CVE-2026-11718

An authentication bypass vulnerability exists in the generic opaque token validation path validateOpaqueToken of googleapis/mcp-toolbox. When the toolbox validates an opaque token via an OAuth 2.0 introspection endpoint RFC 7662, it decodes the response into an introspectResp struct. However, the...

GHSA-G5H5-M4HM-XJRR ZITADEL: Missing Token Audience Validation (`aud`) in JWT IdP Provider

Summary An authentication bypass vulnerability was discovered in ZITADEL's external JWT Identity Provider IdP implementation. When validating JSON Web Tokens JWTs from an external provider, ZITADEL properly checks the token's cryptographic signature and issuer iss, but it fails to validate the...

GHSA-WXG7-W2V3-W38G ZITADEL: Missing Token Lifecyle Validation (`exp` and `iat`) in JWT IdP Provider

Summary Two closely related token lifecycle validation vulnerabilities were discovered in ZITADEL's external JWT Identity Provider IdP implementation. Specifically, within the validation pipeline: Missing Expiration exp Enforcement: If an incoming JWT omits the exp claim entirely, the expiration...

CRLF Injection

Overview Affected versions of this package are vulnerable to CRLF Injection via the fixRequestBody function. An attacker can inject or override multipart form fields, potentially bypassing gateway-side validation or access controls, by supplying crafted input containing carriage return and line...

CVE-2026-11718

An authentication bypass vulnerability exists in the generic opaque token validation path validateOpaqueToken of googleapis/mcp-toolbox. When the toolbox validates an opaque token via an OAuth 2.0 introspection endpoint RFC 7662, it decodes the response into an introspectResp struct. However, the...

CVE-2026-11718

The CVE-2026-11718 entry concerns an authentication bypass in googleapis/mcp-toolbox: during opaque-token validation via an OAuth 2.0 introspection endpoint, the code decodes the response and checks issuer with the condition a.issuer != "" && iss != "". If the introspection response omits iss, is...

CVE-2026-50643 Out‑of‑Bounds Read in 8cc

8cc is vulnerable to an Out‑of‑Bounds Read due to improper handling of line directives and GNU linemarkers. The compiler accepts attacker-controlled filename and line number metadata and later uses it without validation when accessing source line arrays. By supplying invalid or oversized line...

NoSQL Injection

Spring Data MongoDB is vulnerable to NoSQL Injection. The vulnerability is due to insufficient validation of parameters bound to regular expressions in @Query-annotated repository methods, where attacker-controlled input can break out of the intended regex quoting e.g., ^\Q?0\E$ and manipulate...

CVE-2026-11784

The Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2.6. This is due to missing or incorrect nonce validation on the replacefile function. This makes it...

CVE-2026-55742

Cotonti 1.0.0 (master, commit f43f1fc3) is vulnerable to CSRF in system/admin/admin.rights.php while performing the update action (a=update). The code path updates group access rights (including via cot_auth_add_group) without calling cot_check_xg() to validate an anti-CSRF token. A remote attack...

EUVD-2026-37848

The Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2.6. This is due to missing or incorrect nonce validation on the replacefile function. This makes it...

CVE-2026-11784

The CVE describes a Cross‑Site Request Forgery in the WordPress plugin Optimole – Optimize Images (

CVE-2026-10023 Dokan: AI Powered WooCommerce Multivendor Marketplace Solution <= 5.0.3 - Insecure Direct Object Reference to Authenticated (Custom+) Arbitrary Order Modification via Multiple AJAX Handlers

The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.0.3 via the changeorderstatus, addordernote, deleteordernote,...

CVE-2026-10023

Dok an: AI Powered WooCommerce Marketplace Solution

SUSE CVE-2026-12453

Insufficient validation of untrusted input in Input in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. Chromium security severity: High...

CVE-2026-12151

A flaw was found in undici. A malicious WebSocket server can exploit this by streaming numerous small or empty continuation frames. This can bypass per-frame and cumulative-size validation, leading to unbounded memory growth in the client process. The primary consequence is memory exhaustion,...

PT-2026-50820

Name of the Vulnerable Software and Affected Versions AVer PTC500S affected versions not specified AVer PTC115 affected versions not specified AVer PTC500+ affected versions not specified AVer PTC115+ affected versions not specified Description Improper input validation in these networked...

PT-2026-50738

Name of the Vulnerable Software and Affected Versions ZITADEL versions 4.0.0 through 4.11.0 ZITADEL versions 3.0.0 through 3.4.11 Description An authentication bypass exists in the external JWT Identity Provider IdP implementation. While the system validates the cryptographic signature and the...

PT-2026-50824

Name of the Vulnerable Software and Affected Versions Daytona versions prior to 0.186 Description A sandbox volume reference volumeId which may also be a volume name was forwarded to the runner and used to build the host bind-mount source path without confinement. A reference containing...

PT-2026-50803

Name of the Vulnerable Software and Affected Versions Chef 360 versions prior to 1.7.1 Description Improper handling of URL-encoded paths during request processing can allow unauthorized access to protected API endpoints. An authenticated request may bypass standard access controls to gain...