PT-2026-47028
Name of the Vulnerable Software and Affected Versions: HAX CMS versions 2.0.0 through 25.x
Description: The gitlist plugin is exposed to unauthenticated users, which allows them to browse git repositories and git history without authentication.
Recommendations: Update to version 26.0.0...
PT-2026-47090
Impact: Three related defects on admin Livewire components allowed data tampering, sensitive data disclosure, and stored XSS:
- IDOR via unlocked properties. Several Livewire components in the admin panel exposed Eloquent model identifiers as public properties without the Locked attribute. An...
ROOT-APP-NPM-CVE-2025-54798 CVE-2025-54798 in @rootio/tmp - Patched by Root
Root has patched CVE-2025-54798 in the @rootio/tmp package for Root:npm. Multiple fixed versions available...
ROOT-APP-NPM-CVE-2021-3803 CVE-2021-3803 in @rootio/nth-check - Patched by Root
Root has patched CVE-2021-3803 in the @rootio/nth-check package for Root:npm. Multiple fixed versions available...
ROOT-APP-NPM-CVE-2025-68665 CVE-2025-68665 in @rootio/langchain__core - Patched by Root
Root has patched CVE-2025-68665 in the @rootio/langchain__core package for Root:npm. Multiple fixed versions available...
ROOT-APP-NPM-GHSA-7RX3-28CR-V5WH GHSA-7rx3-28cr-v5wh in @rootio/handlebars - Patched by Root
Root has patched GHSA-7rx3-28cr-v5wh in the @rootio/handlebars package for Root:npm. Multiple fixed versions available...
ROOT-APP-NPM-CVE-2018-16487 CVE-2018-16487 in @rootio/lodash - Patched by Root
Root has patched CVE-2018-16487 in the @rootio/lodash package for Root:npm. Multiple fixed versions available...
ROOT-APP-NPM-CVE-2022-41940 CVE-2022-41940 in @rootio/engine.io - Patched by Root
Root has patched CVE-2022-41940 in the @rootio/engine.io package for Root:npm. Multiple fixed versions available...
ROOT-APP-NPM-CVE-2026-41672 CVE-2026-41672 in @rootio/xmldom__xmldom - Patched by Root
Root has patched CVE-2026-41672 in the @rootio/xmldom__xmldom package for Root:npm. Multiple fixed versions available...
ROOT-APP-NPM-CVE-2026-3449 CVE-2026-3449 in @rootio/tootallnate__once - Patched by Root
Root has patched CVE-2026-3449 in the @rootio/tootallnate__once package for Root:npm. Multiple fixed versions available...
WebOb: Location header normalization during redirect leads to open redirect - again
Impact When WebOb normalizes the HTTP Location header to include the request hostname, it does so by parsing the URL that the user is to be redirected to with Python's urllib.parse, and joining it to the base URL. urlsplit called internally by urljoin however treats a // at the start of a string ...
CVE-2026-45739
The CVE affects Strawberry GraphQL versions 0.288.4 through 0.315.3, where the bundled GraphiQL template could serialize sensitive HTTP header values (e.g., Authorization: Bearer ) into the browser URL query string via the GraphiQL headers editor. This could leak header data to browser history, c...
CVE-2026-10856 Open redirect in MISP dashboard button widget URL handling
A URL validation flaw in the MISP dashboard button widget allowed a crafted relative-looking URL to be accepted as a local path while being interpreted by browsers as an external URL. The validation rejected URLs containing an explicit scheme, host, or user component, but did not reject paths...
EUVD-2026-34262
A URL validation flaw in the MISP dashboard button widget allowed a crafted relative-looking URL to be accepted as a local path while being interpreted by browsers as an external URL. The validation rejected URLs containing an explicit scheme, host, or user component, but did not reject paths...
ROOT-APP-PYPI-CVE-2026-27026 CVE-2026-27026 in rootio-pypdf - Patched by Root
Root has patched CVE-2026-27026 in the rootio-pypdf package for Root:PyPI. Multiple fixed versions available...
ROOT-APP-MAVEN-CVE-2025-59419 CVE-2025-59419 in io.root.io.netty:netty-codec-smtp - Patched by Root
Root has patched CVE-2025-59419 in the io.root.io.netty:netty-codec-smtp package for Root:Maven. Multiple fixed versions available...
Photon OS 5.0: Python3 PHSA-2026-5.0-0862
An update of the python3 package has been released. (C) Tenable, Inc. The descriptive text and package checks in this plugin were extracted from VMware Security Advisory PHSA-2026-5.0-0862. The text itself is copyright (C) VMware, Inc. ...
EUVD-2026-34175
FOSSBilling is a free, open-source billing and client management system. Versions prior to 0.8.0 leak the exact system version through asset cache buster parameters in HTML output, bypassing the hideversionpublic security setting. The FOSSBilling version is embedded in the query string of every a...
ROOT-APP-PYPI-CVE-2025-66471 CVE-2025-66471 in rootio-urllib3 - Patched by Root
Root has patched CVE-2025-66471 in the rootio-urllib3 package for Root:PyPI. Multiple fixed versions available...