CVE-2026-49345 Mercator CVE Configuration Vulnerable to Server-Side Request Forgery (SSRF)

Mercator is an open source web application that enables mapping of the information system. Prior to version 2025.05.19, a Server-Side Request Forgery SSRF vulnerability exists in Mercator's CVE configuration panel /admin/config/parameters. The testProvider method in ConfigurationController passes...

CVE-2026-49344

Mercator (open source mapping app) prior to version 2025.05.19 is affected by CVE-2026-49344. The Query Engine endpoint /admin/queries/execute does not enforce an authorization gate, allowing any authenticated account (including read-only Auditor) to query models outside the intended scope (e.g.,...

EUVD-2026-36598

Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. Prior to version 2.0.13, fallbackToFrontend in the dashboard's NoRoute handler treats any URL whose raw string starts with /dashboard as an admin-frontend asset request. The check uses strings.HasPrefi...

CVE-2026-54056

Kitty (GPU-based terminal) vulnerability CVE-2026-54056 affects versions 0.47.0–0.47.1 where a remote drag-and-drop via kitten dnd staging can overwrite or truncate arbitrary files writable by the local user. The attack chains a staged remote text/uri-list, exploiting a race in staging where a st...

CVE-2026-53724 Parse Server: Stored XSS via trailing-dot filename bypassing file upload extension blocklist

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.79 and 9.9.1-alpha.4, the default file upload extension blocklist can be bypassed by appending a trailing dot to a filename whose extension would otherwise be blocked e.g...

CVE-2026-50008

Parse Server (versions 9.8.0–before 9.9.1-alpha.3) is affected by a bypass in the routeAllowList option. The allow-list check is enforced as Express middleware against the outer HTTP request URL, but the /batch handler dispatches sub-requests to the internal router without re-running the allow-li...

CVE-2026-47182

Frappe (full‑stack web framework) contains a broken access control flaw in which any authenticated user could access private files by guessing the file path. Affected versions prior to 16.17.4 are vulnerable; the issue is fixed in 16.17.4. Practical impact is unauthorized access to private files,...

EUVD-2026-36443

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, the fix for GHSA-8hg8-63c5-gwmx CVE-2023-37903 introduced a check in nodevm.js line 263 that blocks the combination nesting: true + require: false. However, the check uses strict equality options.require === false, which is...

CVE-2026-47135 vm2: Sandbox escape via unblocked cross-realm Symbol.for keys + missing bridge write-trap symbol checks

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, Symbol.for override in setup-sandbox.js only intercepts 2 of 9 dangerous Node.js cross-realm symbols. Combined with the bridge's set/defineProperty/deleteProperty traps having no isDangerousCrossRealmSymbol key check, sandbox...

CVE-2026-47131

vm2 prior to 3.11.4 contains a sandbox escape: by using Buffer.call.call with {}.lookupGetter /lookupSetter and Node.js ERR_INVALID_ARG_TYPE, an attacker can obtain the host TypeError constructor and break out of the sandbox, enabling arbitrary code execution. The issue is fixed in vm2 v3.11.4. R...

CVE-2026-47197

Quest Bot is an opensource Discord Bot. Prior to version 1.1.6, a moderator with the relevant Discord permission bit can use the bot to moderate users above them in the Discord role hierarchy, as long as the bot itself outranks the target. This bypasses Discord’s normal role hierarchy protections...

CVE-2026-47196 Quest Bot: Empty automod rule causes every guild message to be deleted

Quest Bot is an opensource Discord Bot. Prior to version 1.1.6, the automod add command trims user input but does not reject an empty result. Adding a rule containing only whitespace stores an empty word. The message listener later checks content.includes"", which is always true, causing the bot ...

EUVD-2026-36277

Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.4, a user who can configure bot settings can set the ticket transcript channel to a channel they can read. When tickets are closed, the bot exports the full ticket history and sends it ...

CVE-2026-47177 Quest Bot: Ticket transcripts can disclose private ticket contents to a lower-visibility channel

Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.4, a user who can configure bot settings can set the ticket transcript channel to a channel they can read. When tickets are closed, the bot exports the full ticket history and sends it ...

Element Call reports full URLs of visited pages to analytics server

Impact Element Call versions 0.5.17 through 0.19.3 report analytics data to a PostHog server, when configured to by a posthog key in config.json or by the posthogApiHost and posthogApiKey URL parameters. Several fields of this data $initialpersoninfo, $sessionentryurl, and $currenturl were found ...

Exploit for CVE-2026-10795

CVE-2026-10795 CVE-2026-10795 – UpdraftPlus Authentication Byp...

PT-2026-48728

Name of the Vulnerable Software and Affected Versions SolidInvoice versions prior to 2.3.17 Description API tokens used to authenticate REST API requests are stored as plaintext strings within the api tokens database table. An attacker with read access to the database, obtained via methods such a...

EUVD-2026-36165

Boxlite is a sandbox service that allows users to create lightweight virtual machines Boxes and launch OCI containers within them to run untrusted code. Prior to version 0.9.0, Boxlite allows users to specify the OCI image used by containers in the sandbox. However, when processing tar entries in...

CVE-2026-46673

Summary of the vulnerability (CVE-2026-46673) : In Russh (Rust SSH client/server), CryptoVec allocations and growth were unchecked in vulnerable releases. Prior to 0.60.3, local agent inputs could feed attacker-controlled frame lengths into buffer growth before validation; in historical releases ...

EUVD-2026-36090

Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.23.0, the Fission router registers an internal-style route — /fission-function/ and /fission-function// — for every Function object,...