CVE-2026-45087

Dalfox (server mode) prior to v2.13.0 is vulnerable to unauthenticated remote code execution. When running dalfox server with default 0.0.0.0:6664 and no API key, POST /scan deserializes attacker-controlled options (FoundAction and FoundActionShell) into scan config, then shell commands are execu...

CVE-2026-45089

Dalfox AOSS (CVE-2026-45089) allows unauthenticated arbitrary file creation/append when running in REST server mode. Before v2.13.0, the API accepts attacker-controlled OutputFile, OutputAll, and Debug in model.Options; the logger writes to the attacker-specified path via os.OpenFile with O_APPEN...

CVE-2026-45090

Dalfox (CVE-2026-45090) suffers a channel lifecycle bug in ParameterAnalysis.go: two sequential worker stages share a single results channel, which is closed after the first stage and then reused by the second stage for POST-body parameters. When a parameter is reflected, the second-stage writer ...

CVE-2026-42553

Cinny (Matrix client) before version 4.10.3 is affected by a token-disclosure vulnerability in two parts: (1) EmojiBoard fallback uses an untrusted pack.meta.avatar as a MXC URL, enabling an attacker-controlled HTTP(S) URL in a malicious emote pack; (2) the service worker attaches the user’s Auth...

CVE-2026-5509

The CVE-2026-5509 entry describes an authenticated command-injection flaw in TP-Link Archer BE450 v1 and BE7200 v1 routers. After logging into the admin web interface, an attacker can inject crafted input via the browser’s developer console that is passed to backend system commands without suffic...

CVE-2026-44345

CVE-2026-44345 affects BentoML. A multi-line value supplied to docker.base_image in bento.yaml is interpolated into the Dockerfile without escaping or validation, allowing an attacker-controlled Dockerfile fragment to inject arbitrary RUN directives. When bentoml containerize runs docker build, t...

CVE-2026-45334

CVE-2026-45334 corresponds to a Kirby CMS vulnerability (GHSA-39VQ-49QM-R2MC) involving the Panel content-locking feature. When a user’s role has restricted visibility (users.access or users.list set to false), the lock information (including the editing user’s email and internal ID) could be ret...

CVE-2026-44346

CVE-2026-44346 affects BentoML. A malicious bentofile.yaml with a newline-injected value in envs[*].name yields unquoted RUN directives in the BentoML-generated Dockerfile, causing those RUN commands to run on the host during docker build when running bentoml containerize. The issue stems from un...

CVE-2026-45081

Frappe HRMS (HRMS) has a permission bypass in the Leave Details API. Before version 16.5.0, authenticated employees could access other employees’ leave details due to improper authorization checks; the issue is fixed in 16.5.0.

CVE-2026-45260

CVE-2026-45260 (Pimcore WebDAV MOVE issue) : Pimcore 2026.1.0 WebDAV asset MOVE endpoint (/asset/webdav{path}) can perform asset mutation and deletion without enforcing authentication or permissions during Tree::move(). The MOVE path deletes the source asset before validating the current user, al...

CVE-2026-44521

elFinder contains an authenticated SQL injection in the MySQL volume driver (elFinderVolumeMySQL). A logged-in user, including those with read-only access, can inject SQL via a crafted target file hash, potentially leading to unauthorized data disclosure and denial of service. Affected installati...

CVE-2026-48147

Budibase (open-source low-code platform) prior to 3.35.4 contains a vulnerability in buildMatcherRegex()/matches() within packages/backend-core/src/middleware/matchers.ts where route patterns are compiled into unanchored regexes and tested against ctx.request.url (including the full query string)...

CVE-2026-48148

Budibase prior to 3.35.3 exposes an unvalidated VectorDB host parameter in its configuration endpoint. An authenticated builder-level user can supply a host like 169.254.169.254 or localhost, allowing the server to initiate outbound TCP connections to internal network addresses or cloud metadata ...

CVE-2026-45548

The CVE-2026-45548 entries describe a Server-Side Request Forgery (SSRF) in Budibase where processUrlFile (AI Extract File step) calls fetch(fileUrl) without the IP blacklist, bypassing protections used by other automation steps. This allowed an authenticated builder to trigger server-side reques...

CVE-2026-45715

Budibase (open-source low-code platform) is affected by CVE-2026-45715 via the REST datasource integration. The vulnerable component is the REST datasource code at packages/server/src/integrations/rest.ts, where redirects are followed without re-checking the IP blacklist, allowing an authenticate...

CVE-2026-45716

Budibase vulnerability CVE-2026-45716 affects the onboardUsers endpoint: when SMTP is not configured, POST /api/global/users/onboard allows a builder to create new global admin accounts by injecting attacker-controlled roles, returning the generated password in the response and enabling full priv...

CVE-2026-45717

Budibase (prior to 3.38.1) exposed PUT /api/datasources/:datasourceId under TABLE/READ authorization, allowing any authenticated user with BASIC or higher to overwrite a datasource’s config (host, port, database, URL, credentials). The update merges attacker-controlled fields without builder-leve...

CVE-2026-45718

Budibase (open-source low-code platform) fixed in 3.38.1 a vulnerability in the row action trigger endpoint (POST /api/tables/:sourceId/actions/:actionId/trigger). Before 3.38.1, the endpoint did not validate that the provided rowId was within the view’s filters, allowing a user with access to a ...

CVE-2026-45719

Budibase is vulnerable to CouchDB reduce injection via the V1 Views API (POST /api/views) where the calculation parameter is interpolated into a CouchDB reduce function without validation. A Builder-permission user can inject arbitrary JavaScript into the reduce function, which CouchDB executes w...

CVE-2026-46425

Budibase contains a SCIM authorization flaw prior to version 3.38.2: the SCIM router (packages/worker/src/api/routes/global/scim.ts) attaches only requireSCIM and doInScimContext middlewares, with no role check. This allows any authenticated user (including BASIC role) who reaches the worker to p...

CVE-2026-46424

Budibase vulnerability CVE-2026-46424 affects versions before 3.38.2. The public API endpoint POST /api/public/v1/roles/unassign updates CouchDB user documents but does not invalidate the Redis cache entries used by authentication middleware, so revoked admin/builder/app roles may persist up to 1...

CVE-2026-46426

Budibase (open-source low-code) has a stored XSS flaw tracked as CVE-2026-46426. Before version 3.38.2, the file upload endpoint POST /api/attachments/process did not consistently enforce active-content restrictions for authenticated builders. The checks for dangerous extensions (html, svg, js, p...

CVE-2026-46427

Budibase prior to 3.38.3 exposes Snowflake private keys via the datasource API. The removeSecrets filter masks only datasource config fields with schema type DatasourceFieldType.PASSWORD; Snowflake integration marks privateKey as SENSITIVE_LONGFORM, which is not filtered, allowing a BASIC-authent...

CVE-2026-48128

Budibase prior to 3.39.0 is vulnerable to SSRF via the executeQuery automation step. The executeQuery step accepts a queryId from automation inputs and forwards it to the query execution controller without additional validation. When a REST datasource targets internal infrastructure, this can cau...

CVE-2026-48146

Budibase - CVE-2026-48146: Before 3.39.0, the OAuth2 token fetch in packages/server/src/sdk/workspace/oauth2/utils.ts calls raw fetch(config.url) without SSRF protection, while a safe wrapper fetchWithBlacklist() exists and is used for other outbound calls. This allows a user with BUILDER rights ...

CVE-2026-4392

CVE-2026-4392 affects TeamSpeak 3 Server versions up to 3.13.7, involving the Handshake Handler component. The issue arises from manipulation of the argument proof, which results in a reachable assertion. The advisory states that remote exploitation is possible. A fix is available in TeamSpeak 3 ...

CVE-2026-48149

CVE-2026-48149 affects Budibase prior to version 3.39.0, where the Budibase Text component in Markdown mode rendered markdown by assigning marked.parse(markdown) directly to innerHTML without sanitization (MarkdownViewer.svelte:22). This creates a stored-XSS sink in any column bound to a Text com...

CVE-2026-48150

Budibase CVE-2026-48150 describes a privilege-escalation flaw in the /api/public/v1/roles/assign endpoint prior to 3.39.0. The builderOrAdmin middleware trusts the x-budibase-app-id header to identify the app’s builder, and then the controller propagates the request body to the SDK, which can gra...

CVE-2026-48151

Budibase (open-source low-code platform) contains an authorization bypass in the webhook schema-building endpoint prior to 3.39.0. The endpoint under builderRoutes allowed an unauthenticated caller to update the body schema for a known webhook and mutate the associated automation trigger output s...

CVE-2026-45162

The CVE-2026-45162 entry is linked to concrete, public advisories for Pimcore in Pimcore v11 that expose unsafe PHP deserialization in multiple locations without allowed_classes. The vulnerabilities occur when data sourced from databases (tmp_store, sites, custom_layouts) or filesystem (WebDAV de...

CVE-2026-48152

Budibase (open-source low-code) prior to 3.39.0 exposes a vulnerability where a Basic app user (mapped to WRITE permissions) can read an existing REST datasource, obtain redacted authConfigs, and update only the config.url. During update, mergeConfigs() restores the original secret when it detect...

CVE-2026-48153

Budibase: CVE-2026-48153 affects Budibase before 3.39.0. The OAuth2 SDK’s fetchToken makes a POST to a builder-supplied URL using plain node-fetch and bypasses the isBlacklisted outbound-fetch path check, and the OAuth2 URL Joi schema has no scheme/host restrictions. This enables SSRF to reach in...

CVE-2026-45061

CVE-2026-45061 : Budibase (open-source low-code platform) remains vulnerable to SSRF due to a trivial substring URL check in the Plugin URL upload endpoint (/api/plugin). Before 3.35.10, the code validates only that the URL contains “.tar.gz” anywhere in the string (path, query, or fragment). The...

CVE-2026-4391

CVE-2026-4391 affects TeamSpeak 3 Server up to version 3.13.7. The issue is in an unknown code path of the ECC Key Parser, causing a heap-based buffer overflow that could be triggered remotely. A fixed version is 3.13.8, which upgrades the affected component. If exploiting details are not provide...

CVE-2026-44460

FileRise (self-hosted web-based file manager) contains a vulnerability in /api/totp_setup.php prior to version 3.12.0. If a session has passed password check (state pending_login_user) and the target account already has TOTP configured, the endpoint decrypts and returns the existing TOTP secret i...

CVE-2026-45047

The CVE affects the Go project bird-lg-go. Before version 1.4.5, apiHandler (and webHandlerTelegramBot) directly decode user-provided JSON via json.NewDecoder(r.Body).Decode(&request) without a maximum read size, enabling an unauthenticated attacker to stream a very large or endless JSON payload ...

CVE-2026-44378

Botan (C++ cryptography library) is affected prior to version 3.12.0. Indefinite-length BER encodings could trigger quadratic parser behavior, even in structures that must be DER, leading to denial of service. The issue is fixed in 3.12.0. There are no explicit exploit details or in-the-wild expl...

CVE-2026-42328

CVE-2026-42328 : go-ipld-prime prior to 0.23.0 had unbounded recursion in the DAG-CBOR and DAG-JSON decoders when processing deeply nested maps/lists. Each nesting level increases the goroutine stack, potentially causing a fatal stack overflow. The issue is resolved by a fix in version 0.23.0 . I...

CVE-2026-4390

CVE-2026-4390 affects TeamSpeak 3 Server (up to version 3.13.7). The vulnerability is in the process_resend_queue function of the Connection State Management component, where a manipulation leads to a use-after-free condition. The issue permits remote initiation of an attack under NETWORK, with L...

CVE-2026-42081

CVE-2026-42081 — free5GC AMF UE Security Capabilities bypass (NGAP PathSwitchRequest) Affected software: free5GC AMF (prior to 4.2.2). What is vulnerable: The AMF does not verify UE security capabilities received in NGAP PathSwitchRequest against locally stored values, allowing a malicious gNB to...

CVE-2026-42082

Free5GC AMF prior to v4.2.2 is vulnerable to missing concurrent NAS SMC validation during NGAP handover. The vulnerability arises because the AMF does not enforce the cross-procedure rules in 3GPP TS 33.501 §6.9.5.1, allowing a NAS Security Mode Command (SMC) to be issued while an N2 handover pro...

CVE-2026-42083

CVE-2026-42083 affects free5GC PCF Npcf_SMPolicyControl where missing router authorization middleware in the smPolicyGroup allowed unauthenticated access to SM policy endpoints (e.g., POST /npcf-smpolicycontrol/v1/sm-policies, GET /sm-policies/{id}, POST /sm-policies/{id}/update, POST /sm-policie...

CVE-2026-42459

CVE-2026-42459 documents an improper input validation flaw in free5GC UDM: the SDM (nudm-sdm) service does not validate the SUPI parameter in six GET handlers, allowing an unauthenticated attacker to inject control characters into SUPI. This can cause UDM to forward a malformed URL to UDR and ret...

CVE-2026-44315

The CVE describes a vulnerability in free5GC NEF where the 3gpp-pfd-management API is mounted without inbound OAuth2/bearer-token authorization prior to version 4.2.2. An attacker reachable on the SBI can forge Bearer tokens to create, read, and delete PFD-management transactions, with these acti...

CVE-2026-44316

The CVE describes a nil-pointer dereference in free5GC PCF (POST /npcf-smpolicycontrol/v1/sm-policies) HandleCreateSmPolicyRequest. When a downstream OpenAPI (UDR) lookup returns 404 and the wrapper returns err != nil with a nil response, the code logs the error but does not return, then derefere...

CVE-2026-44317

Summary of findings (CVE-2026-44317) : In free5GC’s PCF component, the POST /npcf-policyauthorization/v1/app-sessions handler can panic on a single authenticated request when ascReqData.suppFeat == "1" (traffic-routing feature negotiation) and medComponents includes an AfAppId but no AfRoutReq. T...

CVE-2026-48027

Summary: CVE-2026-48027 affects Nx Console, a UI for Nx & Lerna. A malicious copy of Nx Console version 18.95.0 was published briefly in Visual Studio Marketplace (and OpenVSX) around 12:30–12:48 UTC (≈18 minutes) and 12:33–13:09 UTC (≈36 minutes) respectively. The compromised package allowed cod...

CVE-2026-44319

Summary (fact-grounded): CVE-2026-44319 affects free5GC NEF prior to version 4.2.2, where an attacker-controlled PFD notifyUri can trigger asynchronous delivery failures that cause NEF to call Fatal and exit, resulting in a complete availability outage until restart. The vulnerability occurs in P...

CVE-2026-44320

Summary: CVE-2026-44320 affects free5GC’s NEF, specifically the nnef-callback route group, which mounts without inbound OAuth2/bearer-token authorization. A forged or arbitrary bearer token can reach the SMF-callback handler, allowing the callback body to be parsed and dispatched into NEF busines...

CVE-2026-44321

The CVE concerns free5GC SMF (v4.2.x) where the UPI route group lacked inbound OAuth middleware, allowing an unauthenticated POST to /upi/v1/upNodesLinks to trigger a validation failure that calls Fatalf, terminating the entire SMF process. Specifically, an attacker-controlled JSON payload can tr...