CVE-2026-44243 GitPython: Path traversal in GitPython reference APIs allows arbitrary file write and delete outside the repository

GitPython is a python library used to interact with Git repositories. Prior to version 3.1.48, a vulnerability in GitPython allows attackers who can supply a crafted reference path to an application using GitPython to write, overwrite, move, or delete files outside the repository’s .git directory...

CVE-2026-41902 FreeScout's user invitation hash never expires: permanent unauthenticated account takeover if invite link leaks

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.217, the /user-setup/hash endpoint accepts a 60-character random invitehash to set a new user's password. The endpoint performs no expiration check — the hash remains valid indefinitely until...

CVE-2026-41505

RELATE is a web-based courseware package. Prior to commit 2f68e16, RELATE is vulnerable to predictable token generation in auth.py's makesigninkey function and exam.py's genticketcode function. This issue has been patched via commit 2f68e16...

CVE-2026-41687

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.8.1, the SSRF protection in endpoints/subscription/add.php line 42 and endpoints/payments/add.php line 40 uses an inline IP validation check FILTERFLAGNOPRIVRANGE | FILTERFLAGNORESRANGE that does not block...

CVE-2026-41519

CVE-2026-41519 affects Weblate prior to 5.17.1, where DRF API tokens with wlu_ prefix stored in authtoken_token are not revoked on password change, while browser sessions are invalidated via cycle_session_keys(). The connected advisory confirms the issue impact and provides remediation: upgrade t...

CVE-2026-41650

CVE-2026-41650 affects fast-xml-parser XMLBuilder prior to v5.7.0, where unescaped "-->" in comments and "]]>" in CDATA can lead to XML injection when user-controlled data is built into XML from JavaScript objects. This can enable XSS, SOAP injection, or data manipulation as described in th...

CVE-2026-41659

Admidio is an open-source user management solution. Prior to version 5.0.9, the member assignment DataTables endpoint membersassignmentdata.php includes hidden profile fields BIRTHDAY, STREET, CITY, POSTCODE, COUNTRY in its SQL search condition regardless of field visibility settings. While the...

CVE-2026-41674 xmldom: XML injection through unvalidated DocumentType serialization

xmldom is a pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and XMLSerializer module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package serializes DocumentType node fields internalSubset, publicId, systemId verbatim without any...

CVE-2026-41674

CVE-2026-41674 affects the xmldom/xmldom package. Before version 0.9.10 and 0.8.13 (and for the 0.6.0 line), DocumentType node fields internalSubset, publicId, and systemId are serialized verbatim by XMLSerializer without escaping or validation. If attackers set these fields to malicious strings,...

CVE-2026-41890

CVE-2026-41890 affects CI4MS prior to 0.31.8.0. The issue arises in the deleteProcess() action where the POST parameter tables[] is passed directly to $forge->dropTable() without validating that the tables belong to the theme being deleted. The deleteConfirm view uses the theme’s own migration...

CVE-2026-41201

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. In version 0.31.4.0, an attacker can achieve Full Account Takeover & Privilege Escalation via Stored DOM XSS in backup module filename field manipulated vi...

GHSA-FQPH-J6V6-JVGX docling-graph has SSRF via Missing Internal IP Validation in URLInputHandler

Impact The URLInputHandler class in doclinggraph/core/input/handlers.py makes HTTP requests to user-supplied URLs without validating whether the target resolves to a private, loopback, or link-local IP address. The URLValidator only checks for a valid scheme and non-empty netloc, performing no...

CVE-2026-41670

Admidio before 5.0.9 permits an attacker who knows a registered SP’s Entity ID to craft a SAML AuthnRequest with an attacker-controlled AssertionConsumerServiceURL, causing the IdP to send a signed SAML response containing user attributes to the attacker’s URL. The root cause is that ACS URL is t...

CVE-2026-41662

Admidio suffers a Missing Minimum Administrator Check in Role::stopMembership(), before 5.0.9. The code path removes a member from the administrator role without verifying that at least one admin remains; with two admins, sequential removals can leave zero admins, locking out administrative acces...

CVE-2026-41659

CVE-2026-41659 (Admidio) : The Admidio member assignment data endpoint before 5.0.9 includes hidden profile fields (BIRTHDAY, STREET, CITY, POSTCODE, COUNTRY) in the SQL search condition, regardless of visibility settings. While JSON output hides these fields, the server-side search runs on the h...

[SECURITY] Fedora 43 Update: nano-8.5-3.fc43

GNU nano is a small and friendly text editor...

CVE-2026-41674

xmldom is a pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and XMLSerializer module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package serializes DocumentType node fields internalSubset, publicId, systemId verbatim without any...

PT-2026-38410

Name of the Vulnerable Software and Affected Versions Diffusers versions prior to 0.38.0 Description A bypass of the trust remote code security gate in the DiffusionPipeline.from pretrained function allows arbitrary remote code execution, even when trust remote code is set to False or left as...

PT-2026-38468

Redis is an in-memory data structure store. In all versions of redis-server with Lua scripting, an authenticated attacker can exploit the master-replica synchronization mechanism to trigger a use-after-free on replicas where replica-read-only is disabled or can be disabled, which may lead to remo...

PT-2026-38340

Name of the Vulnerable Software and Affected Versions Math.js versions 13.1.0 through 15.1.x Description Arbitrary JavaScript can be executed through the expression parser of the library. Recommendations Update to version 15.2.0...