Eaton Intelligent Power Manager 1.6 - Directory Traversal

Eaton Intelligent Power Manager v1.6 allows an attacker to include a file via directory traversal, which can lead to sensitive information disclosure, denial of service and code execution. id: CVE-2018-12031 info: name: Eaton Intelligent Power Manager 1.6 - Directory Traversal author: daffainfo...

Jenzabar 9.2x-9.2.2 - Cross-Site Scripting

Jenzabar 9.2.x through 9.2.2 contains a cross-site scripting vulnerability. It allows /ics?tool=search&query. id: CVE-2021-26723 info: name: Jenzabar 9.2x-9.2.2 - Cross-Site Scripting author: pikpikcu severity: medium description: Jenzabar 9.2.x through 9.2.2 contains a cross-site scripting...

Structurizr on-premises - Cross Site Scripting

Cross-site Scripting XSS - Reflected in GitHub repository structurizr/onpremises prior to 3194. id: CVE-2023-5556 info: name: Structurizr on-premises - Cross Site Scripting author: shankaracharya severity: medium description: | Cross-site Scripting XSS - Reflected in GitHub repository...

EUVD-2026-34067

Impact: The morgan logging middleware's :remote-user token extracts the Basic auth username from the Authorization request header and writes it to the log stream without neutralizing control characters. An unauthenticated attacker can send a crafted Authorization Basic header containing CR or LF...

Security update for python-pip (moderate)

openSUSE security update: security update for python-pip ------------------------------------------------------------- Announcement ID: openSUSE-SU-2026:20880-1 Rating: moderate References: bsc1262429 bsc1263442 Cross-References: CVE-2026-1703 CVE-2026-3219 CVE-2026-6357 CVSS scores: CVE-2026-170...

PT-2026-46105

Impact The METS-GBS backend's XML parsing and the input document format detection lacked security controls, enabling: - XML External Entity XXE attacks to read local files or cause denial of service - Decompression bombs zip bombs to exhaust memory and disk space - Unbounded archive extraction...

PT-2026-45900

Name of the Vulnerable Software and Affected Versions Laravel affected versions not specified Description A CRLF injection flaw allows for mail relay abuse, email hijacking, and header abuse. CRLF injection occurs when an attacker inserts Carriage Return CR and Line Feed LF characters into an inp...

CVE-2026-10692

The CVE-2026-10692 affects johnhuang316 code-index-mcp up to version 2.14.0, specifically the is_safe_regex_pattern function in the search_code_advanced component. Manipulating the regex argument can cause inefficient regex processing (potentially a denial-of-service), with remote attack potentia...

CVE-2026-42849

The CVE-2026-42849 entryffects authentik, an open-source identity provider. Affected component: SFE (Simple Flow Executor) autosubmit stage, where legacy-browser compatibility logic enabled a reflected XSS. Root cause: XSS in AutosubmitStage enables an attacker to potentially take over an IDP acc...

CVE-2026-41569

CVE-2026-41569 concerns authentik, an open-source identity provider. Before 2026.2.3, the WS-Federation provider validates the user-supplied wreply parameter with a raw string prefix check instead of proper URL parsing, enabling an attacker to craft a login link with a wreply on a different origi...

CVE-2026-47265

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.14.0, cookies set with the cookies parameter on requests are sent after following a cross-origin redirect. If a developer uses the cookies parameter on a per-request basis then sensitive data might ...

EUVD-2026-33983

NamelessMC is website software for Minecraft servers. In version 2.2.4, core/classes/Misc/ProfilePostReactionContext.php only verifies that the wall post exists and does not enforce blocked/private-profile visibility. This means that authenticated low-privileged users can add reactions to private...

CVE-2026-45080 Klaw: Improper Access Control Allows Disclosure of Password Hash

Klaw is a self-service Apache Kafka Topic Management/Governance tool/portal. Prior to version 2.10.4, improper access control allows disclosure of password hash. This issue has been patched in version 2.10.4...

EUVD-2026-33953

OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. Prior to version 0.9.0, OBI exports raw Redis error text as the span status message. Because Redis error replies can contain attacker-controlled or sensitive values, this behavior can exfiltrate...

CVE-2026-45678

The CVE-2026-45678 vulnerability affects OpenTelemetry eBPF Instrumentation before version 0.9.0, where the Postgres BIND parsing logic mishandles BIND payloads that are empty or unterminated. The issue arises in the Postgres protocol parser that assumes a NUL-terminated portal name; a crafted pa...

ROOT-APP-MAVEN-CVE-2026-43512 CVE-2026-43512 in io.root.org.apache.tomcat.embed:tomcat-embed-core - Patched by Root

Root has patched CVE-2026-43512 in the io.root.org.apache.tomcat.embed:tomcat-embed-core package for Root:Maven. Multiple fixed versions available...

Apache Superset - Authentication Bypass

Session Validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRETKEY according to installation instructions allow for an attacker to authenticate and access unauthorized resources. This does not affect Superset...

Codoforum 5.1 - Arbitrary File Upload

Codoforum 5.1 contains an arbitrary file upload vulnerability via the logo change option in the admin panel. An attacker can upload arbitrary files to the server, which in turn can be used to make the application execute file content as code. As a result, an attacker can potentially obtain...

MetInfo 7.0.0 beta - SQL Injection

MetInfo 7.0.0 beta is susceptible to SQL injection via the admin/?n=language&c=languagegeneral&a=doSearchParameter appno parameter a different issue than CVE-2019-16997. id: CVE-2019-17418 info: name: MetInfo 7.0.0 beta - SQL Injection author: ritikchaddha severity: high description: | MetInfo...

Chamilo Command Injection

A command injection vulnerability in the wsConvertPpt component of Chamilo v1.11. up to v1.11.18 allows attackers to execute arbitrary commands via a SOAP API call with a crafted PowerPoint name. id: CVE-2023-34960 info: name: Chamilo Command Injection author: DhiyaneshDK severity: critical...