CVE-2026-33431 Roxy-WI Vulnerable to Authenticated Arbitrary File Read via Path Traversal in Config Version Viewer

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.4, the POST /config//show API endpoint accepts a configver parameter that is directly appended to a base directory path to construct a local file path, which is subsequently opened and it...

Linux Distros Unpatched Vulnerability : CVE-2026-34518

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, when following redirects to a different origin, aiohttp...

CVE-2026-33497 Langflow: /profile_pictures/{folder_name}/{file_name} endpoint file reading

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.1, in the downloadprofilepicture function of the /profilepictures/foldername/filename endpoint, the foldername and filename parameters are not strictly filtered, which allows the secretkey to be re...

CVE-2026-29039 changedetection.io: XPath - Arbitrary File Read via unparsed-text()

changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, the changedetection.io application allows users to specify XPath expressions as content filters via the includefilters field. These XPath expressions are processed using the elementpath library which...

CVE-2026-23880 OnboardLite has stored Cross-site Scripting issue that may lead to admin Account Take Over

OnboardLite is a comprehensive membership lifecycle platform built for student organizations at the University of Central Florida. Versions of the software prior to commit 1d32081a66f21bcf41df1ecb672490b13f6e429f have a stored cross-site scripting vulnerability that can be rendered to an admin wh...

CVE-2026-21492

iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium ICC color management profiles. Versions prior to 2.3.1.2 have a NULL pointer member call vulnerability. This vulnerability affects users of the iccDEV libra...

CVE-2025-59535

DNN formerly DotNetNuke is an open-source web content management platform CMS in the Microsoft ecosystem. Prior to version 10.1.0, arbitrary themes can be loaded through query parameters. If an installed theme had a vulnerability, even if it was not used on any page, this could be loaded on...

PT-2024-8718 · Siemens · Sinec Ins

Name of the Vulnerable Software and Affected Versions: SINEC INS versions prior to V1.0 SP2 Update 3 Description: A vulnerability has been identified in the affected application where it does not properly invalidate sessions when the associated user is deleted, disabled, or their permissions are...

DataEase 数据伪造问题漏洞

DataEase is an open source data visualization and analysis tool from DataEase Open Source. It is used to help users quickly analyze data and gain insight into business trends to achieve business improvement and optimization. DataEase v2.10.2 version before the data forgery problem vulnerability ,...

PT-2024-29975 · Llama.Cpp · Llama.Cpp

Name of the Vulnerable Software and Affected Versions: llama.cpp versions prior to b3561 Description: The issue is related to the rpc tensor structure in llama.cpp, which provides LLM inference in C/C++. The unsafe data pointer member can cause arbitrary address writing, potentially leading to...