CVE-2026-11833

Overview: A vulnerability has been found in FAST/TOOLS and CI Server. The web server may return a response containing the CI Server setting information. This information could be exploited by an attacker for other attacks. The affected products and versions are as follows: FAST/TOOLS Packages:...

CVE-2026-10658

CVE-2026-10658 affects Zephyr’s Bluetooth Host ISO RX path, specifically bt_iso_recv() in subsys/bluetooth/host/iso.c. The vulnerability arises from missing minimum length checks for SDU headers when processing PB=START/SINGLE, allowing a malformed HCI ISO payload to bypass the inner header lengt...

CVE-2026-10651

The CVE-2026-10651 affects Zephyr’s Bluetooth Classic SDP parser (subsys/bluetooth/host/classic/sdp.c) where bt_sdp_parse_attribute() reads a 3-byte attribute (1-byte type, 2-byte id) but then unconditionally pulls an extra value type byte without verifying remaining length. A truncated 3-byte at...

CVE-2026-10645

Technical details are not publicly available in the provided documents. Monitor for updates on CVE-2026-10645; no additional specifics on affected products or fixes are provided here.

CVE-2026-54353

The CVE entry CVE-2026-54353 is tied to a GitHub advisory for Budibase backend-core describing a TOCTOU DNS rebinding-based SSRF: outbound fetch validation resolves hostnames for a blacklist, but the real socket connection performs another DNS lookup, allowing an attacker-controlled hostname to r...

CVE-2026-54352

The connected GitHub advisory describes a file-read vulnerability in Budibase server (Budibase/budibase <= 3.39.0) via the workspace-builder permission. A POST /api/pwa/process-zip endpoint accepts a zip; it unpacks with [email protected] to a temp dir, then validates icons.json entries by pat...

CVE-2026-54351

The CVE entry is tied to Budibase: a mass-assignment vulnerability in the webhook trigger allows an attacker to overwrite the internal appId in the request body, causing the async workflow to run in the victim workspace context. The public webhook endpoint passes the full HTTP body into automatio...

CVE-2026-49229

The connected GHSA advisory for @actual-app/sync-server discloses a flaw where disabling a user does not invalidate existing sessions. In OpenID multi-user mode, login-time checks enforce enabled=1, but the session validation path (validateSession) accepts any non-expired token without rechecking...

CVE-2026-50137

The connected GitHub advisory describes a security hole in Budibase: an unauthenticated POST to /api/attachments/:datasourceId/url can mint AWS S3 pre-signed PUT URLs using the datasource’s IAM credentials, enabling anonymous users to write to buckets those credentials can access. The route lacks...

CVE-2026-50136

Budibase exposes an unauthenticated endpoint that generates S3 PutObject signed URLs using credentials stored in a workspace datasource. The POST /api/attachments/:datasourceId/url route is only protected by recaptcha and does not require authentication or datasource/builder access. The server si...

CVE-2026-50132

Budibase has an account-linking CSRF/ACL vulnerability exposed via public GET endpoint GET /api/chat-links/:instance/:token/handoff. An attacker can generate a chat identity link session (token contains attacker’s externalUserId) and, when a victim visits the URL while authenticated, upserts a ch...

CVE-2026-48170

The connected advisory GHSA-9M6G-WC8R-Q59C describes a prototype pollution vulnerability in the scim-patch library. Affected versions are

CVE-2026-47267

Technical details for CVE-2026-47267 are not publicly available in the provided documents. Monitor for updates as more information may be released.

CVE-2026-47155

CVE-2026-47155 affects vLLM prior to 0.22.0. Description: revision pinning controls do not consistently apply to all artifacts loaded for a model, enabling loading of dynamic code, GGUF files, image processors, retrieval side weights, or same-repository subfolder weights/config from an unpinned/d...

CVE-2026-41523

vLLM prior to 0.22.0 is affected by an assert-based security check in the activation function loading that can permit arbitrary code execution when a malicious HuggingFace model is loaded and vLLM runs in Python optimized mode. The attacker-controlled inputs are the activation function names from...

CVE-2026-54232

vLLM prior to 0.22.1 is affected by a dependency confusion flaw in its Dockerfile. The vulnerability arises from installing flashinfer-jit-cache from a private index (flashinfer.ai/whl/) via --extra-index-url while the package name was not registered on PyPI and UV_INDEX_STRATEGY is set to unsafe...

CVE-2026-54233

Affected software: vLLM (inference/serving engine). Vulnerability: decoding an audio file on the /v1/audio/transcriptions endpoint can cause extreme memory growth. A 25 MB OPUS upload decodes to about 14.9 GB of float32 PCM, because the audio decoder concatenates all frames in memory before retur...

CVE-2026-54236

CVE-2026-54236 affects vLLM versions before 0.23.1rc0. Five code paths bypass the sanitize_message global exception handler, leaking heap addresses via exception messages: (1) Anthropic API router POST /v1/messages and POST /v1/messages/count_tokens (vllm/entrypoints/anthropic/api_router.py), (2)...

CVE-2026-54235

Summary: CVE-2026-54235 affects vLLM prior to 0.23.1rc0, where temperature validation gates using can silently mis-handle NaN and positive Infinity due to Python IEEE 754 behavior. This allows non-finite temperatures to bypass guards and propagate to GPU sampling kernels, causing undefined behav...

CVE-2026-48746

vLLM OpenAI auth bypass (CVE-2026-48746) affects vLLM versions 0.3.0 through 0.21.0. Root cause: ASGI servers and Starlette trust the Host header from the request scope, enabling manipulation of the reconstructed URL path and bypassing the OpenAI API AuthenticationMiddleware for routes beginning ...

CVE-2026-53923

CVE-2026-53923 affects vLLM GGUF dequantize kernels. Root cause: integer truncation due to using int for the element count parameter, causing m*n (potentially > INT_MAX) to be truncated when passing to CUDA kernels, leading to unfilled output tensor memory that may retain data from previous in...

CVE-2026-55409

Filament (Laravel) v3 contains a vulnerability where a disabled RichEditor field renders its raw HTML state without sanitization. If the form state data isn’t sanitized when populated, an attacker could inject malicious HTML/JavaScript, causing XSS to execute for users viewing the form. Affected ...

CVE-2026-48067

CVE-2026-48067 affects Filament components where the recordSelectOptionsQuery() used to scope options in AttachAction and AssociateAction Select fields did not apply the same scope in validation. From filament/actions 4.0.0–4.11.4 and 5.6.4, and filament/tables 3.0.0–3.3.51, an attacker could tri...

CVE-2026-48167

CVE-2026-48167 (Filament) affects the ImageColumn and ImageEntry components of Filament (Laravel ecosystem). From versions 4.0.0 through 4.11.5 and 5.6.5, these components render raw database values without HTML escaping, enabling stored XSS if unvalidated data is passed. The vulnerability impact...

CVE-2026-46700

CVE-2026-46700: In @actual-app/sync-server, GET /secret/:name does not enforce an admin authorization check (unlike POST /secret/), allowing authenticated non-admin OpenID users to enumerate admin-managed secrets (e.g., gocardless_secretId, gocardless_secretKey, simplefin_token, simplefin_accessK...

CVE-2026-46672

The connected advisory confirms a concrete vulnerability in @actual-app/cli related to CSV export. The vulnerable code is in packages/cli/src/output.ts (escapeCsv), which only escapes commas, quotes, and newlines, leaving strings that start with formula triggers (e.g., =, +, -, @, tab) unneutrali...

CVE-2026-48500

Summary: Filament (Laravel components) had an unauthenticated temporary file upload issue on some auth-related schemas. Affected versions: 3.0.0–3.3.52, 4.11.5, and 5.6.5. Root cause: The Livewire component embeddings could apply WithFileUploads to forms that don’t require uploads, allowing unaut...

CVE-2026-48166

CVE-2026-48166 — Filament timing-based user enumeration on login page . Affects Filament login page in versions 4.0.0–4.11.5 and 5.6.5 of Filament (Laravel component library). An observable timing discrepancy on login allows unauthenticated attackers to determine whether a given email is register...

CVE-2026-48505

Filament’s MFA recovery-code handling (versions 4.0.0–4.11.5 and 5.6.5) allows the same recovery code to be reused under concurrent submissions. When recovery codes are enabled, an attacker with the user’s password and codes can establish multiple authenticated sessions per code, extending access...

CVE-2026-44889

WebOb (HTTP request/response utilities) is affected prior to version 1.8.10 by an open redirect in Location header normalization during redirects. The vulnerability arises from how WebOb uses urljoin/urlsplit to combine the redirect target with the request URL; since Python 3.10, urlsplit strips ...

CVE-2026-48109

CVE-2026-48109 affects MessagePack-CSharp in the optional LZ4 decompression path (Lz4Block, Lz4BlockArray). The vulnerability stems from a deprecated fast-decompression algorithm that does not enforce a source-length bound, enabling a remote attacker to craft payloads with manipulated LZ4 token/l...

CVE-2026-48502

MessagePack-CSharp contains a Denial of Service vulnerability in MessagePackReader.ReadDateTime() where a stack allocation is driven by attacker-controlled extension length. In the slow path, tokenSize includes the extension body length and is used in a stackalloc before the extension length is v...

CVE-2026-48506

The CVE-2026-48506 entry concerns MessagePack-CSharp: MessagePackReader.TrySkip() can recurse without incrementing depth checks, bypassing MaximumObjectGraphDepth and risking unbounded recursion leading to StackOverflow. Affected: MessagePack-CSharp (reader Skip usage in nested arrays/maps). Root...

CVE-2026-48509

The CVE affects MessagePack-CSharp (ASP.NET Core) where the default parameterless MessagePackInputFormatter() uses MessagePackSerializerOptions.Standard with MessagePackSecurity.TrustedData, exposing ASP.NET Core MVC request bodies to DoS likely via UntrustedData protections. Affected versions: M...

CVE-2026-48510

CVE-2026-48510 affects MessagePack-CSharp. Prior to versions 2.5.301 and 3.1.7, during Lz4Block/Lz4BlockArray decompression the library reads declared uncompressed lengths from the wire and allocates output buffers before validating payload integrity or expansion reasonableness. This can allow a ...

CVE-2026-48511

The CVE affects MessagePack for C# (MessagePack-CSharp) prior to versions 2.5.301 and 3.1.7. The issue lies in ExpandoObjectFormatter.Deserialize, which populates System.Dynamic.ExpandoObject by repeatedly calling IDictionary.Add for each map entry. ExpandoObject stores member names in array-like...

CVE-2026-48512

CVE-2026-48512 affects MessagePack-CSharp’s JSON conversion helpers. Before versions 2.5.301 and 3.1.7, ConvertFromJsonCore and related paths can recurse without enforcing a consistent depth limit, and TinyJsonReader can parse tokens with unbounded recursion. The typeless ext-100 path also recurs...

CVE-2026-48513

CVE-2026-48513 — MessagePack-CSharp : Vulnerability in runtime-generated union deserializers by DynamicUnionResolver allows depth enforcement gaps. Prior to versions 2.5.301 and 3.1.7, deserializers did not call MessagePackSecurity.DepthStep(ref reader) or properly adjust reader.Depth during recu...

CVE-2026-48514

MessagePack-CSharp vulnerability CVE-2026-48514 affects Unity UnsafeBlitFormatterBase.Deserialize, where an attacker-controlled byteLength inside an extension payload can cause allocation of a very large T[] before validating header/remaining payload bounds. This unbounded allocation is possible ...

CVE-2026-48515

MessagePack-CSharp (MessagePack for C#) contains a vulnerability in its multi-dimensional array formatters that allocate a T[,], T[,,], or T[,,,] before validating the encoded element count. Prior to versions 2.5.301 and 3.1.7, the formatter reads dimension lengths from the payload and allocates ...

CVE-2026-46495

OpenDJ suffers a pre-auth RCE via Java deserialization in the JMX RMI connector (CWE-502). Affected: OpenDJ Community Edition up to 5.1.0 with JMX enabled. Exploitation requires only TCP reachability and does not require prior authentication. Patch: upgrade to OpenDJ 5.1.1 (latest release). Recom...

CVE-2026-48516

MessagePack-CSharp vulnerable in the InterfaceLookupFormatter before versions 2.5.301 and 3.1.7 , which constructs an internal Dictionary with the default equality comparer rather than the security-aware comparer from options.Security.GetEqualityComparer(). This omission enables a hash-collision ...

CVE-2026-56698

Nuxt CVE-2026-56698 affects Nuxt 4.0.0–4.4.6 and 3.x up to 3.21.6 (versions before the fixed releases). The navigateTo open option fails to validate script-capable URLs, allowing attacker-controlled javascript: URLs to execute arbitrary scripts in the application's origin when user input is passe...

CVE-2026-56697

Nuxt security note: Nuxt versions 4.0.0–4.4.6 and 3.x before 3.21.7 are affected by an open redirect in the reloadNuxtApp function. Protocol-relative paths like //evil.com pass the script-protocol check but resolve to a cross-origin URL against the current page protocol, enabling attackers to red...

CVE-2026-56357

n8n’s GitHub Webhook Trigger node is affected in versions before 1.123.15 and 2.5.0 due to missing HMAC-SHA256 signature verification. This allows an attacker who knows the webhook URL to send unsigned POST requests, potentially triggering workflows with arbitrary data and spoofing GitHub webhook...

CVE-2026-56348

CVE-2026-56348 affects n8n prior to 2.20.0. A vulnerability in POST /rest/dynamic-node-parameters/options allows an authenticated user to bypass Allowed HTTP Request Domains restrictions, enabling the server to issue HTTP requests with credentials to unauthorized hosts. This can lead to credentia...

CVE-2026-56324

Capgo contains a rate limit bypass in the channel_self endpoint prior to version 12.128.2. The vulnerability lets an attacker rotate the user-controlled device_id parameter to bypass rate limiting, enabling multiple requests per second and flooding the channel_devices table, potentially causing d...

CVE-2026-56326

Nuxt.js (versions 4.0.0–4.4.6 and 3.x up to 3.21.6) contains a server-side open redirect vulnerability in navigateTo due to improper validation of path-normalized payloads (e.g., /..//evil.com, /.//evil.com). Attackers can bypass external-host checks via path-normalization techniques to redirect ...

CVE-2026-56323

Capgo CVE-2026-56323 affects Capgo before 12.128.2. The /functions/v1/channel_self endpoint allows unauthenticated information disclosure, enabling enumeration of non-public channel names, app existence, and subscription status. Remote attackers can issue GET requests with arbitrary app_id to rev...

CVE-2026-56321

Capgo (backend Supabase edge functions) before 12.128.2 fails to apply the global authentication middleware to GET /private/role_bindings/:org_id, unlike POST/DELETE for the same resource. Unaunthenticated requests reach the handler instead of middleware rejection, but the handler still performs ...