502 matches found

CVE
added yesterday, 8 views

CVE-2026-53577

CVE-2026-53577 – Kestra: Affects the previewFileFromExecution endpoint (GET /api/v1/{tenant}/executions/{executionId}/file/preview). Before versions 1.0.45 and 1.3.21, there was an access control bypass that allowed any authenticated user to read output files from any other execution within the ...

CVSS 6.5, AI score 5.9, EPSS 0.00047
Exploits: 0, References: 1

CVE
added yesterday, 9 views

CVE-2026-52783

OpenProject stores OneDrive/SharePoint userless OAuth access_token in plaintext in Rails.cache within the Storages module prior to versions 17.3.3 and 17.4.1. None of the allowed backends (file_store, memcache, redis) encrypts data at rest. An attacker with read access to the cache can retrieve t...

CVSS 8.2, AI score 5.6, EPSS 0.00034
Exploits: 0, References: 1

NVD
added yesterday, 4 views

CVE-2026-48497

Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, in cases where UDP DNS filter is configured with local resolution containing a name with the length of 255 octets or remote resolution for a name of 255 octets long...

CVSS 5.9
Exploits: 0, References: 1

CVE
added yesterday, 5 views

CVE-2026-47220

The CVE describes a crash in Envoy when using %REQUESTED_SERVER_NAME(X:Y)% in log format with host-related options (e.g., HOST_FIRST, SNI_FIRST) and the specified host header is missing in the request headers. Affected versions are 1.37.0 through 1.37.5 and 1.38.3. The vulnerability arises from t...

CVSS 7.5, AI score 5.8
Exploits: 0, References: 1

Cvelist
added yesterday, 20 views

CVE-2026-47221 Envoy: Null pointer deref in internal redirects

Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.18.0 until 1.35.13, 1.36.9, 1.37.5, and 1.38.3, the router filter contains a null pointer dereference vulnerability when handling HTTP 303 See Other internal redirects for body-less non-GET/HEAD requests...

CVSS 5.9
Exploits: 0, References: 1

OSV
added yesterday, 8 views

ROOT-OS-DEBIAN-12-CVE-2025-39931 CVE-2025-39931 in rootio-linux - Patched by Root

Root has patched CVE-2025-39931 in the rootio-linux package for Root:Debian:12. Multiple fixed versions available...

CVSS 5.5, AI score 6.5, EPSS 0.00134
Exploits: 0

OSV
added 2 days ago, 6 views

ROOT-OS-UBUNTU-2204-CVE-2025-39898 CVE-2025-39898 in rootio-linux - Patched by Root

Root has patched CVE-2025-39898 in the rootio-linux package for Root:Ubuntu:22.04. Multiple fixed versions available...

AI score 8.2
Exploits: 0

OSV
added 2 days ago, 4 views

ROOT-OS-UBUNTU-2204-CVE-2022-50322 CVE-2022-50322 in rootio-linux - Patched by Root

Root has patched CVE-2022-50322 in the rootio-linux package for Root:Ubuntu:22.04. Multiple fixed versions available...

CVSS 5.5, AI score 5.4, EPSS 0.00143
Exploits: 0

OSV
added 2 days ago, 4 views

ROOT-OS-UBUNTU-2204-CVE-2024-46820 CVE-2024-46820 in rootio-linux - Patched by Root

Root has patched CVE-2024-46820 in the rootio-linux package for Root:Ubuntu:22.04. Multiple fixed versions available...

CVSS 7.8, AI score 7.9, EPSS 0.00232
Exploits: 0

OSV
added 3 days ago, 4 views

ROOT-OS-UBUNTU-2404-CVE-2025-39961 CVE-2025-39961 in rootio-linux - Patched by Root

Root has patched CVE-2025-39961 in the rootio-linux package for Root:Ubuntu:24.04. Multiple fixed versions available...

CVSS 4.7, AI score 8.2, EPSS 0.00098
Exploits: 0

Debian CVE
added 4 days ago, 7 views

CVE-2026-54513

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, and 3.1.4, BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray allowlists any array type based only on clazz.isArray, without validating th...

CVSS 8.1, AI score 5.8, EPSS 0.00597
Exploits: 0

Cvelist
added 4 days ago, 27 views

CVE-2026-54517 jackson-databind: @JsonView bypass for setterless creator properties

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, in BeanDeserializer.deserializeUsingPropertyBased, the active-view @JsonView filter was applied only to creator properties; the regular...

CVSS 5.3, EPSS 0.0024
Exploits: 0, References: 5

NVD
added 4 days ago, 4 views

CVE-2026-48020

Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.48, 3.6.19, and 3.7.3, there is a high severity vulnerability in Traefik's StripPrefix middleware that allows an unauthenticated attacker to bypass route-level authentication and authorization. When a public router matches on a...

CVSS 10, EPSS 0.00525
Exploits: 2, References: 4

NVD
added 4 days ago, 6 views

CVE-2026-54307

n8n is an open source workflow automation platform. Prior to 1.123.55, 2.25.7, and 2.26.2, a member-level user with editor access to a shared workflow could reference credentials they do not own via specific public API endpoints. Credential ownership checks were only enforced partially leading to...

CVSS 9.6, EPSS 0.00315
Exploits: 0, References: 1

NVD
added 5 days ago, 6 views

CVE-2026-48500

Filament is a collection of full-stack components for accelerated Laravel development. From 3.0.0 until 3.3.52, 4.11.5, and 5.6.5, any schema can contain a file upload form field, so Filament applies Livewire's WithFileUploads trait to the Livewire component the schema is embedded in. However, so...

CVSS 6.5, EPSS 0.00207
Exploits: 0, References: 1

CVE
added 5 days ago, 22 views

CVE-2026-48067

CVE-2026-48067 affects Filament components where the recordSelectOptionsQuery() used to scope options in AttachAction and AssociateAction Select fields did not apply the same scope in validation. From filament/actions 4.0.0–4.11.4 and 5.6.4, and filament/tables 3.0.0–3.3.51, an attacker could tri...

CVSS 6.5, AI score 5.8, EPSS 0.00178
Exploits: 0, References: 1

Cvelist
added 5 days ago, 24 views

CVE-2026-48505 Filament: Multi-factor authentication (app) recovery codes can still be used multiple times via concurrent submission

Filament is a collection of full-stack components for accelerated Laravel development. From 4.0.0 until 4.11.5 and 5.6.5, a flaw in the handling of recovery codes for app-based multi-factor authentication allows the same recovery code to be reused via concurrent submission. This issue does not...

CVSS 7.4, EPSS 0.00193
Exploits: 0, References: 1

Debian CVE
added 5 days ago, 5 views

CVE-2026-54264

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.1, 21.2.17, and 20.3.25, an information disclosure vulnerability exists in the @angular/service-worker package of the Angular framework. When the Servi...

CVSS 8.3, AI score 5.9, EPSS 0.00404
Exploits: 0

CVE
added 5 days ago, 36 views

CVE-2026-50557

CVE-2026-50557 concerns Angular’s template sanitization bypass via namespace handling in @angular/compiler and @angular/core. The issue allows namespaced elements (e.g., svg:script or ) to escape script-element recognition and for security context attribute mappings to bypass runtime/compile-time...

CVSS 6.1, AI score 5.8, EPSS 0.00336
Exploits: 0, References: 3, Affected Software: 1

EUVD
added 6 days ago, 6 views

EUVD-2026-38179

Craft CMS versions = 5.0.0-RC1, = 4.0.0-RC1, = 4.17.7 contain an authorization bypass in the assets/preview-file endpoint. The action does not enforce per-asset view authorization before returning preview content, allowing an authenticated low-privileged user to supply a controlled assetId for an...

CVSS 5.3, AI score 5.9, EPSS 0.00221
Exploits: 0, References: 3