CVE-2026-40179

Prometheus is an open-source monitoring system and time series database. Versions 3.0 through 3.5.1 and 3.6.0 through 3.11.1 have stored cross-site scripting vulnerabilities in multiple components of the Prometheus web UI where metric names and label values are injected into innerHTML without...

CVE-2026-1564

Pega Platform versions 8.1.0 through 25.1.1 are affected by an HTML Injection vulnerability in a user interface component. Requires a high privileged user with a developer role...

CVE-2026-1711

Pega Platform versions 8.1.0 through 25.1.1 are affected by a Stored Cross-Site Scripting vulnerability in a user interface component. Requires a high privileged user with a developer role...

CVE-2026-1564

Affected product: Pega Platform (versions 8.1.0–25.1.1). Vulnerability: HTML Injection in a UI component. Root cause/impact: HTML injection possible in a high-privilege developer UI context; attack requires a high-privilege user with a developer role; affected confidentiality and integrity are ra...

CVE-2026-5189

CWE-798: Use of Hard-coded Credentials in Sonatype Nexus Repository Manager versions 3.0.0 through 3.70.5 allows an unauthenticated attacker with network access to gain unauthorized read/write access to the internal database and execute arbitrary OS commands as the Nexus process user. Exploitatio...

@amitojsingh366/keepkey-hardware-controller (=0.0.10), @apsiocoin/protobuf-serialization (=0.0.1-alpha1) +178 more potentially affected by CVE-2026-5758 via protocol-buffers-schema (>=3.1.0 <=3.6.0)

protocol-buffers-schema NPM version =3.1.0, =2.0.9, =2.0.7, =2.1.2, =0.0.25, =0.0.19, =2.0.12, =2.0.11, =0.0.12, =6.1.2, =0.18.4, =0.18.4, =1.16.11, =1.4.2, =2.14.3 and more Source cves: CVE-2026-5758 Source advisory: SNYK:JS-PROTOCOLBUFFERSSCHEMA-16420259...

@cmmn/tools (>=3.0.0-alpha-1 <=3.0.0-alpha-6), mikr0 (=0.1.10) potentially affected by CVE-2026-33808 via @fastify/express (>=4.0.1 <=4.0.2)

@fastify/express NPM version =4.0.1, =3.0.0-alpha-1, =3.0.0-alpha-6 - mikr0 =0.1.10 Source cves: CVE-2026-33808 Source advisory: SNYK:JS-FASTIFYEXPRESS-16068303...

CVE-2026-30778 Apache SkyWalking: The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of MySQL/PostgreSQL.

The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of MySQL/PostgreSQL. This issue affects Apache SkyWalking: from 9.7.0 through 10.3.0. Users are recommended to upgrade to version 10.4.0, which fixes the issue...

CVE-2026-5588

Use of a Broken or Risky Cryptographic Algorithm vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpkix on all pkix modules, Legion of the Bouncy Castle Inc. BCPKIX-FIPS bcpkix on All pkix modules, Legion of the Bouncy Castle Inc. BCPIX-LTS bcpkix on All pkix modules. This vulnerability...

org.bouncycastle:bcjmail-debug-jdk15to18 (>=1.81 <=1.83), org.bouncycastle:bcmail-debug-jdk15to18 (>=1.81 <=1.83) potentially affected by CVE-2026-5588 via org.bouncycastle:bcpkix-debug-jdk15to18 (>=1.81 <=1.83)

org.bouncycastle:bcpkix-debug-jdk15to18 MAVEN version =1.81, =1.81, =1.81, =1.83 Source cves: CVE-2026-5588 Source advisory: SNYK:JAVA-ORGBOUNCYCASTLE-16075256...

app.cash.bittycity:outie (=0.0.1), app.cash.bittycity:outie-jooq-provider (=0.0.1) +1448 more potentially affected by CVE-2026-5598 via org.bouncycastle:bcprov-jdk15to18 (>=1.71 <=1.83)

org.bouncycastle:bcprov-jdk15to18 MAVEN version =1.71, =0.0.2, =0.0.2.1, =0.2.9, =0.2.8, =0.2.8, =0.2.8, =0.1.0-M36, =0.1.0-M27, =1.0.1, =3.5.0.0, =3.5.5.3 - cn.lnkdoc.sdk:awesome-uia-alipay-sdk =3.0.0-RC1 - cn.lnkdoc.sdk:awesome-uia-alipay-sdk-solon-boot-2-starter =3.0.0-RC1 and more Source cves...

CVE-2026-0636 LDAP Injection Vulnerability in LDAPStoreHelper.java

Improper neutralization of special elements used in an LDAP query 'LDAP injection' vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcprov on all prov modules. This vulnerability is associated with program files LDAPStoreHelper. This issue affects BC-JAVA: from 1.74 before 1.80.2, from...

Composer 安全漏洞

Composer is an open-source application developed by Composer. It provides a tool for declaring, managing, and installing dependencies of PHP projects. Versions of Composer from 1.0 to 2.2.26, as well as from 2.3 to 2.9.5, have security vulnerabilities. These vulnerabilities stem from command...

Pega Platform 安全漏洞

Pega Platform is an enterprise management platform developed by Pega, Inc. Versions of Pega Platform from 8.1.0 to 25.1.1 have security vulnerabilities, which stem from HTML injection in the user interface components...

Bouncy Castle Java 安全漏洞

Bouncy Castle Java is an open-source encryption algorithm developed by Legion of the Bouncy Castle Inc. There were security vulnerabilities in Bouncy Castle Java versions from 2.17.3 to 1.84. These vulnerabilities stemmed from non-constant time comparisons, which could lead to the exposure of the...

Apache Log4j 2.12.0 < 2.25.4 SSL Hostname Verification Bypass (CVE-2026-34477)

The version of Apache Log4j on the remote host is 2.12.0 through 2.25.3. It is, therefore, affected by a vulnerability: - The verifyHostName configuration attribute of the Ssl element was silently ignored in all versions through 2.25.3, leaving TLS connections vulnerable to interception via...

CVE-2026-40091

SpiceDB 1.49.0–1.51.0 logs startup configuration with the full datastore DSN (DatastoreConfig.URI), including plaintext password, when the log level is info. This exposes credentials in startup logs. The issue is fixed in 1.51.1. If upgrading is not possible, the recommended workaround is to set ...

CVE-2025-66447

Chamilo LMS is a learning management system. From 1.11.0 to 2.0-beta.1, anyone can trigger a malicious redirect through the use of the redirect parameter to /login. This vulnerability is fixed in 2.0-beta.2...

EUVD-2026-22339

A use of hard-coded cryptographic key vulnerability in Fortinet FortiClientEMS 7.4.0 through 7.4.5 may allow attacker to information disclosure via...

CVE-2025-61886

Fortinet FortiSandbox and FortiSandbox PaaS versions 5.0.0–5.0.4 are affected by a Cross-site Scripting (CWE-79) vulnerability due to improper input neutralization during web page generation. An attacker can trigger an XSS attack by sending crafted HTTP requests. The NVD/CVE entry lists a CVSS v3...