CVE-2026-53689

CVE-2026-53689 relates to libnfs up to 6.0.2 (before commit 55c18ea). The issue is that libnfs_zdr_string in lib/libnfs-zdr.c does not validate a string size, causing an integer overflow when connecting to a crafted NFS server. The CVSS data indicates network attacker, high impact to confidential...

CVE-2026-48031

The connected advisories describe CVE-2026-48031 context as a hardcoded JWT signing secret (“random”) in the Go REST API boilerplate project github.com/dhax/go-base. This weakness enables token forgery, allowing an attacker to forge admin or privileged tokens and access protected API endpoints. T...

CVE-2026-48051

Summary of CVE-2026-48051 / GHSA-5G86-85RP-F9HX : Papra’s webhook delivery system contains an SSRF protection bypass that allows an authenticated user to cause the server to fetch internal addresses (127.0.0.0/8, RFC-1918, ::1, etc.) by abusing redirects. The vulnerable code uses ofetch.raw() wit...

CVE-2026-48037

The connected OSV/GHSA entry for GHSA-CJ8G-PRCM-MFG5 documents a vulnerability in @hulumi/baseline (

CVE-2026-48036

The connected advisories describe a vulnerability in the drift classifier of the npm package @hulumi/drift prior to version 1.4.0. The root cause is that the classifier used each adapter’s detected flag and did not verify adapter success, leading to two issues: (1) transient adapter failures coul...

CVE-2026-48035

The connected advisories indicate a concrete issue in the npm package @hulumi/baseline prior to version 1.4.0, where the startup-hardened audit bucket could be weakened (three failure modes: false objectLock on startup bucket, forceDestroy risk on teardown, and sandbox tier omission). This could ...

CVE-2026-48034

An advisory describes a vulnerability in @hulumi/policies

CVE-2026-48033

Technical details for CVE-2026-48033 are not publicly available in the provided documents. Monitor for updates.

CVE-2026-48032

The connected advisories describe a vulnerability in @hulumi/policies prior to version 1.4.0 where a JSON array of Federated providers in an IAM trust policy could bypass the G_OIDC wildcard checks, treating a GitHub OIDC provider as non-GitHub and allowing overly permissive sub: conditions. Impa...

CVE-2026-53442

CVE-2026-53442 affects Jenkins 2.567 and earlier, LTS 2.555.2 and earlier. The issue: secrets posted via config.xml are not encrypted before being stored in job config.xml files on the Jenkins controller, allowing disclosure to users with Item/Extended Read permissions or filesystem access. This ...

CVE-2026-53441

Summary: CVE-2026-53441 affects Jenkins core 2.483–2.567 and LTS 2.492.1–2.555.2, where the description field for an offline cause can be stored via the POST config.xml API, enabling stored XSS. This requires attacker permission at Agent/Configure level. What’s known from provided sources: The vu...

CVE-2026-53439

CVE-2026-53439 : In Jenkins up to 2.567 and earlier, and LTS up to 2.555.2, missing permission checks allow users with Overall/Read to determine other users’ configured timezone and to enumerate other users’ My Views. The CVSS v3.1 base score is 4.3 (Medium; AV N, AC L, PR L, UI N, S U, C L, I N,...

CVE-2026-53440

Technical details are not publicly available in the provided documents. Monitor for updates.

CVE-2026-53438

Summary: CVE-2026-53438 affects Jenkins 2.567 and earlier (including LTS 2.555.2 and earlier). A missing permission check allows attackers who have Item/Cancel permission but lack Item/Read permission to cancel queue items they are not allowed to view. What’s affected: Jenkins core queue cancella...

CVE-2026-53437

Jenkins 2.567 and earlier, and LTS 2.555.2 and earlier, are affected by a vulnerability where the redirect URL after login is improperly determined to point to Jenkins if it contains tab or newline characters between //, enabling phishing attacks. The root cause is improper handling/validation of...

CVE-2026-53436

Jenkins 2.567 and earlier, and LTS 2.555.2 and earlier, are affected by a login-redirect validation issue: the system may treat a redirect URL containing relative path segments (./ or ../) as legitimate, which enables phishing attacks by steering users to attacker-controlled destinations after lo...

CVE-2026-53435

CVE-2026-53435 affects Jenkins 2.567 and earlier, including LTS 2.555.2 and earlier. The root cause is unsafe deserialization due to a deserialization sink that bypasses a ClassFilter, allowing an attacker who can POST a config.xml to deserialize arbitrary core/plugin types and reach them via HTT...

CVE-2025-71329

The CVE-2025-71329 vulnerability affects image-size up to version 2.0.2 and is triggered by a crafted image buffer containing a zero-valued size field in a recognized box-type, causing an infinite loop in the JXL or HEIF parsers and permanently blocking the Node.js event loop (DoS). Impact is den...

CVE-2025-71330

The CVE-2025-71330 issue affects image-size

CVE-2026-52759

Ghidra is affected by CVE-2026-52759 through the Mach-O binary parser prior to version 12.1.1. The vulnerability arises from an uncontrolled memory allocation when parsing Mach-O files with an arbitrarily large ncmds load command count, causing the parser to allocate excessive heap memory without...

CVE-2026-52758

Summary: Ghidra before 12.1 suffers a SQL injection in the BSim filter types where user-supplied values are directly concatenated into SQL queries without escaping or parameterization. This enables remote attackers to inject arbitrary SQL via the BSim network query protocol, potentially reading, ...

CVE-2026-52757

Ghidra before 12.1 is affected by a heap-use-after-free in the decompiler’s HighVariable::merge() during the variable merging pass. The issue can be triggered by a crafted binary that causes stale pointers in the HighIntersectTest::highedgemap cache to be dereferenced, leading to reads/writes of ...

CVE-2026-52756

CVE-2026-52756 affects Ghidra before 12.2. The IsfServer component accepts TCP connections and passes client-supplied namespace strings directly to filesystem operations without validation, enabling unauthenticated path traversal. Remote attackers can connect to port 54321 and send crafted protob...

CVE-2026-52755

Ghidra prior to version 12.0.4 is affected by a path traversal vulnerability in the theme import functionality. An attacker can craft theme ZIP files containing traversal sequences in filenames to write outside the intended theme directory, enabling arbitrary code execution or modification of sen...

CVE-2026-52754

Ghidra prior to 12.1 is affected by an authentication bypass in PKIAuthenticationModule.authenticate(). An attacker presenting a valid CA-signed certificate with a null signature can impersonate other users, enabling privilege escalation. Documented impacts include modifying repository access con...

CVE-2026-52753

Ghidra

CVE-2026-52752

CVE-2026-52752 affects Ghidra prior to 12.0.2. The path traversal flaw is in the extension installer and arises from insufficient validation of ZIP entry names during extraction, allowing crafted extensions with ../ sequences to write files outside the intended directory and potentially achieve c...

CVE-2026-49069

The CVE-2026-49069 entry refers to the WordPress WPZOOM Portfolio plugin (versions

CVE-2026-52751

Affected software : Ghidra before 12.1. Vulnerability : Unsafe deserialization in client-side Shared-Project RMI connection code enables unauthenticated remote code execution when a crafted ghidra:// project file is opened via File → Open Project. The attack deserializes untrusted objects using a...

CVE-2026-52750

Ghidra prior to 12.1 on Windows contains a command-injection in URL annotation handling: cmd.exe metacharacters are not properly escaped. This allows an attacker to execute arbitrary commands under the Ghidra user by embedding a malicious URL in a program comment and having a victim click it. Aff...

CVE-2026-49498

Ghidra 11.0 before 12.1 is affected by a SQL injection in PostgresFunctionDatabase.changePassword(), which fails to escape double quotes in usernames interpolated into ALTER ROLE statements. Authenticated attackers can craft username parameters in PasswordChange network messages to inject SQL com...

CVE-2026-49497

CVE-2026-49497 concerns Ghidra before 12.1, which contains a path traversal flaw in the SameDirDebugInfoProvider. The bug arises because filenames from ELF binary .gnu_debuglink sections are not validated before file paths are built, enabling a local attacker to craft malicious ELF binaries with ...

CVE-2026-49496

Ghidra

CVE-2026-49495

Ghidra 10.2 before 12.1 contains an uncontrolled resource-consumption vulnerability in ExportTrie.parseTrie() that lacks cycle detection when traversing Mach-O binary export tries. A crafted Mach-O binary with circular references in the export trie can cause unbounded queue growth and exponential...

CVE-2024-58350

Ghidra prior to 11.2 contains a use-after-free in the Sleigh backend caused by undefined static initialization order of SleighArchitecture::translators and XmlArchitectureCapability singletons. This can enable an attacker to trigger an infinite loop or denial of service during shutdown due to uns...

CVE-2026-9758

Technical details (affected versions, root cause specifics, exploitation status) are not publicly available in the provided documents. Monitor for updates from CVE sources and connected feeds.

CVE-2026-24067

Slate Digital Connect 1.37.0 for macOS installs a privileged helper tool (com.slatedigital.connect.privileged.helper.tool) that exposes the XPC service com.slatedigital.connect.privileged.helper.tool2. The root cause is a PID-based client validation that is vulnerable to a time-of-check time-of-u...

CVE-2026-24066

Slate Digital Connect 1.37.0 for macOS exposes a privileged helper tool (com.slatedigital.connect.privileged.helper.tool) that serves an XPC service (com.slatedigital.connect.privileged.helper.tool2). The root cause is that the helper validates connecting XPC clients by checking only the subject....

CVE-2026-11859

CVE-2026-11859 concerns an HTML injection vulnerability in the Canarytokens Canarytokens 'fetch links' email. Affected: Canarytokens builds derived from Docker tag sha-c0f3cf142 before sha-08c3f93d and Git commit c0f3cf142 before 08c3f93d. Root cause: HTML injection in the email content used for ...

CVE-2026-11853

CVE-2026-11853 affects Debusine. The vulnerability arises in the parser for Debian source packages (.dsc) and upload artifacts (.changes), where it accepts arbitrary fully user-controlled paths. The mergeuploads task could be exploited to create arbitrary symbolic links on a worker, overwriting a...

CVE-2026-11852

Debusine CVE-2026-11852 affects a Debian-based distribution tool. The vulnerability arises because endpoints that create or delete relationships between artifacts perform no permission checks beyond artifact visibility, enabling unauthorized relationship management. The CVSS indicates Network acc...

CVE-2026-3018

The WordPress Newsletters plugin (versions

CVE-2025-6254

The Doctreat Core plugin for WordPress is affected up to version 1.6.8. The root cause is doctreat_process_registration() not properly restricting the roles a user can register with, enabling unauthenticated users to register as an administrator. This is a Privilege Escalation vulnerability. The ...

CVE-2026-8613

The CVE-2026-8613 entry concerns the WordPress plugin aThemes Addons for Elementor (

CVE-2026-8853

The CVE-2026-8853 entry concerns the WordPress plugin MW WP Form (versions up to and including 5.1.3) with a Stored Cross-Site Scripting vulnerability via the memo parameter. The root cause is insufficient input sanitization and output escaping, enabling authenticated attackers with editor-level ...

CVE-2026-10721

Concrete CMS

CVE-2026-9019

CVE-2026-9019 affects the WordPress plugin Easy Image Collage (versions up to and including 1.13.6). The issue is a Stored Cross-Site Scripting (Stored XSS) vulnerability arising from insufficient input sanitization and output escaping in the parameters grid[properties][borderColor] and grid[imag...

CVE-2026-11815

CVE-2026-11815 describes insecure deserialization via MITM between a client application and an API Gateway server, potentially allowing deserialization of arbitrary objects and leading to broken security expectations or remote code execution. The vulnerability is associated with the Layer 7 Polic...

CVE-2026-10846

CVE-2026-10846 affects nlnts ldns used as a stub resolver over UDP. FreeBSD advisories confirm that ldns failed to verify response provenance (source IP/port, transaction ID, and question matching), enabling off‑path spoofing of UDP responses and arbitrary data delivery to programs using ldns (e....

CVE-2026-29116

The CVE-2026-29116 entry concerns certain Dahua products. A vulnerability allows an unauthenticated remote attacker to send a crafted packet that triggers an exception, causing the system to reboot and resulting in denial of service. The CVSS baseline score is 8.7 (HIGH) with network access, no p...