CVE-2026-11649

Use after free in V8 in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. Chromium security severity: High...

CVE-2025-65954

SimpleSAMLphp-casserver is a CAS 1.0 and 2.0 compliant CAS server in the form of a SimpleSAMLphp module. In versions below 6.3.1 and 7.0.0, the logout endpoint accepts a url query parameter to redirect to. casserver treats that url as trusted, and either depending on configuration redirects the...

CVE-2026-39851

Saleor is an e-commerce platform. From 2.10.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, the requestEmailChange mutation was revealing the existence of user-provided email addresses in error messages. This vulnerability is fixed in 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118...

CVE-2026-4868 Authorization Bypass Through User-Controlled Key in GitLab

GitLab has remediated an issue in GitLab EE affecting all versions from 18.8 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that, under certain conditions, could have allowed an authenticated user to cause specific Duo AI workflows to run under another user's identity due to imprope...

CVE-2026-44553 Open WebUI: Stale Admin Role in Socket.IO Session Pool Enables Post-Demotion Cross-User Note Access

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, administrative role changes and user deletions do not iterate SESSIONPOOL to disconnect affected sessions. As a result, a user whose admin role has been revoked retains admin...

CVE-2026-42582

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final, when decoding header blocks, the non-Huffman branch of io.netty.handler.codec.http3.QpackDecoderdecodeHuffmanEncodedLiteral may execute new bytelength for a string literal before verifying that length byt...

CVE-2026-41400 OpenClaw < 2026.3.31 - Resource Consumption via Oversized WebSocket Frames in voice-call

OpenClaw before 2026.3.31 contains an incomplete fix for CVE-2026-32062 where the voice-call component parses large WebSocket frames before start validation. Remote attackers can send oversized pre-start WebSocket frames to cause resource consumption and denial of service...

CVE-2026-41167

Jellystat is a free and open source Statistics App for Jellyfin. Prior to version 1.1.10, multiple API endpoints in Jellystat build SQL queries by interpolating unsanitized request-body fields directly into raw SQL strings. An authenticated user can inject arbitrary SQL via POST /api/getUserDetai...

SUSE CVE-2026-28212

Firebird is an open-source relational database management system. In versions prior to 6.0.0, 5.0.4, 4.0.7 and 3.0.14, when processing an opslice network packet, the server passes an unprepared structure containing a null pointer to the SDLinfo function, resulting in a null pointer dereference an...

PT-2026-33514

WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, a Stored Cross-Site Scripting XSS vulnerability was identified in the 'Member Registration' Cadastrar Sócio function. By injecting a payload into the 'Member Name' Nome Sócio field, the script is persistently stored ...

CVE-2026-5734

CVE-2026-5734 involves memory safety bugs in Mozilla products. Affected: Firefox ESR 140.9.0, Thunderbird ESR 140.9.0, Firefox 149.0.1, and Thunderbird 149.0.1. Some bugs show memory corruption and could potentially be exploited to run arbitrary code. The issue is addressed by fixes in Firefox 14...

CVE-2026-33871

Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service DoS against a Netty HTTP/2 server by sending a flood of CONTINUATION frames. The server's lack of a limit on the number of...

CVE-2026-33755

Group-Office (enterprise CRM/groupware) has an authenticated SQL Injection in the JMAP Contact/query endpoint affecting versions before 6.8.158, 25.0.92, and 26.0.17. An authenticated user with basic addressbook access can extract arbitrary data from the database, including active session tokens ...

CVE-2026-28674

Product/Context: xiaoheiFS (self-hosted financial/operational system). Vulnerability: In versions ≤ 0.3.15, the AdminPaymentPluginUpload endpoint allows admins to upload any file to plugins/payment/ with only a hardcoded password (qweasd123456) and disregards file content. A background watcher (S...

CVE-2026-28691

CVE-2026-28691 affects ImageMagick’s JBIG decoder, where an uninitialized pointer dereference exists due to a missing check. Affects versions prior to the fixed releases 7.1.2-16 and 6.9.13-41. The vulnerability can lead to an availability impact (DoS) with network-based attack, with no required ...

EUVD-2026-8750

Storybook Dev Server is Vulnerable to WebSocket Hijacking...

CVE-2026-27904 minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions

minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested extglobs produce regexps with nested unbounded quantifiers e.g. ?:?:a|b, which exhibit catastrophic...

PT-2026-21866

Name of the Vulnerable Software and Affected Versions changedetection.io versions prior to 0.54.1 Description The application reflects the UUID path parameter directly in the HTTP response body without HTML escaping in the RSS single-watch endpoint. Because Flask defaults to returning text/html f...

PT-2026-3445

Quicly, an IETF QUIC protocol implementation, is susceptible to a denial-of-service attack prior to commit d9d3df6a8530a102b57d840e39b0311ce5c9e14e. A remote attacker can exploit these bugs to trigger an assertion failure that crashes process using Quicly. Commit...

CVE-2025-14510

Incorrect Implementation of Authentication Algorithm vulnerability in ABB ABB Ability OPTIMAX.This issue affects ABB Ability OPTIMAX: 6.1, 6.2, from 6.3.0 before 6.3.1-251120, from 6.4.0 before 6.4.1-251120...