
4559 matches found

vulnersOsv
added 2026/04/02 3:31 p.m. | 2 views

ch.iterial.keycloak.plugins:keycloak-directus-plugin (>=0.1.0 <=0.7.0), com.charlyghislain.keycloak:keycloak-importexport (>=21.0.0 <=23.0.1) +160 more potentially affected by CVE-2026-4282 via org.keycloak:keycloak-services (>=1.0-alpha-1 <=26.5.6)

org.keycloak:keycloak-services MAVEN version =1.0-alpha-1, =0.1.0, =21.0.0, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.0.0, =1.2.0 and more Source cves: CVE-2026-4282 Source advisory: OSV:GHSA-HJ93-H7PG-FH6V https://vulners.com/osv/OSV:GHSA-HJ93-H7PG-...

CVSS 7.4 | AI score 5.4 | EPSS 0.00415
Exploits: 0

EUVD
added 2026/04/02 12:31 a.m. | 1 views

EUVD-2025-209182

IBM Aspera Shares 1.9.9 through 1.11.0 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking...

CVSS 5.4 | AI score 5.9 | EPSS 0.002
Exploits: 0 | References: 2

EUVD
added 2026/04/02 12:31 a.m. | 2 views

EUVD-2025-209186

IBM Aspera Shares 1.9.9 through 1.11.0 does not properly rate limit the frequency that an authenticated user can send emails, which could result in email flooding or a denial of service...

CVSS 2.7 | AI score 5.9 | EPSS 0.00333
Exploits: 0 | References: 2

CNNVD
added 2026/04/02 12:0 a.m. | 4 views

Convoy data forgery vulnerability

Convoy is an open-source platform developed by Convoy for hosting providers and enthusiasts. Versions of Convoy from 3.9.0-beta to 4.5.1 contained a data manipulation vulnerability due to insufficient validation of JWT token signatures, which could lead to authentication bypasses...

CVSS 9.8 | AI score 5.7 | EPSS 0.003
Exploits: 0 | References: 2

CNNVD
added 2026/04/02 12:0 a.m. | 4 views

Rack injection vulnerability

Rack is a modular Ruby web server interface developed by the Rack open-source project. Versions of Rack from 3.2.0 to 3.2.6 contained an injection vulnerability. This vulnerability stemmed from an error in the multi-part resolver that improperly expanded and folded headers, which could lead to HT...

CVSS 6.5 | AI score 5.8 | EPSS 0.00227
Exploits: 0 | References: 1

CNNVD
added 2026/04/02 12:0 a.m. | 4 views

listmonk security vulnerability

ListMonk is a high-performance, self-hosted newsletter and mailing list manager developed by Kailash Nadh. Versions of ListMonk from 4.1.0 to 6.1.0 had security vulnerabilities due to defects in list permission checks. These vulnerabilities could allow users in multi-user environments to access...

CVSS 5.4 | AI score 5.8 | EPSS 0.00171
Exploits: 0 | References: 3

NVD
added 2026/04/01 11:17 p.m. | 1 views

CVE-2025-66484

IBM Aspera Shares 1.9.9 through 1.11.0 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session...

CVSS 5.5 | EPSS 0.00193
Exploits: 0 | References: 1

NVD
added 2026/04/01 11:17 p.m. | 0 views

CVE-2025-66483

IBM Aspera Shares 1.9.9 through 1.11.0 does not invalidate session after a password reset which could allow an authenticated user to impersonate another user on the system...

CVSS 6.5 | EPSS 0.00176
Exploits: 0 | References: 1

vulnersOsv
added 2026/04/01 11:9 p.m. | 3 views

@bigegg/parse-server-schema-config (>=1.0.5 <=1.0.10), @kontaa/subgraph (>=1.0.1 <=1.2.3) +27 more potentially affected by CVE-2026-34784 via parse-server (>=2.0.8 <=7.5.4)

parse-server NPM version =2.0.8, =1.0.5, =1.0.1, =1.2.1, =2.4.46, =2.4.8, =1.0.0, =1.0.0, =1.0.1, =0.1.1, =0.0.2, =1.0.0, =0.1.0, =0.1.7, =0.0.1, =0.0.29 - parse-cli-server2 =0.0.30 and more Source cves: CVE-2026-34784 Source advisory: OSV:GHSA-HPM8-9QX6-JVWV...

CVSS 8.2 | AI score 5.8 | EPSS 0.00378
Exploits: 0

ATTACKERKB
added 2026/04/01 11:4 p.m. | 2 views

CVE-2025-66487

IBM Aspera Shares 1.9.9 through 1.11.0 does not properly rate limit the frequency that an authenticated user can send emails, which could result in email flooding or a denial of service...

CVSS 2.7 | AI score 5.9 | EPSS 0.00333
Exploits: 0 | References: 2 | Affected Software: 1

RedhatCVE
added 2026/04/01 11:1 p.m. | 3 views

CVE-2025-62184

Pega Platform versions 8.1.0 through 25.1.0 are affected by a Stored Cross-site Scripting vulnerability in a user interface component. Requires an administrative user and given extensive access rights, impact to Confidentiality is low and Integrity is none...

CVSS 4.8 | AI score 5.9 | EPSS 0.00258
Exploits: 0 | References: 1

CVE
added 2026/04/01 10:59 p.m. | 13 views

CVE-2025-66484

CVE-2025-66484 affects IBM Aspera Shares 1.9.9–1.11.0. A stored cross-site scripting vulnerability exists in the Web UI due to failure to adequately filter user input, allowing an attacker to embed arbitrary JavaScript and potentially cause credential disclosure within a trusted session. Remediat...

CVSS 5.5 | AI score 5.6 | EPSS 0.00193
Exploits: 0 | References: 1 | Affected Software: 1

vulnersOsv
added 2026/04/01 10:38 p.m. | 2 views

algokit (>=2.9.0 <=2.10.0), biopipen (>=1.0.0 <=1.3.8) +9 more potentially affected by CVE-2026-34730 via copier (>=9.0.1 <=9.11.3)

copier PYPI version =9.0.1, =2.9.0, =1.0.0, =2.2.2, =1.2.1, =4.13.6, =4.13.6, =5.0.0b4, =4.13.6, =4.13.6, =2.14.1, =2.51.0 Source cves: CVE-2026-34730 Source advisory: SNYK:PYTHON-COPIER-15874120...

CVSS 5.5 | AI score 5.4 | EPSS 0.00287
Exploits: 1

vulnersOsv
added 2026/04/01 9:49 p.m. | 4 views

a-mailx (=0.1.0), a2a-acl (=0.0.15) +1217 more potentially affected by CVE-2026-34525 via aiohttp (>=3.0.0b0 <=3.13.3)

aiohttp PYPI version =3.0.0b0, =0.1.1, =0.1.0b0, =1.1.0, =1.0.1, =0.0.0, =0.0.2, =4.8.2, =0.0.3, =0.1.3, =0.4.0, =56.0.0, =72.0.0 and more Source cves: CVE-2026-34525 Source advisory: SNYK:PYTHON-AIOHTTP-15873733...

CVSS 6.3 | AI score 5.4 | EPSS 0.00288
Exploits: 0

vulnersOsv
added 2026/04/01 9:47 p.m. | 1 views

a-mailx (=0.1.0), a2a-acl (=0.0.15) +1346 more potentially affected by CVE-2026-34518 via aiohttp (>=0.13.1 <=3.13.3)

aiohttp PYPI version =0.13.1, =0.1.1, =0.1.0b0, =1.1.0, =1.0.1, =0.0.0, =0.0.2, =4.8.2, =0.0.3, =0.1.3, =0.4.0, =56.0.0, =72.0.0 and more Source cves: CVE-2026-34518 Source advisory: OSV:GHSA-966J-VMVW-G2G9...

CVSS 6.9 | AI score 5.4 | EPSS 0.00337
Exploits: 0

vulnersOsv
added 2026/04/01 9:25 p.m. | 4 views

@01.software/cli (>=0.1.1 <=0.2.0-dev.260310.cf511cb), @01.software/sdk (>=0.0.1-251008.90016 <=0.3.0) +77 more potentially affected by CVE-2026-34746 via payload (>=0.12.3 <=3.79.0)

payload NPM version =0.12.3, =0.1.1, =0.0.1-251008.90016, =0.0.6, =0.0.1, =1.0.1-beta.0, =1.0.1, =1.0.0, =1.0.6, =1.0.0, =0.1.0, =1.0.0, =1.1.29 - @linkshop/ui-components =1.0.1 and more Source cves: CVE-2026-34746 Source advisory: OSV:GHSA-6R7F-Q7F5-WPX8...

CVSS 7.7 | AI score 5.4 | EPSS 0.00296
Exploits: 0

vulnersOsv
added 2026/04/01 9:19 p.m. | 2 views

a-mailx (=0.1.0), a2a-acl (=0.0.15) +1217 more potentially affected by CVE-2026-34513 via aiohttp (>=3.0.0b0 <=3.13.3)

aiohttp PYPI version =3.0.0b0, =0.1.1, =0.1.0b0, =1.1.0, =1.0.1, =0.0.0, =0.0.2, =4.8.2, =0.0.3, =0.1.3, =0.4.0, =56.0.0, =72.0.0 and more Source cves: CVE-2026-34513 Source advisory: SNYK:PYTHON-AIOHTTP-15873737...

CVSS 7.5 | AI score 5.4 | EPSS 0.0044
Exploits: 0

Debian CVE
added 2026/04/01 8:55 p.m. | 2 views

CVE-2026-34544

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From version 3.4.0 to before version 3.4.8, a crafted B44 or B44A EXR file can cause an out-of-bounds write in any application that decodes it via...

CVSS 8.4 | AI score 5.4 | EPSS 0.00244
Exploits: 1

EUVD
added 2026/04/01 8:51 p.m. | 3 views

EUVD-2026-18062

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From version 3.4.0 to before version 3.4.7, an attacker providing a crafted .exr file with HTJ2K compression and a channel width of 32768 can write...

CVSS 8.4 | AI score 6.5 | EPSS 0.00463
Exploits: 1 | References: 3

EUVD
added 2026/04/01 6:36 p.m. | 3 views

EUVD-2026-17927

Exposure of sensitive information in the users MFA feature in Devolutions Server allows users with user management privileges to obtain other users OTP keys via an authenticated API request. This issue affects Server: from 2026.1.6 through 2026.1.11...

CVSS 6.5 | AI score 5.9 | EPSS 0.00224
Exploits: 0 | References: 2