Lucene search

4564 matches found

CVE
added 2026/02/02 9:4 a.m. | 454 views

CVE-2026-1751

CVE-2026-1751 affects GitLab CE/EE versions starting with 16.8 up to before 18.5.0, enabling unauthorized edits to merge request approval rules under certain conditions. OSV sources corroborate the description, but no exploit details or active exploitation are provided in the supplied documents. ...

3.1 CVSS | 5.3 AI score | 0.00179 EPSS
Exploits: 1 | References: 2 | Affected Software: 1
OSV
added 2026/02/02 7:16 a.m. | 2 views

CVE-2026-20711

Cross-site scripting vulnerability exists in E-mail function of Cybozu Garoon 5.0.0 to 6.0.3, which may allow an attacker to reset arbitrary users’ passwords...

6.1 CVSS | 5.8 AI score | 0.00225 EPSS
Exploits: 0 | References: 2
Vulnrichment
added 2026/02/02 6:37 a.m. | 5 views

CVE-2026-22888

Improper input verification issue exists in Cybozu Garoon 5.0.0 to 6.0.3, which may lead to unauthorized alteration of portal settings, potentially blocking access to the product...

6.9 CVSS | 5.3 AI score | 0.00404 EPSS
Exploits: 0 | References: 2
CVE
added 2026/02/02 6:37 a.m. | 11 views

CVE-2026-20711

CVE-2026-20711 describes a Cross-site scripting vulnerability in the E-mail function of Cybozu Garoon, affecting version range 5.0.0 through 6.0.3. The issue is triggered via the E-mail component and is reported to allow an attacker to reset arbitrary users’ passwords. The provided documents iden...

6.9 CVSS | 6.7 AI score | 0.00225 EPSS
Exploits: 0 | References: 2 | Affected Software: 1
CNNVD
added 2026/02/02 12:0 a.m. | 4 views

IBM WebSphere Application Server Liberty path traversal vulnerability

IBM WebSphere Application Server Liberty is a Java application server developed by IBM, based on the Open Liberty project. Versions of IBM WebSphere Application Server Liberty from 17.0.0.3 to 26.0.0.1 have a path traversal vulnerability. This vulnerability arises when privileged users can upload...

7.6 CVSS | 6.1 AI score | 0.0039 EPSS
Exploits: 0 | References: 2
Positive Technologies
added 2026/02/02 12:0 a.m. | 9 views

PT-2026-5617

Improper input verification issue exists in Cybozu Garoon 5.0.0 to 6.0.3, which may lead to unauthorized alteration of portal settings, potentially blocking access to the product...

6.9 CVSS | 5.3 AI score | 0.00404 EPSS
Exploits: 0 | References: 3
Positive Technologies
added 2026/02/02 12:0 a.m. | 5 views

PT-2026-5616

Cross-site scripting vulnerability exists in Message function of Cybozu Garoon 5.15.0 to 6.0.3, which may allow an attacker to reset arbitrary users’ passwords...

6.8 CVSS | 5.4 AI score | 0.00217 EPSS
Exploits: 0 | References: 3
CVE
added 2026/01/30 9:27 p.m. | 11 views

CVE-2025-36366

IBM Db2 for Linux, UNIX and Windows (including Db2 Connect Server) is affected by CVE-2025-36366. A local user could cause a denial of service by executing a query that invokes the JSON_Object scalar function, triggering an unhandled exception and abnormal server termination. The bulletin specifi...

6.5 CVSS | 5.3 AI score | 0.00355 EPSS
Exploits: 0 | References: 1 | Affected Software: 1
vulnersOsv
added 2026/01/30 3:54 p.m. | 6 views

@activepieces/piece-amazon-s3 (>=0.5.4 <=0.5.8), @activepieces/piece-amazon-ses (>=0.0.1 <=0.1.3) +988 more potentially affected by CVE-2026-25128 via fast-xml-parser (>=5.0.9 <=5.3.3)

fast-xml-parser NPM version =5.0.9, =0.5.4, =0.0.1, =13.1.4, =1.0.0, =1.9.12, =1.0.3, =1.1.31, =1.0.0, =1.7.16, =2.33.6, =1.4.37, =1.6.11, =1.7.1 and more Source cves: CVE-2026-25128 Source advisory: SNYK:JS-FASTXMLPARSER-15155603...

7.5 CVSS | 7.2 AI score | 0.00559 EPSS
Exploits: 1
vulnersOsv
added 2026/01/30 3:31 p.m. | 9 views

app.valuationcontrol:webservice (>=0.5.0 <=0.5.1), ba.sake:deder-publish-example_3 (=0.0.1) +1353 more potentially affected by CVE-2024-4027 via io.undertow:undertow-core (>=2.3.0.Alpha1 <=2.3.20.Final)

io.undertow:undertow-core MAVEN version =2.3.0.Alpha1, =0.5.0, =0.10.0, =0.0.7, =1.1.15, =1.0.6, =1.0.6, =1.0.6, =2.0.1, =1.0.6, =1.0.6, =1.0.6, =1.0.6, =1.0.6, =2.1.1 and more Source cves: CVE-2024-4027 Source advisory: SNYK:JAVA-IOUNDERTOW-15166617...

7.5 CVSS | 5.4 AI score | 0.0043 EPSS
Exploits: 0
EUVD
added 2026/01/30 3:14 p.m. | 6 views

EUVD-2026-5026

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.3.6 through 5.3.3, a RangeError vulnerability exists in the numeric entity processing of fast-xml-parser when parsing XML with out-of-rang...

7.5 CVSS | 6 AI score | 0.00559 EPSS
Exploits: 1 | References: 3
ATTACKERKB
added 2026/01/30 3:14 p.m. | 6 views

CVE-2026-25128

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 5.0.9 through 5.3.3, a RangeError vulnerability exists in the numeric entity processing of fast-xml-parser when parsing XML with out-of-rang...

7.5 CVSS | 5.7 AI score | 0.00559 EPSS
Exploits: 1 | References: 4 | Affected Software: 1
CNNVD
added 2026/01/30 12:0 a.m. | 3 views

Fast-XML-Parser security vulnerability

fast-xml-parser is an open-source library developed by Natural Intelligence. It is used for quickly validating, parsing, and processing XML files without relying on C/C++-based libraries or callbacks. There are security vulnerabilities in the versions of fast-xml-parser from 4.3.6 to 5.3.3. These...

7.5 CVSS | 7.1 AI score | 0.00559 EPSS
Exploits: 1 | References: 3
CNNVD
added 2026/01/30 12:0 a.m. | 4 views

IBM Db2 code-related vulnerabilities

IBM Db2 is a relational database management system developed by IBM. The system can run on various operating systems such as UNIX, Linux, IBMi, z/OS, and Windows server versions. Versions 12.1.0 to 12.1.3 of IBM Db2 contain code vulnerabilities. These vulnerabilities stem from search path element...

8.4 CVSS | 5.9 AI score | 0.00163 EPSS
Exploits: 0 | References: 3
EUVD
added 2026/01/29 7:8 p.m. | 3 views

EUVD-2026-4970

alsa-lib versions 1.2.2 up to and including 1.2.15.2, prior to commit 5f7fe33, contain a heap-based buffer overflow in the topology mixer control decoder. The tplg_decode_control_mixer1 function reads the num_channels field from untrusted .tplg data and uses it as a loop bound without validating it...

4.6 CVSS | 6 AI score | 0.00191 EPSS
Exploits: 0 | References: 2
Patchstack
added 2026/01/28 6:8 a.m. | 7 views

WordPress Search Atlas SEO plugin 2.4.4 - 2.5.12 - Missing Authorization to Authenticated (Subscriber+) Authentication Bypass via Account Takeover vulnerability

WordPress Search Atlas SEO plugin 2.4.4 - 2.5.12 - Missing Authorization to Authenticated Subscriber+ Authentication Bypass via Account Takeover vulnerability discovered by kr0d in WordPress Plugin Search Atlas SEO versions 2.4.4-2.5.12...

8.8 CVSS | 5.9 AI score | 0.00372 EPSS
Exploits: 0 | References: 1 | Affected Software: 1
vulnersOsv
added 2026/01/28 3:30 a.m. | 6 views

@activfinancial/activ-workstation (>=0.3.0 <=0.4.35), @activfinancial/time-series-chart (>=0.3.40 <=0.3.51) +36 more potentially affected by CVE-2026-1513 via billboard.js (>=1.0.1 <=3.14.0)

billboard.js NPM version =1.0.1, =0.3.0, =0.3.40, =3.0.0, =0.0.55, =1.0.0, =1.0.0, =4.0.0, =1.0.0, =1.0.0, =0.0.1-alpha.1, =5.4.0, =1.5.0, =2.0.0 and more Source cves: CVE-2026-1513 Source advisory: OSV:GHSA-RPC5-PM7Q-HJMP...

6.1 CVSS | 5.8 AI score | 0.00158 EPSS
Exploits: 0
Patchstack
added 2026/01/28 1:51 a.m. | 8 views

WordPress Recooty plugin <= 1.0.6 - Cross-Site Request Forgery to Settings Update vulnerability

Cross-Site Request Forgery to Settings Update vulnerability discovered by omer yeshayahu in WordPress Plugin Recooty versions 1.0.1-1.0.6...

4.3 CVSS | 5.9 AI score | 0.00128 EPSS
Exploits: 0 | References: 1 | Affected Software: 1
CNNVD
added 2026/01/28 12:0 a.m. | 11 views

OpenProject data falsification vulnerability

OpenProject is an open-source web-based project management software. In versions 17.0.0 to 17.0.2 of OpenProject, there was a data manipulation vulnerability. This vulnerability stemmed from the BlockNote editor extension not properly verifying work package IDs, allowing arbitrary GET requests to...

7.3 CVSS | 5.9 AI score | 0.00105 EPSS
Exploits: 0 | References: 3
Positive Technologies
added 2026/01/28 12:0 a.m. | 3 views

PT-2026-5189

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Form Builder allows Cross-Site Scripting (XSS). This issue affects Drupal: from 7.X-1.0 through 7.X-1.22...

4.8 CVSS | 5.9 AI score | 0.00204 EPSS
Exploits: 1 | References: 3