CVE-2026-53931

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the spreadsheet-import endpoint axiosRequestMake could be used as a generic HTTP proxy. Before the fix it was reachable unauthenticated, and its URL-extension allowlist was a regex tested against the full URL string, s...

CVE-2026-49859

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.8.1, when fetch was called, Deno checked the destination hostname against --deny-net rules but did not re-check the IP addresses that hostname resolved to. An attacker-controlled script could use a specially crafted domain name...

EUVD-2026-38014

Use of Less Trusted Source vulnerability in Apache APISIX. Attacker can take advantage of wolf-rbac plugin under default configuration to potentially pollute logs with spoofed identity information and exploit IP based access control rules. This issue affects Apache APISIX: from 1.2.0 through...

Astra Linux – Vulnerability in Linux 5.10

In the Linux kernel, the following vulnerabilities have been resolved: afs: Fixed the failure condition due to the merge preference rule syzbot reported a lock being held when returning to user space1. This occurs because if argc is less than 0 and the function returns directly, the held inode lo...

Astra Linux – Vulnerabilities in Linux, Linux-5.10, Linux-5.15, Linux-6.1

In the Linux kernel, the following vulnerabilities have been resolved: ipv6: fib6rules: avoided possible NULL dereferencing in fib6ruleaction. syzbot is capable of triggering the following crashes 1, caused by the unsafe use of ip6dstidev. Indeed, ip6dstidev can return NULL, and this value must...

Astra Linux – Vulnerability in Linux 5.10

In the Linux kernel, the following vulnerability has been resolved: net: microchip: vcap API: Fixed a possible memory leak for vcapduprule. A fault occurs when CONFIGVCAPKUNITTEST is selected. A memory leak occurs if kzalloc for duprule succeeds, but kmemdup fails. As a result, memory associated...

Astra Linux – Vulnerability in Linux 6.1

In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Prevent deadlock while disabling aRFS When disabling aRFS under the priv-statelock, any scheduled aRFS operations are canceled using the cancelworksync function. This function waits for the operation to finish if it ha...

EUVD-2026-37845

The PressPrimer Quiz – AI Quiz Maker, Exam Builder & LMS Assessment Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.3.0 via the 'ruleid' parameter due to missing validation on a user controlled key. This makes it possible for...

CVE-2026-10623

The CVE-2026-10623 entry concerns the WordPress plugin PressPrimer Quiz – AI Quiz Maker, Exam Builder & LMS Assessment Plugin. Affected versions are all up to and including 2.3.0, with an Insecure Direct Object Reference via the 'rule_id' parameter caused by missing validation on a user-controlle...

netty-handler: netty-handler: IPv6 subnet rule bypass due to incorrect masking operation

A flaw was found in netty-handler, a component of the Netty network application framework. A remote attacker can exploit an incorrect masking operation in the IpSubnetFilterRule.compareTo function to bypass configured IPv6 subnet rules. This allows valid public IP addresses to circumvent intended...

netty-handler: netty-handler: IPv6 subnet rule bypass due to incorrect masking operation

A flaw was found in netty-handler, a component of the Netty network application framework. A remote attacker can exploit an incorrect masking operation in the IpSubnetFilterRule.compareTo function to bypass configured IPv6 subnet rules. This allows valid public IP addresses to circumvent intended...

EUVD-2026-36427

Nuxt: Route-rule middleware bypass via case-sensitivity mismatch between vue-router and the routeRules matcher...

PT-2026-50165

Name of the Vulnerable Software and Affected Versions Crawl4AI versions prior to 0.8.8 Description The Docker API server contains a Server-Side Request Forgery SSRF flaw where the protection mechanisms in the validate webhook url and validate url destination functions used an incomplete IPv4/IPv6...

PT-2026-49555

Name of the Vulnerable Software and Affected Versions markdown-it affected versions not specified Description A quadratic time complexity issue exists in the smartquotes rule when the typographer: true option is enabled. An attacker can provide markdown input containing a large number of...

CVE-2026-47120

Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.4.0 to before version 2.0.8, a RoleMember can fire other users' cron tasks via AlertRule.FailTriggerTasks no ownership check. This issue has been patched in version 2.0.8...

File Browser has incorrect access control for public directory shares via rule path rebasing

Summary File Browser's public share handlers rebase the share owner's filesystem root to the shared directory and then evaluate descendant paths against the owner's global and per-user rules using the rebased relative path instead of the original path relative to the owner's scope. As a result, a...

CVE-2026-47120 Nezha Monitoring: RoleMember can fire other users' cron tasks via AlertRule.FailTriggerTasks (no ownership check)

Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.4.0 to before version 2.0.8, a RoleMember can fire other users' cron tasks via AlertRule.FailTriggerTasks no ownership check. This issue has been patched in version 2.0.8...

EUVD-2026-36593

Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.4.0 to before version 2.0.8, a RoleMember can fire other users' cron tasks via AlertRule.FailTriggerTasks no ownership check. This issue has been patched in version 2.0.8...

CVE-2026-53721 Nuxt: Route-rule middleware bypass via case-sensitivity mismatch between vue-router and the routeRules matcher

Nuxt is an open-source web development framework for Vue.js. From versions 3.11.0 to before 3.21.7 and 4.0.0 to before 4.4.7, there is a route-rule middleware bypass via case-sensitivity mismatch between vue-router and the routeRules matcher. This issue has been patched in versions 3.21.7 and 4.4...

CVE-2026-53721 Nuxt: Route-rule middleware bypass via case-sensitivity mismatch between vue-router and the routeRules matcher

Nuxt is an open-source web development framework for Vue.js. From versions 3.11.0 to before 3.21.7 and 4.0.0 to before 4.4.7, there is a route-rule middleware bypass via case-sensitivity mismatch between vue-router and the routeRules matcher. This issue has been patched in versions 3.21.7 and 4.4...