mysql: InnoDB unspecified vulnerability (CPU Apr 2026)

Oracle CPU describes the issue as following: Vulnerability in the MySQL Server product of Oracle MySQL component: InnoDB. Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network access via...

mysql: Optimizer unspecified vulnerability (CPU Apr 2026)

Oracle CPU describes the issue as following: Vulnerability in the MySQL Server product of Oracle MySQL component: Server: Optimizer. Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network...

PT-2026-48982

Name of the Vulnerable Software and Affected Versions Discourse versions 2026.1.0 through 2026.1.3 Discourse versions 2026.3.0 Discourse versions 2026.4.0 Description The AI explain helper fails to verify the can see? permission on the reply to post of a post being explained. This allows an...

CVE-2026-53782 Summarize < 0.17.0 SSRF via podcast:transcript URL fetch

Summarize before 0.17.0 contains a server-side request forgery vulnerability that allows attackers who control a podcast RSS feed to direct the host to fetch transcript content from loopback addresses, link-local addresses, RFC 1918 private ranges, or other reserved destinations by supplying...

EUVD-2026-36308

Summarize before 0.17.0 contains a server-side request forgery vulnerability that allows attackers who control a podcast RSS feed to direct the host to fetch transcript content from loopback addresses, link-local addresses, RFC 1918 private ranges, or other reserved destinations by supplying...

CVE-2026-49261

Summary: CVE-2026-49261 affects MariaDB Galera cluster where enabling wsrep_notify_cmd allows shell commands to be executed via the joiner node name. Affected versions include MariaDB 10.6.1–10.6.26, 10.11.1–10.11.17, 11.4.1–11.4.11, 11.8.1–11.8.7, and 12.3.1. Impact: potential remote command exe...

CVE-2026-44488 Axios: Allocation of Resources Without Limits or Throttling in axios

Axios is a promise based HTTP client for the browser and Node.js. Axios versions 1.7.0 through 1.15.x did not enforce configured request and response size limits when requests were sent with the fetch adapter. Applications that selected adapter: 'fetch', or ran in environments where axios resolve...

CVE-2026-7250 Allocation of Resources Without Limits or Throttling in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.10 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an unauthenticated user to cause denial of service due to improper input validation in the API request...

CVE-2026-40992

Spring Boot's Mail auto-configuration does not enable hostname verification. Applications that set the relevant JavaMail property, such as spring.mail.properties.mail.smtp.ssl.checkserveridentity=true, are not affected. Affected versions: Spring Boot 4.0.0 through 4.0.6; 3.5.0 through 3.5.14; 3.4...

VMware Spring Boot 安全漏洞

VMware Spring Boot is an open-source framework developed by the American company VMware. There are security vulnerabilities in versions 4.0.0 to 4.0.6, 3.5.0 to 3.5.14, 3.4.0 to 3.4.16, 3.3.0 to 3.3.19, and 2.7.0 to 2.7.33 of VMware Spring Boot. These vulnerabilities stem from the use of fixed...

GitLab Enterprise Edition（EE） 跨站脚本漏洞

GitLab Enterprise Edition EE is a content management system provided by the American company GitLab. Versions of GitLab EE from 13.1.4 to 18.10.8, as well as versions from 18.11 to 18.11.5 and from 19.0 to 19.0.2, contained a cross-site scripting vulnerability. This vulnerability stemmed from...

GitLab Enterprise Edition（EE）和GitLab Community Edition（CE） 安全漏洞

GitLab Enterprise Edition EE and GitLab Community Edition CE are products of the American company GitLab. GitLab Enterprise Edition is a content management system. GitLab Community Edition is a community version of GitLab. There were security vulnerabilities in versions of GitLab CE/EE between 15...

Summarize 代码问题漏洞

Summarize is a multi-source rapid summarization tool developed by Peter Steinberger. Versions of Summarize prior to 0.17.0 contained code vulnerabilities. These vulnerabilities were caused by server-side request forgeing attacks. Attackers could exploit these vulnerabilities by providing maliciou...

MariaDB Server 操作系统命令注入漏洞

MariaDB Server is an open-source relational database system developed by MariaDB. Versions 10.6.1 to 10.6.26, 10.11.1 to 10.11.17, 11.4.1 to 11.4.11, 11.8.1 to 11.8.7, and 12.3.1 of MariaDB Server have a vulnerability related to operating system command injection. This vulnerability arises from...

EUVD-2026-36132

Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Fedify previously addressed SSRF/internal network access in GHSA-p9cg-vqcc-grcx by adding public URL validation before runtime document and media fetching. However, the IPv4 validation logic present starting...

CVE-2026-50131 Fedify has an incomplete SSRF mitigation after GHSA-p9cg-vqcc-grcx: validatePublicUrl allows special-use IPv4 ranges

Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Fedify previously addressed SSRF/internal network access in GHSA-p9cg-vqcc-grcx by adding public URL validation before runtime document and media fetching. However, the IPv4 validation logic present starting...

CVE-2026-50131

Fedify (TypeScript federated server framework) has an incomplete SSRF mitigation in validatePublicUrl(): isValidPublicIPv4Address() blocks common private/local ranges but still treats several special-use, reserved, multicast, benchmarking, and carrier-grade NAT IPv4 ranges as valid. This exposes ...

CVE-2026-50131 Fedify has an incomplete SSRF mitigation after GHSA-p9cg-vqcc-grcx: validatePublicUrl allows special-use IPv4 ranges

Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Fedify previously addressed SSRF/internal network access in GHSA-p9cg-vqcc-grcx by adding public URL validation before runtime document and media fetching. However, the IPv4 validation logic present starting...

CVE-2026-50127

Weblate is a web based localization tool. From version 5.15 to before version 2026.6, Weblate's VCSRESTRICTPRIVATE did not properly account for some transitional IPv6 ranges, multicast addresses, or some semi-private IPv4 ranges, which allowed some addresses to bypass private range restrictions...

CVE-2026-50127 Weblate SSRF: outbound URL guard misses the NAT64 well-known prefix (64:ff9b::/96)

Weblate is a web based localization tool. From version 5.15 to before version 2026.6, Weblate's VCSRESTRICTPRIVATE did not properly account for some transitional IPv6 ranges, multicast addresses, or some semi-private IPv4 ranges, which allowed some addresses to bypass private range restrictions...