472

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - SPIP before 4.4.9 allows Blind Server-Side Request Forgery (SSRF) via syndicated sites in the private area. When editing a syndicated site, the application does n...

CVSS 5.3 | AI score 6 | EPSS 0.00063
Exploits 0 | References 3
RedhatCVE
added 2026/02/18 11:03 p.m.

CVE-2026-22860

A path traversal flaw has been discovered in the rubygem Rack. Rack::Directory’s path check used a string prefix match on the expanded path. A request like /../rootexample/ can escape the configured root if the target path starts with the root string, allowing directory listing outside the intend...

CVSS 7.5 | AI score 6.2 | EPSS 0.00123
Exploits 1 | References 5
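The prefix-match mistake, as an added example that is not Rack's code: the flawed check and the fixed check side by side, applied to path strings only (no filesystem access) so the escape is visible with a constructed document root and a sibling directory whose name begins with the root's name. A real handler must also resolve symlinks (os.path.realpath) before comparing.

```python
"""String-prefix root check versus a real containment check for static file serving.

Added example, not Rack's code. It works on path strings only (no
filesystem access) so the traversal can be seen; a real handler must also
resolve symlinks (os.path.realpath) before comparing.
"""
import posixpath

# Constructed layout: the document root and a sibling directory whose name
# happens to begin with the root's name.
ROOT = "/srv/site/public"
SIBLING = "/srv/site/public_private"


def resolve(root: str, request_path: str) -> str:
    """Join the request target onto root and collapse '.' and '..' segments,
    the way an expanded path is computed."""
    return posixpath.normpath(posixpath.join(root, request_path.lstrip("/")))


def allowed_prefix_match(root: str, request_path: str) -> bool:
    """The flawed check: any resolved path that starts with the root *string*
    passes, so /srv/site/public_private counts as being under /srv/site/public."""
    return resolve(root, request_path).startswith(root)


def allowed_strict(root: str, request_path: str) -> bool:
    """Fixed check: the resolved path must be the root itself or sit below
    root + '/' as a whole path segment."""
    root = posixpath.normpath(root)
    target = resolve(root, request_path)
    return target == root or target.startswith(root.rstrip("/") + "/")


if __name__ == "__main__":
    for req in ["/css/site.css", "/../public_private/", "/../../etc/passwd", "/"]:
        print("%-22s -> %-28s prefix=%-5s strict=%s" % (
            req, resolve(ROOT, req), allowed_prefix_match(ROOT, req), allowed_strict(ROOT, req)))
```

Comparing against root plus a separator (or, equivalently, checking that posixpath.commonpath([root, target]) == root) is what makes the boundary a path segment rather than a run of characters; the sibling escape and the plain ../../etc/passwd traversal both fail that test, while the root itself and anything beneath it still pass.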
RedhatCVE
added 2026/02/12 11:36 p.m.

CVE-2026-26076

A denial of service flaw has been discovered in ntpd-rs. When Network Time Security (NTS) is enabled on an ntpd-rs server, a remote attacker can create malformed NTS packets that take significantly more effort for the server to respond to by requesting a large number of cookies. This can lead to...

CVSS 7.5 | AI score 5.7 | EPSS 0.00074
Exploits 0 | References 2
RedhatCVE
added 2026/02/11 1:04 p.m.

CVE-2026-25598

A flaw was found in Harden-Runner, a CI/CD security agent. This vulnerability allows outbound network connections to evade audit logging. A remote attacker could exploit this by using specific socket system calls (sendto, sendmsg, and sendmmsg) to bypass detection and logging when the egress-policy...

CVSS 6.3 | AI score 5.6 | EPSS 0.00019
Exploits 0 | References 5