CVE-2026-49102

Webmin before 2.640 allows mailboxes/detach.cgi XSS via an SVG document attachment that is viewed in the mailboxes component, because image/svg+xml is used instead of a safe type e.g., text/plain...

CVE-2026-48973 WordPress SVG Support plugin <= 2.5.14 - Broken Access Control vulnerability

Missing Authorization vulnerability in Benbodhi SVG Support allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SVG Support: from n/a through 2.5.14...

CVE-2026-48973

The CVE-2026-48973 entry applies to the WordPress plugin SVG Support (versions up to 2.5.14). The vulnerability is described as a Missing Authorization / Broken Access Control issue caused by incorrectly configured access control security levels, affecting SVG Support. The CVSS 3.1 base score is ...

CVE-2026-48973 WordPress SVG Support plugin <= 2.5.14 - Broken Access Control vulnerability

Missing Authorization vulnerability in Benbodhi SVG Support allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SVG Support: from n/a through 2.5.14...

WordPress SVG Support plugin <= 2.5.14 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Steven Julian in WordPress Plugin SVG Support versions = 2.5.14...

CVE-2026-47119

CVE-2026-47119 concerns Agent Zero before version 1.15, which is affected by a stored XSS via the image_get API endpoint. The vulnerability arises when SVG files are served without proper headers (no Content-Security-Policy, X-Content-Type-Options, or Content-Disposition), allowing an attacker to...

CVE-2026-47119 Agent Zero < 1.15 Stored XSS via image_get API Endpoint

Agent Zero before version 1.15 contains a stored cross-site scripting vulnerability that allows attackers to execute arbitrary JavaScript in the application origin by serving SVG files through the imageget API endpoint without Content-Security-Policy, X-Content-Type-Options, or Content-Dispositio...

CVE-2026-46028

In the Linux kernel, the following vulnerability has been resolved: crypto: algifaead - snapshot IV for async AEAD requests AFALG AEAD AIO requests currently use the socket-wide IV buffer during request processing. For async requests, later socket activity can update that shared state before the...

EUVD-2026-32409

In the Linux kernel, the following vulnerability has been resolved: crypto: algifaead - snapshot IV for async AEAD requests AFALG AEAD AIO requests currently use the socket-wide IV buffer during request processing. For async requests, later socket activity can update that shared state before the...

CVE-2026-46028

Technical details about CVE-2026-46028 are not publicly available in the provided documents. Monitor for updates.

CVE-2026-46028 crypto: algif_aead - snapshot IV for async AEAD requests

In the Linux kernel, the following vulnerability has been resolved: crypto: algifaead - snapshot IV for async AEAD requests AFALG AEAD AIO requests currently use the socket-wide IV buffer during request processing. For async requests, later socket activity can update that shared state before the...

SUSE CVE-2026-48848

Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7 has insufficient HTML sanitization that could lead to Cascading Style Sheets CSS injection via an SVG document that has an animate element with the attributeName attribute...

BIT-JOOMLA-2026-48905 Joomla! Framework - [20260520] - Inadequate content filtering within the cleanAttributes filter code.

Lack of input filtering leads to an XSS vector in the HTML filter code...

CVE-2026-48962 IO::Compress versions before 2.220 for Perl can execute arbitrary code in File::GlobMapper via an attacker-controlled output glob

IO::Compress versions before 2.220 for Perl can execute arbitrary code in File::GlobMapper via an attacker-controlled output glob. parseOutputGlob wraps the caller-supplied output glob string in double quotes and stores it in the parser state; getFiles then runs the stored expression through eval...

Google Chrome 资源管理错误漏洞

Google Chrome is a web browser developed by Google Inc. Versions of Google Chrome prior to 148.0.7778.216 contained a resource management vulnerability, which stemmed from issues with reusing SVG elements after its release. This vulnerability could allow remote attackers to execute arbitrary code...

PT-2026-44563

Name of the Vulnerable Software and Affected Versions Google Chrome versions prior to 148.0.7778.216 Description A use after free issue exists in the Scalable Vector Graphics SVG component, which is an XML-based format for describing two-dimensional graphics. This flaw allows a remote attacker to...

PT-2026-44030

Webmin before 2.640 allows mailboxes/detach.cgi XSS via an SVG document attachment that is viewed in the mailboxes component, because image/svg+xml is used instead of a safe type e.g., text/plain...

DEBIAN-CVE-2026-44983

smallbitvec is a growable bit-vector for Rust, optimized for size. From 1.0.1 to 2.6.0, an integer overflow in the internal capacity calculation of smallbitvec can lead to an undersized heap allocation, resulting in a heap buffer overflow through safe APIs only. This allows memory corruption...

CVE-2026-44832

Snipe-IT is an IT asset/license management system. Prior to 8.4.1, aAn authenticated user with only users.edit permission can escalate their own privileges to admin by sending a PATCH request to /api/v1/users/id with permissionsadmin=1. The API controller only strips the superuser key from the...

CVE-2026-9451

A weakness has been identified in code-projects Employee Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /process/applyleaveprocess.php. This manipulation of the argument ID causes sql injection. The attack can be initiated remotely. The exploit has...