Vulnrichment
added 2026/01/27 11:28 p.m., 1 view

CVE-2025-55292 In Meshtastic, an attacker can spoof licensed amateur flag for a node

Meshtastic is an open source mesh networking solution. In the current Meshtastic architecture, a Node is identified by their NodeID, generated from the MAC address, rather than their public key. This aspect downgrades the security, specifically by abusing the HAM mode which doesn't use encryption...

CVSS 8.2 | AI score 5.9 | EPSS 0.00036
Exploits: 2 | References: 2
ATTACKERKB
added 2026/01/27 11:28 p.m., 4 views

CVE-2025-55292

Meshtastic is an open source mesh networking solution. In the current Meshtastic architecture, a Node is identified by their NodeID, generated from the MAC address, rather than their public key. This aspect downgrades the security, specifically by abusing the HAM mode which doesn't use encryption...

CVSS 8.2 | AI score 5.9 | EPSS 0.00036
Exploits: 2 | References: 3 | Affected Software: 1
CVE
added 2026/01/27 8:59 p.m., 11 views

CVE-2026-24740

CVE-2026-24740 summary (Dozzle) : Dozzle’s agent-backed shell endpoints permit a user restricted by a per-user label filter (for example, label=env=dev) to obtain an interactive root shell in containers outside the user’s label scope (for example, env=prod) on the same agent host. The root cause ...

CVSS 9.9 | AI score 5.9 | EPSS 0.00026
Exploits: 1 | References: 3 | Affected Software: 1
Cvelist
added 2026/01/27 6:18 p.m., 22 views

CVE-2026-22262 Suricata datasets: stack overflow when saving a set

Suricata is a network IDS, IPS and NSM engine. While saving a dataset a stack buffer is used to prepare the data. Prior to versions 8.0.3 and 7.0.14, if the data in the dataset is too large, this can result in a stack overflow. Versions 8.0.3 and 7.0.14 contain a patch. As a workaround, do not us...

CVSS 5.9 | EPSS 0.00119
Exploits: 0 | References: 8
RedhatCVE
added 2026/01/23 6:19 a.m., 4 views

CVE-2026-24010

Horilla is a free and open source Human Resource Management System HRMS. A critical File Upload vulnerability in versions prior to 1.5.0, with Social Engineering, allows authenticated users to deploy phishing attacks. By uploading a malicious HTML file disguised as a profile picture, an attacker...

CVSS 8.8 | AI score 5.7 | EPSS 0.00026
Exploits: 1 | References: 1
NVD
added 2026/01/22 3:15 a.m., 4 views

CVE-2026-23967

sm-crypto provides JavaScript implementations of the Chinese cryptographic algorithms SM2, SM3, and SM4. A signature malleability vulnerability exists in the SM2 signature verification logic of the sm-crypto library prior to version 0.3.14. An attacker can derive a new valid signature for a...

CVSS 7.5 | EPSS 0.00011
Exploits: 0 | References: 1
OSV
added 2026/01/22 12:09 a.m., 3 views

CVE-2026-23946 Tendenci has Authenticated Remote Code Execution via Pickle Deserialization

Tendenci is an open source content management system built for non-profits, associations and cause-based sites. Versions 15.3.11 and below include a critical deserialization vulnerability in the Helpdesk module which is not enabled by default. This vulnerability allows Remote Code Execution RCE b...

CVSS 6.8 | AI score 5.9 | EPSS 0.00658
Exploits: 1 | References: 10
OSV
added 2026/01/21 10:07 p.m., 4 views

CVE-2026-23524 Laravel Redis Horizontal Scaling Insecure Deserialization

Laravel Reverb provides a real-time WebSocket communication backend for Laravel applications. In versions 1.6.3 and below, Reverb passes data from the Redis channel directly into PHP’s unserialize function without restricting which classes can be instantiated, which leaves users vulnerable to...

CVSS 9.8 | AI score 5.7 | EPSS 0.00173
Exploits: 0 | References: 7
RedhatCVE
added 2026/01/20 8:22 p.m., 4 views

CVE-2026-23846

Tugtainer is a self-hosted app for automating updates of Docker containers. In versions prior to 1.16.1, the password authentication mechanism transmits passwords via URL query parameters instead of the HTTP request body. This causes passwords to be logged in server access logs and potentially...

CVSS 9.1 | AI score 5.5 | EPSS 0.0014
Exploits: 1 | References: 1
Vulnrichment
added 2026/01/19 9:16 p.m., 4 views

CVE-2026-23944 Arcane allows unauthenticated proxy access to remote environments

Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to version 1.13.2, unauthenticated requests could be proxied to remote environment agents, allowing access to remote environment resources without authentication. The environment proxy middleware handled...

CVSS 9.3 | AI score 5.6 | EPSS 0.00204
Exploits: 0 | References: 4
OSV
added 2026/01/19 9:16 p.m., 8 views

CVE-2026-23944 Arcane allows unauthenticated proxy access to remote environments

Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to version 1.13.2, unauthenticated requests could be proxied to remote environment agents, allowing access to remote environment resources without authentication. The environment proxy middleware handled...

CVSS 9.3 | AI score 5.6 | EPSS 0.00204
Exploits: 0 | References: 6
Cvelist
added 2026/01/19 8:55 p.m., 13 views

CVE-2026-23880 OnboardLite has stored Cross-site Scripting issue that may lead to admin Account Take Over

OnboardLite is a comprehensive membership lifecycle platform built for student organizations at the University of Central Florida. Versions of the software prior to commit 1d32081a66f21bcf41df1ecb672490b13f6e429f have a stored cross-site scripting vulnerability that can be rendered to an admin wh...

CVSS 7.3 | EPSS 0.00087
Exploits: 0 | References: 2
OSV
added 2026/01/19 8:47 p.m., 3 views

CVE-2026-23875 CrawlChat's Discord Bot has a Knowledge Permission vulnerability

CrawlChat is an open-source, AI-powered platform that transforms technical documentation into intelligent chatbots. Prior to version 0.0.8, a non-existing permission check for the CrawlChat's Discord bot allows non-manage guild users to put malicious content onto the collection knowledge base...

CVSS 7.1 | AI score 5.5 | EPSS 0.00048
Exploits: 1 | References: 5
Vulnrichment
added 2026/01/19 8:37 p.m., 1 view

CVE-2026-23849 File Browser vulnerable to Username Enumeration via Timing Attack in /api/login

File Browser provides a file managing interface within a specified directory and can be used to upload, delete, preview, rename, and edit files. Prior to version 2.55.0, the JSONAuth.Auth function contains a logic flaw that allows unauthenticated attackers to enumerate valid usernames by measuri...

CVSS 5.3 | AI score 5.7 | EPSS 0.00237
Exploits: 1 | References: 2
Cvelist
added 2026/01/19 8:09 p.m., 13 views

CVE-2026-23837 MyTube has an Authorization Bypass vulnerability

MyTube is a self-hosted downloader and player for several video websites. A vulnerability present in version 1.7.65 and potentially earlier versions allows unauthenticated users to bypass the mandatory authentication check in the roleBasedAuthMiddleware. By simply not providing an authentication...

CVSS 9.8 | EPSS 0.00402
Exploits: 0 | References: 2
ATTACKERKB
added 2026/01/19 7:42 p.m., 4 views

CVE-2026-23846

Tugtainer is a self-hosted app for automating updates of Docker containers. In versions prior to 1.16.1, the password authentication mechanism transmits passwords via URL query parameters instead of the HTTP request body. This causes passwords to be logged in server access logs and potentially...

CVSS 9.1 | AI score 5.4 | EPSS 0.0014
Exploits: 1 | References: 3 | Affected Software: 1
Vulnrichment
added 2026/01/19 6:06 p.m., 1 view

CVE-2026-23836 HotCRP vulnerable to remote code execution through formulas

HotCRP is conference review software. A problem introduced in April 2024 in version 3.1 led to inadequately sanitized code generation for HotCRP formulas which allowed users to trigger the execution of arbitrary PHP code. The problem is patched in release version 3.2...

CVSS 9.9 | AI score 6 | EPSS 0.00209
Exploits: 0 | References: 3
CVE
added 2026/01/19 5:58 p.m., 8 views

CVE-2026-23833

ESPHome CVE-2026-23833: An integer overflow in the API component protobuf decoder (bounds check ptr + field_length in components/api/proto.cpp) allows denial-of-service by sending a large field_length. Affects ESPHome versions 2025.9.0–2025.12.6 across all supported devices (ESP32/ESP8266/RP2040/...

CVSS 7.5 | AI score 5.5 | EPSS 0.00092
Exploits: 0 | References: 4 | Affected Software: 1
Tenable Nessus
added 2026/01/15 12:00 a.m., 2 views

EulerOS 2.0 SP12 : cups (EulerOS-SA-2026-1085)

According to the versions of the cups package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities: OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.12 and earlier, an unsafe...

CVSS 6.5 | AI score 7.5 | EPSS 0.00184
Exploits: 1 | References: 2
OSV
added 2026/01/13 8:37 a.m., 3 views

BIT-COSIGN-2026-22703 Cosign verification accepts any valid Rekor entry under certain conditions

Cosign provides code signing and transparency for containers and binaries. Prior to versions 2.6.2 and 3.0.4, Cosign bundle can be crafted to successfully verify an artifact even if the embedded Rekor entry does not reference the artifact's digest, signature or public key. When verifying a Rekor...

CVSS 5.5 | AI score 7 | EPSS 0.00007
Exploits: 1 | References: 4