CVE-2026-41852

A vulnerability in Spring Expression Language SpEL evaluation logic allows for arbitrary zero-argument method invocation, even within restricted or read-only contexts, which may allow an attacker to invoke unintended application logic. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2....

CVE-2026-28301

A vulnerability in which an attacker can provide a crafted external URL that may redirect a user to an unintended website...

CVE-2026-46718

A flaw was found in Apache Calcite when processing specially crafted queries. An authenticated user could trigger unintended application behavior through affected query-processing functionality. Exploitation requires access to the vulnerable feature and is limited to the application's operating...

EUVD-2026-35451

A vulnerability in which an attacker can provide a crafted external URL that may redirect a user to an unintended website...

CVE-2026-28301

A vulnerability in which an attacker can provide a crafted external URL that may redirect a user to an unintended website...

CVE-2026-44083

An authorization bypass through user-controlled key vulnerability has been reported to affect QuMagie. The remote attackers can then exploit the vulnerability to gain unintended privileges. We have already fixed the vulnerability in the following version: QuMagie 2.9.1 and later...

CVE-2026-44083

QuMagie is affected by CVE-2026-44083 due to an authorization bypass through a user-controlled key. The vulnerability could allow remote attackers to gain unintended privileges. The issue is fixed in QuMagie 2.9.1 and later. CVSS metrics indicate a network-exposed, low-attack-complexity flaw with...

EUVD-2026-35286

The Remote Function Call RFC modules of the Operational Data Provisioning Data Replication API ODP-RFC are missing caller identification of permitted SAP-internal applications and are being used by customer or third-party applications in ways that are not aligned with its intended usage. Which...

PT-2026-47703

An authorization bypass through user-controlled key vulnerability has been reported to affect QuMagie. The remote attackers can then exploit the vulnerability to gain unintended privileges. We have already fixed the vulnerability in the following version: QuMagie 2.9.1 and later...

PT-2026-47663

A vulnerability in Spring Expression Language SpEL evaluation logic allows for arbitrary zero-argument method invocation, even within restricted or read-only contexts, which may allow an attacker to invoke unintended application logic. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2....

PT-2026-47827

A vulnerability in which an attacker can provide a crafted external URL that may redirect a user to an unintended website...

USN-8404-1 transmission vulnerability

It was discovered that Transmission had a clickjacking weakness in the browser-facing WebUI and RPC response paths. An attacker could possibly use this issue to trick users into performing unintended actions...

USN-8404-1: Transmission vulnerability

It was discovered that Transmission had a clickjacking weakness in the browser-facing WebUI and RPC response paths. An attacker could possibly use this issue to trick users into performing unintended actions...

PT-2026-47597

It was discovered that Transmission had a clickjacking weakness in the browser-facing WebUI and RPC response paths. An attacker could possibly use this issue to trick users into performing unintended actions...

CVE-2025-66335

Apache Doris MCP Server versions earlier than 0.6.1 are affected by an improper neutralization flaw in query context handling that may allow execution of unintended SQL statements and bypass of intended query validation and access restrictions through the MCP query execution interface. Version...

CVE-2026-44925

Cross-Site Request Forgery CSRF vulnerability in InfoScale v.9.1.3 Operations Manager VIOM allows an attacker to force the user with an active session into clicking a malicious HTML link, which triggers unintended modifications on VIOM web application without the user's knowledge...

CVE-2026-0502

Due to insufficient CSRF protection in SAP BusinessObjects Business Intelligence Platform ,an authenticated user could be tricked by an attacker to send unintended requests to the web server. This has low impact on integrity and availability of the application. There is no impact on confidentiali...

CVE-2026-44392

Missing authorization vulnerability exists in Movable Type. Under certain conditions, when a user without administrator privileges signs in to the product, unintended update processing may be executed...

PT-2026-46988

Summary managementServer.CreateSchematic internal/backend/grpc/schematics.go passes the caller-controlled TalosVersion field directly to imageFactoryClient.OverlaysVersions, which embeds it verbatim into a fmt.Sprintf"/version/%s/overlays/official", talosVersion path template. url.URL.JoinPath...

CVE-2024-27892 On affected platforms running Arista EOS with OpenConfig configured, a gNMI Set request can be run when it should have been rejected (SSL Profiles Enabled).

Affected platforms running Arista EOS with OpenConfig configured, a gNMI Set request can be run when it should have been rejected. This can result in unexpected configuration being applied to the switch...