EUVD-2026-33999

React Router's vendored turbo-stream v2 allows arbitrary constructor invocation via TYPEERROR deserialization leading to Unauth RCE...

EUVD-2026-33996

React Router's same-origin redirect with path starting // causes open redirect via protocol-relative URL reinterpretation...

EUVD-2026-34001

AIOHTTP is Vulnerable to Deserialization of Untrusted Data...

CVE-2026-43924

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, the Redirect module does not validate the URL scheme of administrator-configured destination URLs before storing or issuing redirects. This allows arbitrary external URLs to be configured as redirect...

CVE-2026-40495

FOSSBilling is a free, open-source billing and client management system. Versions prior to 0.8.0 leak the exact system version through asset cache buster parameters in HTML output, bypassing the hideversionpublic security setting. The FOSSBilling version is embedded in the query string of every a...

CVE-2026-10766

A vulnerability has been found in mlrun up to 1.12.0-rc3. This impacts the function mlrun.utils.helpers.calculatedataframehash of the file mlrun/utils/helpers.py of the component DataFrame Hash Handler. The manipulation leads to use of weak hash. The attack can only be performed from a local...

CVE-2026-43924

Summary: CVE-2026-43924 affects FOSSBilling prior to v0.8.0, where the Redirect module does not validate URL schemes for administrator-configured redirect targets, allowing open redirects. This can cause legitimate user traffic to be redirected to attacker-controlled sites via a 301 response (bro...

CVE-2026-40495

FOSSBilling is a free, open-source billing and client management system. Versions prior to 0.8.0 leak the exact system version through asset cache buster parameters in HTML output, bypassing the hideversionpublic security setting. The FOSSBilling version is embedded in the query string of every...

CVE-2026-40495

FOSSBilling prior to 0.8.0 leaks the exact system version via asset cache buster parameters in HTML output. The version is embedded in the query string of every [removed] and tag created by the script_tag and stylesheet_tag Twig filters, making it visible to all visitors, including unauthenticat...

EUVD-2026-34175

FOSSBilling is a free, open-source billing and client management system. Versions prior to 0.8.0 leak the exact system version through asset cache buster parameters in HTML output, bypassing the hideversionpublic security setting. The FOSSBilling version is embedded in the query string of every a...

CVE-2026-40495 FOSSBilling version exposed via asset cache buster

FOSSBilling is a free, open-source billing and client management system. Versions prior to 0.8.0 leak the exact system version through asset cache buster parameters in HTML output, bypassing the hideversionpublic security setting. The FOSSBilling version is embedded in the query string of every a...

CVE-2026-46251

A flaw was found in the Linux kernel's Btrfs filesystem. When the EXTENTTREEV2 incompatibility flag is enabled, the block group tree's dirty list can become corrupted. This corruption occurs because the block group tree is incorrectly added to a commit list while already being tracked, leading to...

CVE-2026-42061

Local privilege escalation due to excessive permissions assigned to child processes. The following products are affected: Acronis DeviceLock DLP Windows before build 9.0.15051.93227...

CVE-2026-8878

Version 3.0.7 of the Securly Chrome Extension exposes multiple publicly accessible endpoints that allow unauthenticated access to sensitive data. The exposed information consists of SHA-1 hashes that are inadequately obfuscated using a simple Caesar cipher, which can be easily reversed to recover...

CVE-2026-42839

An authenticated ERPNext user with Item record edit permissions can persist arbitrary HTML/JavaScript in the itemname, description, or image fields of an Item and trigger unescaped rendering in the Point of Sale POS cart interface for every operator who adds that item to a transaction.This issue...

CVE-2026-42840

An authenticated user can persist arbitrary HTML/JavaScript in the emailid or mobileno fields of a Customer record and trigger unescaped rendering in the Point of Sale POS interface for every operator who selects that customer. This issue affects ERPNext: 16.16.0...

CVE-2026-26378

Cross Site Scripting vulnerability in Koha 25.11 and before allows a remote attacker to execute arbitrary code via file upload function in Invoice features...

ROOT-APP-PYPI-CVE-2024-53899 CVE-2024-53899 in rootio-virtualenv - Patched by Root

Root has patched CVE-2024-53899 in the rootio-virtualenv package for Root:PyPI. Multiple fixed versions available...

Important: Red Hat Security Advisory: Red Hat Web Terminal Operator 1.15.0 release.

Red Hat Web Terminal Operator 1.15.0 has been released. The Web Terminal provides a way to access a fully in-browser terminal emulator within the OpenShift Console. Command-line tools for interacting with the OpenShift cluster are pre-installed...

Important: Red Hat Security Advisory: Red Hat Web Terminal Operator 1.14.0 release.

Red Hat Web Terminal Operator 1.14.0 has been released. The Web Terminal provides a way to access a fully in-browser terminal emulator within the OpenShift Console. Command-line tools for interacting with the OpenShift cluster are pre-installed...