CVE-2026-46426
Budibase is an open-source low-code platform. Prior to 3.38.2, the file upload endpoint POST /api/attachments/process does not enforce active-content restrictions for authenticated users. The checks for dangerous file extensions are conditionally wrapped inside if isPublicUser or if isPublicUser ...
PT-2026-26709
Name of the Vulnerable Software and Affected Versions: Discourse versions prior to 2026.3.0-latest.1; Discourse versions prior to 2026.2.1; Discourse versions prior to 2026.1.2. Description: Discourse is an open-source discussion platform. Unauthenticated users can determine whether a specific user is...
MAL-2025-7985 Malicious code in @ginger-team/public-ui (npm)
The package @ginger-team/public-ui was found to contain malicious code...
GHSA-Q28V-664F-Q6WJ Indico vulnerability allows attackers to bulk dump user details
Impact: An endpoint used to display details of users listed in certain fields such as ACLs could be misused to dump basic user details such as name, affiliation and email in bulk. Tip: If your instance allows everyone to create a user account, and you wish to truly restrict access to these user...
umati Gateway information disclosure vulnerability
umati Gateway is an umati open source tool that uses JSON messages to connect OPC UA servers to MQTT agents. An information disclosure vulnerability exists in umati Gateway that stems from the user interface allowing public access, which could result in configurations being viewed and modified...
LinkedIn: Html injection in event Description
A vulnerability was found where HTML injection was possible in event descriptions on LinkedIn, allowing malicious links to be inserted and executed when users viewed search results. By adding a link with HTML markup as an event description and making the event public, the link would execute for...