CVE-2026-45668

Trilium Notes is a cross-platform, hierarchical note taking application focused on building large personal knowledge bases. Prior to 0.102.2, a malicious ZIP archive imported with safe import enabled achieves RCE via docName path traversal and XSS by combining a payload note type: code, mime:...

CVE-2026-27788

Incorrect permission assignment for critical resource issue exists in ServerView Agents for Windows V11.60.04 and earlier. If this vulnerability is exploited, a local authenticated attacker who can log in to the server where the affected product is installed may obtain SYSTEM privilege...

CVE-2026-45400

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, a parsing difference between the urlparse and requests libraries led to an SSRF bypass vulnerability. This vulnerability is fixed in 0.9.5...

CVE-2026-45727

CloakBrowser is a tool to bypass bot detection tests. Prior to version 0.3.28, the cloakserve CDP multiplexer uses the user-supplied fingerprint query parameter directly as a filesystem path component when creating Chrome profile directories. An unauthenticated attacker who can reach the cloakser...

CVE-2026-45714

CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Server-Side Template Injection SSTI vulnerability exists in multiple modules of CubeCart including Email Templates, Invoices, Documents, and Contact Forms. The application unsafely evaluates user-supplied input using the...

CVE-2026-45211

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in Saad Iqbal APIExperts Square for WooCommerce woosquare allows Blind SQL Injection.This issue affects APIExperts Square for WooCommerce: from n/a through = 4.7.1...

CVE-2026-45037

Tabby formerly Terminus is a highly configurable terminal emulator. Prior to 1.0.232, Tabby's terminal linkifier passes any detected URI directly to the operating system's protocol handler without validating the protocol scheme. This allows a malicious SSH or Telnet server to send crafted termina...

CVE-2026-45082

Karakeep is a elf-hostable bookmark-everything app. A Server-Side Request Forgery SSRF protection bypass vulnerability was identified in versions prior to 0.32.0 affecting redirect-following processing components. Although the application implements protections intended to prevent requests toward...

CVE-2026-45158

OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.8, unsanitized user input is passed to the DHCP configuration of the configured interface, which is processed by a shell script, allowing remote code execution as root on the underlying operating system. This vulnerability i...

CVE-2026-45042

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, improper authorization in the UploadPartCopy operation allows copying objects across buckets without enforcing destination bucket restrictions on allowed copy sources. The implementation validates GetObject...

CVE-2026-45209

Missing Authorization vulnerability in edwardplainview MyCryptoCheckout allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects MyCryptoCheckout: from n/a through 2.161...

CVE-2026-45083

The Goobi viewer is a web application that allows digitised material to be displayed in a web browser. From 4.8.0 to before 26.04.1, the Goobi viewer REST endpoint POST /api/v1/index/stream accepted an arbitrary Solr streaming expression from unauthenticated network clients and forwarded it to th...

CVE-2026-45137

Anchor is a framework providing several convenient developer tools for writing Solana programs. From 1.0.0 to before 1.0.2, an logic error causes anchor programs to accept any program id when requiring the system program id, causing false assumptions resulting in potential arbitrary cpi in progra...

GHSA-XVMR-9P7M-JMWV vulnerabilities

Vulnerabilities for packages: openjdk-11-openj9, openjdk-25-openj9, openjdk-26-openj9, openjdk-8-openj9, openjdk-21-openj9, openjdk-17-openj9...

CVE-2026-45218

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in WP Travel WP Travel wp-travel allows Blind SQL Injection.This issue affects WP Travel: from n/a through = 11.4.0...

GHSA-Q4WQ-4WHJ-CXHX vulnerabilities

Vulnerabilities for packages: openjdk-11-openj9, openjdk-25-openj9, openjdk-26-openj9, openjdk-8-openj9, openjdk-21-openj9, openjdk-17-openj9...

CVE-2025-10911 vulnerabilities

Vulnerabilities for packages: openjdk-11-openj9, openjdk-25-openj9, openjdk-26-openj9, openjdk-8-openj9, openjdk-21-openj9, openjdk-17-openj9...

GHSA-5FXQ-F64V-57FQ vulnerabilities

Vulnerabilities for packages: openjdk-11-openj9, openjdk-25-openj9, openjdk-26-openj9, openjdk-8-openj9, openjdk-21-openj9, openjdk-17-openj9...

CVE-2026-34268 vulnerabilities

Vulnerabilities for packages: openjdk-11-openj9, openjdk-25-openj9, openjdk-26-openj9, openjdk-8-openj9, openjdk-21-openj9, openjdk-17-openj9...

CVE-2026-45214

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in Xpro Xpro Elementor Addons xpro-elementor-addons allows Blind SQL Injection.This issue affects Xpro Elementor Addons: from n/a through = 1.5.1...