CVE-2026-39617 WordPress Bluestreet theme <= 1.7.3 - Cross Site Request Forgery (CSRF) to Arbitrary Plugin Installation vulnerability
Cross-Site Request Forgery (CSRF) vulnerability in priyanshumittal Bluestreet allows Cross Site Request Forgery. This issue affects Bluestreet: from n/a through <= 1.7.3...
Multiple vulnerabilities in MATCHA series
Overview: MATCHA series provided by ICZ Corporation contains multiple vulnerabilities listed below. SQL injection (CWE-89) - CVE-2026-24913; Cross-site scripting (CWE-79) - CVE-2026-27787; Unrestricted upload of file with dangerous type (CWE-434) - CVE-2026-33273. CVE-2026-24913, CVE-2026-27787 Kenta...
@3onedata/alsatian (>=0.1.8-fix.3 <=0.1.8-fix.5), @abyedev/hono-dotenv (=1.0.0) +497 more potentially affected by CVE-2026-39407 via hono (>=0.5.10 <=4.12.10)
hono NPM version =0.5.10, =0.1.8-fix.3, =5.0.0, =0.2.0, =0.2.0, =0.4.0, =0.2.0, =2026.4.4, =1.0.2, =0.1.1, =0.0.1, =0.0.2-a, =0.1.22, =1.1.1, =0.0.1, =0.0.8 and more Source cves: CVE-2026-39407 Source advisory: OSV:GHSA-WMMM-F939-6G9C...
Vulnerability Abundance: A Formal Proof of Infinite Vulnerabilities in Code
We present a constructive proof that a single C program, the Vulnerability Factory, admits a countably infinite set of distinct, independently CVE-assignable software vulnerabilities. We formalise the argument using elementary set theory, verify it against MITRE's CVE Numbering Authority counting...
PT-2026-31406
Name of the Vulnerable Software and Affected Versions: Fleet versions prior to 4.81.1. Description: The Orbit agent's FileVault disk encryption key rotation flow collects a local user's password via a GUI dialog and interpolates it directly into a Tcl/expect script executed via exec.Command("expect", ...
PT-2026-31450
Name of the Vulnerable Software and Affected Versions: OpenTelemetry-Go versions 1.15.0 through 1.42.0. Description: The fix for a previous issue changed the path used for one command but left another command vulnerable to a PATH hijacking attack on BSD and Solaris platforms. Specifically, the kenv...
Zammad security vulnerability
Zammad is a ticketing management software developed by the German company Zammad. Versions of Zammad prior to 7.0.1 contained security vulnerabilities; these vulnerabilities were due to server-side template injection, which could potentially allow remote code execution through AI agents...
PT-2026-31552
Name of the Vulnerable Software and Affected Versions: PHPGurukul Online Course Registration version 3.1. Description: A security issue exists in PHPGurukul Online Course Registration 3.1 related to the processing of the /admin/check availability.php file. Manipulation of the regno argument can lead...
Linux Distros Unpatched Vulnerability : CVE-2026-26027
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, an unauthenticated user can store an XSS payload through the inventory...
Unity Linux 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-006699)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-006699 advisory. In the Linux kernel, the following vulnerability has been resolved: xhci: Remove device endpoints from bandwidth list when freeing the device Endpoints are normally...
CVE-2026-5672
A vulnerability has been found in code-projects Simple IT Discussion Forum 1.0. Affected by this issue is some unknown functionality of the file /edit-category.php of the component Parameter Handler. The manipulation of the argument catid leads to sql injection. It is possible to initiate the...
CVE-2026-35568
The CVE-2026-35568 entry corresponds to a DNS rebinding vulnerability in the MCP Java SDK (official Java SDK for Model Context Protocol servers/clients). Prior to version 1.0.0, the java-sdk did not validate the Origin header, enabling an attacker-controlled webpage on local or adjacent networks ...
CVE-2026-35568 MCP Java-SDK has a DNS Rebinding Vulnerability
MCP Java SDK is the official Java SDK for Model Context Protocol servers and clients. Prior to 1.0.0, the java-sdk contains a DNS rebinding vulnerability. This vulnerability allows an attacker to access a locally or network-private java-sdk MCP server via a victim's browser that is either local, o...
CVE-2026-27949
Affected software: Plane (open‑source project management tool). Vulnerability: Before v1.3.0, the authentication flow exposed the user’s email address as a query parameter in the URL during error handling (e.g., invalid magic code submissions), revealing PII via GET queries. Location of root caus...
CVE-2026-32864
There is a memory corruption vulnerability due to an out-of-bounds read in mgcoreSH253!alignedfree in NI LabVIEW. This vulnerability may result in information disclosure or arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted VI file...
EUVD-2026-19761
Privilege escalation in Apache Cassandra 5.0 on an mTLS environment using MutualTlsAuthenticator allows a user with only CREATE permission to associate their own certificate identity with an arbitrary role, including a superuser role, and authenticate as that role via ADD IDENTITY. Users are...
EUVD-2025-209265
Nokia MantaRay NM is vulnerable to a Relative Path Traversal vulnerability due to improper validation of input parameter on the file system in Software Manager application...
EUVD-2026-19857
OrangeHRM is a comprehensive human resource management HRM system. From 5.0 to 5.8, OrangeHRM Open Source accepts changes to self-appraisal submissions for administrator users after those submissions have been marked completed, breaking integrity of finalized appraisal records. This vulnerability...
Untrusted Search Path
Overview: openclaw is "🦞 OpenClaw — Personal AI Assistant". Affected versions of this package are vulnerable to Untrusted Search Path via the CLI backend runner process. An attacker can inject arbitrary environment variables by providing a malicious workspace configuration, potentially leading to...
EUVD-2026-19839
ChurchCRM is an open-source church management system. Prior to 7.1.0, a critical authentication bypass vulnerability in ChurchCRM's API middleware ChurchCRM/Slim/Middleware/AuthMiddleware.php allows unauthenticated attackers to access all protected API endpoints by including "api/public" anywhere...