Astro Cloudflare Adapter - Server Side Request Forgery

Astro is a web framework for content-driven websites. Versions 11.0.3 through 12.6.5 are vulnerable to SSRF when using Astro's Cloudflare adapter. When configured with output: 'server' while using the default imageService: 'compile', the generated image optimization endpoint doesn't check the URL...

CVE-2026-48794

Authelia is an open-source authentication and authorization server providing two-factor authentication and single sign-on SSO for applications via a web portal. In versions 4.36.0 through 4.39.19, due to lack of canonicalization of domains in very specific edge cases, an access control rule may b...

EUVD-2026-38039

The GridTime 3000 GNSS Time Server has an open redirect vulnerability in the password change form submission. This issue affects GridTime 3000: from 1.0r0.03 through 1.1r0.0...

CVE-2026-12619

The CVE-2026-12619 entry concerns Microchip GridTime 3000 GNSS Time Server, where an improper neutralization during web page generation enables Cross-Site Scripting (XSS). A CSRF-to-XSS chain affects GridTime 3000 versions 1.0r0.03–1.1r0.0. Exploit maturity is listed as ATTACKED, indicating in-th...

CVE-2026-44915

CVE-2026-44915 is an open redirect vulnerability in Apache APISIX caused by an unsanitized cookie value in the cas-auth plugin. Affected versions are 3.0.0 through 3.16.0. The issue can enable phishing/credential theft. Mitigation: upgrade to version 3.17.0, which contains the fix.

CVE-2026-47339

Affected software: Apache APISIX (versions 2.14.1–3.16.0). Vulnerability: Incorrect Authorization in the authz-casdoor plugin, allowing an attacker to authenticate using credentials from another source under default configuration. Impact: Authentication bypass vector in practice; upgrade required...

EUVD-2025-210248

Missing Authorization vulnerability in EMV JobBank allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects JobBank: from n/a through 1.2.3...

CVE-2026-46880

Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards component: Enterprise Infrastructure Security. Supported versions that are affected are 9.2.0.0-9.2.26.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via JDENET to compromise ...

CVE-2026-46881

Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards component: Enterprise Infrastructure Security. Supported versions that are affected are 9.2.0.0-9.2.26.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via JDENET to compromise ...

CVE-2026-47277 Runtipi: Unauthenticated arbitrary file read through app-store logo symlinks

Runtipi is a personal homeserver orchestrator. In versions 4.9.1 through 4.9.3, Runtipi serves marketplace app logos from files inside cloned app-store repositories through an unauthenticated endpoint, which leads to arbitrary file read through app-store logo symlinks. The path guard checks only...

CVE-2024-22451

Dell Peripheral Manager, versions from 1.5.1 to 1.7.2, contain an uncontrolled search path element vulnerability. An attacker could potentially exploit this vulnerability through preloading malicious executable, leading to arbitrary code execution...

CVE-2026-42089

The CVE concerns yeoman-environment. Vulnerable versions 2.9.0 through 6.0.0 install missing local generator packages from attacker-controlled names without user confirmation, via installLocalGenerators() calling repository.install(). This can cause arbitrary package installation and code executi...

CVE-2024-22451

Dell Peripheral Manager, versions from 1.5.1 to 1.7.2, contain an uncontrolled search path element vulnerability. An attacker could potentially exploit this vulnerability through preloading malicious executable, leading to arbitrary code execution...

CVE-2026-49772

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in Liquid Web / StellarWP The Events Calendar allows Blind SQL Injection. This issue affects The Events Calendar: from 6.15.12 through 6.16.2...

PT-2026-50019

Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards component: Web Runtime Security. Supported versions that are affected are 9.2.0.0-9.2.26.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise JD Edwards...

EUVD-2026-36797

In Spring Cloud Sleuth, it is possible for a user to provide specially crafted calls that may cause a denial-of-service DoS condition. The application is vulnerable when it uses a vulnerable version of org.springframework.cloud:spring-cloud-sleuth-instrumentation and Spring TX instrumentation is...

CVE-2026-41708

In Spring Cloud Sleuth, it is possible for a user to provide specially crafted calls that may cause a denial-of-service DoS condition. The application is vulnerable when it uses a vulnerable version of org.springframework.cloud:spring-cloud-sleuth-instrumentation and Spring TX instrumentation is...

CVE-2026-5233 Missing Rate Limiting in Mia Technologies' Pizzy Library

Improper Control of Interaction Frequency vulnerability in MIA Technology Inc. Pizzy Library allows Flooding. This issue affects Pizzy Library: from 1.0.0.26250 before 1.3.9.26250...

CVE-2026-53520 Nezha Monitoring: Authenticated users can claim the dashboard Host through NAT and preempt all dashboard routing

Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 2.0.14 to before version 2.1.0, authenticated users can claim the dashboard Host through NAT and preempt all dashboard routing. This issue has been patched in version 2.1.0...

CVE-2026-4870 Qiskit SDK is vulnerable to specific functions may recurse too deeply and overflow the available stack space, when encountering certain classical expressions.

IBM Qiskit SDK 0.43.0 through 2.5.0 could allow an attacker to trigger a segmentation fault leading to a denial of service due to uncontrolled recursion in the parser...