CVE-2026-48997

CVE-2026-48997 affects e107 CMS

CVE-2026-54386

CVE-2026-54386 affects marimo prior to 0.23.9. A reflected XSS in the notebook page arises from improper escaping of single quotes in the file query parameter reflected into an inline JavaScript string. An unauthenticated attacker can craft a link with a payload (notably starting with new ) that ...

CVE-2026-48991

XianYuLauncher (Minecraft Java Edition launcher) is affected in versions prior to 1.5.5. The legacy Microsoft account OAuth sign-in flow used a fixed localhost redirect URI and lacked PKCE and state validation, allowing sensitive authentication artifacts to be exposed under certain local attack c...

CVE-2026-48820

The CakePHP CVE-2026-48820 vulnerability affects View::_getElementFileName(), where the resolved element path is not validated to be within the application/plugin view template paths. This can allow crafted user-supplied data to include other PHP files on the server. Affected versions span 4.5.11...

CVE-2026-50196

CVE-2026-50196 – Steeltoe.Discovery.Eureka : In Steeltoe.Discovery.Eureka before versions 4.2.0 and 3.4.0, DataCenterInfo.FromJson throws an ArgumentException for any DataCenterInfo.name other than MyOwn, Amazon, or Netflix, causing the registry deserialization to fail and the cache refresh to sw...

CVE-2026-48990

In joserfc (Python), CVE-2026-48990 affects versions 1.3.4–1.6.5 where oversized RFC7797 b64=false JWS payloads bypass JWSRegistry.max_payload_length during deserialization, enabling potential resource exhaustion. The standard JWS compact/flattened paths enforce the payload limit via ExceededSize...

CVE-2026-8050

CVE-2026-8050 affects SignalRGB prior to 1.3.7.0: seven (out of sixteen) IOCTL handlers dereference SystemBuffer without validating non-NULL, causing a NULL pointer dereference and kernel crash when an IOCTL with an empty input buffer is sent. Mitigation is SignalRGB driver update to version 1.3....

CVE-2026-8049

The CVE-2026-8049 issue affects SignalRGB’s Windows kernel driver, SignalIo.sys, in versions prior to 1.3.7.0. The device object (.SignalIo) is created without an explicit SDDL security descriptor and without FILE_DEVICE_SECURE_OPEN, resulting in overly permissive default access. This permits any...

CVE-2026-12530

The issue CVE-2026-12530 affects the AWS Bedrock AgentCore Python SDK install_packages() in versions >= 1.1.3 and

CVE-2026-50194

Steeltoe CVE-2026-50194 affects management endpoints when configured to listen on an alternate port. Versions 3.2.2–3.3.0 and 4.1.0 use the Host header to gate access instead of the socket port, enabling port-isolation bypass. Patches are in 3.4.0 and 4.2.0. If upgrading isn’t possible, apply exp...

CVE-2026-48989

CVE-2026-48989 affects Windows-MCP HTTP transports that expose an unauthenticated control plane with wildcard CORS, enabling arbitrary PowerShell execution via the PowerShell tool when accessed from arbitrary origins. Root cause: FastMCP instance built without authentication and middleware applyi...

CVE-2026-48988

markdown-it is affected by a Denial-of-Service vulnerability (CVE-2026-48988) when typographer: true is enabled. Versions 14.1.1 and earlier process smartquotes with a quadratic time complexity due to repeated uses of replaceAt(), causing high CPU usage on quote-heavy inputs. The issue can degrad...

CVE-2026-48979

The CVE concerns PHP PSL versions 6.1.0, 6.1.1, and 6.2.0 where Psl\H2\ServerConnection fails to validate that the DATA frame length matches the content-length declared in the HEADERS frame, enabling HTTP request smuggling. This affects clients using Psl\H2\ServerConnection directly to process un...

CVE-2026-49133

Typemill before 2.24.0 has a path traversal vulnerability in Storage::getFile() that lets authenticated users with Author privileges read files outside the content directory by passing traversal sequences in the path query parameter with an empty folder argument. This can bypass traversal-prevent...

CVE-2026-48821

Shaarli versions ≤ 0.16.1 are affected by a DOM-based XSS in the Thumbnail Synchronizer. The ThumbnailsController::ajaxUpdate backend returns unescaped bookmark titles in JSON via an AJAX response, which are injected into the DOM by thumbnails-update.js using innerHTML. This requires an administr...

CVE-2026-11407

PIMCORE CMS/DXP 12.3.8 contains a sandbox bypass in the Twig SecurityPolicy (checkMethodAllowed and checkPropertyAllowed). Authenticated administrative attackers can craft malicious Twig templates via DataObject ClassDefinition Layout\Text to execute arbitrary PHP object methods, perform file rea...

CVE-2026-48823

Technical details are not publicly available in the provided documents. Monitor for updates from Shaarli advisories and releases.

CVE-2026-32682

The CVE-2026-32682 entry concerns NGINX Gateway Fabric. The vulnerability arises when GRPCRoutes are configured; an authenticated user with permission to create or modify GRPCRoute resources can cause the control plane to terminate by sending undisclosed GRPCRoute configurations containing backen...

CVE-2026-50107

CVE-2026-50107 : Affects NGINX Plus or NGINX Open Source used as the data plane for NGINX Gateway Fabric. The vulnerability lies in the configuration generator component: user-supplied values from the NginxProxy CRD access log format setting are rendered directly into NGINX configuration template...

CVE-2026-48822

Shaarli (versions ≤ 0.16.1) contains a stored XSS in the Bookmark Description field when a malicious javascript: URI is injected via Markdown reference links. The root cause is in BookmarkMarkdownFormatter.php: filterProtocols uses a regex that catches inline links but does not inspect Markdown r...

CVE-2026-54388

Tinyproxy (≤ 1.11.3) is affected by CVE-2026-54388. The issue occurs when a request contains multiple Content-Length headers with differing values: Tinyproxy forwards all duplicate headers to the backend but uses the first value to determine how many body bytes to consume. This desynchronizes pro...

CVE-2026-54387

CVE-2026-54387 affects Tinyproxy up to version 1.11.3. It fails to reconcile conflicting Content-Length and Transfer-Encoding: chunked headers, forwarding both verbatim to the backend while using Content-Length to consume the request body. This desynchronizes frontend/backend parsers and can enab...

CVE-2026-48817

CVE-2026-48817 affects Starlette 1.0.1 and earlier, where HTTPEndpoint dispatch selects a handler by lowercased method name via getattr without validating against a known HTTP verb. If a Route is used without explicitly listing methods=, every method can reach the endpoint, and non-standard HTTP ...

CVE-2026-48814

Network-AI is a TypeScript/Node.js multi-agent orchestrator. In versions

CVE-2026-55202

Tinyproxy (up to version 1.11.3) contains a vulnerability in stathost detection where the Host header is not properly validated. This allows unauthenticated attackers to access the stats page by injecting a matching Host header or bypass detection via port manipulation, potentially misrouting req...

CVE-2026-55201

CVE-2026-55201 affects Evil-WinRM (up to version 3.9). A path traversal in download_dir() can cause the server to generate filenames with traversal sequences from Get-ChildItem output, which are passed unsanitized to File.join(), enabling writes outside the intended download directory. Attackers ...

CVE-2026-55200

CVE-2026-55200 affects libssh2 up to version 1.11.1. The vulnerability is an out-of-bounds write in ssh2_transport_read() caused by failure to enforce upper bounds on packet_length, allowing remote attackers to send crafted SSH packets to corrupt heap memory and achieve remote code execution. The...

CVE-2026-10741

Sonatype Nexus Repository Manager prior to 3.93.0 contains an authorization flaw in the proxy repository configuration that lets a delegated repository administrator disclose stored upstream proxy credentials. This affects confidentiality (credentials exposure) with a CVSS base score of 5.9 (MEDI...

CVE-2026-55590

The connected advisory GHSA-HHPQ-7WG4-36JM describes a backslash bypass in CakePHP’s getLoginRedirect() that permits open redirects to attacker-controlled hostnames. Affected versions include the integrity of redirect targets; remediation patches are available in CakePHP 3.3.6 and 4.1.1. If upgra...

CVE-2026-55518

The CVE entry CVE-2026-55518 is connected to GHSA-8FQ9-273G-6MRG, which describes a critical missing authorization flaw in Avo’s association attach endpoint. The vulnerability arises because the server-side authorization check runs only for the UI form (new) and not for the mutating create action...

CVE-2026-55471

CVE-2026-55471 is linked to a XXE/SSRF flaw in the HAPI FHIR org.hl7.fhir.utilities XsltUtilities.sax onTransform overloads. The issue arises because saxonTransform(...) creates a bare net.sf.saxon.TransformerFactoryImpl() without external-access restrictions, unlike the hardened transform() path...

CVE-2026-55470

Context: CVE-2026-55470 is reserved. Connected advice confirms a concrete issue previously identified in HAPI FHIR: DSTU2’s FHIRPathEngine.matches() uses a raw String.matches() without a timeout, enabling ReDoS via catastrophic backtracking. What’s affected: ca.uhn.hapi.fhir:org.hl7.fhir.dstu2 mo...

CVE-2026-55199

CVE-2026-55199 affects libssh2 up to version 1.11.1. The vulnerability lies in the SSH_MSG_EXT_INFO handler (src/packet.c), where return values from _libssh2_get_string() are unchecked. During key exchange, a malicious SSH server can set nr_extensions to 0xFFFFFFFF, causing the client to spin in ...

CVE-2026-10696

CVE-2026-10696 affects Devolutions UniGetUI 2026.2.0 and earlier. The root cause is an incorrectly resolved name/reference in the pinget backend, which can allow a WinGet community catalog contributor to cause an installed application to be correlated to an unrelated, attacker-controlled catalog ...

CVE-2026-55760

CVE-2026-55760 concerns the Handlebars.java library, specifically when using FileTemplateLoader (or ClassPathTemplateLoader) with user-controlled input for template names. The advisory documents a path traversal vulnerability that can lead to arbitrary file reads in web applications that pass unt...

CVE-2026-55405

CVE-2026-55405 is reserved; connected advisory GHSA-2MFG-CC43-9PCJ documents a concrete SQL injection in LangChain4j’s embedding stores. The vulnerability arises when metadata filter keys are concatenated into SQL without proper escaping in langchain4j-mariadb and langchain4j-pgvector (JSON mode ...

CVE-2026-12529

The CVE concerns SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0, affecting the Student Self-Registration Endpoint (index.php). The vulnerability arises from improper access controls in an unknown function of /index.php, enabling remote exploitation. The impact is def...

CVE-2026-55636

Capsule v0.13.2 has an incomplete fix for CVE-2026-30963 due to a singular/plural typo in webhook rules: the rule uses namespace/finalize instead of namespaces/finalize, so the finalize defense is not applied. PoC demonstrates that a user with namespaces/finalize RBAC is denied in normal flow but...

CVE-2026-25779

The connected GHSA entry describes an open redirect in Gitea: open redirect via the redirect_to parameter despite validation inside urlIsRelative in modules/httplib/url.go. The PoC demonstrates redirection to example.com after successful login, enabling phishing, and potentially OAuth/SSO token l...

CVE-2026-24791

CVE-2026-24791 is a public-only bypass affecting Gitea self routes under /api/v1/user. Connected PoCs show that tokens marked public-only, when combined with route-required user scopes, can access or mutate private account resources via self routes such as /api/v1/user/keys, /api/v1/user/applicat...

CVE-2026-55198

Hermes WebUI prior to 0.51.443 contains an authorization bypass in the session export endpoint. The _handle_session_export handler in api/routes.py fails to verify active-profile ownership before serializing session data, allowing authenticated users to exfiltrate transcripts from other profiles ...

CVE-2026-55197

Hermes WebUI before 0.51.443 has a broken access control weakness in the /api/session endpoint. Authenticated users can bypass profile boundaries and query session IDs from other profiles via GET /api/session?session_id=&messages=1 to retrieve unauthorized transcripts and metadata. This affects t...

CVE-2026-55196

Hermes WebUI prior to version 0.51.409 contains an authentication bypass in passkey registration. When HERMES_WEBUI_PASSKEY=1 is enabled with no existing credentials, POST /api/auth/passkey/register/options and POST /api/auth/passkey/register are accessible without authentication, allowing an att...

CVE-2026-53871

Hermes WebUI prior to version 0.51.368 contains an authorization bypass in get_profile_cookie() that accepts unauthenticated profile names via the hermes_profile cookie. An authenticated attacker can forge the hermes_profile cookie to bypass profile-scoped authorization and access sessions, files...

CVE-2026-53870

Hermes Agent before 0.16.0 creates response_store.db and webhook_subscriptions.json with world-readable permissions (0644), exposing conversation history, tool payloads, prompts, and per-route HMAC secrets to local users. Attackers with local filesystem access can read these files directly to obt...

CVE-2026-53869

CVE-2026-53869 : Hermes Agent prior to 0.16.0 has a DNS rebinding vulnerability in WebSocket endpoints that allows remote attackers to bypass Host and Origin validation. The FastAPI HTTP middleware is not executed for WebSocket upgrade requests on /api/pty, /api/ws, /api/pub, and /api/events, ena...

CVE-2026-48818

CVE-2026-48818 concerns Starlette’s StaticFiles on Windows. In versions up to 1.0.1, when handling UNC paths (for example, \attacker.com\share), os.path.realpath can initiate an outbound SMB connection before the path is rejected, triggering SSRF and exposing the service account’s NTLMv2 credenti...

CVE-2026-11525

The issue affects undici’s cookie parsing in Set-Cookie headers. The root cause is a permissive substring match for the SameSite attribute during parsing, accepting any value containing Strict, Lax, or None instead of enforcing a case-insensitive exact match per RFC 6265. This can cause downstrea...

CVE-2026-2674

CVE-2026-2674 is an Out-of-bounds Write vulnerability in RTI Connext Professional affecting Queueing Service, Core Libraries, and Persistence Service. Affected versions are Connext Professional: 6.1.0 through before 6.1.*; 7.0.0 through before 7.3.1.3; 7.4.0 through before 7.7.0. The root cause i...

CVE-2026-30803

RTI Connext Micro (Core Libraries) is affected by an Integer Underflow (wrap/wraparound) vulnerability that allows overread of buffers. Affected versions are Connext Micro 4.0.0 up to (but not including) 4.3.0. The issue is documented across CVE-2026-30803 entries in NVD and CVE records; no explo...