CVE-2026-47740
Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, multiple Filament actions on the admin Order detail and Order shipments table were callable by an authenticated low-privilege user without the permission required to mutate orders. The order detail actions cancel, mark paid, mark...
CVE-2026-47741 Shopper: Race condition on Discount.usage_limit allows silent over-redemption
Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, CreateOrderFromCartAction::execute previously created the Order row before checking and incrementing the discount's totaluse counter. Under concurrent checkout pressure (Black Friday, flash sale, viral coupon), the global usage_limit was...
CLSA-2026-1779212122 sos: Fix of CVE-2022-2806
CVE-2022-2806: ovirt plugin: filter out all password keys in answer files...
CVE-2026-39424
MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below, the chat export feature is vulnerable to Improper Neutralization of Formula Elements in a CSV File. When an administrator exports the application chat history to an Excel file (.xlsx) via the...
CVE-2026-39419
MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below, an authenticated user can bypass sandbox result validation and spoof tool execution results by exploiting Python frame introspection to read the wrapper's UUID from its bytecode constants, then writing a forged resu...
CVE-2026-39424 MaxKB has CSV Injection in its Application Chat Export Functionality
MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below, the chat export feature is vulnerable to Improper Neutralization of Formula Elements in a CSV File. When an administrator exports the application chat history to an Excel file (.xlsx) via the...
EUVD-2026-22182
MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain a Stored Cross-Site Scripting (XSS) vulnerability through the application name or icon fields when creating an application. When a victim visits the public chat interface /ui/chat/accesstoken, the...
CVE-2026-39417
MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain an incomplete fix for CVE-2025-53928, where a Remote Code Execution vulnerability still exists in the MCP node of the workflow engine. MaxKB only restricts the referencing code path loading MCP config from the...
CVE-2026-39420
CVE-2026-39420 (MaxKB) affects MaxKB
GHSA-2328-F5F3-GJ25 Forge has a basicConstraints bypass in its certificate chain verification (RFC 5280 violation)
Summary: pki.verifyCertificateChain does not enforce RFC 5280 basicConstraints requirements when an intermediate certificate lacks both the basicConstraints and keyUsage extensions. This allows any leaf certificate without these extensions to act as a CA and sign other certificates, which node-for...
EUVD-2026-16271
Stirling-PDF is a locally hosted web application that allows you to perform various operations on PDF files. In version 2.7.3, the /api/v1/convert/eml/pdf endpoint with parameter downloadHtml=true returns unsanitized HTML from the email body with Content-Type: text/html. An attacker who sends a...
EUVD-2026-15565
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Theme-one The Grid (the-grid) allows Stored XSS. This issue affects The Grid: from n/a through 2.8.0...
CVE-2026-33720
n8n (open source workflow automation) has a vulnerability in pre-2.8.0 where setting N8N_SKIP_AUTH_ON_OAUTH_CALLBACK=true causes the OAuth callback to skip ownership verification of the OAuth state. An attacker can trick a victim into completing an OAuth flow for a credential the attacker control...
CVE-2026-33548 MantisBT has Stored HTML Injection / XSS when displaying Tags in Timeline
Mantis Bug Tracker (MantisBT) is an open source issue tracker. In version 2.28.0, improper escaping of tag names retrieved from History in Timeline (myviewpage.php) allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript, when displaying a tag that has...
CVE-2025-59060
Hostname verification bypass issue in Apache Ranger NiFiRegistryClient/NiFiClient is reported in Apache Ranger versions <= 2.7.0. Users are recommended to upgrade to version 2.8.0, which fixes this issue...
CVE-2025-59060
Summary: CVE-2025-59060 describes a hostname verification bypass in Apache Ranger’s NiFiRegistryClient/NiFiClient. The issue is reported for Apache Ranger versions ≤ 2.7.0 and is fixed by upgrading to version 2.8.0. Affected components: NiFiRegistryClient and NiFiClient within Apache Ranger. Root...
CVE-2025-59059 Apache Ranger: Remote Code Execution Vulnerability in NashornScriptEngineCreator
Remote Code Execution Vulnerability in NashornScriptEngineCreator is reported in Apache Ranger versions <= 2.7.0. Users are recommended to upgrade to version 2.8.0, which fixes this issue...
CVE-2025-59059
Apache Ranger CVE-2025-59059 is a remote code execution issue affecting Ranger versions
Improper Authentication
Overview: @n8n/rest-api-client is a package that contains the REST API calls for n8n. Affected versions of this package are vulnerable to Improper Authentication via the Self-Service Settings API. An attacker can circumvent centralized identity management and multi-factor authentication by disabli...