CVE-2026-38967

CrowCpp Crow through v1.3.1 HTTP is vulnerable to response header injection via unvalidated response header values...

CVE-2026-8878

Version 3.0.7 of the Securly Chrome Extension exposes multiple publicly accessible endpoints that allow unauthenticated access to sensitive data. The exposed information consists of SHA-1 hashes that are inadequately obfuscated using a simple Caesar cipher, which can be easily reversed to recover...

CVE-2026-3276

unicodedata.normalize can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms...

CVE-2026-46263

CVE-2026-46263: Linux kernel DRM/AMD display component fix for out-of-bounds access in stream_enc_regs. The issue stems from eng_id being used directly as an index into stream_enc_regs[] (size 5); eng_id can be 5 (ENGINE_ID_DIGF) or negative, risking memory past the end. A bounds check using ARRA...

CVE-2026-44581

A flaw was found in Next.js. This vulnerability, a type of stored cross-site scripting XSS, allows a remote attacker to inject malicious scripts into web pages. By manipulating nonce values derived from request headers, an attacker can poison cached responses, leading to arbitrary script executio...

EUVD-2026-34020

CrowCpp Crow through v1.3.1 HTTP is vulnerable to response header injection via unvalidated response header values...

CVE-2026-48598

Improper Encoding or Escaping of Output vulnerability in elixir-tesla tesla allows multipart part header injection via unescaped Content-Disposition parameter values. Tesla.Multipart.partheadersfordisposition/1 interpolates each disposition parameter as k="v" with no validation of CR \r, LF \n, o...

EEF-CVE-2026-48598 CRLF injection in Tesla.Multipart disposition parameters allows multipart part header injection

Summary Improper Encoding or Escaping of Output vulnerability in elixir-tesla tesla allows multipart part header injection via unescaped Content-Disposition parameter values. Tesla.Multipart.partheadersfordisposition/1 interpolates each disposition parameter as k="v" with no validation of CR \r, ...

Spring Boot: Spring Boot: Weak pseudo-random number generation can lead to information disclosure.

A flaw was found in Spring Boot. The $random.value property source utilizes a weak pseudo-random number generator PRNG, meaning the values it produces are not sufficiently random for use as cryptographic secrets. An attacker could potentially predict these values, which may lead to information...

SUSE CVE-2026-45372

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.44.0, when cpp-httplib's server parses an incoming request, it applies percent-decoding to every header value except Location and Referer. The validity check isfieldvalue is run before decoding, so encode...

CVE-2026-38967

CrowCpp Crow through v1.3.1 HTTP is vulnerable to response header injection via unvalidated response header values...

CVE-2026-38967

CrowCpp Crow through v1.3.1 HTTP is vulnerable to response header injection via unvalidated response header values...

PT-2026-45841

Improper Encoding or Escaping of Output vulnerability in elixir-tesla tesla allows multipart part header injection via unescaped Content-Disposition parameter values. Tesla.Multipart.part headers for disposition/1 interpolates each disposition parameter as k="v" with no validation of CR r, LF , o...

CVE-2026-10248

A vulnerability was determined in SourceCodester Pharmacy Sales and Inventory System up to 1.0. This issue affects the function createsupplier of the file /Exportcsv/export of the component Supplier Creation Interface. This manipulation of the argument Address/Company Name causes csv injection...

EUVD-2026-33623

A vulnerability was determined in SourceCodester Pharmacy Sales and Inventory System up to 1.0. This issue affects the function createsupplier of the file /Exportcsv/export of the component Supplier Creation Interface. This manipulation of the argument Address/Company Name causes csv injection...

EUVD-2026-33589

A bug in Apache Airflow's Variable response masker caused nested-key redaction triggered by secret-suffixed key names like password, token, secret, apikey to be bypassed when the JSON value's nesting depth exceeded the shared secrets masker's recursion limit: the masker returned the original nest...

SourceCodester Pharmacy Sales and Inventory System has security vulnerabilities

SourceCodester Pharmacy Sales and Inventory System is an open-source medication sales and inventory management system developed by SourceCodester. Versions of the SourceCodester Pharmacy Sales and Inventory System prior to version 1.0 contained security vulnerabilities. These vulnerabilities were...

Apache Airflow security vulnerabilities

Apache Airflow is an open-source platform developed by the Apache Foundation in the United States. It allows for the creation, management, and monitoring of workflows. This platform features scalability and dynamic monitoring capabilities. Prior to Apache Airflow 3.2.2, there were security...

SUSE CVE-2026-48156

pypdf is a free and open-source pure-python PDF library. Prior to 6.12.0, an attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires cross-reference streams with /W 0 0 0 values and large /Size values. This vulnerability is fixed in 6.12.0...

GHSA-MCH8-WF3H-6X88 Admidio writes session IDs and auto-login cookie values to application logs

Summary When debug logging is enabled, Session::setCookie logs full cookie values and Session::start logs the current session ID. In a real Admidio deployment this includes both the active session cookie and the persistent auto-login cookie. Anyone with access to the log sink can recover live...