CVE-2026-32885

DDEV is an open-source tool for running local web development environments for PHP and Node.js. Versions prior to 1.25.2 have unsanitized extraction in both Untar and Unzip functions in pkg/archive/archive.go. Downloads and extracts archives from remote sources without path validation. Version...

CVE-2026-45147

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, POST /api/tag/getTag is registered with model.CheckAuth only, omitting both model.CheckAdminRole and model.CheckReadonly, despite the handler performing a configuration write that is normally guarded by both. Any...

CVE-2026-45619

WWBN AVideo is an open source video platform. In 29.0 and earlier, EpgParser.php, plugin/AI/receiveAsync.json.php, and other locations do not use the $resolvedIP out-param of isSSRFSafeURL for DNS pinning via CURLOPTRESOLVE, opening DNS-rebinding TOCTOU...

CVE-2026-6839

Improper validation of STRING tensor offsets could allows malformed string metadata to trigger out of bounds access during constant tensor import in Samsung Open Source ONE Affected version is prior to commit 1.30.0...

CVE-2026-6332

CWE-312: Cleartext Storage of Sensitive Information vulnerability exists that could cause the disclosure of a sensitive information which could result in revealing protected source code and loss of confidentiality, When an authorized attacker accesses the source code for editing or compiling it...

CVE-2026-42159

Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Prior to 1.2.3, Flowsint allows a user to create investigations, which are used to manage sketches and analyses. Sketches have controllable graphs, which are comprised...

CVE-2026-45779

CVE-2026-45779 affects OpenXDMoD: an unauthenticated SQL injection in Open XDMoD versions prior to 10.0.3 can lead to arbitrary SQL execution and complete compromise of the underlying database. The issue impacts all deployments

CVE-2026-42926

When NGINX Open Source is configured to proxy HTTP/2 traffic by setting proxyhttpversion to 2, and also uses proxysetbody, an attacker may be able to inject frame headers and payload bytes to the upstream peer. Note: Software versions which have reached End of Technical Support EoTS are not...

CVE-2026-45745

creationtimestamp| type| source ---|---|--- 2026-06-05 19:29:24+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3mnkuqtqm6p2p 2026-06-05 22:00:52+00:00| seen| https://bsky.app/profile/thehackerwire.bsky.social/post/3mnl57o6vuw2r 2026-06-09 03:07:08+00:00| seen|...

CVE-2026-4852

The Image Source Control Lite – Show Image Credits and Captions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Image Source' attachment field in all versions up to, and including, 3.9.1 due to insufficient input sanitization and output escaping. This makes it possible...

CVE-2025-5088

creationtimestamp| type| source ---|---|--- 2026-06-05 19:26:53+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3mnkume56ia2u 2026-06-05 19:50:03+00:00| seen| https://bsky.app/profile/postac001.bsky.social/post/3mnkvvrkemq23 2026-06-06 01:01:18+00:00| seen|...

CVE-2026-40446

Access of resource using incompatible type 'type confusion' vulnerability in Samsung Open Source Escargot allows Pointer Manipulation.This issue affects Escargot: 97e8115ab1110bc502b4b5e4a0c689a71520d335...

CVE-2026-39421

MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain a sandbox escape vulnerability in the ToolExecutor component. By leveraging Python's ctypes library to execute raw system calls, an authenticated attacker with workspace privileges can bypass the LDPRELOAD-based...

CVE-2026-44352

Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Prior to 1.2.3, Broken Access Control allows reading of sketch logs from any user. This vulnerability is fixed in 1.2.3...

CVE-2026-45743

creationtimestamp| type| source ---|---|--- 2026-06-05 19:24:35+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3mnkui7pzna2l 2026-06-05 23:01:03+00:00| seen| https://bsky.app/profile/thehackerwire.bsky.social/post/3mnlalbga3t2r...

CVE-2026-8802

A vulnerability was detected in opensourcepos Open Source Point of Sale up to 3.4.2. This issue affects the function getPicThumb of the file app/Controllers/Items.php. The manipulation of the argument picfilename results in path traversal. The attack may be launched remotely. The patch is...

CVE-2026-43873

WWBN AVideo is an open source video platform. In versions up to and including 29.0, plugin/CloneSite/cloneClient.json.php echoes the local CloneSite shared secret $objClone-myKey, a constant md5$global'systemRootPath' . $global'salt' into the HTTP response body on every unauthenticated request. T...

CVE-2026-45327

creationtimestamp| type| source ---|---|--- 2026-06-05 19:22:25+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3mnkueer6lc27 2026-06-05 23:01:11+00:00| seen| https://bsky.app/profile/thehackerwire.bsky.social/post/3mnlalinpd32r 2026-06-08 05:14:26+00:00| seen|...

CVE-2026-34358

CtrlPanel is open-source billing software for hosting providers. Versions 1.1.1 and prior contains a broken access control vulnerability where multiple admin controllers enforce permission checks on form display methods but omit equivalent checks on the corresponding write methods, allowing any...

CVE-2026-47310

Use after free vulnerability in Samsung Open Source Escargot allows Pointer Manipulation. This issue affects Escargot: 590345cc6258317c5da850d846ce6baaf2afc2d3...