PT-2026-44415

Name of the Vulnerable Software and Affected Versions Hono versions prior to 4.12.21 Description The serialize function in hono/cookie fails to validate the sameSite and priority options against characters that can corrupt Set-Cookie header syntax, such as semicolons, carriage returns, and line...

CVE-2026-44775

Kavita CVE-2026-44775 affects the Kavita reader server prior to v0.9.0, where ReaderController.GetImage allowed unauthenticated access to page images across libraries because the endpoint was decorated with [AllowAnonymous] and the apiKey parameter was never validated. An unauthenticated actor co...

PraisonAI's symlink-extraction bypass of `_safe_extractall` writes outside `dest_dir`

Summary The safeextractall helper that all recipe pull, recipe publish, and recipe unpack flows route through validates each archive member's name for absolute paths, .. segments, and resolved-path escape — but does not validate member.linkname, does not reject symlink/hardlink members, and calls...

OpenID Connect nonce generated but never validated — ID token replay attack

Summary The roadiz/openid package generates an OIDC nonce in OAuth2LinkGenerator::generate and includes it in the authorization request sent to the identity provider, but never stores it and never validates it on the callback. The OpenIdJwtConfigurationFactory validation chain does not include a...

CVE-2026-5504

A padding oracle exists in wolfSSL's PKCS7 CBC decryption that could allow an attacker to recover plaintext through repeated decryption queries with modified ciphertext. In previous versions of wolfSSL the interior padding bytes are not validated...

GHSA-GFMV-VH34-H2X5 Signal K Server: Unauthenticated Source Priorities Manipulation

Summary The SignalK Server exposes an unauthenticated HTTP endpoint that allows remote attackers to modify navigation data source priorities. This endpoint, accessible via PUT /signalk/v1/api/sourcePriorities, does not enforce authentication or authorization checks and directly assigns...

PT-2026-24782

Taskosaur is an open source project management platform with conversational AI for task execution in-app. In 1.0.0, the application does not properly validate or restrict the role parameter during the user registration process. An attacker can manually modify the request payload and assign...

CVE-2026-30863

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.10 and 9.5.0-alpha.11, the Google, Apple, and Facebook authentication adapters use JWT verification to validate identity tokens. When the adapter's audience configuration...

CVE-2026-28472

OpenClaw CVE-2026-28472 affects the gateway WebSocket connect handshake. The vulnerability allows bypassing device-identity checks when an auth.token is present but not validated, enabling attackers to connect to the gateway without device identity or pairing and potentially gain operator access ...

CVE-2021-35486

A Cross-Site Request Forgery CSRF vulnerability in Nokia IMPACT through 19.11.2.10-20210118042150283 allows a remote attacker to import and overwrite the entire application configuration. Specifically, in /ui/rest-proxy/entity/import, neither the X-CSRF-NONCE HTTP header nor the CSRF-NONCE cookie...

EUVD-2025-208086

The CPSD CryptoPro Secure Disk application boots a small Linux operating system to perform user authentication before using BitLocker to decrypt the Windows partition. The system is located on a separate unencrypted partition which can be reached by anyone with access to the hard disk. Multiple...

(0Day) Hugging Face Transformers SEW convert_config Code Injection Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must convert a malicious checkpoint. The specific flaw exists within the convertconfig functio...

EUVD-2025-26495

Malicious code in bioql PyPI...

CVE-2025-10458

Parameters are not validated or sanitized, and are later used in various internal operations...

CVE-2025-10458

Parameters are not validated or sanitized, and are later used in various internal operations...

CVE-2025-8067

A flaw was found in the Udisks daemon, where it allows unprivileged users to create loop devices using the D-BUS system. This is achieved via the loop device handler, which handles requests sent through the D-BUS interface. As two of the parameters of this handle, it receives the file descriptor...

Ivanti Avalanche getCountMuStatDevicePropResultsFromMuListAgentIds SQL Injection Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Avalanche. Authentication is required to exploit this vulnerability. The specific flaw exists within the getCountMuStatDevicePropResultsFromMuListAgentIds function. The issue results from the...

CVE-2025-47786 Emlog vulnerable to Stored Cross-site Scripting

Emlog is an open source website building system. Version 2.5.13 has a stored cross-site scripting vulnerability that allows any registered user to construct malicious JavaScript, inducing all website users to click. In /admin/comment.php, the parameter perpagenum is not validated and is directly...

DRUPAL-CONTRIB-2025-058

This module enables you to add the Piwik Pro web statistics tracking system to your website. The module does not check the JS code that is loaded on the website. So a user with the "Administer Piwik Pro" permission could configure the module to load JS from a malicious website. This vulnerability...

UBUNTU-CVE-2025-3522

Thunderbird processes the X-Mozilla-External-Attachment-URL header to handle attachments which can be hosted externally. When an email is opened, Thunderbird accesses the specified URL to determine file size, and navigates to it when the user clicks the attachment. Because the URL is not validate...