CVE-2026-34574

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.69 and 9.7.0-alpha.14, an authenticated user can bypass the immutability guard on session fields expiresAt, createdWith by sending a null value in a PUT request to the...

EUVD-2026-17484

ClearanceKit intercepts file-system access events on macOS and enforces per-process access policies. Prior to version 4.2.14, two related startup defects created a window during which only the single compile-time baseline rule was enforced by opfilter. All managed MDM-delivered and user-defined...

CVE-2026-34060

Ruby LSP is an implementation of the language server protocol for Ruby. Prior to Shopify.ruby-lsp version 0.10.2 and ruby-lsp version 0.26.9, the rubyLsp.branch VS Code workspace setting was interpolated without sanitization into a generated Gemfile, allowing arbitrary Ruby code execution when a...

CVE-2026-34040

Moby is an open source container framework. Prior to version 29.3.1, a security vulnerability has been detected that allows attackers to bypass authorization plugins AuthZ. This issue has been patched in version 29.3.1...

PT-2026-29396

iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to version 2.3.1.6, a null-pointer dereference NPD in CIccTagLut16::Write can be triggered when processing a crafted ICC profile embedded in a TIFF and extracted during iccTiffDump. This issue has...

PT-2026-29311

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, non-staff users could access read receipt information for staff-only posts they weren't supposed to see. No post content w...

PT-2026-29309

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, there is possible channel membership inference from chat user search without authorization. This issue has been patched in...

CVE-2026-5125

A vulnerability was detected in raine consult-llm-mcp up to 2.5.3. Affected by this vulnerability is the function childprocess.execSync of the file src/server.ts. The manipulation of the argument gitdiff.baseref/gitdiff.files results in os command injection. The attack is only possible with local...

PT-2026-29117

Name of the Vulnerable Software and Affected Versions CI4MS versions prior to 0.31.0.0 Description CI4MS, a CodeIgniter 4-based CMS skeleton, does not properly sanitize user-controlled input within System Settings – Mail Settings. Configuration fields, including Mail Server, Mail Port, Email...

SUSE CVE-2026-33481

Syft is a a CLI tool and Go library for generating a Software Bill of Materials SBOM from container images and filesystems. Syft versions before v1.42.3 would not properly cleanup temporary storage if the temporary storage was exhausted during a scan. When scanning archives Syft will unpack those...

AWS SDK for Java 2.0: Improper Handling of Special Characters in CloudFront Signing Utilities

Summary This notification is related to the CloudFront signing utilities in the AWS SDK for Java v2, which are used to generate Amazon CloudFront signed URLs and signed cookies. A defense-in-depth enhancement has been implemented to improve handling of special characters, such as double quotes an...

CVE-2026-33869 Mastodon has a denial of service for quote authorization

Mastodon is a free, open-source social network server based on ActivityPub. In versions on the 4.5.x branch prior to 4.5.8 and on the 4.4.x branch prior to 4.4.15, an attacker that knows of a quote before it has reached a server can prevent it from being correctly processed on that server. The...

CVE-2026-33014

EVerest is an EV charging software stack. Prior to version 2026.02.0, during RemoteStop processing, a delayed authorization response restores authorized back to true, defeating the stoptransaction call condition on PowerOff events. As a result, the transaction can remain open even after a remote...

Grafana OSS: Authorization bypass allows users with Editor role to modify protected webhook URLs without permissions

A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with Editor role to modify protected webhook URLs without the required alert.notifications.receivers.protected:write permission. A patched version is available at...

OpenClaw: Tlon settings empty-allowlist reconciliation bypassed intended revocation

Summary Tlon settings reconciliation treated explicit empty allowlists as unset, which could silently undo an intended deny-all revocation. Affected Packages / Versions - Package: openclaw npm - Affected: = 2026.3.22 - Latest released tag checked: v2026.3.23-2...

CVE-2026-33536

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to 7.1.2-18 and 6.9.13-43, due to an incorrect return value on certain platforms a pointer is incremented past the end of a buffer that is on the stack and that could result in an out of bounds...

BuildKit's Malicious frontend can cause file escape outside of storage root

Impact When using a custom BuildKit frontend, the frontend can craft an API message that causes files to be written outside of the BuildKit state directory for the execution context. Patches The issue has been fixed in v0.28.1+ Workarounds Issue requires using an untrusted BuildKit frontend set...

CVE-2026-27813

EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race leading to use-after-free. This is triggered by EV plug-in/unplug and RFID/RemoteStart/OCPP authorization events or delayed authorization response. Version 2026.2.0 contains a patch...

CVE-2026-33481

Syft contains a vulnerability (affecting versions before v1.42.3) where temporary storage is not properly cleaned up when an error occurs during scanning. If scanning archives leads to exhausted temporary storage (e.g., large artifacts or zipbombs), Syft may exit without removing temporary files,...

CVE-2026-33402

Sakai (CLE) vulnerability CVE-2026-33402 affects versions 23.0–23.4 and 25.0–25.1, where group titles and descriptions can contain cross-site scripting scripts. The fix is included in releases 23.5 and 25.2. As a workaround, verify the SAKAI_SITE_GROUP table for titles/descriptions that may conta...