CVE-2026-47386

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, two concurrent token-exchange requests using the same OAuth authorization code could each mint a distinct valid accesstoken, refreshtoken pair, breaking the single-use guarantee that PKCE relies on. This vulnerability ...

CVE-2026-54317

Home Assistant is open source home automation software that puts local control and privacy first. Prior to 2026.6.0, the Konnected integration registers an HTTP endpoint, KonnectedView homeassistant/components/konnected/init.py, that is marked as not requiring authentication requiresauth = False....

CVE-2026-54157

CVE-2026-54157 describes an unauthenticated SSRF in LobeHub’s web API proxy. Prior to version 2.1.57, POST /webapi/proxy accepts a URL in the body and fetches it server-side without authentication, enabling arbitrary outbound requests, leakage of internal deployment details, and reflection of Set...

CVE-2026-47139

A flaw was found in vm2, a Node.js sandbox. This vulnerability allows sandboxed code to bypass network restrictions by utilizing internal HTTP built-ins, such as httpclient and httpserver. An attacker can exploit this to make outbound HTTP requests or open listening HTTP sockets, even when public...

EEF-CVE-2026-54892 Plug: quadratic-time decoding of nested query/body parameters enables denial of service

Summary Inefficient algorithmic complexity in Plug's nested-parameter decoder allows an unauthenticated remote attacker to cause denial of service. Plug.Conn.Query.decode/4 and Plug.Conn.Query.decode\each/2 parse query strings and application/x-www-form-urlencoded request bodies. When a key...

EUVD-2026-38433

Crawl4AI before 0.8.7 contains a stored cross-site scripting vulnerability in the monitor dashboard that renders crawl URLs and error messages via innerHTML without escaping. An attacker can submit a crafted crawl request with malicious markup that executes in an operator's browser when viewing t...

Dify v1.6.0 - Server-Side Request Forgery

Dify v1.6.0 contains a server side request forgery caused by improper validation in controllers.console.remotefiles.RemoteFileUploadApi, letting attackers make arbitrary requests from the server, exploit requires network access. id: CVE-2025-56520 info: name: Dify v1.6.0 - Server-Side Request...

kkFileView 4.0 - Server-Side Request Forgery

kkFileView 4.0 contains a server-side request forgery caused by improper validation in OnlinePreviewController.java, letting attackers induce the server to make arbitrary requests, exploit requires sending crafted requests. id: CVE-2022-42149 info: name: kkFileView 4.0 - Server-Side Request Forge...

LoLLMS WebUI - Subfolder Prediction via Path Traversal

A Path Traversal vulnerability exists in the parisneo/lollms-webui, specifically within the 'addreferencetolocalmode' function due to the lack of input sanitization. This vulnerability affects versions v9.6 to the latest. id: CVE-2024-4841 info: name: LoLLMS WebUI - Subfolder Prediction via Path...

DATAGERRY - REST API Auth Bypass

Incorrect access control in BECN DATAGERRY v2.2 allows attackers to execute arbitrary commands via crafted web requests. id: CVE-2024-46627 info: name: DATAGERRY - REST API Auth Bypass author: gy741 severity: critical description: | Incorrect access control in BECN DATAGERRY v2.2 allows attackers...

ChanCMS <= 3.3.0 - Server-Side Request Forgery

yanyutao0402 ChanCMS 3.3.0 contains a server-side request forgery caused by manipulation of the "taskUrl" argument in /cms/collect/getArticle, letting remote attackers make arbitrary requests, exploit requires no special privileges. id: CVE-2025-10211 info: name: ChanCMS = 3.3.0 - Server-Side...

St. Joe ERP system - SQL Injection

A SQL injection vulnerability exists in the St. Joe ERP system "圣乔ERP系统" that allows unauthenticated remote attackers to execute arbitrary SQL commands via crafted HTTP POST requests to the login endpoint. The application fails to properly sanitize user-supplied input before incorporating it into...

CVE-2026-56321

Capgo backend Supabase edge functions before 12.128.2 does not apply the global authentication middleware to the GET /private/rolebindings/:orgid endpoint, unlike the POST and DELETE rolebindings routes, so unauthenticated requests reach the handler instead of being rejected at the middleware...

EUVD-2026-38377

n8n before 1.123.15 and 2.5.0 contains a webhook forgery vulnerability in the GitHub Webhook Trigger node that fails to implement HMAC-SHA256 signature verification. Attackers who know the webhook URL can send unsigned POST requests to trigger workflows with arbitrary data, spoofing GitHub webhoo...

CVE-2026-56357 n8n - Webhook Forgery via Missing HMAC-SHA256 Signature Verification in GitHub Webhook Trigger

n8n before 1.123.15 and 2.5.0 contains a webhook forgery vulnerability in the GitHub Webhook Trigger node that fails to implement HMAC-SHA256 signature verification. Attackers who know the webhook URL can send unsigned POST requests to trigger workflows with arbitrary data, spoofing GitHub webhoo...

CVE-2026-10852

IBM i 7.6, 7.5, 7.4, and 7.3, IBM WebSphere Application Server, and IBM WebSphere Application Server Liberty are vulnerable to denial of service in the WebSphere WebServer Plug-in component when an attacker can pass crafted requests to the web server...

CVE-2026-10852

IBM i 7.3–7.6 and IBM WebSphere Application Server/Liberty are affected by CVE-2026-10852, a denial-of-service in the WebSphere WebServer Plug-in when crafted requests are sent. Root cause cited: NULL Pointer Dereference (CWE-476). CVSS 3.1 base score 5.9 (Network, High attack complexity, No priv...

EUVD-2026-38346

IBM i 7.6, 7.5, 7.4, and 7.3, IBM WebSphere Application Server, and IBM WebSphere Application Server Liberty are vulnerable to denial of service in the WebSphere WebServer Plug-in component when an attacker can pass crafted requests to the web server...

CVE-2026-53663

React Router is a router for React. From 7.12.0 until 7.15.1, certain CSRF checks in React Router v7 Framework Mode were insufficient and run on POST requests, but were bypassed on PUT/PATCH/DELETE requests. This is a low severity vulnerability because modern browser protections CORS preflight,...

CVE-2026-54290

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, with credentials: true and no explicit origin the default wildcard, the CORS Middleware reflects the request's Origin and sends Access-Control-Allow-Credentials: true. Any site can then make...