4971 matches found
EUVD-2026-10112
hoppscotch is an open source API development ecosystem. Prior to version 2026.2.1, the DELETE /v1/access-tokens/revoke endpoint allows any authenticated user to delete any other user's PAT by providing its ID, with no ownership verification. This issue has been patched in version 2026.2.1...
GHSA-QR2G-P6Q7-W82M x402 SDK Security Advisory
Impact: A security vulnerability exists in outdated versions of the x402 SDK. This vulnerability does not affect users' private keys, smart contracts, or funds. The issue impacts resource servers accepting payments on Solana when the facilitator is running a vulnerable version of the x402 SDK. Who...
CVE-2026-28442
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.2-beta3, users are restricted from deleting internal system files or folders through the application interface. However, when interacting directly with the API, these restrictions can be...
EUVD-2026-10090
The HUMN-1 AI Website Scanner & Human Certification by Winston AI plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the winstondisconnect function in all versions up to, and including, 0.0.3. This makes it possible for authenticated...
PT-2026-23871
Name of the Vulnerable Software and Affected Versions: Netmaker versions prior to 1.5.0. Description: Netmaker, a networking tool utilizing WireGuard, contains an issue where a user with the platform-user role can access WireGuard private keys for all configurations within a network. This occurs...
CVE-2026-1981
The Winston AI WordPress plugin (HUMN-1 AI Website Scanner & Human Certification)
AZL-79616 CVE-2026-27142 affecting package golang 1.18.8-10
Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actio...
CVE-2026-30835 Parse Server: Malformed `$regex` query leaks database error details in API response
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.7 and 9.5.0-alpha.6, a malformed $regex query parameter (e.g. abc) causes the database to return a structured error object that is passed unsanitized through the API response...
RLSA-2026:3842 Moderate: delve security update
Delve is a debugger for the Go programming language. The goal of the project is to provide a simple, full featured debugging tool for Go. Delve should be easy to invoke and easy to use. Chances are if you're using a debugger, things aren't going your way. With that in mind, Delve should stay out ...
CVE-2026-28066
Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in ThemeREX Legrand legrand allows PHP Local File Inclusion. This issue affects Legrand: from n/a through = 2.17...
CVE-2026-25888 Chartbrew: Remote Code Execution (RCE) via Vulnerable API
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.1, there is a remote code execution vulnerability via a vulnerable API. This issue has been patched in version 4.8.1...
PT-2026-23786
Name of the Vulnerable Software and Affected Versions: Flowise versions prior to 3.0.13. Description: Flowise incorrectly trusts HTTP clients that set the header x-request-from: internal, bypassing authorization checks for all /api/v1/ endpoints. This allows an authenticated tenant session to invoke...
Zabbix security vulnerability
Zabbix is a set of open-source monitoring systems developed by Zabbix Inc. This system supports network monitoring, server monitoring, cloud monitoring, and application monitoring. Zabbix has security vulnerabilities; these vulnerabilities stem from authenticated users with template/host write...
OliveTin security vulnerability
OliveTin is an open-source web application developed by OliveTin. Versions of OliveTin prior to 300.11.1 contained security vulnerabilities. These vulnerabilities were due to authorization flaws, which could allow verified users with the view: false permission to enumerate bindings and metadata...
PT-2026-23761
The HUMN-1 AI Website Scanner & Human Certification by Winston AI plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the winston disconnect function in all versions up to, and including, 0.0.3. This makes it possible for authenticated...
chartbrew code injection vulnerability
Chartbrew is an open-source data visualization and dashboard building tool developed by Chartbrew. Versions of Chartbrew prior to 4.8.1 contained a code injection vulnerability. This vulnerability stemmed from the faulty API, which allowed remote code execution...
Gokapi access control error vulnerability
Gokapi is a lightweight, self-hosted alternative to Firefox Send by Marc Bulling. Versions of Gokapi prior to 2.2.3 contained an access control vulnerability. This vulnerability stemmed from the ability of users without the permission to create or modify files to create temporary API keys with...
Gokapi has privilege escalation with auth token
Impact: A registered user without privileges to create or modify file requests is able to create a short-lived API key that has the permission to do so. The user must be registered with Gokapi. If you do not have any other users with access to the admin/upload menu, you are not impacted. Patches...
CVE-2026-26196 Gogs: Access tokens get exposed through URL params in API requests
Gogs is an open source self-hosted Git service. Prior to version 0.14.2, the Gogs API still accepts tokens in URL params like token and accesstoken, which can leak through logs, browser history, and referrers. This issue has been patched in version 0.14.2...
golang: net/url: Memory exhaustion in query parameter parsing in net/url
A flaw was found in the net/url package in the Go standard library. The package does not enforce a limit on the number of unique query parameters it parses. A Go application using the net/http.Request.ParseForm method will try to process all parameters provided in the request. A specially crafted...