CVE-2026-34222 Open WebUI has Broken Access Control in Tool Valves

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.11, there is a broken access control vulnerability in tool values. This issue has been patched in version 0.8.11...

CVE-2026-34076 Clerk JavaScript: SSRF in the opt-in clerkFrontendApiProxy feature may leak secret keys to unintended host

Clerk JavaScript is the official JavaScript repository for Clerk authentication. In @clerk/hono from versions 0.1.0 to before 0.1.5, @clerk/express from versions 2.0.0 to before 2.0.7, @clerk/backend from versions 3.0.0 to before 3.2.3, and @clerk/fastify from versions 3.1.0 to before 3.1.5, the...

CVE-2026-33978

Notesnook prior to version 3.3.17 contains a stored XSS in the mobile share/web clip flow. Attacker-controlled clip metadata is concatenated into HTML and rendered with innerHTML in the mobile editor WebView, e.g., via shared title metadata (TITLE/SUBJECT) or link-preview title data, allowing inj...

EUVD-2026-17214

CI4MS: Methods Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS...

Linux Distros Unpatched Vulnerability : CVE-2026-32883

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Botan is a C++ cryptography library. From version 3.0.0 to before version 3.11.0, during X509 path validation, OCSP responses were checked for an appropriate...

PT-2026-29628

Name of the Vulnerable Software and Affected Versions: CI4MS versions prior to 0.31.0.0 Description: The application does not properly sanitize user-controlled input when handling backup uploads and processing backup metadata. An attacker can inject a malicious JavaScript payload into the backup...

PT-2026-29610

Name of the Vulnerable Software and Affected Versions AIOHTTP versions prior to 3.13.4 Description Multiple Host headers were permitted in AIOHTTP, potentially allowing a reverse proxy's security rules to be bypassed. This could lead to a request being processed by AIOHTTP in a privileged sub...

PT-2026-29629

Name of the Vulnerable Software and Affected Versions CI4MS versions prior to 0.31.0.0 Description The application does not properly sanitize user-controlled input when adding Pages to navigation menus through the Menu Management functionality. Page-related data selected via the Pages section is...

EUVD-2026-17699

iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to version 2.3.1.6, a crafted ICC profile can trigger a stack overflow SO in SIccCalcOp::ArgsUsed. The issue is observable under AddressSanitizer as a stack-overflow when iccApplyProfiles processes ...

CVE-2026-34406

APTRS Automated Penetration Testing Reporting System is a Python and Django-based automated reporting tool designed for penetration testers and security organizations. Prior to version 2.0.1, the edituser endpoint POST /api/auth/edituser/ allows Any user who can reach that endpoint and submit...

Security Bulletin: Maximo AI Service uses tar-7.4.3.tgz which is vulnerable to CVE-2026-23745 and CVE-2026-23950.

Summary Maximo AI Service uses tar-7.4.3.tgz which is vulnerable to CVE-2026-23745 and CVE-2026-23950. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details CVEID:CVE-2026-23950 DESCRIPTION: node-tar,a Tar for Node.js, has a race condition...

CVE-2026-32734

CVE-2026-32734 concerns baserCMS, a website development framework. According to the provided documents, prior to version 5.2.3 baserCMS is vulnerable to a DOM-based cross-site scripting (XSS) issue in tag creation. The vulnerability is described as allowing malicious JavaScript execution in the b...

PT-2026-29305

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, an attacker with the ability to create shared AI conversations could inject arbitrary HTML and JavaScript via crafted...

CVE-2026-31799 Tautulli: SQL Injection in get_home_stats API endpoint via unsanitised filter parameters

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. From version 2.14.2 to before version 2.17.0 for parameters "before" and "after" and from version 2.1.0-beta to before version 2.17.0 for parameters "sectionid" and "userid", the /api/v2?cmd=gethomestats endpoint passe...

ROOT-OS-DEBIAN-11-CVE-2026-25971 CVE-2026-25971 in rootio-imagemagick - Patched by Root

Root has patched CVE-2026-25971 in the rootio-imagemagick package for Root:Debian:11. Multiple fixed versions available...

ROOT-OS-ALPINE-318-CVE-2023-49286 CVE-2023-49286 in rootio-squid - Patched by Root

Root has patched CVE-2023-49286 in the rootio-squid package for Root:Alpine:3.18. Multiple fixed versions available...

ROOT-OS-DEBIAN-12-CVE-2025-6297 CVE-2025-6297 in rootio-dpkg - Patched by Root

Root has patched CVE-2025-6297 in the rootio-dpkg package for Root:Debian:12. Multiple fixed versions available...

SUSE CVE-2026-33215

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The nats-server provides an MQTT client interface. Prior to versions 2.11.15 and 2.12.5, Sessions and Messages can by hijacked via MQTT Client ID malfeasance. Versions 2.11.15 and 2.12.5 patch the issu...

CVE-2026-33946

MCP Ruby SDK is the official Ruby SDK for Model Context Protocol servers and clients. Prior to version 0.9.2, the Ruby SDK's streamablehttptransport.rb implementation contains a session hijacking vulnerability. An attacker who obtains a valid session ID can completely hijack the victim's...

CVE-2026-33205

calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.6.0, a Server-Side Request Forgery vulnerability in the background-image endpoint of calibre e-book reader's web view allows an attacker to perform blind GET requests to arbitra...