CVE-2026-26378

Cross Site Scripting vulnerability in Koha 25.11 and before allows a remote attacker to execute arbitrary code via file upload function in Invoice features...

PT-2026-45946

A vulnerability in the LightGlue model loading path of huggingface/transformers version 5.2.0 allows an attacker-controlled model repository to execute arbitrary code during model initialization. The issue arises because the trust remote code parameter, intended to prevent remote code execution, ...

PT-2026-46085

When using React Router v7 in Framework Mode, there exists a combination of steps that could potentially allow unauthorized RCE through external requests. This first requires the application code to have an existing prototype pollution vulnerability. This can be leveraged into a 2-step attack in...

Linux Distros Unpatched Vulnerability : CVE-2026-37712

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An issue in Dolibarr ERP/CRM v.22.0.0 through v.22.0.4 and v.24.0.0-alpha allows a remote attacker to execute arbitrary code via the...

📄 Gogs Git Rebase Argument Injection / Remote Code Execution

This Metasploit module exploits an argument injection vulnerability in the pull request merge flow of Gogs versions less than or equal to 0.14.2 and less than or equal to 0.15.0+dev. frozenstringliteral: true This module requires Metasploit: https://metasploit.com/download Current source:...

PT-2026-46118

Name of the Vulnerable Software and Affected Versions Docling versions 2.82.0 through 2.90.x Description When the HTML backend is explicitly configured for rendering, the Playwright-based rendering feature allows JavaScript execution and unrestricted network access during the processing of...

PT-2026-46042

Name of the Vulnerable Software and Affected Versions Koha versions prior to 25.11 Description A Server-Side Request Forgery SSRF issue exists via the Z39.50/SRU server configuration, which allows authenticated attackers to perform internal network scanning and identify running services by...

Linux Distros Unpatched Vulnerability : CVE-2026-37713

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An issue in Dolibarr ERP/CRM v.22.0.0 through v.22.0.4 and v.24.0.0-alpha allows a remote attacker to execute arbitrary code via the...

Mirasvit Full Page Cache Warmer Deserialization of Untrusted Data Vulnerability

Mirasvit Full Page Cache Warmer contains a deserialization of untrusted data vulnerability that could allow unauthenticated attackers to achieve remote code execution by supplying a crafted serialized PHP object in the CacheWarmer cookie...

Linux Distros Unpatched Vulnerability : CVE-2026-37711

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An issue in Dolibarr ERP/CRM v.22.0.0 through v.22.0.4 and v.24.0.0-alpha allows a remote attacker to execute arbitrary code via the...

CVE-2026-47179

Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.4, ProjectService.GetProjectFileContent returns the contents of any Docker Compose include directive declared in a project's compose file before any path-traversal validation runs. Because...

CVE-2026-45632

Dokploy is a free, self-hostable Platform as a Service PaaS. In 0.26.7 and earlier, the schedule router does not enforce organization/role checks. As a result, any authenticated user can create, update, run, or delete schedules belonging to other organizations if they know the scheduleId/serverId...

CVE-2026-49143

BrowserStack Runner through 0.9.5 contains a remote code execution vulnerability in the /log HTTP handler that allows unauthenticated network-adjacent attackers to execute arbitrary code by submitting crafted JSON request bodies to the handler, which passes user-supplied data to vm.runInNewContex...

CVE-2026-49143

CVE-2026-49143 affects BrowserStack Runner up to version 0.9.5. The vulnerability is in the /_log HTTP handler, permitting unauthenticated, network-adjacent attackers to achieve remote code execution by sending crafted JSON bodies that are passed to vm.runInNewContext() with eval(); attackers can...

CVE-2026-49143 BrowserStack Runner 0.9.5 Unauthenticated RCE via /_log HTTP Handler

BrowserStack Runner through 0.9.5 contains a remote code execution vulnerability in the /log HTTP handler that allows unauthenticated network-adjacent attackers to execute arbitrary code by submitting crafted JSON request bodies to the handler, which passes user-supplied data to vm.runInNewContex...

CVE-2026-49143 BrowserStack Runner 0.9.5 Unauthenticated RCE via /_log HTTP Handler

BrowserStack Runner through 0.9.5 contains a remote code execution vulnerability in the /log HTTP handler that allows unauthenticated network-adjacent attackers to execute arbitrary code by submitting crafted JSON request bodies to the handler, which passes user-supplied data to vm.runInNewContex...

CVE-2026-49143

BrowserStack Runner through 0.9.5 contains a remote code execution vulnerability in the /log HTTP handler that allows unauthenticated network-adjacent attackers to execute arbitrary code by submitting crafted JSON request bodies to the handler, which passes user-supplied data to vm.runInNewContex...

CVE-2026-42211

React Router is a router for React. In versions 7.0.0 through 7.14.1, when using Framework Mode, a combination of steps could potentially allow unauthorized remote code execution RCE through external requests. This attack requires the application code to have an existing prototype pollution...

CVE-2026-1829

The Content Visibility for Divi Builder plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.02 via the 'etpbtext' shortcode 'cvdbcontentvisibilitycheck' parameter. This makes it possible for authenticated attackers, with Contributor-level access and...

CVE-2026-42211 React Router's vendored turbo-stream v2 allows arbitrary constructor invocation via TYPE_ERROR deserialization leading to Unauth RCE

React Router is a router for React. In versions 7.0.0 through 7.14.1, when using Framework Mode, a combination of steps could potentially allow unauthorized remote code execution RCE through external requests. This attack requires the application code to have an existing prototype pollution...