CVE-2026-35527

Incus (pre-7.0.0) is vulnerable to a blind SSRF via image import preflight HEAD requests. An authenticated user can coerce the daemon to issue a host-originated HEAD request to a user-supplied URL before policy checks complete, exposing server metadata in headers (Incus-Server-Architectures, Incu...

CVE-2026-35527

Incus is an open source container and virtual machine manager. In versions prior to 7.0.0, the image import flow issues an outbound HEAD request to a user-supplied URL before validating the request against project restrictions such as restricted.images.servers. The imgPostURLInfo function...

requests-hardened is Vulnerable to Server-Side Request Forgery

The SSRF protection in requests-hardened prior to version 1.2.1 fails to block IP addresses within the RFC 6598 Shared Address Space 100.64.0.0/10. An attacker who can supply arbitrary URLs to requests-hardened could exploit this gap to access internal services hosted within 100.64.0.0/10. This i...

CVE-2026-40280

Gotenberg vulnerability (CVE-2026-40280) enables SSRF through a case-insensitive URL scheme bypass in the webhook and api-download-from deny-lists. In versions

CVE-2026-34084

CVE-2026-34084 describes a vulnerability in PhpSpreadsheet where IOFactory::load() with a user-controlled filename can pass PHP stream wrappers (phar://, ftp://, ssh2.sftp://) to is_file(), triggering PHAR deserialization and potential remote code execution if an appropriate gadget chain exists. ...

CVE-2026-33975 twenty-server SSRF protection bypass via IPv4-mapped IPv6 address normalization

Twenty is an open source CRM built with NestJS Node.js. In versions 1.18.0 and earlier, the SSRF protection in twenty-server's SecureHttpClientService can be bypassed using IPv4-mapped IPv6 addresses in URL IP literals. Node.js's URL parser normalizes IPv4-mapped IPv6 addresses to compressed hex...

CVE-2026-33975

Twenty is an open source CRM built with NestJS Node.js. In versions 1.18.0 and earlier, the SSRF protection in twenty-server's SecureHttpClientService can be bypassed using IPv4-mapped IPv6 addresses in URL IP literals. Node.js's URL parser normalizes IPv4-mapped IPv6 addresses to compressed hex...

Use of GET Request Method With Sensitive Query Strings

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Use of GET Request Method With Sensitive Query Strings in the OAuth login process, where the user's password hash is included as a query parameter in a redirect UR...

CVE-2026-32699

FacturaScripts is an open source accounting and invoicing software. In versions 2025.92 and earlier, the application fails to validate the nick parameter during a POST request to the EditUser controller. Although the user interface prevents editing this field, a user can bypass this restriction b...

CVE-2026-32699 FacturaScripts unauthorized modification of immutable nick field via EditUser controller

FacturaScripts is an open source accounting and invoicing software. In versions 2025.92 and earlier, the application fails to validate the nick parameter during a POST request to the EditUser controller. Although the user interface prevents editing this field, a user can bypass this restriction b...

EUVD-2026-27438

FacturaScripts is an open source accounting and invoicing software. In versions 2025.92 and earlier, the application fails to validate the nick parameter during a POST request to the EditUser controller. Although the user interface prevents editing this field, a user can bypass this restriction b...

CVE-2026-32699

FacturaScripts (versions ≤ 2025.92) exposes a vulnerability in the EditUser endpoint where the nick field is not validated on POST, allowing an attacker to modify an immutable nickname by intercepting and altering form-data. The UI prevents editing this field, but a modified request can rename an...

OpenClaw's Webhooks SecretRef route secret remains valid after rotation/reload

Summary OpenClaw webhooks allowed route secrets to be backed by SecretRef values, but cached the resolved secret for a route. After an operator rotated the underlying secret and ran openclaw secrets reload, the previous resolved webhook secret could remain valid until the plugin or gateway...

GHSA-Q8FF-7FFM-M3R9 OpenClaw's Webhooks SecretRef route secret remains valid after rotation/reload

Summary OpenClaw webhooks allowed route secrets to be backed by SecretRef values, but cached the resolved secret for a route. After an operator rotated the underlying secret and ran openclaw secrets reload, the previous resolved webhook secret could remain valid until the plugin or gateway...

EUVD-2026-27371

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hcill: Fix firmware leak on error path Smatch reports: drivers/bluetooth/hcill.c:587 downloadfirmware warn: 'fw' from requestfirmware not released on lines: 544. In downloadfirmware, if requestfirmware succeeds but the...

EUVD-2026-27376

In the Linux kernel, the following vulnerability has been resolved: drm/vc4: platformgetirqbyname returns an int platformgetirqbyname will return a negative value if an error happens, so it should be checked and not just passed directly into devmrequestthreadedirq hoping all will be ok...

EUVD-2026-27343

A flaw was found in the X.Org X server. This vulnerability, an out-of-bounds read, affects the XKB X Keyboard Extension modifier map handling. An attacker with access to the X11 server can exploit this by sending a malformed request, which causes the server to read beyond its intended memory...

CVE-2026-7855

CVE-2026-7855 affects D-Link DI-8100 firmware 16.07.26A1. The vulnerability is in the HTTP Request Handler, specifically the function tggl_asp in the file tggl.asp ; manipulating the Name argument triggers a buffer overflow. The issue is exploitable remotely and the exploit is public. CVSS-based ...

CVE-2026-7855 D-Link DI-8100 HTTP Request tggl.asp tggl_asp buffer overflow

A vulnerability was detected in D-Link DI-8100 16.07.26A1. Affected by this issue is the function tgglasp of the file /tggl.asp of the component HTTP Request Handler. Performing a manipulation of the argument Name results in buffer overflow. The attack can be initiated remotely. The exploit is no...

CVE-2026-7855

A vulnerability was detected in D-Link DI-8100 16.07.26A1. Affected by this issue is the function tgglasp of the file /tggl.asp of the component HTTP Request Handler. Performing a manipulation of the argument Name results in buffer overflow. The attack can be initiated remotely. The exploit is no...