CVE-2026-26196 Gogs: Access tokens get exposed through URL params in API requests
Gogs is an open source self-hosted Git service. Prior to version 0.14.2, the Gogs API still accepts tokens in URL parameters such as token and accesstoken, which can leak through logs, browser history, and referrers. This issue has been patched in version 0.14.2...
golang: net/url: Memory exhaustion in query parameter parsing in net/url
A flaw was found in the net/url package in the Go standard library. The package does not enforce a limit on the number of unique query parameters it parses. A Go application using the net/http.Request.ParseForm method will try to process all parameters provided in the request. A specially crafted...
CVE-2026-28012
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Gridiron (gridiron) allows PHP Local File Inclusion. This issue affects Gridiron: from n/a through <= 1.0.14...
CVE-2026-22420
CVE-2026-22420 pertains to the Horizon WordPress theme (AncoraThemes Horizon) with a Local File Inclusion vulnerability via improper control of the include/require filename, affecting Horizon versions up to and including 1.1. Public documentation in the connected sources confirms the vulnerabilit...
CVE-2025-53335
CVE-2025-53335 describes a PHP Local File Inclusion in the WordPress theme Berger (ThemeREX Berger) via improper control of filenames for include/require statements. The issue affects Berger versions up to 1.1.1 and is listed with a high impact by CVSS (C/H, I/H, A/H) and a network attack vector,...
[SECURITY] Fedora 42 Update: coturn-4.9.0-1.fc42
The Coturn TURN Server is a VoIP media traffic NAT traversal server and gateway. It can be used as a general-purpose network traffic TURN server/gateway, too. This implementation also includes some extra features. Supported RFCs: TURN specs: - RFC 5766 - base TURN specs - RFC 6062 - TCP relaying...
PT-2026-23446
Name of the Vulnerable Software and Affected Versions: Octopus Server (affected versions not specified). Description: An issue existed in Octopus Server where a new API key could be created from an existing access token. This allowed the new API key to have a longer lifetime than the original access...
Challenges and Design Considerations for Finding CUDA Bugs through GPU-Native Fuzzing
Modern computing is shifting from homogeneous CPU-centric systems to heterogeneous systems with closely integrated CPUs and GPUs. While the CPU software stack has benefited from decades of memory safety hardening, the GPU software stack remains dangerously immature. This discrepancy presents a...
PT-2026-23604
Name of the Vulnerable Software and Affected Versions: Gokapi versions prior to 2.2.3. Description: Gokapi is a self-hosted file sharing server that supports automatic expiration and encryption. A registered user lacking the necessary permissions to create or modify file requests can generate a...
CVE-2026-27801
Vaultwarden (unofficial Bitwarden server) is affected by CVE-2026-27801 where versions 1.34.3 and earlier permit a 2FA bypass on protected actions due to faulty rate-limit enforcement. An authenticated attacker can perform protected actions (e.g., access a user’s API key or delete vaults and orga...
CVE-2025-59785
Improper validation of API end-point in 2N Access Commander version 3.4.2 and prior allows attacker to bypass password policy for backup file encryption. This vulnerability can only be exploited after authenticating with administrator privileges...
CVE-2025-59783
CVE-2025-59783 affects the API endpoint for user synchronization in 2N Access Commander 3.4.1. The root cause is insufficient input validation, enabling an OS command injection. Exploitation requires authentication with administrator privileges. The CVSS 4.0 base score is 8.8 (HIGH) with netwo...
PT-2026-22932
Name of the Vulnerable Software and Affected Versions: 2N Access Commander versions prior to 3.4.3. Description: A flaw exists in the validation of an API endpoint in 2N Access Commander that could allow an attacker to bypass the password policy for backup file encryption. Successful exploitation...
PT-2026-22931
Name of the Vulnerable Software and Affected Versions: 2N Access Commander versions prior to 3.4.2. Description: The 2N Access Commander software contains a flaw related to insufficient validation of data written to logs. Specifically, certain parameters received through the API are included in log...
GHSA-JQWG-75QF-VMF9 SiYuan's direct SQL Query API accessible to Reader-level users enables unauthorized database access
Summary: /api/query/sql allows users to run SQL directly, but it only checks basic auth, not admin rights; any logged-in user, even readers, can run any SQL query on the database. Details: The vulnerable endpoint is in kernel/api/sql.go: `func SQL(c *gin.Context) { ret := gulu.Ret.NewResult(); defer...`
Easy File Sharing Web Server v7.2 - Buffer Overflow
Exploit title: Easy File Sharing Web Server v7.2 - Buffer Overflow Date: 16/10/2025 Exploit Author: Donwor X: @realDonwor Discord: Donwor Website: https://github.com/D0nw0r Software Link: https://www.exploit-db.com/apps/60f3ff1f3cd34dec80fba130ea481f31-efssetup.exe Version: Easy File Sharing Web...
CVE-2026-28286 ZimaOS: Unauthorized Creation of Files/Folders in Restricted System Directories via API
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.2-beta3, the application enforces restrictions in the frontend/UI to prevent users from creating files or folders in internal OS paths. However, when interacting directly with the API, th...
EUVD-2026-9208
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, an authenticated user with Editor role can inject arbitrary HTML into Rich Text cells by bypassing the TipTap editor and sending raw HTML via the API. This issue has been patched in version 0.301.3...