
4559 matches found

Cvelist
added 2026/04/07 6:45 p.m., 23 views

CVE-2026-5736 PowerJob detailPlus Endpoint InstanceController.java sql injection

A vulnerability was identified in PowerJob 5.1.0/5.1.1/5.1.2. Impacted is an unknown function of the file powerjob-server/powerjob-server-starter/src/main/java/tech/powerjob/server/web/controller/InstanceController.java of the component detailPlus Endpoint. The manipulation of the argument...

CVSS 7.5, EPSS 0.00269
Exploits 0, References 6

vulnersOsv
added 2026/04/07 6:31 p.m., 4 views

com.instaclustr:cassandra-ldap-4.1.0 (=1.0.0), com.instaclustr:ic-sstable-tools-4.1.0 (=1.0.0) +12 more potentially affected by CVE-2026-32588 via org.apache.cassandra:cassandra-all (>=4.1.0 <=4.1.10)

org.apache.cassandra:cassandra-all MAVEN version =4.1.0, =4.1.0, =4.1.0, =4.1.0, =1.0-Beta3, =3.15, =3.15, =4.2 - org.odpi.egeria:open-metadata-assemblies =3.15 Source cves: CVE-2026-32588 Source advisory: OSV:GHSA-QFFM-GF3J-6MVG...

CVSS 6.5, AI score 5.8, EPSS 0.00533
Exploits 0

vulnersOsv
added 2026/04/07 6:31 p.m., 3 views

com.instaclustr:cassandra-ldap-4.1.0 (=1.0.0), com.instaclustr:ic-sstable-tools-4.1.0 (=1.0.0) +12 more potentially affected by CVE-2026-32588 via org.apache.cassandra:cassandra-all (>=4.1.0 <=4.1.10)

org.apache.cassandra:cassandra-all MAVEN version =4.1.0, =4.1.0, =4.1.0, =4.1.0, =1.0-Beta3, =3.15, =3.15, =4.2 - org.odpi.egeria:open-metadata-assemblies =3.15 Source cves: CVE-2026-32588 Source advisory: SNYK:JAVA-ORGAPACHECASSANDRA-15954234...

CVSS 6.5, AI score 5.8, EPSS 0.00533
Exploits 0

vulnersOsv
added 2026/04/07 6:15 p.m., 3 views

@agentholdings/agent-passport (>=0.1.0 <=0.1.5), @chrysb/alphaclaw (>=0.8.3 <=0.9.5) +16 more potentially affected by CVE-2026-41372 via openclaw (>=2026.3.22 <=2026.4.12)

openclaw NPM version =2026.3.22, =0.1.0, =0.8.3, =0.1.0, =2026.3.25, =2026.3.24-3, =0.14.39, =0.1.0, =0.1.1, =2.0.1, =0.0.7, =0.0.11 and more Source cves: CVE-2026-41372 Source advisory: SNYK:JS-OPENCLAW-15928881...

CVSS 6.9, AI score 5.4, EPSS 0.00251
Exploits 0

vulnersOsv
added 2026/04/07 6:4 p.m., 4 views

@fedify/botkit (>=0.4.0-dev.182 <=0.4.0-dev.183), @fedify/botkit-sqlite (>=0.4.0-dev.182 <=0.4.0-dev.183) +5 more potentially affected by CVE-2026-34148 via @fedify/vocab-runtime (>=2.0.0-dev.100 <=2.0.7)

@fedify/vocab-runtime NPM version =2.0.0-dev.100, =0.4.0-dev.182, =0.4.0-dev.182, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.18 Source cves: CVE-2026-34148 Source advisory: OSV:GHSA-GM9M-GWC4-HWGP...

CVSS 7.5, AI score 5.4, EPSS 0.00551
Exploits 1

ATTACKERKB
added 2026/04/07 4:50 p.m., 1 view

CVE-2026-22683

Windmill versions 1.56.0 through 1.614.0 contain a missing authorization vulnerability that allows users with the Operator role to perform prohibited entity creation and modification actions via the backend API. Although Operators are documented and priced as unable to create or modify entities,...

CVSS 8.8, AI score 6.5, EPSS 0.00678
Exploits 0, References 6, Affected Software 2

vulnersOsv
added 2026/04/07 3:30 p.m., 3 views

ai.pipestream:account-service (>=0.0.2 <=0.0.8), ai.pipestream:connector-admin-service (>=0.1.1 <=0.1.8) +438 more potentially affected by CVE-2026-35554 via org.apache.kafka:kafka-clients (>=4.0.0 <=4.0.1)

org.apache.kafka:kafka-clients MAVEN version =4.0.0, =0.0.2, =0.1.1, =0.2.7, =0.2.7, =0.2.7, =0.2.7, =0.1.7, =0.0.1, =0.0.1, =0.0.6, =1.2.4, =1.2.11 and more Source cves: CVE-2026-35554 Source advisory: OSV:GHSA-5QCV-4RPC-JP93...

CVSS 8.7, AI score 5.8, EPSS 0.00328
Exploits 0

vulnersOsv
added 2026/04/07 3:30 p.m., 7 views

ai.pipestream:account-service (>=0.0.10 <=0.0.18), ai.pipestream:connector-admin-service (>=0.1.10 <=0.1.18) +528 more potentially affected by CVE-2026-35554 via org.apache.kafka:kafka-clients (>=4.1.0 <=4.1.1)

org.apache.kafka:kafka-clients MAVEN version =4.1.0, =0.0.10, =0.1.10, =0.1.3, =0.7.21, =0.7.21, =0.7.21, =0.1.21, =0.7.2, =0.7.2, =0.2.0, =0.2.0, =0.7.5 and more Source cves: CVE-2026-35554 Source advisory: OSV:GHSA-5QCV-4RPC-JP93...

CVSS 8.7, AI score 5.4, EPSS 0.00328
Exploits 0

vulnersOsv
added 2026/04/07 3:17 p.m., 5 views

arthexis (>=0.2.6 <=0.8.0), cg-django-uaa (=2.1.9) +29 more potentially affected by CVE-2026-33033 via django (>=5.2.0 <=5.2.12)

django PYPI version =5.2.0, =0.2.6, =0.1.0, =0.1.0, =1.3.0, =1.92.0.5, =4.2.0, =0.0.7, =3.0.0, =0.1.0, =0.1.1 and more Source cves: CVE-2026-33033 Source advisory: OSV:PYSEC-2026-48...

CVSS 6.5, AI score 5.4, EPSS 0.00689
Exploits 1

Positive Technologies
added 2026/04/07 12:0 a.m., 3 views

PT-2026-30756

IBM Concert 1.0.0 through 2.2.0 creates temporary files with predictable names, which allows local users to overwrite arbitrary files via a symlink attack...

CVSS 6.2, AI score 6, EPSS 0.00142
Exploits 0, References 2

Positive Technologies
added 2026/04/07 12:0 a.m., 3 views

PT-2026-30910

Name of the Vulnerable Software and Affected Versions Addressable versions 2.3.0 through 2.8.9 Description Addressable, an alternative URI implementation for Ruby, contains a flaw in its URI template implementation. Templates utilizing the '' explode modifier with any expansion operator e.g., foo...

CVSS 7.5, AI score 5.9, EPSS 0.0036
Exploits 0, References 5

CNNVD
added 2026/04/07 12:0 a.m., 6 views

Addressable security vulnerability

Addressable is a Ruby library developed by Bob Aman. Versions of Addressable from 2.3.0 to 2.9.0 contained a security vulnerability. This vulnerability stemmed from the URI template implementation; two types of regular expressions generated by the URI templates had catastrophic backtracking, whic...

CVSS 7.5, AI score 5.8, EPSS 0.0036
Exploits 0, References 1

CNNVD
added 2026/04/07 12:0 a.m., 4 views

mise-en-place access control error vulnerability

Mise-en-place is a development environment management tool developed by JDX’s individual developers. It supports multiple language versions, environment variables, and task management. In the versions of Mise-en-place from 2026.2.18 to 2026.4.5, there was an access control vulnerability. This...

CVSS 7.8, AI score 5.9, EPSS 0.00154
Exploits 1, References 1

CNNVD
added 2026/04/07 12:0 a.m., 3 views

Vite path traversal vulnerability

Vite is a new type of front-end build tool developed by Vite itself. Versions of Vite from 6.0.0 to 6.4.2, before 7.3.2, and before 8.0.5 contained a path traversal vulnerability. This vulnerability stemmed from insufficient path traversal restrictions on .map requests, which could allow bypassin...

CVSS 6.3, AI score 5.8, EPSS 0.00914
Exploits 1, References 2

ATTACKERKB
added 2026/04/06 8:41 p.m., 2 views

CVE-2026-34972

OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. From 1.8.0 to 1.13.1, under specific conditions, BatchCheck calls with multiple checks sent for the same object, relation, and user combination can result in improper...

CVSS 5, AI score 5.9, EPSS 0.00211
Exploits 0, References 2, Affected Software 1

vulnersOsv
added 2026/04/06 6:3 p.m., 5 views

@agregio-solutions/design-system (>=1.89.2 <=1.89.4), @altipla/directus-sdk-utils (=0.7.2) +226 more potentially affected by CVE-2026-39365 via vite (>=7.0.0 <=7.3.1)

vite NPM version =7.0.0, =1.89.2, =20.1.0, =20.1.0, =0.1.0, =0.0.4, =0.2.9, =0.79.1, =1.0.0-beta.23, =2.1.2-alpha.0, =2.23.0, =2.23.0, =2.23.0, =2.23.0, =2.23.0, =2.29.0 and more Source cves: CVE-2026-39365 Source advisory: OSV:GHSA-4W7W-66W2-5VF9...

CVSS 6.3, AI score 5.4, EPSS 0.00914
Exploits 1

vulnersOsv
added 2026/04/06 6:3 p.m., 6 views

@1771technologies/oneplay (>=0.0.1 <=0.0.6), @aicblock/cli (>=1.0.0 <=1.0.1) +197 more potentially affected by CVE-2026-39363 via vite (>=6.0.0 <=6.4.1)

vite NPM version =6.0.0, =0.0.1, =1.0.0, =1.0.0, =0.2.0, =4.25.19-patch.2, =19.1.0, =19.1.0, =0.55.0, =0.21.2-4.1, =0.21.23 and more Source cves: CVE-2026-39363 Source advisory: OSV:GHSA-P9FF-H696-F583...

CVSS 8.2, AI score 5.4, EPSS 0.0229
Exploits 3

Cvelist
added 2026/04/06 5:37 p.m., 18 views

CVE-2026-35166 Hugo does not properly escape some Markdown links

Hugo is a static site generator. From 0.60.0 to before 0.159.2, links and image links in the default markdown to HTML renderer are not properly escaped. Hugo users who trust their Markdown content or have custom render hooks for links and images are not affected. This vulnerability is fixed in...

CVSS 5.3, EPSS 0.00185
Exploits 0, References 1

Vulnrichment
added 2026/04/06 5:37 p.m., 1 view

CVE-2026-35166 Hugo does not properly escape some Markdown links

Hugo is a static site generator. From 0.60.0 to before 0.159.2, links and image links in the default markdown to HTML renderer are not properly escaped. Hugo users who trust their Markdown content or have custom render hooks for links and images are not affected. This vulnerability is fixed in...

CVSS 5.3, AI score 5.8, EPSS 0.00185
Exploits 0, References 1

NVD
added 2026/04/06 3:17 p.m., 1 view

CVE-2026-26026

GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, template injection by an administrator leads to RCE. This vulnerability is fixed in 11.0.6...

CVSS 9.1, EPSS 0.0037
Exploits 1, References 1