CVE-2026-5766 Potential denial-of-service vulnerability in ASGI requests via file upload limit bypass

An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. ASGI requests with a missing or understated Content-Length header can bypass the FILEUPLOADMAXMEMORYSIZE limit, potentially loading large files into memory and causing service degradation. As a reminder, Django expects a limit to ...

phpVMS has an /importer authorization bypass causing full database wipe

Security Advisory: Unauthenticated Access to Legacy Import Feature Severity: Critical Affected versions: phpVMS 7.x up to 7.0.5 Fixed in: v7.0.6 Component: Legacy importer Summary A critical vulnerability in phpVMS 7.x allowed unauthenticated access to a legacy import feature. Although this featu...

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the addWebhookAuthorization function. An attacker can cause excessive memory allocation by sending a large request body to the publicly accessible /api/v1/events/ endpoint,...

CVE-2026-7705

A flaw has been found in JD Cloud JDCOS 4.5.1.r4518. This vulnerability affects the function setiptvinfo of the file /jdcap of the component Service Interface. Executing a manipulation of the argument vid can lead to command injection. It is possible to launch the attack remotely. The exploit has...

GHSA-C96X-RPM4-349P Spring Boot's Elasticsearch auto-configuration doesn't perform hostname verification when connecting to the Elasticsearch server.

When configured to use an SSL bundle, Spring Boot's Elasticsearch auto-configuration does not perform hostname verification when connecting to the Elasticsearch server. Affected: Spring Boot 4.0.0–4.0.5; upgrade to 4.0.6 or later per vendor advisory...

CVE-2026-42363

An insufficient encryption vulnerability exists in the Device Authentication functionality of GeoVision GV-IP Device Utility 9.0.5. Listening to broadcast packets can lead to credentials leak. An attacker can listen to broadcast messages to trigger this vulnerability. When interacting with variou...

BIT-ARGO-WORKFLOWS-2026-40886 Argo Workflows: Unchecked annotation parsing in pod informer crashes Argo Workflows controller

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From 3.6.5 to 4.0.4, an unchecked array index in the pod informer's podGCFromPod function causes a controller-wide panic when a workflow pod carries a malformed...

CVE-2026-40599

CVE-2026-40599 affects ClearanceKit on macOS. Before 5.0.5, a process with an empty Team ID but non-empty Signing ID can be misidentified as an Apple platform binary, enabling a malicious app to impersonate an Apple process in the global allowlist and access protected files. The issue is fixed in...

EUVD-2026-24209

ClearanceKit intercepts file-system access events on macOS and enforces per-process access policies. Prior to 5.0.5, ClearanceKit incorrectly treats a process with an empty Team ID and a non-empty Signing ID as an Apple platform binary. This bug allows a malicious software to impersonate an apple...

PT-2026-34037

ClearanceKit intercepts file-system access events on macOS and enforces per-process access policies. Prior to 5.0.5, ClearanceKit incorrectly treats a process with an empty Team ID and a non-empty Signing ID as an Apple platform binary. This bug allows a malicious software to impersonate an apple...

EUVD-2026-23935

The wpForo Forum plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to and including 3.0.5. This is due to two compounding flaws: the Members::update method does not validate or restrict the value of file-type custom profile fields, allowing authenticated users to store ...

CVE-2026-3995

CVE-2026-3995 concerns the OPEN-BRAIN WordPress plugin (versions up to 0.5.0). The vulnerability arises in the API Key settings field, where insufficient input sanitization and output escaping allow an authenticated Administrator to inject stored cross-site scripting payloads. Specifically, sanit...

CVE-2026-3995

The OPEN-BRAIN plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'API Key' settings field in all versions up to, and including, 0.5.0. This is due to insufficient input sanitization and output escaping. The plugin uses sanitizetextfield which strips HTML tags but does not...

PT-2026-33282

The Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ultp shareCount callback function in all versions up to, and including, 5.0.5. This makes it possible for...

ps459

Multi-Firmware PS4 WebKit & Kernel Exploit Chain An exploit c...

PT-2026-33035

Name of the Vulnerable Software and Affected Versions @fastify/express versions prior to 4.0.5 Description An issue exists where the software fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows an unauthenticated...

Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to an Improper Validation of Integrity Check Value in go-git [CVE-2026-25934]

Summary IBM Watson Speech Services Cartridge is vulnerable to an Improper Validation of Integrity Check Value in go-git, due to an issue where data integrity values for .pack and .idx files were not properly verified CVE-2026-25934. GO-git is used as a component of our ibm-watson-speech-catalog...

PT-2026-32679

A insufficiently protected credentials vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4 all versions, FortiSandbox PaaS 5.0.1 through 5.0.5 may allow an authenticathed administrator to read LDAP server credentials via client-side inspection...

CVE-2026-5998 zhayujie chatgpt-on-wechat CowAgent API Memory Content Endpoint service.py dispatch path traversal

A flaw has been found in zhayujie chatgpt-on-wechat CowAgent up to 2.0.4. This affects the function dispatch of the file agent/memory/service.py of the component API Memory Content Endpoint. This manipulation of the argument filename causes path traversal. The attack can be initiated remotely. Th...

CVE-2026-5998

The CVE-2026-5998 vulnerability affects zhayujie chatgpt-on-wechat CowAgent (up to 2.0.4) in the API Memory Content Endpoint’s dispatch function (service.py). An attacker can manipulate the filename argument, enabling path traversal and remote exploitation. The issue has been publicly reported wi...