366579 matches found

CVE · added 2026/06/02 8:31 p.m. · 41 views

CVE-2026-49143

CVE-2026-49143 affects BrowserStack Runner up to version 0.9.5. The vulnerability is in the /_log HTTP handler, permitting unauthenticated, network-adjacent attackers to achieve remote code execution by sending crafted JSON bodies that are passed to vm.runInNewContext() with eval(); attackers can...

CVSS 8.8 · AI score 6.7 · EPSS 0.00392
Exploits 0 · References 2
CVE · added 2026/06/02 8:31 p.m. · 35 views

CVE-2026-49443

This CVE affects authentik, an open-source identity provider. Affected: UserSourceConnection.user and GroupSourceConnection.group are changeable via the API, allowing an attacker who can modify a source connection and possesses an account in one configured source to log into any account. Root cau...

CVSS 8.8 · AI score 5.7 · EPSS 0.00298
Exploits 1 · References 1 · Affected software 1
CVE · added 2026/06/02 8:30 p.m. · 24 views

CVE-2026-47201

The CVE-2026-47201 entry affects authentik’s SAML Source ACS endpoint, where XML Signature Wrapping can allow an attacker with any upstream-IdP account to authenticate as a different federated user. The issue arises during validation of upstream SAML responses and has been patched in authentik ve...

CVSS 8.5 · AI score 5.8 · EPSS 0.00162
Exploits 0 · References 1 · Affected software 1
CVE · added 2026/06/02 8:30 p.m. · 31 views

CVE-2026-42849

The CVE-2026-42849 entry affects authentik, an open-source identity provider. Affected component: SFE (Simple Flow Executor) autosubmit stage, where legacy-browser compatibility logic enabled a reflected XSS. Root cause: XSS in AutosubmitStage enables an attacker to potentially take over an IDP acc...

CVSS 9.3 · AI score 5.7 · EPSS 0.00318
Exploits 0 · References 1 · Affected software 1
CVE · added 2026/06/02 8:30 p.m. · 21 views

CVE-2026-41569

CVE-2026-41569 concerns authentik, an open-source identity provider. Before 2026.2.3, the WS-Federation provider validates the user-supplied wreply parameter with a raw string prefix check instead of proper URL parsing, enabling an attacker to craft a login link with a wreply on a different origi...

CVSS 6.9 · AI score 5.8 · EPSS 0.00182
Exploits 0 · References 1 · Affected software 1
CVE · added 2026/06/02 8:30 p.m. · 23 views

CVE-2026-10624

The vulnerability affects SourceCodester Human Resource Management 1.0, in the Employee View Page’s detailview.php. Manipulating the employeeid parameter leads to improper control of resource identifiers (an IDOR-style issue). Exploitation can be performed remotely, and public disclosure of the e...

CVSS 5.3 · AI score 5.3 · EPSS 0.00242
Exploits 0 · References 6
CVE · added 2026/06/02 8:15 p.m. · 13 views

CVE-2026-10620

The CVE-2026-10620 entry applies to code-projects Student Admission System 1.0, with a SQL injection flaw in /index.php triggered by tampering with eid/did arguments. The underlying issue is an input handling fault that enables remote SQL injection (attack vector: NETWORK; complexity: LOW). The e...

CVSS 7.5 · AI score 6.9 · EPSS 0.00272
Exploits 0 · References 8
CVE · added 2026/06/02 8:00 p.m. · 13 views

CVE-2026-10619

Technical details about CVE-2026-10619 are not publicly available in the provided documents. Monitor for updates.

CVSS 7.5 · AI score 6.8 · EPSS 0.00498
Exploits 0 · References 12
CVE · added 2026/06/02 8:00 p.m. · 13 views

CVE-2026-33956

Technical details for CVE-2026-33956 are not publicly available in the provided documents. Monitor for updates from the issuing organization when details are released.

Exploits 0
CVE · added 2026/06/02 8:00 p.m. · 11 views

CVE-2026-33966

Technical details for CVE-2026-33966 are not publicly available in the provided documents. No affected products, impact, or remediation are disclosed. Monitor for updates.

Exploits 0
CVE · added 2026/06/02 8:00 p.m. · 10 views

CVE-2026-23788

Technical details for CVE-2026-23788 are not publicly available in the provided documents. Monitor for updates.

Exploits 0
CVE · added 2026/06/02 8:00 p.m. · 12 views

CVE-2026-33968

Technical details for CVE-2026-33968 are not publicly available in the provided documents. Monitor for updates.

Exploits 0
CVE · added 2026/06/02 8:00 p.m. · 11 views

CVE-2026-0054

Technical details for CVE-2026-0054 are not publicly available in the provided documents; monitor for updates as the entry remains reserved.

Exploits 0
CVE · added 2026/06/02 8:00 p.m. · 11 views

CVE-2026-23786

Technical details for CVE-2026-23786 are not publicly available in the provided documents. No affected products, vectors, or remediation are disclosed. Monitor for updates.

Exploits 0
CVE · added 2026/06/02 8:00 p.m. · 19 views

CVE-2026-23790

Technical details for CVE-2026-23790 are not publicly available in the provided documents. The entry appears reserved/placeholder. Monitor for updates and new public disclosure.

Exploits 0
CVE · added 2026/06/02 8:00 p.m. · 10 views

CVE-2026-23789

Technical details for CVE-2026-23789 are not publicly available in the provided documents. No affected products, vectors, or fixes are disclosed. Monitor for updates.

Exploits 0
CVE · added 2026/06/02 8:00 p.m. · 12 views

CVE-2026-33970

Technical details for CVE-2026-33970 are not publicly available in the provided documents. Monitor for updates as the candidate is reserved with no disclosed specifics.

Exploits 0
CVE · added 2026/06/02 8:00 p.m. · 12 views

CVE-2026-23791

Technical details are not publicly available in the provided documents. Monitor for updates to CVE-2026-23791 for any disclosed affected products, impact, or remediation.

Exploits 0
CVE · added 2026/06/02 8:00 p.m. · 14 views

CVE-2026-23787

Technical details for CVE-2026-23787 are not publicly available in the provided documents. Monitor for updates.

Exploits 0
CVE · added 2026/06/02 8:00 p.m. · 11 views

CVE-2026-33960

Technical details for CVE-2026-33960 are not publicly available in the provided documents. Monitor for updates as the candidate remains reserved and no impact, vector, or remediation details are disclosed.

Exploits 0
CVE · added 2026/06/02 8:00 p.m. · 11 views

CVE-2024-53922

Technical details for CVE-2024-53922 are not publicly available in the provided documents. Monitor for updates.

Exploits 0
CVE · added 2026/06/02 8:00 p.m. · 11 views

CVE-2026-33967

Technical details for CVE-2026-33967 are not publicly available in the provided documents. No information on affected products, root cause, or remediation is present. Monitor for updates as details are released.

Exploits 0
CVE · added 2026/06/02 8:00 p.m. · 12 views

CVE-2026-33964

Technical details are not publicly available in the provided documents for CVE-2026-33964. Monitor for updates to obtain affected products, impact, and remediation.

Exploits 0
CVE · added 2026/06/02 8:00 p.m. · 10 views

CVE-2026-33963

Technical details for CVE-2026-33963 are not publicly available in the provided documents; monitor for updates.

Exploits 0
CVE · added 2026/06/02 8:00 p.m. · 12 views

CVE-2026-23793

Technical details for CVE-2026-23793 are not publicly available in the provided documents. Monitor for updates.

Exploits 0
CVE · added 2026/06/02 7:31 p.m. · 27 views

CVE-2026-28299

The CVE-2026-28299 entry concerns SolarWinds Web Help Desk with a denial-of-service vulnerability that could cause the server to crash due to insufficient memory. Connected sources confirm the issue and provide CVSS:3.1 base score 8.2 (HIGH) with Network attack vector, low attack complexity, no p...

CVSS 8.2 · AI score 5.8 · EPSS 0.00417
Exploits 0 · References 2 · Affected software 1
CVE · added 2026/06/02 7:27 p.m. · 16 views

CVE-2021-4479

Dräger Atlan A350 software versions 1.00–1.01 are vulnerable due to improper input handling in the Medibus interface. An attacker can send crafted non-Medibus-compliant data to trigger a denial of service by overloading the internal processor, potentially causing device operation disruption over seve...

CVSS 6.3 · AI score 5.4 · EPSS 0.00241
Exploits 0 · References 2
CVE · added 2026/06/02 7:17 p.m. · 19 views

CVE-2021-4478

Dräger CC-Vision Basic prior to 7.5.3 and CC-Vision E-Cal prior to 7.2.5.0 contain an out-of-bounds write vulnerability when loading .gdt files. A crafted .gdt file can trigger a buffer overflow during parsing, potentially crashing the application or allowing code execution on the host. The avail...

CVSS 8.3 · AI score 6.3 · EPSS 0.00122
Exploits 0 · References 2
CVE · added 2026/06/02 7:11 p.m. · 18 views

CVE-2019-25724

The CVE-2019-25724 entry describes a network-based Denial of Service impacting Dräger Infinity M300 patient-worn monitors running VG2.x and earlier. The underlying issue allows an attacker with access to the hospital network or Infinity Network to repeatedly trigger device reboots, driving the de...

CVSS 7.1 · AI score 5.8 · EPSS 0.00175
Exploits 0 · References 2
CVE · added 2026/06/02 7:09 p.m. · 18 views

CVE-2026-48596

Summary: CVE-2026-48596 affects the Elixir Tesla library (tesla) in its multipart handling. The vulnerability is in Tesla.Multipart.add_content_type_param/2, which appends caller-supplied strings to content_type_params without validating CR (\r) or LF (\n). Tesla.Multipart.headers/1 then joins th...

CVSS 2.1 · AI score 5.9 · EPSS 0.0017
Exploits 0 · References 4
CVE · added 2026/06/02 7:08 p.m. · 27 views

CVE-2026-48594

The CVE-2026-48594 issue affects elixir-tesla/tesla: when Tesla.Middleware.DecompressResponse or Tesla.Middleware.Compression is used, HTTP responses are decompressed eagerly without a size cap. The decompress_body/2 path passes the full body to :zlib.gunzip/1 or :zlib.unzip/1, and compression_al...

CVSS 8.2 · AI score 5.8 · EPSS 0.00329
Exploits 0 · References 4
CVE · added 2026/06/02 7:08 p.m. · 28 views

CVE-2026-48595

The CVE-2026-48595 entry describes an Authorization header leakage in Tesla’s Elixir Tesla middleware (FollowRedirects) due to a case-sensitive comparison against a lowercase filter list for headers like Authorization/host. HTTP header names are case-insensitive, but Tesla preserves header keys a...

CVSS 8.2 · AI score 5.8 · EPSS 0.00396
Exploits 2 · References 4
CVE · added 2026/06/02 7:08 p.m. · 27 views

CVE-2026-48597

The vulnerability CVE-2026-48597 affects elixir-tesla (Tesla) where Tesla.Adapter.Mint.open_conn/2 converts each outgoing request URL scheme to a BEAM atom using String.to_atom(uri.scheme) without an allow-list. Since BEAM atoms are not garbage-collected, an attacker who can influence the request...

CVSS 8.2 · AI score 5.8 · EPSS 0.00301
Exploits 0 · References 4
CVE · added 2026/06/02 7:08 p.m. · 23 views

CVE-2026-48598

The CVE-2026-48598 entry affects the Elixir Tesla library, specifically Tesla.Multipart.part_headers_for_disposition/1. The vulnerability arises from improper encoding of disposition parameters, treating each parameter as k="v" without sanitizing CR (\r), LF (\n), or double-quote characters. Mali...

CVSS 2.1 · AI score 5.8 · EPSS 0.00143
Exploits 0 · References 4
CVE · added 2026/06/02 7:08 p.m. · 25 views

CVE-2026-10584

Graph Explorer before 3.0.1 uses an HTTP fallback when certificate files are missing, exposing potential interception of HTTPS requests. The vulnerability affects the proxy component of Graph Explorer and can lead to disclosure of sensitive information. The recommended remediations are to upgrade...

CVSS 8.2 · AI score 5.8 · EPSS 0.00101
Exploits 0 · References 2
CVE · added 2026/06/02 7:03 p.m. · 19 views

CVE-2026-35202

Summary of vulnerability (CVE-2026-35202): Pterodactyl Panel’s Client API suffers a race-condition in the database resource limiter. The code path in DatabaseController.php attempts to lock database allocations with lockForUpdate(), but the Laravel call is a no-op (no terminal operation is sent)...

CVSS 2.3 · AI score 5.8 · EPSS 0.00212
Exploits 0 · References 1
CVE · added 2026/06/02 7:00 p.m. · 12 views

CVE-2019-25723

CVE-2019-25723 describes an improper input handling vulnerability in Dräger Perseus A500 software 2.00–2.02. An external attacker can cause a DoS by sending specially crafted, non-Medibus-compliant data through the Medibus interface, flooding the internal processor and triggering a warm restart...

CVSS 6.3 · AI score 5.8 · EPSS 0.00236
Exploits 0 · References 2
CVE · added 2026/06/02 7:00 p.m. · 18 views

CVE-2026-10617

The CVE-2026-10617 entry describes a vulnerability in nextlevelbuilder GoClaw up to version 3.11.3, affecting the resolveAuth function in internal/http/auth.go of the Webhook Verification Handler. The issue results from a manipulation that leads to missing authentication, enabling remote exploita...

CVSS 7.5 · AI score 6.5 · EPSS 0.00399
Exploits 0 · References 6
CVE · added 2026/06/02 6:44 p.m. · 13 views

CVE-2019-25722

The CVE-2019-25722 entry concerns Dräger SC Monitoring devices (SC 6002XL, SC 6802XL, SC 7000, SC 8000, SC 9000 XL). Affected component: source code contains hard-coded plaintext credentials that can be used by a local attacker to access service and clinical accounts; a remote attacker can send m...

CVSS 7.6 · AI score 5.9 · EPSS 0.00193
Exploits 0 · References 2
CVE · added 2026/06/02 6:35 p.m. · 17 views

CVE-2026-35049

The CVE-2026-35049 entry affects the wire-ios iOS client. Before version 4.16.0, processing a crafted Proteus external message with an encrypted payload under 16 bytes causes an automatic crash after receipt. The malicious message remains in the conversation and causes a crash loop on relaunch, p...

CVSS 6.5 · AI score 5.7 · EPSS 0.00235
Exploits 0 · References 1
CVE · added 2026/06/02 6:32 p.m. · 71 views

CVE-2026-47265

AIOHTTP prior to 3.14.0 is vulnerable: cookies provided via the cookies parameter on per-request calls are sent after following a cross-origin redirect, which may leak sensitive data if an attacker can control the redirect. Version 3.14.0 patches the issue. As a workaround, using a Cookie header ...

CVSS 8.7 · AI score 5.8 · EPSS 0.0015
Exploits 0 · References 2 · Affected software 1
CVE · added 2026/06/02 6:32 p.m. · 14 views

CVE-2026-5385

Summary: CVE-2026-5385 is a stored XSS in GLPI prior to 11.0.7. An unauthenticated user with write access to the knowledge base can store an XSS payload in a knowledge base item. Affected versions: GLPI before 11.0.7. Impact: authenticated? No — attacker needs knowledge-base write access; impa...

CVSS 8.4 · AI score 5.8 · EPSS 0.00418
Exploits 0 · References 4
CVE · added 2026/06/02 6:30 p.m. · 27 views

CVE-2026-5073

CVE-2026-5073 affects WordPress ARMember Premium (all versions up to 7.3.1). The vulnerability is an unauthenticated SQL Injection via the order/orderby parameters in the AJAX action arm_directory_paging_action, caused by insufficient escaping and inadequate SQL query preparation in the function...

CVSS 7.5 · AI score 5.9 · EPSS 0.01383
In wild · Exploits 1 · References 2
CVE · added 2026/06/02 6:30 p.m. · 19 views

CVE-2026-5074

The CVE concerns the ARMember Premium WordPress plugin. A SQL Injection exists in the get_private_content_data AJAX action via the sSortDir_0 parameter, in all versions up to and including 7.3.1. The user-supplied value is concatenated into the ORDER BY clause without a whitelist, allowing authen...

CVSS 6.5 · AI score 5.9 · EPSS 0.00308
Exploits 1 · References 2
CVE · added 2026/06/02 6:30 p.m. · 27 views

CVE-2026-5076

CVE-2026-5076 concerns ARMember Premium for WordPress (

CVSS 9.8 · AI score 5.9 · EPSS 0.00419
Exploits 3 · References 2
CVE · added 2026/06/02 6:30 p.m. · 15 views

CVE-2026-10616

CVE-2026-10616 affects nextlevelbuilder GoClaw up to 3.11.3. The vulnerability resides in TeamTasksTool.executeComplete (internal/tools/team_tasks_lifecycle.go), where a manipulation can lead to missing authorization. The issue can be exploited remotely and the exploit has been made publicly avai...

CVSS 5.3 · AI score 5.5 · EPSS 0.00206
Exploits 0 · References 6
CVE · added 2026/06/02 6:29 p.m. · 96 views

CVE-2026-34993

In CVE-2026-34993, AIOHTTP prior to 3.14.0 is vulnerable: using CookieJar.load() with untrusted input may lead to arbitrary code execution. The issue stems from deserializing untrusted data in the cookie jar. The advisory notes that most applications will be unaffected since data are user-owned, ...

CVSS 7.3 · AI score 6.1 · EPSS 0.00115
Exploits 0 · References 2 · Affected software 1
CVE · added 2026/06/02 6:23 p.m. · 113 views

CVE-2026-42342

CVE-2026-42342 affects React Router and Remix Server Runtime: versions 7.0.0–7.14.x of react-router and 2.10.0–2.17.4 of @remix-run/server-runtime are vulnerable to DoS via unbounded path expansion on the __manifest endpoint, causing high resource usage and potential unavailability for Framework ...

CVSS 7.5 · AI score 5.8 · EPSS 0.00299
Exploits 0 · References 1 · Affected software 2
CVE · added 2026/06/02 6:20 p.m. · 17 views

CVE-2025-64390

CVE-2025-64390 describes a privilege-escalation in PlayStation 4 firmware 13.00–13.02 where the BD-J sandbox can be escaped via a malformed JAR. Connected sources (NVD, CVE list mirrors, AttackersKB, and HackerOne report) explain the root cause: a mismatch between security policy path canonicaliz...

CVSS 7.4 · AI score 5.8 · EPSS 0.00085
Exploits 0 · References 1
CVE · added 2026/06/02 6:18 p.m. · 121 views

CVE-2026-42211

CVE-2026-42211 affects React Router versions 7.0.0–7.14.1 when used in Framework Mode. A combination of steps could enable a prototype pollution condition that an attacker could leverage in a two-step process to trigger unauthorized remote code execution on the remote server. The issue does not i...

CVSS 8.1 · AI score 6.5 · EPSS 0.00416
Exploits 0 · References 1 · Affected software 1
Total number of security vulnerabilities: 366579