PT-2026-4043
Name of the Vulnerable Software and Affected Versions: favethemes Homey Core versions through 2.4.3. Description: The software contains a flaw related to improper input handling during web page creation, which allows for Reflected Cross-site Scripting (XSS). This means an attacker could potentially...
go-tuf data falsification vulnerability
go-tuf is a framework developed by The Update Framework for protecting software update systems. Versions of go-tuf from 2.0.0 to 2.3.1 had a data manipulation vulnerability due to improper configuration of the signature threshold. This vulnerability could allow unauthorized modifications to TUF...
4game-support-ckeditor5-custom-build (>=0.0.1 <=0.0.5), 87-midnight-ckeditor5 (>=0.0.3 <=0.0.5) +4347 more potentially affected by CVE-2025-13465 via lodash-es (>=4.0.0 <=4.17.22)
lodash-es NPM version =4.0.0, =0.0.1, =0.0.3, =0.0.1, =1.0.0, =2.14.1, =41.3.1, =2.1.0, =0.7.0, =1.0.0, =0.1.3, =0.0.4, =0.1.0, =0.0.1-alpha.4, =1.0.1, =0.0.1, =0.0.7 and more Source cves: CVE-2025-13465 Source advisory: SNYK:JS-LODASHES-15053836...
CVE-2025-58744
Use of Default Credentials, Hard-coded Credentials vulnerability in C2SGlobalSettings.dll in Milner ImageDirector Capture on Windows allows decryption of document archive files using credentials decrypted with hard-coded application encryption key. This issue affects ImageDirector Capture: from...
CVE-2025-58741
Insufficiently Protected Credentials vulnerability in the Credential Field of Milner ImageDirector Capture allows retrieval of credential material and enables database access. This issue affects ImageDirector Capture: from 7.0.9 through 7.6.3.25808...
CVE-2026-21926
Vulnerability in the Siebel CRM Deployment product of Oracle Siebel CRM (component: Server Infrastructure). Supported versions that are affected are 17.0-25.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via TLS to compromise Siebel CRM Deployment. Successfu...
CVE-2026-23526
CVAT is an open source interactive video and image annotation tool for computer vision. In versions 1.0.0 through 2.54.0, users that have the staff status may freely change their permissions, including giving themselves superuser status and joining the admin group, which gives them full access to...
CVE-2026-23526 CVAT vulnerable to privilege escalation of users with staff status
CVAT is an open source interactive video and image annotation tool for computer vision. In versions 1.0.0 through 2.54.0, users that have the staff status may freely change their permissions, including giving themselves superuser status and joining the admin group, which gives them full access to...
CVE-2025-13465
Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the .unset and .omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwriting their original...
EUVD-2025-206319
Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the .unset and .omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwriting their original...
@aexol/opencode-tui (>=0.2.5 <=0.2.10), @agent-embed/js (>=0.0.1 <=0.0.45) +273 more potentially affected by CVE-2026-23956 via seroval (>=0.2.1 <=1.3.2)
seroval NPM version =0.2.1, =0.2.5, =0.0.1, =2.11.0, =1.0.0, =1.0.0, =0.0.1, =0.0.1, =0.0.7, =0.0.1, =0.0.1, =1.0.0, =0.1.26, =0.0.1, =0.0.17-demo-01 and more Source cves: CVE-2026-23956 Source advisory: OSV:GHSA-HX9M-JF43-8FFR...
ch.iterial.keycloak.plugins:keycloak-directus-plugin (>=0.1.0 <=0.7.0), com.charlyghislain.keycloak:keycloak-importexport (>=21.0.0 <=23.0.1) +149 more potentially affected by CVE-2025-14559 via org.keycloak:keycloak-services (>=1.0-alpha-1 <=26.4.7)
org.keycloak:keycloak-services MAVEN version =1.0-alpha-1, =0.1.0, =21.0.0, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.0.1, =1.1.7 and more Source cves: CVE-2025-14559 Source advisory: OSV:GHSA-WV3H-X6C4-R867...
EUVD-2026-3553
Vulnerability in the Oracle Workflow product of Oracle E-Business Suite (component: Workflow Loader). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Workflow. Successful...
EUVD-2025-206309
Insufficiently Protected Credentials, Improper Restriction of Communication Channel to Intended Endpoints vulnerability in the Connection Settings dialog in Milner ImageDirector Capture on Windows allows Adversary in the Middle (AiTM) by modifying the 'Server' field to redirect client...
CVE-2025-65482
An XML External Entity (XXE) vulnerability in opensagres XDocReport v0.9.2 to v2.0.3 allows attackers to execute arbitrary code via uploading a crafted .docx file...
CVE-2025-64087
A Server-Side Template Injection (SSTI) vulnerability in the FreeMarker component of opensagres XDocReport v1.0.0 to v2.1.0 allows attackers to execute arbitrary code via injecting crafted template expressions...
PT-2026-3766
Name of the Vulnerable Software and Affected Versions: GitLab CE/EE versions 18.6 through 18.8.1. Description: GitLab CE/EE is affected by a high-severity issue that allows an attacker with knowledge of a victim's credential ID to bypass two-factor authentication by submitting forged device response...
PT-2026-3877
Name of the Vulnerable Software and Affected Versions: Docmost versions 0.3.0 through 0.23.2. Description: Docmost is collaborative wiki and documentation software. Versions 0.3.0 through 0.23.2 are susceptible to stored Cross-Site Scripting (XSS) due to improper sanitization when rendering Mermaid co...
Flux-Operator security vulnerabilities
Flux-Operator is a lifecycle management software developed by ControlPlane Enterprise for Flux CD. Versions of Flux-Operator from 0.36.0 to 0.40.0 contained security vulnerabilities. These vulnerabilities stemmed from the Web UI authentication code not verifying whether the generated username and...
CVE-2026-21950
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 9.0.0-9.5.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks o...