CVE-2026-25160 Alist has Insecure TLS Config

Alist is a file list program that supports multiple storages, powered by Gin and Solidjs. Prior to version 3.57.0, the application disables TLS certificate verification by default for all outgoing storage driver communications, making the system vulnerable to Man-in-the-Middle MitM attacks. This...

CVE-2026-24844 melange pipeline working-directory could allow command injection

melange allows users to build apk packages using declarative pipelines. From version 0.3.0 to before 0.40.3, an attacker who can provide build input values, but not modify pipeline definitions, could execute arbitrary shell commands if the pipeline uses $vars. or $inputs. substitutions in...

CVE-2026-25482

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored DOM XSS vulnerability exists in the "Recent Orders" dashboard widget. The Order Status Name is rendered via JavaScript string concatenation without proper escaping, allowi...

CVE-2026-25483

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability exists in Craft Commerce’s Order Status History Message. The message is rendered using the |md filter, which permits raw HTML, enabling malicious script...

GHSA-9G95-QF3F-GGRW n8n has OS Command Injection in Git Node

Impact Vulnerabilities in the Git node allowed authenticated users with permission to create or modify workflows to execute arbitrary system commands or read arbitrary files on the n8n host. Patches The issue has been fixed in n8n versions 2.5.0, and 1.123.10. Users should upgrade to this version...

GHSA-GFVG-QV54-R4PC n8n's Improper File Access Controls Allow Arbitrary File Read by Authenticated Users

Impact A vulnerability in the file access controls allows authenticated users with permission to create or modify workflows to read sensitive files from the n8n host system. This can be exploited to obtain critical configuration data and user credentials, leading to complete account takeover of a...

n8n Vulnerable to Command Injection in Community Package Installation

Impact A Command Injection vulnerability was identified in n8n’s community package installation functionality. The issue allowed authenticated users with administrative permissions to execute arbitrary system commands on the n8n host under specific conditions. Important context - Exploitation...

CVE-2026-22044 GLPI is Vulnerable to Authenticated SQL Injection

GLPI is a free asset and IT management software package. From version 0.85 to before 10.0.23, an authenticated user can perform a SQL injection. This issue has been patched in version 10.0.23...

EUVD-2026-5417

n8n is an open source workflow automation platform. Prior to versions 1.123.9 and 2.2.1, a Cross-Site Scripting XSS vulnerability existed in a markdown rendering component used in n8n's interface, including workflow sticky notes and other areas that support markdown content. An authenticated user...

ROOT-OS-DEBIAN-13-CVE-2025-59529 CVE-2025-59529 in rootio-avahi - Patched by Root

Root has patched CVE-2025-59529 in the rootio-avahi package for Root:Debian:13. Multiple fixed versions available...

ROOT-OS-DEBIAN-13-CVE-2024-52616 CVE-2024-52616 in rootio-avahi - Patched by Root

Root has patched CVE-2024-52616 in the rootio-avahi package for Root:Debian:13. Multiple fixed versions available...

AWStats <= 7.5 - Full Path Disclosure

AWStats 7.6 contains a full path disclosure caused by improper handling of framename and update parameters in awstats.pl, letting remote attackers determine server file paths, exploit requires sending crafted parameters. id: CVE-2018-10245 info: name: AWStats = 7.5 - Full Path Disclosure author:...

PT-2026-6422

Impact A vulnerability in the file access controls allows authenticated users with permission to create or modify workflows to read sensitive files from the n8n host system. This can be exploited to obtain critical configuration data and user credentials, leading to complete account takeover of a...

PT-2026-6448

Impact Affected versions of Winter CMS allow users with access to the CMS Asset Manager were able to upload SVGs without automatic sanitization. To actively exploit this security issue, an attacker would need access to the Backend with a user account with the following permission: cms.manage asse...

PT-2026-6357

Impact The use of Buffer.allocUnsafe and Buffer.allocUnsafeSlow in the task runner allowed untrusted code to allocate uninitialized memory. Such uninitialized buffers could contain residual data from within the same Node.js process for example, data from prior requests, tasks, secrets, or tokens,...

PT-2026-6386

Impact A Command Injection vulnerability was identified in n8n’s community package installation functionality. The issue allowed authenticated users with administrative permissions to execute arbitrary system commands on the n8n host under specific conditions. Important context - Exploitation...

CVE-2026-25150

Qwik is a performance focused javascript framework. Prior to version 1.19.0, a prototype pollution vulnerability exists in the formToObj function within @builder.io/qwik-city middleware. The function processes form field names with dot notation e.g., user.name to create nested objects, but fails ...

CVE-2026-25148 Qwik SSR XSS via Unsafe Virtual Node Serialization

Qwik is a performance focused javascript framework. Prior to version 1.19.0, a Cross-Site Scripting vulnerability in Qwik.js' server-side rendering virtual attribute serialization allows a remote attacker to inject arbitrary web scripts into server-rendered pages via virtual attributes. Successfu...

EUVD-2026-5167

Qwik is a performance focused javascript framework. Prior to version 1.19.0, Qwik City’s server-side request handler inconsistently interprets HTTP request headers, which can be abused by a remote attacker to circumvent form submission CSRF protections using specially crafted or multi-valued...

CVE-2026-25149

CVE-2026-25149 describes an Open Redirect in Qwik City’s default request handler middleware (fixTrailingSlash) affecting qwik-city prior to v1.19.0. The vulnerability lets remote attackers craft links that redirect victims to arbitrary protocol-relative URLs, enabling phishing-like redirects from...