CISA-KEV
CRITICAL
Microsoft Exchange Server Cross-Site Scripting Vulnerability
Microsoft Exchange Server contains a cross-site scripting vulnerability during web page generation in Outlook Web Access and when certain interaction conditions are met, arbitrary JavaScript can be executed in the browser context.
Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
CISA-KEV
CRITICAL
Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability
Cisco Catalyst SD-WAN Controller & Manager contain an authentication bypass vulnerability that allows an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system.
Required action: Please adhere to CISA’s guidelines to assess exposure and mitigate risks associated with Cisco SD-WAN devices as outlined in CISA’s Emergency Directive 26-03 (URL listed below in Notes) and CISA’s Hunt & Hardening Guidance for Cisco SD-WAN Devices (URL listed below in Notes). Adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.
GitHub-GHSA
CRITICAL
utcp-cli Vulnerable to Command Injection via Unsanitized Argument Substitution in CLI Communication Protocol
GHSA-33p6-5jxp-p3x4
pkg: utcp-cli
eco: pip
published: May 14, 2026
## Summary
The `_substitute_utcp_args` method in `cli_communication_protocol.py` inserts user-controlled `tool_args` values directly into shell command strings without any sanitization or escaping. These commands are then executed via `/bin/bash -c` (Unix) or `powershell.exe -Command` (Windows), al…
CVE-2026-45369
NVD
CRITICAL
CVE-2026-44523
Note Mark is an open-source note-taking application. Prior to 0.19.4, no minimum length or entropy is enforced on the JWT_SECRET configuration value. The application accepts any base64-decodable secret regardless of size, including secrets as short as 1 byte. This vulnerability is fixed in 0.19.4.
CWE: CWE-326, CWE-345
NVD
CRITICAL
CVE-2026-44006
vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, It is possible to reach BaseHandler.getPrototypeOf, which can be used to get arbitrary prototypes. This vulnerability is fixed in 3.11.0.
CWE: CWE-94
NVD
CRITICAL
CVE-2026-44005
vm2 is an open source vm/sandbox for Node.js. From 3.9.6 to 3.10.5, vm2's bridge exposes mutable proxies for real host-realm intrinsic prototypes and then forwards sandbox writes into the underlying host objects with otherReflectSet() and otherReflectDefineProperty(), which lets attacker-controlled …
CWE: CWE-94, CWE-1321
NVD
CRITICAL
CVE-2026-43997
vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, it is possible to obtain the host Object. There are various ways to use the host Object, to escape the sandbox, one example would be using HostObject.getOwnPropertySymbols to obtain Symbol(nodejs.util.inspect.custom). This vulnerability …
CWE: CWE-94
GitHub-GHSA
CRITICAL
Dalfox Server Mode Vulnerable to Unauthenticated Remote Code Execution via `found-action`
GHSA-v25v-m36w-jp4h
pkg: github.com/hahwul/dalfox/v2
eco: go
published: May 12, 2026
# GHSA: Unauthenticated Remote Code Execution via `found-action` in Dalfox Server Mode
## Summary
When dalfox is started in REST API server mode (`dalfox server`), the server binds to `0.0.0.0:6664` by default and requires no API key unless the operator explicitly passes `–api-key`. Because `mode…
CVE-2026-45087
NVD
CRITICAL
CVE-2026-42869
SOCFortress CoPilot focuses on providing a single pane of glass for all your security operations needs. Prior to 0.1.57, SOCFortress CoPilot ships a hardcoded JWT signing secret as a fallback value in backend/app/auth/utils.py:28 and ships it verbatim in .env.example. Any deployment where JWT_SECRET…
CWE: CWE-287, CWE-522, CWE-798
GitHub-GHSA
CRITICAL
SandboxJS has a sandbox escape via Function.caller leakage of internal call op
GHSA-g8f2-4f4f-5jqw
pkg: @nyariv/sandboxjs
eco: npm
published: May 11, 2026
### Summary
Sandbox-defined functions expose `Function.caller`, allowing sandboxed code to recover the internal `LispType.Call` runtime callback. That callback can then be invoked with attacker-controlled fake context and obj values to extract blocked host statics, recover the real host Function con…
CVE-2026-43898
NVD
CRITICAL
CVE-2026-44643
Angular Expressions provides expressions for the Angular.JS web framework as a standalone module. Prior to 1.5.2, an attacker can write a malicious expression using filters that escapes the sandbox to execute arbitrary code on the system. This vulnerability is fixed in 1.5.2.
CWE: CWE-95
NVD
CRITICAL
CVE-2026-43999
vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, NodeVM's builtin allowlist can be bypassed when the module builtin is allowed (including via the '*' wildcard). The module builtin exposes Node's Module._load(), which loads any module by name directly in the host context, completely byp…
CWE: CWE-863
NVD
CRITICAL
CVE-2026-43948
wger is a free, open-source workout and fitness manager. Prior to 2.6, the reset_user_password and gym_permissions_user_edit views in wger perform a gym-scope authorization check using Python object comparison (!=) that evaluates None != None as False, silently bypassing the guard when both the atta…
CWE: CWE-863
NVD
CRITICAL
CVE-2026-7813
Authorization vulnerability in pgAdmin 4 server mode affecting Server Groups, Servers, Shared Servers, Background Processes, and Debugger modules.
Multiple endpoints fetched user-owned objects without filtering by the requesting user's identity. An authenticated user could access another user's pri…
CWE: CWE-284
NVD
CRITICAL
CVE-2026-44717
MCP Calculate Server is a mathematical calculation service based on MCP protocol and SymPy library. Prior to 0.1.1, the use of eval() to evaluate mathematical expressions without proper input sanitization leads to remote code execution. This vulnerability is fixed in 0.1.1.
CWE: CWE-94
NVD
CRITICAL
CVE-2026-5229
The Form Notify plugin for WordPress is vulnerable to Authentication Bypass in versions up to and including 1.1.10. This is due to the plugin trusting user-controlled cookie data to determine which WordPress account to authenticate after a LINE OAuth login. When LINE doesn't provide an email address…
CWE: CWE-287
GitHub-GHSA
CRITICAL
vm2 Has a Sandbox Breakout Using Async Generator
GHSA-248r-7h7q-cr24
pkg: vm2
eco: npm
published: May 14, 2026
### Summary
VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system.
### Details
It is possible to catch a host exception using the `yield*` expression inside an async generator.…
CVE-2026-45411
GitHub-GHSA
CRITICAL
Marten has an injection vulnerability in its full-text search regConfig parameter
GHSA-vmw2-qwm8-x84c
pkg: Marten
eco: nuget
published: May 14, 2026
## Summary
Marten's full-text search APIs interpolated the user-supplied `regConfig` parameter directly into the generated SQL without parameterization or validation, making every code path that exposes `regConfig` to untrusted input a SQL injection sink.
## Affected APIs
– `IQuerySession.SearchA…
CVE-2026-45288
NVD
CRITICAL
CVE-2026-42589
Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.31.0, Gotenberg's /forms/pdfengines/metadata/write HTTP endpoint accepts a JSON metadata object and passes its keys directly to ExifTool via the go-exiftool library. No validation is performed on key characters. A \n embedded in a…
CWE: CWE-78
NVD
CRITICAL
CVE-2026-45411
vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.3, it is possible to catch a host exception using the yield* expression inside an async generator. When the generator is closed using the return function, the value is awaited on and exceptions thrown in the then call will be caught by the …
CWE: CWE-668
NVD
CRITICAL
CVE-2026-44009
vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.2, This vulnerability is fixed in 3.11.2.
CWE: CWE-668
NVD
CRITICAL
CVE-2026-44008
vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.2, the new method neutralizeArraySpeciesBatch works with objects from the other side but can call into this side via getter on the array prototype exposing objects of the wrong side into the sandbox. This can be used to get host objects and…
CWE: CWE-668
GitHub-GHSA
CRITICAL
Goobi viewer – Core: Unauthenticated Solr Streaming Expression Proxy
GHSA-2rgp-f66f-4499
pkg: io.goobi.viewer:viewer-core
eco: maven
published: May 13, 2026
### Summary
The Goobi viewer REST endpoint `POST /api/v1/index/stream` accepted an arbitrary Solr streaming
expression from unauthenticated network clients and forwarded it to the backend Solr server without restriction.
An attacker could read the complete Solr index and, in default Solr deployment…
CVE-2026-45083
GitHub-GHSA
CRITICAL
SillyTavern has Authentication Bypass via SSO Header Injection
GHSA-gxx6-h3g6-vwjh
pkg: sillytavern
eco: npm
published: May 12, 2026
## Resolution
SillyTavern 1.18.0 now includes a configuration option to limit which IP addresses can authorize using SSO headers, limiting to just loopback addresses by default. A setting can be customized according to user's needs.
Documentation: https://docs.sillytavern.app/administration/sso/
…
CVE-2026-44649
NVD
CRITICAL
CVE-2026-45185
Exim before 4.99.3, in certain GnuTLS configurations, has a remotely reachable use-after-free in the BDAT body parsing path. It is triggered when a client sends a TLS close_notify mid-body during a CHUNKING transfer, followed by a final cleartext byte on the same TCP connection. This can lead to hea…
CWE: CWE-416
NVD
CRITICAL
CVE-2026-31239
The mamba language model framework thru 2.2.6 is vulnerable to insecure deserialization (CWE-502) when loading pre-trained models from HuggingFace Hub. The MambaLMHeadModel.from_pretrained() method uses torch.load() to load the pytorch_model.bin weight file without enabling the security-restrictive …
CWE: CWE-502
NVD
CRITICAL
CVE-2026-31238
The Ludwig framework thru 0.10.4 is vulnerable to insecure deserialization (CWE-502) in its model serving component. When starting a model server with the ludwig serve command, the framework loads model weight files using torch.load() without enabling the security-restrictive weights_only=True param…
CWE: CWE-502
NVD
CRITICAL
CVE-2026-31237
The Ludwig framework thru 0.10.4 is vulnerable to insecure deserialization (CWE-502) through its predict() method. When a user provides a dataset file path to the predict() method, the framework automatically determines the file format. If the file is a pickle (.pkl) file, it is loaded using pandas.…
CWE: CWE-502
NVD
CRITICAL
CVE-2026-31236
The llm CLI tool thru 0.27.1 contains a critical code injection vulnerability via its –functions command-line argument. This argument is intended to allow users to provide custom Python function definitions. However, the tool directly executes the provided code using the unsafe exec() function with…
CWE: CWE-94
NVD
CRITICAL
CVE-2026-31235
The imgaug library thru 0.4.0 contains an insecure deserialization vulnerability in its BackgroundAugmenter class within the multicore.py module. The class uses Python's pickle module to deserialize data received via a multiprocessing queue in the _augment_images_worker() method without any safety c…
CWE: CWE-502
NVD
CRITICAL
CVE-2026-31231
Cognee thru v0.4.0 contains a critical remote code execution vulnerability in its notebook cell execution API endpoint. The endpoint is designed to execute arbitrary Python code provided by the user, but it does so using the unsafe exec() function without any sandboxing, validation, or security cont…
CWE: CWE-94
NVD
CRITICAL
CVE-2026-31230
The Adversarial Robustness Toolbox (ART) thru 1.20.1 contains a command-line argument injection vulnerability in its Kubeflow component (robustness_evaluation_fgsm_pytorch.py). The script uses the unsafe eval() function to parse string values provided via the –clip_values and –input_shape command-…
CWE: CWE-88
NVD
CRITICAL
CVE-2026-31229
The Adversarial Robustness Toolbox (ART) thru 1.20.1 contains an insecure deserialization vulnerability (CWE-502) in its Kubeflow component's model loading functionality. When loading model weights from a file (e.g., model.pt) during robustness evaluation, the code uses torch.load() without the secu…
CWE: CWE-502
NVD
CRITICAL
CVE-2026-31228
The Adversarial Robustness Toolbox (ART) thru 1.20.1 contains a remote code execution vulnerability in its Kubeflow component. The robustness evaluation function for PyTorch models uses the unsafe eval() function to dynamically evaluate user-supplied strings for the LossFn and Optimizer parameters w…
CWE: CWE-94
NVD
CRITICAL
CVE-2026-31220
PySyft (Syft Datasite/Server) versions 0.9.5 and earlier are vulnerable to remote code execution due to insufficient validation and sandboxing of user-submitted code. The system allows low-privileged users to submit Python functions (via @sy.syft_function()) for remote execution on the server. While…
CWE: CWE-94
NVD
CRITICAL
CVE-2026-31217
The _load_model() function in the neural_magic_training.py script of the optimate project in commit a6d302f912b481c94370811af6b11402f51d377f (2024-07-21) allows arbitrary code execution. When a user supplies a directory path via the –model command-line argument, the function reads a module.py file …
CWE: CWE-94
NVD
CRITICAL
CVE-2026-31214
The torch-checkpoint-shrink.py script in the ml-engineering project in commit 0099885db36a8f06556efe1faf552518852cb1e0 (2025-20-27) contains an insecure deserialization vulnerability (CWE-502). The script uses torch.load() to process PyTorch checkpoint files (.pt) without enabling the security-restr…
CWE: CWE-502
GitHub-GHSA
CRITICAL
WebdriverIO BrowserStack Service has a Command Injection issue
GHSA-5c46-x3qw-q7j7
pkg: @wdio/browserstack-service
eco: npm
published: May 11, 2026
### Summary
A command injection vulnerability exists in `@wdio/browserstack-service` that allows remote code execution (RCE) when processing git branch names in test orchestration. An attacker can exploit this by providing a malicious git repository with a branch name containing shell command inject…
CVE-2026-25244
GitHub-GHSA
CRITICAL
DeepSeek TUI: task_create Insecure Defaults Enable RCE via Prompt Injection in Project Files
GHSA-72w5-pf8h-xfp4
pkg: deepseek-tui
eco: rust
published: May 14, 2026
### Summary
The `task_create` tool spawns durable sub-agents that inherit two insecure defaults:
– `allow_shell` defaults to `true` (`config.rs:1499`: `self.allow_shell.unwrap_or(true)`)
– `auto_approve` defaults to `true` (`task_manager.rs:297`: `auto_approve: Some(true)`)
When a user approves a…
CVE-2026-45374
GitHub-GHSA
CRITICAL
DeepSeek TUI: run_tests Tool Enables RCE via Malicious Repository Without Approval
GHSA-wx44-2q6h-j6p8
pkg: deepseek-tui, deepseek-tui-cli, deepseek-tui
eco: npm
published: May 14, 2026
### Summary
The `run_tests` tool executes `cargo test` in the workspace with `ApprovalRequirement::Auto`, meaning it runs without any user approval prompt. The source code explicitly states this design choice:
“`rust
fn approval_requirement(&self) -> ApprovalRequirement {
// Tests are encoura…
CVE-2026-45311
NVD
CRITICAL
CVE-2026-8511
Use after free in UI in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
CWE: CWE-416
NVD
CRITICAL
CVE-2026-44482
soundcloud-rpc is a SoundCloud Client with Discord Rich Presence, Dark Mode, Last.fm and AdBlock support. Prior to 0.1.8, a track title containing an HTML payload executed locally in the Electron app. This means attacker-controlled SoundCloud track metadata can lead to local command execution on the…
CWE: CWE-20, CWE-79, CWE-94, CWE-862
GitHub-GHSA
CRITICAL
Obot has an authorization bypass in /mcp-connect/{id} that allows any authenticated user to use any registered MCP server
GHSA-vw82-7fv8-r6gp
pkg: github.com/obot-platform/obot
eco: go
published: May 13, 2026
## Summary
If you have the MCP Server ID, you can connect to the MCP server even if you don't have permissions to the server.
The MCP gateway endpoint `/mcp-connect/{mcp_id}` does not enforce Access Control Rules (ACRs). Any authenticated Obot user who possesses an MCP Server ID can connect to tha…
GitHub-GHSA
CRITICAL
Malware in @tanstack/* packages exfiltrates cloud credentials, GitHub tokens, and SSH keys
GHSA-g7cv-rxg3-hmpx
pkg: @tanstack/arktype-adapter, @tanstack/eslint-plugin-router, @tanstack/eslint-plugin-start
eco: npm
published: May 12, 2026
## Summary
On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 `@tanstack/*` packages were published to the npm registry. The publishes were authenticated via the legitimate GitHub Actions OIDC trusted-publisher binding for `TanStack/router`, but the publish wo…
CVE-2026-45321
GitHub-GHSA
CRITICAL
PraisonAI MCP `tools/call` path-traversal => RCE via Python `.pth` injection
GHSA-9mqq-jqxf-grvw
pkg: PraisonAI
eco: pip
published: May 11, 2026
## Summary
PraisonAI's MCP (Model Context Protocol) server (`praisonai mcp serve`) registers four file-handling tools by default — `praisonai.rules.create`, `praisonai.rules.show`, `praisonai.rules.delete`, and `praisonai.workflow.show`. Each accepts a path or filename string from MCP `tools/call…
CVE-2026-44336
NVD
CRITICAL
CVE-2026-42596
Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.31.0, the default deny-lists used by Gotenberg's downloadFrom feature and webhook feature are bypassable. Because the filter is regex-based and case-sensitive, an unauthenticated attacker can supply URLs such as http://[::ffff:127…
CWE: CWE-918
NVD
CRITICAL
CVE-2026-42882
oxyno-zeta/s3-proxy is an aws s3 proxy written in go. Prior to 5.0.0, s3-proxy contains an authentication bypass caused by inconsistent URL path interpretation between the authentication middleware and the bucket handler. The authentication middleware evaluates resource path patterns against the per…
CWE: CWE-22, CWE-863
GitHub-GHSA
CRITICAL
Apostrophe has default XSS via `xmp` raw-text passthrough in `sanitize-html`
GHSA-rpr9-rxv7-x643
pkg: sanitize-html
eco: npm
published: May 14, 2026
### Summary
Under the default configuration, `sanitize-html` can turn attacker-controlled content inside a disallowed `xmp` element into live HTML or JavaScript. This is a sanitizer bypass in the default `disallowedTagsMode: 'discard'` path and can lead to stored XSS in applications that render sani…
CVE-2026-44990
NVD
CRITICAL
CVE-2026-43900
DeepChat is an open-source artificial intelligence agent platform that unifies models, tools, and agents. Prior to v1.0.4-beta.1, a Cross-Site Scripting (XSS) vulnerability exists due to a discrepancy between the backend validation layer and the frontend browser rendering engine. The SVGSanitizer (s…
CWE: CWE-79
NVD
CRITICAL
CVE-2026-41258
OpenMRS is an open source electronic medical record system platform. From 2.7.0 to before 2.7.9 and 2.8.6, the ConceptReferenceRangeUtility.evaluateCriteria() method in OpenMRS Core evaluates database-stored criteria strings as Apache Velocity templates without any sandbox configuration. The Velocit…
CWE: CWE-94
GitHub-GHSA
CRITICAL
@samanhappy/mcphub: SSE Endpoint Accepts Arbitrary Username from URL Path Without Authentication, Enabling User Impersonation
GHSA-wf8q-wvv8-p8jf
pkg: @samanhappy/mcphub
eco: npm
published: May 14, 2026
### Summary
A critical identity spoofing vulnerability in MCPHub allows any unauthenticated user to impersonate any other user — including administrators — on SSE (Server-Sent Events) and MCP transport endpoints. The server accepts a username from the URL path parameter and creates an internal …
NVD
CRITICAL
CVE-2026-42555
Valtimo is an open-source business process automation platform. com.ritense.valtimo:document from 12.0.0 to before 12.32.0, com.ritense.valtimo:case from 13.0.0 to before 13.23.0, and com.ritense.valtimo:contract from 13.4.0 to before 13.23.0 evaluate Spring Expression Language (SpEL) expressions fr…
CWE: CWE-94
NVD
CRITICAL
CVE-2026-44351
fast-jwt provides fast JSON Web Token (JWT) implementation. Prior to 6.2.4, a critical authentication-bypass vulnerability in fast-jwt's async key-resolver flow allows any unauthenticated attacker to forge arbitrary JWTs that are accepted as authentic. When the application's key resolver returns an …
CWE: CWE-287, CWE-326, CWE-1391
NVD
CRITICAL
CVE-2026-44007
vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.1, when a NodeVM is created with nesting: true, sandbox code can unconditionally require('vm2') regardless of the outer VM's require configuration — including require: false. With access to vm2, the sandbox constructs a new inner NodeVM w…
CWE: CWE-284
GitHub-GHSA
CRITICAL
SillyTavern has a Path Traversal issue
GHSA-886q-f44j-h6wh
pkg: sillytavern
eco: npm
published: May 12, 2026
## Summary
`POST /api/extensions/delete` endpoint accepts `extensionName: "."` which bypasses
`sanitize-filename` validation, causing the entire user extensions directory to be
recursively deleted. No authentication is required in the default configuration.
## Affected File
`src/endpoints/exten…
CVE-2026-44650
GitHub-GHSA
CRITICAL
sealed-env: TOTP secret embedded in unseal token payload (enterprise mode)
GHSA-x3r2-fj3r-g5mv
pkg: sealed-env, io.github.davidalmeidac:sealed-env-core
eco: npm
published: May 12, 2026
In sealed-env enterprise mode, versions 0.1.0-alpha.1 through 0.1.0-alpha.3 embedded the operator's literal TOTP secret in the JWS payload of every minted unseal token. JWS payload is base64-encoded JSON, NOT encrypted. Any party who could observe a minted token (CI build logs, container env dumps, …
CVE-2026-45091
NVD
CRITICAL
CVE-2026-45091
sealed-env is a cross-stack, zero-trust secret management library for Node.js and Java/Spring Boot. In sealed-env enterprise mode, versions 0.1.0-alpha.1 through 0.1.0-alpha.3 embedded the operator's literal TOTP secret in the JWS payload of every minted unseal token. JWS payload is base64-encoded J…
CWE: CWE-200, CWE-522
GitHub-GHSA
CRITICAL
Unity Catalog has a JWT Issuer Validation Bypass tht Allows Complete User Impersonation
GHSA-qqcj-rghw-829x
pkg: io.unitycatalog:unitycatalog-server
eco: maven
published: May 11, 2026
**Context:**
A critical authentication bypass vulnerability exists in the Unity Catalog token exchange endpoint (/api/1.0/unity-control/auth/tokens). The endpoint extracts the issuer (iss) claim from incoming JWTs and uses it to dynamically fetch the JWKS endpoint for signature validation without va…
CVE-2026-27478
NVD
CRITICAL
CVE-2026-42457
vCluster Platform provides a Kubernetes platform for managing virtual clusters, multi-tenancy, and cluster sharing. Prior to 4.4.3, 4.5.5, 4.6.2, 4.7.1, and 4.8.0, there is a Stored XSS attack vulnerability via the name field of a templateRef. This can lead to the execution of arbitrary external scr…
CWE: CWE-79
GitHub-GHSA
CRITICAL
SiYuan Bazaar marketplace renders unescaped package `name` and `version` metadata, allowing stored XSS and Electron code execution
GHSA-27qc-m5gf-jv5r
pkg: github.com/siyuan-note/siyuan/kernel
eco: go
published: May 13, 2026
### Summary
SiYuan's Bazaar (community marketplace) renders the `name` and `version` fields of a package's `plugin.json` (and the equivalent `theme.json` / `template.json` / `widget.json` / `icon.json`) into the Settings → Marketplace UI without HTML escaping. The kernel-side helper `sanitizePack…
CVE-2026-45375
NVD
CRITICAL
CVE-2026-41901
Thymeleaf is a server-side Java template engine for web and standalone environments. Prior to 3.1.5.RELEASE, a security bypass vulnerability exists in the expression execution mechanisms of Thymeleaf. Although the library provides mechanisms to avoid the execution of potentially dangerous expression…
CWE: CWE-917, CWE-1336
GitHub-GHSA
CRITICAL
Amazon Redshift Vulnerable to Remote Code Execution via Unsafe Class Loading
GHSA-wmmv-vvg5-993q
pkg: com.amazon.redshift:redshift-jdbc42
eco: maven
published: May 14, 2026
### Summary
Amazon Redshift JDBC Driver is a Type 4 JDBC driver that provides database connectivity through the standard JDBC application program interfaces (APIs). An issue exists in versions prior to 2.2.2 where the driver could load arbitrary classes when processing certain connection URL paramet…
CVE-2026-8178
GitHub-GHSA
CRITICAL
Electerm Local code through electerm's single-instance socket
GHSA-7p5m-v798-f8vv
pkg: electerm
eco: npm
published: May 14, 2026
### Impact
_Local code execution without UI interaction: any same-user process can send a JSON payload to electerm's single-instance socket/pipe, causing the app to create tabs and potentially spawn attacker-controlled local processes. Affects electerm single-instance installs on the machine._
### …
CVE-2026-45353
GitHub-GHSA
CRITICAL
Electerm: Importing unsafe bookmark data could lead to unsafe operation when clicking local type bookmark
GHSA-jgg9-rw32-44pj
pkg: electerm
eco: npm
published: May 14, 2026
### Impact
_Persistent local-pty code execution via imported bookmarks or compromised sync targets. Affects users who import bookmark JSON files or who have electerm sync configured (gist/WebDAV). The attacker can inject `exec*` fields or global config to cause remote code to run when a bookmark is …
CVE-2026-45058
GitHub-GHSA
CRITICAL
Portainer has an endpoint security bypass via Swarm service create/update
GHSA-5fxq-qcf3-244w
pkg: github.com/portainer/portainer, github.com/portainer/portainer, github.com/portainer/portainer
eco: go
published: May 14, 2026
## Summary
Portainer enforces seven `EndpointSecuritySettings` restrictions that administrators configure to restrict the container configurations non-admin users can launch: **privileged mode**, **host PID namespace**, **device mapping**, **capabilities**, **sysctls**, **security-opt (Seccomp / Ap…
CVE-2026-44849
GitHub-GHSA
CRITICAL
Portainer missing authorization on Docker plugin endpoints, which allows host RCE
GHSA-rrmm-9v76-h3p4
pkg: github.com/portainer/portainer, github.com/portainer/portainer, github.com/portainer/portainer
eco: go
published: May 14, 2026
## Summary
Portainer enforces Role-Based Access Control (RBAC) on top of the Docker API. The proxy layer routes incoming Docker API requests to per-resource handlers (containers, images, services, volumes, etc.) that apply authorization checks.
The Docker plugin management endpoints (`/plugins/*`)…
CVE-2026-44848
GitHub-GHSA
CRITICAL
n8n Has an XML Node Prototype Pollution Patch Bypass
GHSA-wrwr-h859-xh2r
pkg: n8n, n8n, n8n
eco: npm
published: May 14, 2026
## Impact
An authenticated user with permission to create or modify workflows could bypass the patch for GHSA-hqr4-h3xv-9m3r in the XML node. When combined with other nodes, this could lead to RCE on the n8n host.
## Patches
The issue has been fixed in n8n versions 1.123.43, 2.20.7, and 2.22.1. Use…
CVE-2026-44791
GitHub-GHSA
CRITICAL
n8n Has an Arbitrary File Read via Git Node
GHSA-57g9-58c2-xjg3
pkg: n8n, n8n, n8n
eco: npm
published: May 14, 2026
## Impact
An authenticated user with permission to create or modify workflows could inject CLI flags on the Git node's Push operation allowing an attacker to read arbitrary files from the n8n server potentially leading to full compromise.
## Patches
The issue has been fixed in n8n versions 1.123.43…
CVE-2026-44790
GitHub-GHSA
CRITICAL
n8n: HTTP Request Node Pagination Prototype Pollution to RCE
GHSA-c8xv-5998-g76h
pkg: n8n, n8n, n8n
eco: npm
published: May 14, 2026
## Impact
An authenticated user with permission to create or modify workflows could achieve global prototype pollution via an unvalidated pagination parameter in the HTTP Request node. Combined with other techniques this could lead to RCE on the instance.
## Patches
The issue has been fixed in n8n …
CVE-2026-44789
GitHub-GHSA
CRITICAL
FlowiseAI: Authenticated Host RCE via POST /api/v1/node-custom-function and NodeVM Sandbox Escape
GHSA-9rvc-vf7m-pgm2
pkg: flowise
eco: npm
published: May 14, 2026
### Summary
`POST /api/v1/node-custom-function` lacks route-level authorization, allowing any authenticated user or API key to submit arbitrary JavaScript to the `Custom JS Function` node.
When `E2B_APIKEY` is not configured — the common deployment case — Flowise executes this code inside a `N…
CVE-2026-46442
GitHub-GHSA
CRITICAL
Strapi may leak sensitive data via relational filtering due to lack of query sanitization
GHSA-rjg2-95×7-8qmx
pkg: @strapi/strapi
eco: npm
published: May 14, 2026
### Summary of CVE-2026-27886 Vulnerability Details
– CVE: CVE-2026-27886
– CVSS v3.1 Vector: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N` (9.3 — Critical)
– Affected Versions: `@strapi/strapi` <=5.36.1
– How to Patch: Immediately update your Strapi to >=5.37.0
### Descripti…
CVE-2026-27886
GitHub-GHSA
CRITICAL
Strapi Vulnerable to SQL Injection in Content Type Builder
GHSA-3xcq-8mjw-h6mx
pkg: @strapi/content-type-builder, @strapi/plugin-content-type-builder
eco: npm
published: May 13, 2026
### Summary of CVE-2026-22599 Vulnerability Details
– CVE: CVE-2026-22599
– CVSS v3.1 Vector: `CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N` (9.3 — Critical)
– Affected Versions: `@strapi/content-type-builder` <=5.33.1 (v5), `@strapi/plugin-content-type-builder` <=4.26.0 (v4)
-…
CVE-2026-22599
GitHub-GHSA
CRITICAL
Mapfish Print: Remote Code Injection (RCE) in Dynamic table
GHSA-q7m6-wpvf-mvwx
pkg: org.mapfish.print:print-lib, org.mapfish.print:print-lib, org.mapfish.print:print-lib
eco: maven
published: May 13, 2026
### Impact
The attacker can execute arbitrary code without being authenticated
### Mitigation
Upgrade to a patched version (please check affected/patched version matrix)
### Credits
Bug Bounty of Canton du Jura
CVE-2026-44672
GitHub-GHSA
CRITICAL
esm.sh: Legacy Route Path Traversal Can Lead to RCE
GHSA-3636-h3vx-6465
pkg: github.com/esm-dev/esm.sh
eco: go
published: May 12, 2026
### Impact
– Arbitrary File Write – An attacker can cause the server to write data to any file path it has write permission for.
– Privilege Escalation / RCE – By overwriting critical binaries or scripts, the attacker can execute arbitrary code with the server’s privileges.
### Exploit
The l…
CVE-2026-44593
GitHub-GHSA
CRITICAL
OpenClaude Sandbox Bypass via Model-Controlled `dangerouslyDisableSandbox` Input
GHSA-m77w-p5jj-xmhg
pkg: openclaude
eco: npm
published: May 12, 2026
### Summary
The `dangerouslyDisableSandbox` parameter is exposed as part of the BashTool input schema, meaning the LLM (an untrusted principal per the project's own threat model) can set it to `true` in any `tool_use` response. Combined with the default `allowUnsandboxedCommands: true` setting, a pr…
CVE-2026-42074
GitHub-GHSA
CRITICAL
Angular Expressions – Remote Code Execution using filters
GHSA-pw8r-6689-xvf4
pkg: angular-expressions
eco: npm
published: May 11, 2026
## Impact
An attacker can write a malicious expression that escapes the sandbox to execute arbitrary code on the system.
Example of vulnerable code:
“`
const expressions = require("angular-expressions");
const result = expressions.compile("a | __proto__")({}, {});
“`
This should throw the erro…
CVE-2026-44643
GitHub-GHSA
CRITICAL
CloudNativePG's metrics exporter allows privilege escalation to PostgreSQL superuser and OS RCE
GHSA-423p-g724-fr39
pkg: github.com/cloudnative-pg/cloudnative-pg, github.com/cloudnative-pg/cloudnative-pg
eco: go
published: May 11, 2026
### Impact
The CloudNativePG metrics exporter opens its PostgreSQL connection as the `postgres` superuser via the pod-local Unix socket, then demotes the session with `SET ROLE pg_monitor`. `SET ROLE` changes only `current_user`; `session_user` remains `postgres`. That residual superuser identity i…
CVE-2026-44477
NVD
HIGH
CVE-2026-8719
The AI Engine – The Chatbot, AI Framework & MCP for WordPress plugin for WordPress is vulnerable to Privilege Escalation in version 3.4.9. This is due to missing WordPress capability enforcement in the MCP OAuth bearer-token authorization path, where any valid OAuth token causes MCP access to be g…
CWE: CWE-269
GitHub-GHSA
HIGH
Budibase: `PUT /api/datasources/:datasourceId` is protected only by `TABLE/READ` permission instead of builder access, allowing any authenticated app user to overwrite datasource connection parameters including host, port, and URL
GHSA-44m2-crh7-f4q2
pkg: @budibase/server
eco: npm
published: May 15, 2026
## Summary
Budibase exposes a REST API for datasource management. The route `PUT /api/datasources/:datasourceId` is registered in the `authorizedRoutes` group with `TABLE/READ` permission. This is the same authorization level as the read endpoint (`GET /api/datasources/:datasourceId`). Every authen…
CVE-2026-45717
GitHub-GHSA
HIGH
Open WebUI: Jupyter code execution works despite `ENABLE_CODE_EXECUTION=false` — feature gate bypassed
GHSA-482j-2pq6-q5w4
pkg: open-webui
eco: pip
published: May 14, 2026
### Summary
The `/api/v1/utils/code/execute` endpoint executes arbitrary Python code via Jupyter for any verified user, even when the admin has set `ENABLE_CODE_EXECUTION=false`. The feature gate is not enforced on the API endpoint — the configuration says "disabled" but code still executes.
###…
CVE-2026-45672
NVD
HIGH
CVE-2026-8532
Integer overflow in XML in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
CWE: CWE-472
NVD
HIGH
CVE-2026-8531
Heap buffer overflow in WebML in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
CWE: CWE-122
NVD
HIGH
CVE-2026-8529
Heap buffer overflow in Codecs in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted video file. (Chromium security severity: High)
CWE: CWE-122
NVD
HIGH
CVE-2026-8527
Insufficient validation of untrusted input in Downloads in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
CWE: CWE-20
NVD
HIGH
CVE-2026-8526
Out of bounds write in WebRTC in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
CWE: CWE-787
NVD
HIGH
CVE-2026-8524
Out of bounds write in WebAudio in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
CWE: CWE-787
NVD
HIGH
CVE-2026-8522
Use after free in Downloads in Google Chrome on Mac prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)
CWE: CWE-416
NVD
HIGH
CVE-2026-8519
Integer overflow in ANGLE in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)
CWE: CWE-472
NVD
HIGH
CVE-2026-8518
Use after free in Blink in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Critical)
CWE: CWE-416
NVD
HIGH
CVE-2026-8517
Object lifecycle issue in WebShare in Google Chrome on Mac prior to 148.0.7778.168 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)
CWE: CWE-664
NVD
HIGH
CVE-2026-8509
Heap buffer overflow in WebML in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Critical)
CWE: CWE-122
NVD
HIGH
CVE-2026-43909
OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation. Prior to 3.0.18.0 and 3.1.13.0, a signed 32-bit integer overflow in the loop index expression i * 4 inside SwapRGBABytes() causes the function to compute a large negative…
CWE: CWE-125, CWE-190, CWE-787
NVD
HIGH
CVE-2026-43908
OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation. Prior to 3.0.18.0 and 3.1.13.0, a signed 32-bit integer overflow in the pixel-loop index expression i * 3 inside ConvertCbYCrYToRGB() causes the function to compute a lar…
CWE: CWE-190, CWE-787
NVD
HIGH
CVE-2026-44827
Diffusers is the a library for pretrained diffusion models. Prior to 0.38.0, diffusers 0.37.0 allows remote code execution without the trust_remote_code=True safeguard when loading pipelines from Hugging Face Hub repositories. The _resolve_custom_pipeline_and_cls function in pipeline_loading_utils.…
CWE: CWE-94
NVD
HIGH
CVE-2026-44293
protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript for toObject conversion could include an unsafe expression derived from a schema-controlled bytes field default value. A crafted descriptor with a non-string default val…
CWE: CWE-94
NVD
HIGH
CVE-2026-45227
Heym before 0.0.21 contains a sandbox escape vulnerability in the custom Python tool executor that allows authenticated workflow authors to bypass sandbox restrictions by using object-graph introspection primitives. Attackers can use Python introspection techniques to recover the unrestricted __impo…
CWE: CWE-693
NVD
HIGH
CVE-2026-44224
Wiki.js is an open source wiki app built on Node.js. Prior to 2.5.313, the users.update GraphQL mutation accepts an arbitrary groups array and applies it directly to the database with no validation of the group IDs supplied. The resolver passes the caller's arguments straight to the model without an…
CWE: CWE-269
NVD
HIGH
CVE-2026-34329
Heap-based buffer overflow in Windows Message Queuing allows an unauthorized attacker to execute code over an adjacent network.
CWE: CWE-122
NVD
HIGH
CVE-2026-31232
The CosyVoice project thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-30-21) contains an insecure deserialization vulnerability (CWE-502) in its model loading process. When loading model files (.pt) from a user-specified directory (via the –model_dir argument), the code uses torch.load()…
CWE: CWE-502
NVD
HIGH
CVE-2026-31225
The superduper project thru v0.10.0 contains a critical remote code execution vulnerability in its query parsing component. The _parse_op_part() function in query.py uses the unsafe eval() function to dynamically evaluate user-supplied query operands without proper sanitization or restriction. Altho…
CWE: CWE-94
NVD
HIGH
CVE-2026-31224
The snorkel library thru v0.10.0 contains an insecure deserialization vulnerability (CWE-502) in the MultitaskClassifier.load() method of the MultitaskClassifier class. The method loads model weight files using torch.load() without enabling the security-restrictive weights_only=True parameter. This …
CWE: CWE-502
NVD
HIGH
CVE-2026-31223
The snorkel library thru v0.10.0 contains a critical insecure deserialization vulnerability (CWE-502) in the BaseLabeler.load() method of the BaseLabeler class. The method loads serialized labeler models using the unsafe pickle.load() function on user-supplied file paths without any validation or se…
CWE: CWE-502, CWE-502
NVD
HIGH
CVE-2026-31222
The snorkel library thru v0.10.0 contains an insecure deserialization vulnerability (CWE-502) in the Trainer.load() method of the Trainer class. The method loads model checkpoint files using torch.load() without enabling the security-restrictive weights_only=True parameter. This default behavior all…
CWE: CWE-502, CWE-502
NVD
HIGH
CVE-2026-31219
The _load_model() function in the neural_magic_training.py script of the optimate project in commit a6d302f912b481c94370811af6b11402f51d377f (2024-07-21) is vulnerable to insecure deserialization (CWE-502). When a user provides a single model file path (e.g., .pt or .pth) via the –model command-lin…
CWE: CWE-502
NVD
HIGH
CVE-2026-31218
The _load_model() function in the neural_magic_training.py script of the optimate project in commit a6d302f912b481c94370811af6b11402f51d377f (2024-07-21) is vulnerable to insecure deserialization (CWE-502). When loading a model state dictionary from a state_dict.pt file via torch.load(), the functio…
CWE: CWE-502
GitHub-GHSA
HIGH
LiteLLM has a sandbox escape in custom-code guardrail
GHSA-wxxx-gvqv-xp7p
pkg: litellm
eco: pip
published: May 11, 2026
### Impact
The `POST /guardrails/test_custom_code` endpoint runs user-supplied Python inside a hand-rolled sandbox. The sandbox can be escaped using bytecode-level techniques, allowing arbitrary code execution in the proxy process — which runs as root in the default Docker image.
**Reaching the …
CVE-2026-40217
GitHub-GHSA
HIGH
Dockerfile command injection via envs[*].name in bentofile.yaml (sibling fix-bypass of CVE-2026-33744 and CVE-2026-35043)
GHSA-w2pm-x38x-jp44
pkg: bentoml
eco: pip
published: May 11, 2026
# BentoML `envs[*].name` Dockerfile command injection — sibling of CVE-2026-33744 / CVE-2026-35043
A malicious `bentofile.yaml` containing a newline-injected value in `envs[*].name` produces unquoted `RUN` directives in the BentoML-generated Dockerfile. When the victim runs `bentoml containerize`…
CVE-2026-44346
GitHub-GHSA
HIGH
BentoML Dockerfile command injection via docker.base_image (sister of pending GHSA-w2pm-x38x-jp44 / CVE-2026-33744 / CVE-2026-35043)
GHSA-78f9-r8mh-4xm2
pkg: bentoml
eco: pip
published: May 11, 2026
The same Dockerfile template that mishandles `envs[*].name` (pending GHSA-w2pm-x38x-jp44) also interpolates `docker.base_image` raw with no escaping, newline filtering, or validation. A malicious bento.yaml with a multi-line `docker.base_image` value smuggles arbitrary Dockerfile directives into the…
CVE-2026-44345
GitHub-GHSA
HIGH
pyLoad is vulnerable to stored XSS in Downloads view via unsanitized link URL in packages.js template literal
GHSA-fcjq-435v-jx94
pkg: pyload-ng
eco: pip
published: May 14, 2026
## Summary
The `packages.js` template at `src/pyload/webui/app/themes/modern/templates/js/packages.js:172` interpolates a stored link URL into a template literal inside single-quoted HTML and then writes the result to the DOM via `$(div).html(html)`. No escaping runs between the API value and `inne…
CVE-2026-45348
GitHub-GHSA
HIGH
Open WebUI has stored XSS via attacker-controlled file extension in /api/v1/audio/transcriptions
GHSA-m8f9-9whg-f4xr
pkg: open-webui
eco: pip
published: May 14, 2026
## Summary
The audio transcription upload endpoint takes the file extension from the user-supplied filename and saves the file under CACHE_DIR/audio/tran…
CVE-2026-45315
GitHub-GHSA
HIGH
protobuf.js: Code injection in pbjs static output from crafted schema names
GHSA-6r35-46g8-jcw9
pkg: protobufjs-cli, protobufjs-cli
eco: npm
published: May 12, 2026
## Summary
`pbjs` static code generation could emit unsafe JavaScript identifiers derived from schema-controlled names. When generating static JavaScript from a crafted schema or JSON descriptor, certain namespace, enum, service, or derived full names could be written into the generated output with…
CVE-2026-44295
GitHub-GHSA
HIGH
Local Path Provisioner Vulnerable to HelperPod Template Injection
GHSA-7fxv-8wr2-mfc4
pkg: github.com/rancher/local-path-provisioner
eco: go
published: May 11, 2026
### Impact
A malicious user with permission to edit the `local-path-config` ConfigMap in the `local-path-storage` namespace can manipulate the `helperPod.yaml` template used by `rancher/local-path-provisioner`.
The `helperPod.yaml` template is loaded by the provisioner and used to create HelperPod…
CVE-2026-44543
NVD
HIGH
CVE-2026-42595
Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, Gotenberg's Chromium URL-to-PDF endpoint (/forms/chromium/convert/url) has no default protection against HTTP/HTTPS-based SSRF. The default deny-list regex only blocks file:// URIs. An unauthenticated attacker can point Chro…
CWE: CWE-918
NVD
HIGH
CVE-2026-44578
Next.js is a React framework for building full-stack web applications. From 13.4.13 to before 15.5.16 and 16.2.5, self-hosted applications using the built-in Node.js server can be vulnerable to server-side request forgery through crafted WebSocket upgrade requests. An attacker can cause the server t…
CWE: CWE-918
NVD
HIGH
CVE-2026-44001
vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, a sandbox escape vulnerability in vm2 v3.10.5 allows any sandboxed code to crash the host Node.js process via a single Promise constructor that triggers an unhandled rejection propagating to the host. The fix for CVE-2026-22709 (v3.10.2)…
CWE: CWE-248
GitHub-GHSA
HIGH
Klever-Go MultiDataInterceptor has remote OOM via crafted compressed P2P payload
GHSA-87m7-qffr-542v
pkg: github.com/klever-io/klever-go
eco: go
published: May 13, 2026
## Summary
A remote, unauthenticated denial-of-service vulnerability in
`Batch.Decompress` (`data/batch/batch.go`) allows any peer that
participates in a topic served by `MultiDataInterceptor` to allocate
multi-gigabyte heaps on the receiving node from a sub-50 KiB gossip
payload. A single packet i…
CVE-2026-44697
GitHub-GHSA
HIGH
Next.js vulnerable to server-side request forgery in applications using WebSocket upgrades
GHSA-c4j6-fc7j-m34r
pkg: next, next
eco: npm
published: May 11, 2026
### Impact
Self-hosted applications using the built-in Node.js server can be vulnerable to server-side request forgery through crafted WebSocket upgrade requests. An attacker can cause the server to proxy requests to arbitrary internal or external destinations, which may expose internal services or…
CVE-2026-44578
GitHub-GHSA
HIGH
PraisonAI has unsafe tool resolution in `ToolExecutionMixin.execute_tool`: undeclared `__main__` callables execute
GHSA-gmjg-hv98-qggq
pkg: praisonaiagents, PraisonAI
eco: pip
published: May 11, 2026
### Summary
`praisonaiagents` resolves unresolved tool names against module globals and `__main__` after it fails to match the declared tool list and the registry. With the default agent configuration, `_perm_allow` is `None`, so undeclared non-dangerous tool names are not rejected by the permission…
CVE-2026-44339
GitHub-GHSA
HIGH
Gotenberg: Server-Side Request Forgery via Chromium URL Endpoint with Redirect-Based Deny-List Bypass
GHSA-chwh-f6gm-r836
pkg: github.com/gotenberg/gotenberg/v8
eco: go
published: May 11, 2026
A review of 4 published Gotenberg security advisories exposed an SSRF issue. GHSA-pjrr-jgp4-v2fm covers SSRF via the `downloadFrom` endpoint. GHSA-pcrp-7g9h-7qhp covers SSRF via the `webhook` endpoint. Neither advisory addresses SSRF through the primary Chromium URL-to-PDF conversion endpoint (`/for…
CVE-2026-42595
GitHub-GHSA
HIGH
Open WebUI has a SSRF Bypass via HTTP Redirect Following in Web-Fetch and Image-Load Endpoints (not addressed by CVE-2025-65958)
GHSA-rh5x-h6pp-cjj6
pkg: open-webui
eco: pip
published: May 14, 2026
# Server-Side Request Forgery (SSRF) Bypass via HTTP Redirect Following in Web-Fetch, Image-Load, and Chat-Completion Endpoints
## Summary
The `validate_url()` function in `backend/open_webui/retrieval/web/utils.py` only validates the *initial* URL submitted by the caller. The HTTP clients used do…
CVE-2026-45401
GitHub-GHSA
HIGH
Open WebUI has a Server-Side Request Forgery (SSRF) bypass in `validate_url`
GHSA-8w7q-q5jp-jvgx
pkg: open-webui
eco: pip
published: May 14, 2026
### Summary
In the open-webui project, a parsing difference between the urlparse and requests libraries led to an SSRF bypass vulnerability.
### Details
In the current project, URL validation is performed using the function validate_url.
<img width="1323" height="1145" alt="QQ20260322-202854-22-1"…
CVE-2026-45400
GitHub-GHSA
HIGH
Open WebUI has a full SSRF Vulnerability in the RAG Web Search Feature
GHSA-4v7r-f4w8-8972
pkg: open-webui
eco: pip
published: May 14, 2026
# SSRF Bypass via IPv6/IPv4-mapped IPv6/IPv4-reserved-ranges in `validate_url()`
## Summary
`validate_url()` in `backend/open_webui/retrieval/web/utils.py` calls `validators.ipv6(ip, private=True)`, but the `validators` library does NOT implement the `private` keyword for IPv6 — the call raises …
CVE-2026-45331
GitHub-GHSA
HIGH
Portainer has a bind-mount restriction bypass via HostConfig.Mounts
GHSA-7fw3-x4r2-g7wc
pkg: github.com/portainer/portainer, github.com/portainer/portainer, github.com/portainer/portainer
eco: go
published: May 14, 2026
## Summary
Portainer offers an environment-level **Disable bind mounts for non-administrators** security setting that blocks regular users from binding host paths into containers they create through the Portainer-mediated Docker API. The check that enforces this setting only inspected the legacy `H…
CVE-2026-44850
NVD
HIGH
CVE-2026-43998
vm2 is an open source vm/sandbox for Node.js. In 3.10.5, NodeVM's require.root path restriction can be bypassed using filesystem symlinks, allowing sandboxed code to load modules from outside the allowed root directory in host context. Because path validation uses path.resolve() (which does not dere…
CWE: CWE-59
GitHub-GHSA
HIGH
Nautobot: Webhook definitions could be used for server-side request forgery (SSRF)
GHSA-c35q-vxrp-ph26
pkg: nautobot, nautobot
eco: pip
published: May 13, 2026
### Impact
Nautobot's `Webhook` data model and associated feature set could be configured by users with sufficient access to perform requests to various hosts and IP addresses that should not be permitted, allowing for various behaviors similar to server-side request forgery (SSRF).
### Patches
F…
CVE-2026-44797
NVD
HIGH
CVE-2026-44015
Nginx UI is a web user interface for the Nginx web server. In 2.3.4 and earlier, an authenticated user can perform Server-Side Request Forgery (SSRF) by creating a cluster node pointing to an arbitrary internal URL and then sending API requests with the X-Node-ID header. The Proxy middleware forward…
CWE: CWE-918
NVD
HIGH
CVE-2026-25705
A vulnerability has been identified in [Rancher's Extensions](https://ranchermanager.docs.rancher.com/integrations-in-rancher/rancher-extensions) where malicious code can be injected in Rancher through a path traversal in the `compressedEndpoint` field inside a `UIPlugin` deployment. A malicious UI …
CWE: CWE-35
NVD
HIGH
CVE-2026-45369
python-utcp is the python implementation of UTCP. Prior to 1.1.3, the _substitute_utcp_args method in cli_communication_protocol.py inserts user-controlled tool_args values directly into shell command strings without any sanitization or escaping. These commands are then executed via /bin/bash -c (Un…
CWE: CWE-78
NVD
HIGH
CVE-2026-8534
Integer overflow in GPU in Google Chrome on Linux and ChromeOS prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
CWE: CWE-472
NVD
HIGH
CVE-2026-8533
Use after free in Accessibility in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
CWE: CWE-416
NVD
HIGH
CVE-2026-8530
Use after free in Network in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
CWE: CWE-416
NVD
HIGH
CVE-2026-8525
Heap buffer overflow in ANGLE in Google Chrome on Mac prior to 148.0.7778.168 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
CWE: CWE-122
NVD
HIGH
CVE-2026-8523
Use after free in Mojo in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
CWE: CWE-416
NVD
HIGH
CVE-2026-8520
Race in Payments in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
CWE: CWE-362
NVD
HIGH
CVE-2026-8515
Use after free in HID in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
CWE: CWE-416
NVD
HIGH
CVE-2026-8514
Use after free in Aura in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
CWE: CWE-416
NVD
HIGH
CVE-2026-8513
Use after free in Input in Google Chrome on Android prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
CWE: CWE-416
NVD
HIGH
CVE-2026-8512
Use after free in FileSystem in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
CWE: CWE-416
NVD
HIGH
CVE-2026-44586
SiYuan is an open-source personal knowledge management system. From 2.1.12 to before 3.7.0. SiYuan's Bazaar marketplace renders package author metadata from the public bazaar stage feed into HTML without escaping. In the desktop app this becomes stored XSS, and because SiYuan's Electron windows are …
CWE: CWE-79, CWE-94
NVD
HIGH
CVE-2026-42313
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the set_config_value() API method (@permission(Perms.SETTINGS)) in src/pyload/core/api/__init__.py gates security-sensitive options behind a hand-maintained allowlist ADMIN_ONLY_CORE_OPTIONS. The allowlist …
CWE: CWE-441, CWE-863, CWE-918
GitHub-GHSA
HIGH
Open WebUI has inconsistent authorization controls within memories API
GHSA-hmjq-crxp-7rjw
pkg: open-webui
eco: pip
published: May 11, 2026
### Summary
Authorization controls surrounding the memories API were inconsistent, resulting in the ability of a standard user to delete, restore, and view the contents of other users' memories.
### Details
Using a newly created non-admin user with no existing memories, it is possible to view ex…
CVE-2026-44570
GitHub-GHSA
HIGH
Open WebUI has a CORS misconfiguration and session validation issue
GHSA-6xcp-7mpr-m7wm
pkg: open-webui
eco: pip
published: May 11, 2026
# GitHub Security Lab (GHSL) Vulnerability Report, open-webui: `GHSL-2024-174`, `GHSL-2024-175`
The [GitHub Security Lab](https://securitylab.github.com) team has identified potential security vulnerabilities in [open-webui](https://github.com/open-webui/open-webui).
We are committed to working wi…
GitHub-GHSA
HIGH
@joplin/onenote-converter: Path traversal in OneNote importer allows overwriting arbitrary files
GHSA-gcmj-c9gg-9vh6
pkg: @joplin/onenote-converter
eco: npm
published: May 15, 2026
### Summary
A path traversal vulnerability in the OneNote importer allows overwriting arbitrary files on disk.
### Details
The OneNote converter does not sanitize the names of embedded files before writing them to disk. As a result, it's possible for an attacker to create a malicious `.one` file th…
CVE-2026-22810
GitHub-GHSA
HIGH
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in @ranfdev/deepobj
GHSA-x7q7-fchv-8h2j
pkg: @ranfdev/deepobj
eco: npm
published: May 14, 2026
### Impact
Prototype pollution is possible when property paths contain `__proto__`/`constructor`/`prototype`. The property path must not be exposed as user input.
CVE-2026-46509
NVD
HIGH
CVE-2026-42591
Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, the LibreOffice conversion endpoint (/forms/libreoffice/convert) passes uploaded documents directly to LibreOffice without inspecting their content. LibreOffice then fetches any embedded external URLs on its own, completely …
CWE: CWE-918
NVD
HIGH
CVE-2026-42590
Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.30.0, The ExifTool metadata write blocklist in Gotenberg can be bypassed using ExifTool's group-prefix syntax, enabling arbitrary file rename, move, hardlink, and symlink creation on the server. ExifTool supports group-prefix synt…
CWE: CWE-184
NVD
HIGH
CVE-2026-40893
Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.31.0, Gotenberg only checks if the tag is exactly FileName, so System:FileName slips right through and ExifTool happily renames the file. This allows remote attackers to move, rename, and change permissions for arbitrary files. Th…
CWE: CWE-73, CWE-184
NVD
HIGH
CVE-2026-32992
SSL verification is disabled in the DNS Cluster system. This could allow for a malicious server to man-in-the-middle the request and capture credentials.
CWE: CWE-295
GitHub-GHSA
HIGH
Anchor: Program<'info, System> is not properly validated
GHSA-c6rc-8jpp-2fgc
pkg: anchor-lang
eco: rust
published: May 13, 2026
### Summary
An logic error causes anchor programs to accept any program id when requiring the system program id, causing false assumptions resulting in potential arbitrary cpi in programs that invoke system program instructions.
### Details
In the TryFrom<&'a AccountInfo<'a>> implementation for Pro…
CVE-2026-45137
NVD
HIGH
CVE-2026-43929
ssrfcheck is a library that checks if a string contains a potential SSRF attack. In 1.3.0 and earlier, ssrfcheck fails to block Server-Side Request Forgery attacks when the target private IP address is encoded as an IPv4-mapped IPv6 address (e.g. http://[::ffff:127.0.0.1]/). The WHATWG URL parser bu…
CWE: CWE-184, CWE-918
GitHub-GHSA
HIGH
Dalfox Server Mode has an Unauthenticated Arbitrary File Create/Append via `output` Option
GHSA-8hf9-3q64-q2qf
pkg: github.com/hahwul/dalfox/v2
eco: go
published: May 12, 2026
## Summary
When dalfox is run in REST API server mode, the `output`, `output-all`, and `debug` fields in `model.Options` are JSON-tagged and deserialized directly from the attacker's request body, then propagated unchanged through `dalfox.Initialize` into the scan engine's logging path. The logger …
CVE-2026-45089
NVD
HIGH
CVE-2026-43893
exiftool-vendored provides cross-platform Node.js access to ExifTool. Prior to 35.19.0, exiftool-vendored starts ExifTool in -stay_open True -@ – mode, where arguments are read from stdin one per line. In affected versions, several caller-supplied strings were interpolated into ExifTool arguments wi…
CWE: CWE-88
NVD
HIGH
CVE-2026-43886
Outline is a service that allows for collaborative documentation. From 0.84.0 to 1.6.1, a logic error in OAuthInterface.validateScope() uses Array.some() to validate requested OAuth scopes, causing the function to accept the entire scope array if any single scope is valid. An attacker can smuggle th…
CWE: CWE-269
GitHub-GHSA
HIGH
@rvf/set-get has a prototype pollution issue that's reachable via @rvf/core preprocessFormData (HTTP form data)
GHSA-c567-44rc-m5hq
pkg: @rvf/set-get, @rvf/set-get
eco: npm
published: May 11, 2026
## Summary
`setPath` in `@rvf/set-get` (used by `@rvf/core` to flatten incoming form data into a nested object) does not block the keys `__proto__`, `constructor`, or `prototype` when walking a path. Because field names in submitted form data are passed directly to `setPath` via `preprocessFormData…
CVE-2026-44483
GitHub-GHSA
HIGH
GuardDog has a blind GitHub URL rewrite in remote project scanning causes SSRF and `GH_TOKEN` exfiltration
GHSA-587r-mc96-6f2p
pkg: guarddog
eco: pip
published: May 11, 2026
# Summary
The programmatic remote project scanning path rewrites attacker-controlled repository URLs using a blind string replacement and then sends the caller's GitHub credentials with the resulting request. This allows an attacker who can influence the scanned repository URL to trigger SSRF and ca…
CVE-2026-44971
NVD
HIGH
CVE-2026-45675
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, he LDAP and OAuth authentication flows use a TOCTOU (Time-of-Check-Time-of-Use) pattern for first-user admin role assignment. The regular signup handler (signup_handler in auths.py, lin…
CWE: CWE-269, CWE-362
GitHub-GHSA
HIGH
epa4all-client: TLS Certificate Validation Disabled in Production
GHSA-5hhf-xmfx-4vvr
pkg: com.oviva.telematik:epa4all-client
eco: maven
published: May 15, 2026
### Impact
An attacker on the network path between the ePA service and the Konnektor can present any TLS certificate (self-signed, expired, wrong CN) and intercept all SOAP traffic. This includes patient identifiers (KVNR), SMC-B card operations (authentication, signing),
document content, and crede…
CVE-2026-45574
GitHub-GHSA
HIGH
FrankenPHP: Unsafe Unicode Handling in CGI Path Splitting Allows Execution of Non-PHP Files
GHSA-3g8v-8r37-cgjm
pkg: github.com/dunglas/frankenphp
eco: go
published: May 15, 2026
### Summary
The `splitPos()` function in [`cgi.go`](https://github.com/php/frankenphp/blob/main/cgi.go) misuses `golang.org/x/text/search` with `search.IgnoreCase` when the request path contains a non-ASCII byte. Two distinct flaws in that fallback let an attacker mislead FrankenPHP into treating a…
CVE-2026-45062
NVD
HIGH
CVE-2026-35194
Code injection in SQL code generation in Apache Flink 1.15.0 through 1.20.x and 2.0.0 through 2.x allows authenticated users with query submission privileges to execute arbitrary code on TaskManagers via maliciously crafted SQL queries. The vulnerability affects JSON functions (1.15.0+) and LIKE exp…
CWE: CWE-94
GitHub-GHSA
HIGH
Open WebUI: LDAP and OAuth First-User Race Condition Allows Multiple Admin Accounts
GHSA-h3ww-q6xx-w7x3
pkg: open-webui
eco: pip
published: May 14, 2026
## Summary
The LDAP and OAuth authentication flows use a TOCTOU (Time-of-Check-Time-of-Use) pattern for first-user admin role assignment. The regular signup handler (`signup_handler` in auths.py, line 663) was explicitly patched to prevent this race with the comment *"Insert with default role first…
CVE-2026-45675
GitHub-GHSA
HIGH
Open WebUI has Stored XSS in Banner Component via Improper Sanitization Order
GHSA-cqp4-qqvg-3787
pkg: open-webui
eco: npm
published: May 14, 2026
### Summary
A Stored Cross-Site Scripting (XSS) vulnerability exists in the Banner component due to an improper sanitization order (specifically, DOMPurify is executed before the marked library).
This vulnerability allows a compromised or malicious administrator to plant a malicious payload in the …
CVE-2026-45665
GitHub-GHSA
HIGH
Open WebUI: Cross-User File Access via Unchecked file_id in Folder Knowledge and Knowledge-Base Attach Endpoints
GHSA-r472-mw7m-967f
pkg: open-webui
eco: pip
published: May 14, 2026
# Cross-User File Access via Unchecked file_id in Folder Knowledge and Knowledge-Base Attach Endpoints
## Summary
Multiple endpoints accept a user-supplied `file_id` and attach the referenced file to a resource the caller controls (folder knowledge, knowledge-base contents) without verifying that …
CVE-2026-45402
GitHub-GHSA
HIGH
Open WebUI: Missing permission check in files API allows authenticated users to list, access and delete every uploaded file
GHSA-r8wh-8m7r-fh33
pkg: open-webui
eco: pip
published: May 14, 2026
### Summary
A missing permission check in all files related API endpoints allows any authenticated user to list, access and delete every file uploaded by every user to the platform.
### Details
All `files/` related endpoints lack permission checks.
#### Listing all files
For example, let's see how…
CVE-2026-45301
GitHub-GHSA
HIGH
Apostrophe has a Weak Password Recovery Mechanism for Forgotten Password and Improper Input Validation
GHSA-gf43-24g3-5hw2
pkg: apostrophe
eco: npm
published: May 14, 2026
## Summary
ApostropheCMS's password reset flow constructs the reset URL using `req.hostname`,
which is derived directly from the attacker-controlled HTTP `Host` header when
`apos.baseUrl` is not explicitly configured. An unauthenticated attacker who knows
a victim's email address can send a craf…
CVE-2026-45013
GitHub-GHSA
HIGH
go-billy has path traversal vulnerabilities
GHSA-qw64-3×98-g7q2
pkg: github.com/go-git/go-billy/v5, github.com/go-git/go-billy/v6
eco: go
published: May 14, 2026
### Impact
Multiple path traversal issues exist across different components of `go-billy`. Insufficient path sanitization and boundary enforcement may allow crafted paths (e.g., using `..`) to escape intended base directories.
While go-billy was not originally designed to provide a strong security …
CVE-2026-44973
GitHub-GHSA
HIGH
Portainer's Kubernetes middleware continues after token validation failure, bypassing endpoint authorization
GHSA-mgq6-4×29-88r3
pkg: github.com/portainer/portainer
eco: go
published: May 14, 2026
## Summary
Portainer proxies requests to Kubernetes clusters through a middleware layer (`kubeClientMiddleware`) that validates the requesting user's token before forwarding traffic to the cluster. When `security.RetrieveTokenData` returned an error, the middleware wrote an HTTP 403 response but wa…
CVE-2026-44882
GitHub-GHSA
HIGH
wger: Privilege escalation via trainer-login session chaining allows gym trainer to impersonate gym manager
GHSA-9qpr-vc49-hqg2
pkg: wger
eco: pip
published: May 14, 2026
### Summary
A gym trainer can escalate their session to any higher-privileged account (gym manager, general manager) by chaining two calls to the trainer-login endpoint. Once a trainer performs a legitimate switch into a low-privileged user, the session flag `trainer.identity`
is set and this flag a…
CVE-2026-43978
NVD
HIGH
CVE-2026-42602
azureauthextension is the Azure Authenticator Extension. From 0.124.0 to 0.150.0, a server-side authentication bypass in azureauthextension allows any party who holds a single valid Azure access token for any scope the collector's configured identity can mint for to authenticate to any OpenTelemetry…
CWE: CWE-208, CWE-287, CWE-290, CWE-294, CWE-347
NVD
HIGH
CVE-2026-44574
Next.js is a React framework for building full-stack web applications. From 15.4.0 to before 15.5.16 and 16.2.5, applications that rely on middleware to protect dynamic routes can be vulnerable to authorization bypass. In affected deployments, specially crafted query parameters can alter the dynamic…
CWE: CWE-288
NVD
HIGH
CVE-2026-42945
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacemen…
CWE: CWE-122
NVD
HIGH
CVE-2026-44304
Lemur manages TLS certificate creation. Prior to 1.9.0, Lemur's LDAP authentication module (lemur/auth/ldap.py) constructs LDAP search filters using unsanitized user input via Python string interpolation. An authenticated LDAP user can inject LDAP filter metacharacters through the username field to …
CWE: CWE-90
NVD
HIGH
CVE-2026-8430
SPIP versions prior to 4.4.14 contain a remote code execution vulnerability in the public space that is limited to certain nginx configurations, allowing attackers to execute arbitrary code in the context of the web server. Attackers can exploit this vulnerability through specific nginx configuratio…
CWE: CWE-94
GitHub-GHSA
HIGH
protobuf.js: Code generation gadget after prototype pollution
GHSA-75px-5xx7-5xc7
pkg: protobufjs, protobufjs
eco: npm
published: May 12, 2026
## Summary
protobufjs used plain objects with inherited prototypes for internal type lookup tables used by generated encode and decode functions. If `Object.prototype` had already been polluted, those lookup tables could resolve attacker-controlled inherited properties as valid protobuf type inform…
CVE-2026-44291
NVD
HIGH
CVE-2026-42315
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, when passing a folder name in the set_package_data() API function call inside the data object with key "_folder", there is no sanitization at all, allowing a user with Perms.MODIFY to specify arbitrary dire…
CWE: CWE-22, CWE-36
GitHub-GHSA
HIGH
Open WebUI Arbitrary File Write, Delete via Path Traversal
GHSA-j3fw-wc48-29g3
pkg: open-webui
eco: pip
published: May 11, 2026
** CONFIDENTIAL **
Vulnerability Disclosure Analysis Documentation
———————————————–
Vulnerability Details
———————
1. Discoverer: Taylor Pennington of KoreLogic, Inc.
2. Date Submitted: June 11, 2024
3. Title: Open WebUI Arbitrary File Write, Delete via …
CVE-2026-44565
GitHub-GHSA
HIGH
Open WebUI: shared-chat branch ignores access_type, allowing unauthorized file deletion
GHSA-26g9-27vm-x3q8
pkg: open-webui
eco: pip
published: May 14, 2026
### Summary
Any authenticated user can permanently delete files owned by other users via `DELETE /api/v1/files/{id}` when the target file is referenced in any shared chat. The `has_access_to_file()` authorization gate unconditionally grants access through its shared-chat branch. It checks neither t…
CVE-2026-45671
NVD
HIGH
CVE-2026-34332
Use after free in Windows Kernel-Mode Drivers allows an authorized attacker to execute code over a network.
CWE: CWE-416
GitHub-GHSA
HIGH
uniget is Vulnerable to Command Injection in tool.Check Leading to Arbitrary Code Execution
GHSA-qqq4-5773-pmw5
pkg: gitlab.com/uniget-org/cli
eco: go
published: May 13, 2026
I discovered a command injection vulnerability in uniget that allows arbitrary command execution through the metadata loading and version check mechanism.
### Summary
A command injection vulnerability exists in uniget due to unsafe execution of the `check` field from metadata files using `/bin/bas…
CVE-2026-45152
GitHub-GHSA
HIGH
Systeminformation vulnerable to Linux command injection in networkInterfaces() via unsanitized NetworkManager connection profile name
GHSA-hvx9-hwr7-wjj9
pkg: systeminformation
eco: npm
published: May 13, 2026
## Summary
On Linux, `systeminformation` is vulnerable to command injection in `networkInterfaces()` when an **active NetworkManager connection profile name** contains shell metacharacters.
This is not caused by a caller passing attacker-controlled arguments into `networkInterfaces()`. The vulnera…
CVE-2026-44724
NVD
HIGH
CVE-2026-35421
Heap-based buffer overflow in Windows GDI allows an unauthorized attacker to execute code locally.
CWE: CWE-122
NVD
HIGH
CVE-2026-35420
Heap-based buffer overflow in Windows Kernel allows an authorized attacker to elevate privileges locally.
CWE: CWE-122
NVD
HIGH
CVE-2026-35418
Use after free in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally.
CWE: CWE-367, CWE-416
NVD
HIGH
CVE-2026-35417
Access of resource using incompatible type ('type confusion') in Windows Win32K – ICOMP allows an authorized attacker to elevate privileges locally.
CWE: CWE-843
NVD
HIGH
CVE-2026-35415
Integer overflow or wraparound in Windows Storage Spaces Controller allows an authorized attacker to elevate privileges locally.
CWE: CWE-190
NVD
HIGH
CVE-2026-34351
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows TCP/IP allows an authorized attacker to elevate privileges locally.
CWE: CWE-362
NVD
HIGH
CVE-2026-34344
Access of resource using incompatible type ('type confusion') in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.
CWE: CWE-843
NVD
HIGH
CVE-2026-34343
Heap-based buffer overflow in Windows Application Identity (AppID) Subsystem allows an authorized attacker to elevate privileges locally.
CWE: CWE-122
NVD
HIGH
CVE-2026-34338
Use after free in Windows Telephony Service allows an authorized attacker to elevate privileges locally.
CWE: CWE-416
NVD
HIGH
CVE-2026-34337
Use after free in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally.
CWE: CWE-362, CWE-416
NVD
HIGH
CVE-2026-34336
Buffer over-read in Windows DWM Core Library allows an authorized attacker to disclose information locally.
CWE: CWE-126
NVD
HIGH
CVE-2026-34334
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows TCP/IP allows an authorized attacker to elevate privileges locally.
CWE: CWE-362
NVD
HIGH
CVE-2026-34333
Use after free in Windows Win32K – GRFX allows an authorized attacker to elevate privileges locally.
CWE: CWE-190, CWE-416
NVD
HIGH
CVE-2026-34330
Integer overflow or wraparound in Windows Win32K – GRFX allows an authorized attacker to elevate privileges locally.
CWE: CWE-190, CWE-416
NVD
HIGH
CVE-2026-33841
Heap-based buffer overflow in Windows Kernel allows an authorized attacker to elevate privileges locally.
CWE: CWE-122
NVD
HIGH
CVE-2026-33840
Use after free in Windows Win32K – ICOMP allows an authorized attacker to elevate privileges locally.
CWE: CWE-416
NVD
HIGH
CVE-2026-33838
Double free in Windows Message Queuing allows an authorized attacker to elevate privileges locally.
CWE: CWE-415
NVD
HIGH
CVE-2026-33837
Heap-based buffer overflow in Windows TCP/IP allows an authorized attacker to elevate privileges locally.
CWE: CWE-122
NVD
HIGH
CVE-2026-33835
Use after free in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally.
CWE: CWE-416
NVD
HIGH
CVE-2026-33834
Improper access control in Windows Event Logging Service allows an authorized attacker to elevate privileges locally.
CWE: CWE-284
NVD
HIGH
CVE-2026-20767
Improper input validation for some Intel(R) QAT software drivers for Windows before version 1.13 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable escalation of privilege.…
CWE: CWE-20
NVD
HIGH
CVE-2026-20714
Out-of-bounds write for some Intel(R) QAT software drivers for Windows before version 1.13 within Ring 3: User Applications may allow a escalation of privilege. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable escalation of privilege. This r…
CWE: CWE-787
NVD
HIGH
CVE-2026-31221
PyTorch-Lightning versions 2.6.0 and earlier contain an insecure deserialization vulnerability (CWE-502) in the checkpoint loading mechanism. The LightningModule.load_from_checkpoint() method, which is commonly used to load saved model states, internally calls torch.load() without setting the securi…
CWE: CWE-502, CWE-502
GitHub-GHSA
HIGH
protobuf.js is Vulnerable to OS Command Injection in the CLI
GHSA-f84p-cvgm-xgjj
pkg: protobufjs-cli, protobufjs-cli
eco: npm
published: May 12, 2026
## Summary
`pbts` invoked JSDoc by building a shell command string from input file paths and executing it through `child_process.exec`. File paths containing shell metacharacters could therefore be interpreted by the shell instead of being passed to JSDoc as plain arguments.
## Impact
An attacker…
CVE-2026-42290
NVD
HIGH
CVE-2026-45338
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, a Server-Side Request Forgery (SSRF) vulnerability exists in _process_picture_url() in backend/open_webui/utils/oauth.py (line ~1338). The function fetches arbitrary URLs from OAuth pic…
CWE: CWE-918
GitHub-GHSA
HIGH
Budibase: SSRF Bypass via HTTP Redirect in REST Datasource Integration
GHSA-fgqv-jh4g-pvg2
pkg: @budibase/server
eco: npm
published: May 15, 2026
### Summary
The REST datasource integration follows HTTP redirects without re-checking the IP blacklist, allowing an authenticated Builder to access internal services (cloud metadata, databases) by redirecting through an attacker-controlled server. The same vulnerability class was already patched i…
CVE-2026-45715
GitHub-GHSA
HIGH
Budibase: SSRF in AI Extract File Automation Step via Missing IP Blacklist Validation
GHSA-rpj4-7x2v-wjrf
pkg: @budibase/server
eco: npm
published: May 15, 2026
## Vulnerability Details
**CWE-918**: Server-Side Request Forgery (SSRF)
The `processUrlFile` function in `packages/server/src/automations/steps/ai/extract.ts` uses `fetch(fileUrl)` directly **without the IP blacklist validation** that is consistently applied to all other automation steps. This al…
CVE-2026-45548
NVD
HIGH
CVE-2026-45370
python-utcp is the python implementation of UTCP. Prior to 1.1.3, _prepare_environment() in cli_communication_protocol.py passes a full copy of os.environ to every CLI subprocess. When combined with CVE-2026-45369, an attacker can exfiltrate all process-level secrets in a single tool call. This vuln…
CWE: CWE-526
GitHub-GHSA
HIGH
python-utcp: Full Process Environment Exposed to CLI Subprocess – Secrets Leakage via Command Injection
GHSA-5v57-8rxj-3p2r
pkg: utcp-cli
eco: pip
published: May 14, 2026
## Summary
`_prepare_environment()` in `cli_communication_protocol.py` passes a full copy of `os.environ` to every CLI subprocess. When combined with the Command Injection vulnerability (CWE-78) in `_substitute_utcp_args()` tracked as GHSA-33p6-5jxp-p3x4, an attacker can exfiltrate all process-leve…
CVE-2026-45370
GitHub-GHSA
HIGH
Open WebUI Vulnerable to SSRF via OAuth Profile Picture URL in _process_picture_url (oauth.py)
GHSA-24c9-2m8q-qhmh
pkg: open-webui
eco: pip
published: May 14, 2026
## Summary
A Server-Side Request Forgery (SSRF) vulnerability exists in `_process_picture_url()` in `backend/open_webui/utils/oauth.py` (line ~1338). The function fetches arbitrary URLs from OAuth `picture` claims without applying `validate_url()`, allowing an attacker to force the server to make H…
CVE-2026-45338
GitHub-GHSA
HIGH
Open WebUI has stored XSS via the HTML renedering view
GHSA-4vrc-m9ch-6m3r
pkg: open-webui
eco: pip
published: May 14, 2026
### Summary
Through the HTML rendering view, scripts can be injected and executed.
The finding resulted from a penetration test for a customer. It is suspected that the root cause of the issue lies within the core of Open WebUI, which is why it is being reported as a security issue here. Tested on …
CVE-2026-45303
NVD
HIGH
CVE-2026-42283
DevSpace is a client-only developer tool for cloud-native development with Kubernetes. Prior to 6.3.21, DevSpace's UI server WebSocket accepts connections from all origins by default, and therefore several endpoints are exposed via this WebSocket. When a developer runs the DevSpace UI and at the sam…
CWE: CWE-200, CWE-306
NVD
HIGH
CVE-2026-44738
Grav is a file-based Web platform. Prior to 2.0.0-rc.2, the Twig sandbox allow-list permits any user with the admin.pages role to call config.toArray() from within a page body, dumping the entire merged site configuration — including all plugin secrets (SMTP passwords, AWS keys, OAuth client secre…
CWE: CWE-200
GitHub-GHSA
HIGH
Budibase vulnerable to SSRF via trivial `.tar.gz` substring bypass in Plugin URL upload (`/api/plugin`)
GHSA-xh5j-727m-w6gg
pkg: budibase
eco: npm
published: May 11, 2026
## 1. Summary
| Field | Value |
|——-|——-|
| **Title** | SSRF via trivial `.tar.gz` substring bypass in Plugin URL upload |
| **Product** | Budibase (Self-Hosted) |
| **Version** | ≤ 3.34.11 (latest stable as of 2026-03-30) |
| **Component** | `packages/server/src/api/controllers/plugin/ur…
CVE-2026-45061
GitHub-GHSA
HIGH
Apostrophe has authenticated SSRF in rich-text widget import via @apostrophecms/area/validate-widget
GHSA-pr28-mf3q-qpg6
pkg: apostrophe
eco: npm
published: May 14, 2026
### Summary
ApostropheCMS contains an authenticated server-side request forgery (SSRF) in the rich-text widget import flow. An authenticated user who can submit/edit rich-text widget content can cause the server to fetch attacker-controlled URLs during widget validation. For image-compatible respons…
CVE-2026-45012
GitHub-GHSA
HIGH
Valtimo has sensitive data exposure through HTTP request/response logging in LoggingRestClientCustomizer
GHSA-3jh5-rr2q-xfv7
pkg: com.ritense.valtimo:web, com.ritense.valtimo:web
eco: maven
published: May 11, 2026
### Summary
The `LoggingRestClientCustomizer` in the `web` module automatically intercepts all outgoing HTTP calls made via Spring's `RestClient` and logs the full request body, response body, and response headers. When an error response is received, this information is included in the thrown `Http…
CVE-2026-44516
NVD
HIGH
CVE-2021-47942
Home Assistant Community Store (HACS) 1.10.0 contains a path traversal vulnerability that allows unauthenticated attackers to read sensitive files by traversing directories via the /hacsfiles/ endpoint. Attackers can retrieve the .storage/auth file containing user credentials and refresh tokens, the…
CWE: CWE-22
NVD
HIGH
CVE-2026-46359
phpMyFAQ before 4.1.2 contains a sql injection vulnerability in CurrentUser::setTokenData that allows authenticated attackers to execute arbitrary SQL by injecting malicious OAuth token claims. Attackers with Azure AD accounts containing SQL metacharacters in display names or JWT claims can break ou…
CWE: CWE-89
GitHub-GHSA
HIGH
Pipecat: Path Traversal in Pipecat Runner `/files` Endpoint — Arbitrary File Read via `%2F`-Encoded Separator
GHSA-3363-2ph6-35wh
pkg: pipecat-ai
eco: pip
published: May 15, 2026
## Summary
A path traversal vulnerability exists in Pipecat's development runner (`src/pipecat/runner/run.py`). When the runner is started with the `–folder` flag, it exposes a `GET /files/{filename:path}` download endpoint. The `filename` path parameter is concatenated directly onto `args.folder`…
CVE-2026-44716
GitHub-GHSA
HIGH
nimiq-keys: Unchecked Ed25519 signature length in TaggedPublicKey::verify causes remote node panic via DHT
GHSA-27w2-87xv-37c6
pkg: nimiq-keys
eco: rust
published: May 15, 2026
### Impact
A malicious network peer can crash any Nimiq full node by publishing a crafted Kademlia DHT record containing a `TaggedSigned<ValidatorRecord, KeyPair>` with a signature field whose byte length is not exactly 64. When the victim node's DHT verifier calls `TaggedSigned::verify`, execution …
CVE-2026-40092
NVD
HIGH
CVE-2026-38728
An issue in Nodemailer smtp_server before v.3.18.3 allows a remote attacker to cause a denial of service via the SMTPStream._write, lib/smtp-stream.js components
CWE: CWE-400
GitHub-GHSA
HIGH
Open WebUI Vulnerable to IDOR: Retrieval API Bypasses Knowledge Base Access Controls
GHSA-4g37-7p2c-38r9
pkg: open-webui
eco: pip
published: May 14, 2026
# IDOR: Retrieval API Bypasses Knowledge Base Access Controls
**Author:** Andrew Orr <aorr@tenable.com>
## Summary
`_validate_collection_access()` ([PR #22109](https://github.com/open-webui/open-webui/pull/22109)) checks the `user-memory-*` and `file-*` collection name prefixes but does not check…
CVE-2026-45398
GitHub-GHSA
HIGH
Svelte devalue: DoS via sparse array deserialization
GHSA-77vg-94rm-hx3p
pkg: devalue
eco: npm
published: May 14, 2026
`devalue.parse` could, due to quirks in some JavaScript engines, be convinced to allocate much more memory than was needed when deserializing sparse arrays, leading to excessive memory consumption.
CVE-2026-42570
NVD
HIGH
CVE-2026-8521
Use after free in Tab Groups in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code via malicious network traffic. (Chromium security severity: Critical)
CWE: CWE-416
NVD
HIGH
CVE-2026-8510
Integer overflow in Skia in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)
CWE: CWE-472
NVD
HIGH
CVE-2026-23998
Fleet is open source device management software. Prior to version 4.81.0, a vulnerability in Fleet’s Windows MDM management endpoint could allow requests to be processed without proper client certificate validation. In certain circumstances, this could allow an attacker to impersonate an enrolled …
CWE: CWE-295
NVD
HIGH
CVE-2026-42594
Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, the webhook middleware spawns a goroutine that holds a reference to the request's echo.Context after the synchronous handler returns ErrAsyncProcess and Echo recycles the context back to its sync.Pool. When a concurrent requ…
CWE: CWE-362
GitHub-GHSA
HIGH
wger Vulnerable to IDOR: Authenticated Users Can Read Any User's Private Workout Session Data via Template Routine API
GHSA-cj9g-27ph-4cgv
pkg: wger
eco: pip
published: May 14, 2026
### Summary
Any authenticated user can read another user's private workout session notes, exercise history, and training statistics by calling the /logs/ and /stats/ actions on a routine they do not own.
The RoutinePermission class grants read access to any authenticated user when a routine has is…
CVE-2026-43977
GitHub-GHSA
HIGH
FlowiseAI Exposes Basic Auth Credentials via API
GHSA-php6-83fg-gw3g
pkg: flowise
eco: npm
published: May 14, 2026
**Detection Method:** Kolega.dev Deep Code Scan
| Attribute | Value |
|—|—|
| Severity | Medium |
| CWE | CWE-522 (Insufficiently Protected Credentials) |
| Location | packages/server/src/enterprise/controllers/account.controller.ts:128-135 |
| Practical Exploitability | Medium |
| Developer Ap…
CVE-2026-46440
NVD
HIGH
CVE-2026-6479
Uncontrolled recursion in PostgreSQL SSL and GSS negotiation allows an attacker able to connect to a PostgreSQL AF_UNIX socket to achieve sustained denial of service. If SSL and GSS are both disabled, an attacker can do the same via access to a PostgreSQL TCP socket. Versions before PostgreSQL 18.…
CWE: CWE-674
GitHub-GHSA
HIGH
Fleet has a Windows MDM management endpoint authentication bypass
GHSA-2rc4-7jc6-qffh
pkg: github.com/fleetdm/fleet/v4
eco: go
published: May 14, 2026
### Summary
A vulnerability in Fleet’s Windows MDM management endpoint could allow requests to be processed without proper client certificate validation. In certain circumstances, this could allow an attacker to impersonate an enrolled Windows device and retrieve sensitive configuration data.
##…
CVE-2026-23998
NVD
HIGH
CVE-2026-42561
Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.27, python-multipart has a denial of service vulnerability in multipart part header parsing. When parsing multipart/form-data, MultipartParser previously had no limit on the number of part headers or the size of an individual …
CWE: CWE-770
NVD
HIGH
CVE-2026-42304
Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to 26.4.0rc2, the twisted.names module is vulnerable to a Denial of Service (DoS) attack via resource exhaustion during DNS name decompression. A remote, unauthenticated attacker can exploit this by sending …
CWE: CWE-400, CWE-407
NVD
HIGH
CVE-2026-42582
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final, when decoding header blocks, the non-Huffman branch of io.netty.handler.codec.http3.QpackDecoder#decodeHuffmanEncodedLiteral may execute new byte[length] for a string literal before verifying that length byt…
CWE: CWE-770, CWE-789
NVD
HIGH
CVE-2026-45109
Next.js is a React framework for building full-stack web applications. From 15.2.0 to before 15.5.18 and 16.2.6, it was found that the fix addressing CVE-2026-44575 did not apply to middleware.ts with Turbopack. This vulnerability is fixed in 15.5.18 and 16.2.6.
CWE: CWE-288
NVD
HIGH
CVE-2026-44579
Next.js is a React framework for building full-stack web applications. From to before 15.5.16 and 16.2.5, applications using Partial Prerendering through the Cache Components feature can be vulnerable to connection exhaustion through crafted POST requests to a server action. In affected configurati…
CWE: CWE-770
NVD
HIGH
CVE-2026-44004
vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, sandboxed code can call Buffer.alloc() with an arbitrary size to allocate memory directly on the host heap. Because Buffer.alloc is a synchronous C++ native call, vm2's timeout option cannot interrupt it. A single request can exhaust hos…
CWE: CWE-770
NVD
HIGH
CVE-2026-44575
Next.js is a React framework for building full-stack web applications. From 15.2.0 to before 15.5.16 and 16.2.5, App Router applications that rely on middleware or proxy-based checks for authorization can allow unauthorized access through transport-specific route variants used for segment prefetchin…
CWE: CWE-288
NVD
HIGH
CVE-2026-44573
Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, Applications using the Pages Router with i18n configured and middleware/proxy-based authorization can allow unauthorized access to protected page data through locale-less /_next/data/<bui…
CWE: CWE-863
NVD
HIGH
CVE-2026-44432
urllib3 is an HTTP client library for Python. From 2.6.0 to before 2.7.0, urllib3 could decompress the whole response instead of the requested portion (1) during the second HTTPResponse.read(amt=N) call when the response was decompressed using the official Brotli library or (2) when HTTPResponse.dra…
CWE: CWE-409
NVD
HIGH
CVE-2026-42920
When a Client SSL profile is configured with Allow Dynamic Record Sizing on a UDP virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
CWE: CWE-835
NVD
HIGH
CVE-2026-40629
When SSL profiles are configured on a virtual server, undisclosed traffic can cause the virtual server to stop processing new client connections. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
CWE: CWE-770
NVD
HIGH
CVE-2026-40618
When an SSL profile is configured on a virtual server on BIG-IP Virtual Edition (VE) without Intel QuickAssist Technology (QAT) or on BIG-IP hardware platforms with the database variable crypto.hwacceleration set to disabled, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to…
CWE: CWE-131
GitHub-GHSA
HIGH
SillyTavern: Existing sessions are not invalidated after password change, allowing session reuse and account takeover
GHSA-wmm3-h9qj-p5v6
pkg: sillytavern
eco: npm
published: May 12, 2026
### Summary
Changing a user’s password does not invalidate existing sessions, allowing an attacker with a stolen cookie to retain access even after the victim resets their password.
### Details
SillyTavern relies on cookie-session for authentication, storing all session data (user handle, permiss…
CVE-2026-44648
GitHub-GHSA
HIGH
esm.sh: Path Traversal via package.json browser field allows reading arbitrary server files
GHSA-rg65-45m7-hq57
pkg: github.com/esm-dev/esm.sh
eco: go
published: May 12, 2026
### Summary
A Local File Inclusion (LFI) vulnerability exists in the esbuild plugin's handling of the `browser` field in `package.json`. An attacker can publish an npm package that causes the server to read and return arbitrary files from the host filesystem during the build process.
### Details
…
CVE-2026-44594
NVD
HIGH
CVE-2026-44296
Deskflow is a keyboard and mouse sharing app. Prior to 1.26.0.167, a remote, unauthenticated denial of service (DoS) vulnerability affects Deskflow servers running with TLS enabled (the default). When any TCP peer connects to the listening port and its first bytes do not parse as a valid TLS ClientH…
CWE: CWE-400, CWE-405
NVD
HIGH
CVE-2026-42544
Granian is a Rust HTTP server for Python applications. From 1.2.0 to 2.7.4, Granian aborts a worker process when an unauthenticated client sends a WebSocket upgrade request whose Sec-WebSocket-Protocol header contains non-ASCII bytes. The crash happens in Granian's WebSocket scope construction path,…
CWE: CWE-20, CWE-248, CWE-400
NVD
HIGH
CVE-2026-42268
ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. From 3.0.0 to before 3.0.15, there is an unhandled exception (std::out_of_range) caused by unsigned integer underflow in libmodsecurity3 if the user (administrator) uses a rule any of @veri…
CWE: CWE-191, CWE-248
NVD
HIGH
CVE-2026-44240
basic-ftp is an FTP client for Node.js. Prior to 5.3.1, basic-ftp is vulnerable to client-side denial of service when parsing FTP control-channel multiline responses. A malicious or compromised FTP server can send an unterminated multiline response during the initial FTP banner phase, before authent…
CWE: CWE-400, CWE-770
NVD
HIGH
CVE-2026-35424
Missing release of memory after effective lifetime in Windows Internet Key Exchange (IKE) Protocol allows an unauthorized attacker to deny service over a network.
CWE: CWE-401
NVD
HIGH
CVE-2026-32161
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Native WiFi Miniport Driver allows an unauthorized attacker to execute code over an adjacent network.
CWE: CWE-362, CWE-416
GitHub-GHSA
HIGH
Dalfox has an Unauthenticated Remote DoS via Closed-Channel Write in `ParameterAnalysis` (server mode)
GHSA-2g4x-fq3j-cgq4
pkg: github.com/hahwul/dalfox/v2
eco: go
published: May 12, 2026
## Summary
`ParameterAnalysis` in `pkg/scanning/parameterAnalysis.go` runs two sequential worker stages that both write to the same `results` channel. The channel is correctly closed after the first stage completes (`close(results)` at line 438), but the second stage — which processes POST-body p…
CVE-2026-45090
GitHub-GHSA
HIGH
Dalfox Server Mode has an Unauthenticated Arbitrary File Read with Out-of-Band Exfiltration via `custom-payload-file`
GHSA-35wr-x7v6-9fv2
pkg: github.com/hahwul/dalfox/v2
eco: go
published: May 12, 2026
## Summary
When dalfox is run in REST API server mode, the `custom-payload-file` field in `model.Options` is JSON-tagged and deserialized directly from the attacker's request body, then propagated unchanged through `dalfox.Initialize` into the scan engine. The engine passes the value to `voltFile.R…
CVE-2026-45088
GitHub-GHSA
HIGH
protobuf.js: Process-wide denial of service through unsafe option paths
GHSA-jvwf-75h9-cwgg
pkg: protobufjs, protobufjs
eco: npm
published: May 12, 2026
## Summary
protobufjs allowed certain schema option paths to traverse through inherited object properties while applying options. A crafted protobuf schema or JSON descriptor could cause option handling to write to properties on global JavaScript constructors, corrupting process-wide built-in funct…
CVE-2026-44290
GitHub-GHSA
HIGH
protobuf.js: Denial of service through unbounded protobuf recursion
GHSA-685m-2w69-288q
pkg: protobufjs, protobufjs
eco: npm
published: May 12, 2026
## Summary
protobufjs could recurse without a depth limit while decoding nested protobuf data. This affected both skipping unknown group fields and generated decoding of nested message fields.
A crafted protobuf binary payload could cause the JavaScript call stack to be exhausted during decoding.
…
CVE-2026-44289
NVD
HIGH
CVE-2026-8159
multiparty@4.2.3 and lower versions are vulnerable to denial of service via regular expression backtracking in the Content-Disposition filename parameter parser. A crafted multipart upload with a long header value can cause regex matching to take seconds, blocking the event loop. Impact: any service…
CWE: CWE-1333
GitHub-GHSA
HIGH
Kysely: JSON-path traversal injection via unsanitized path-leg metacharacters in `JSONPathBuilder.key()` / `.at()`
GHSA-pv5w-4p9q-p3v2
pkg: kysely
eco: npm
published: May 11, 2026
## Summary
Kysely 0.28.12 added a `sanitizeStringLiteral()` call inside `DefaultQueryCompiler.visitJSONPathLeg` (commit `0a602bf`, PR #1727) to fix CVE-2026-32763 (`GHSA-wmrf-hv6w-mr66`). The fix only doubles single quotes (`'` → `''`); it does **not** escape JSON-path metacharacters (`.`, `[`, `…
CVE-2026-44635
NVD
HIGH
CVE-2026-33359
In Meari IoT Cloud alert image storage on Alibaba OSS (latest observed; storage service version not disclosed), motion snapshots are retrievable without authentication, signed URLs, or expiry enforcement. URLs function as direct object references and remain valid beyond expected operational windows.
CWE: CWE-862
GitHub-GHSA
HIGH
Next.js has a Middleware / Proxy bypass in App Router applications via segment-prefetch routes – Incomplete Fix Follow-Up
GHSA-26hh-7cqf-hhc6
pkg: next, next
eco: npm
published: May 11, 2026
### Impact
It was found that the fix addressing [CVE-2026-44575](https://github.com/vercel/next.js/security/advisories/GHSA-267c-6grr-h53f) did not apply to `middleware.ts` with Turbopack. Refer to [CVE-2026-44575](https://github.com/vercel/next.js/security/advisories/GHSA-267c-6grr-h53f) for fur…
CVE-2026-45109
GitHub-GHSA
HIGH
Bird-lg-go has a Fatal Out-of-Memory (OOM) Denial of Service via Unbounded JSON Decoding
GHSA-39qr-rc93-vhqm
pkg: github.com/xddxdd/bird-lg-go
eco: go
published: May 11, 2026
### Summary
The `apiHandler` (and similarly `webHandlerTelegramBot`) processes user-provided JSON payloads by directly using `json.NewDecoder(r.Body).Decode(&request)` without restricting the maximum read size. An unauthenticated remote attacker can stream an extremely large, endless JSON payload (e…
CVE-2026-45047
GitHub-GHSA
HIGH
@theecryptochad/merge-guard has Prototype Pollution in its deepMerge() function
GHSA-mhwj-73qx-jqxm
pkg: @theecryptochad/merge-guard
eco: npm
published: May 11, 2026
## Summary
`@theecryptochad/merge-guard` versions prior to 1.0.1 are vulnerable to Prototype Pollution via the `deepMerge()` function. An attacker who controls the source object can inject `__proto__` keys that mutate `Object.prototype`, affecting all objects in the Node.js runtime.
## Details
Th…
GitHub-GHSA
HIGH
Next.js vulnerable to Denial of Service via connection exhaustion in applications using Cache Components
GHSA-mg66-mrh9-m8jx
pkg: next, next
eco: npm
published: May 11, 2026
### Impact
Applications using Partial Prerendering through the Cache Components feature can be vulnerable to connection exhaustion through crafted POST requests to a server action. In affected configurations, a malicious request can trigger a request-body handling deadlock that leaves connections o…
CVE-2026-44579
GitHub-GHSA
HIGH
Next.js has a Middleware / Proxy bypass in App Router applications via segment-prefetch routes
GHSA-267c-6grr-h53f
pkg: next, next
eco: npm
published: May 11, 2026
### Impact
App Router applications that rely on middleware or proxy-based checks for authorization can allow unauthorized access through transport-specific route variants used for segment prefetching. In affected configurations, specially crafted `.rsc` and segment-prefetch URLs can resolve to the …
CVE-2026-44575
GitHub-GHSA
HIGH
urllib3: Decompression-bomb safeguards bypassed in parts of the streaming API
GHSA-mf9v-mfxr-j63j
pkg: urllib3
eco: pip
published: May 11, 2026
### Impact
urllib3's [streaming API](https://urllib3.readthedocs.io/en/2.7.0/advanced-usage.html#streaming-and-i-o) is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once.
urllib3 can perform…
CVE-2026-44432
GitHub-GHSA
HIGH
PraisonAI's symlink-extraction bypass of `_safe_extractall` writes outside `dest_dir`
GHSA-9q28-ghcr-c4x3
pkg: PraisonAI
eco: pip
published: May 11, 2026
### Summary
The `_safe_extractall` helper that all `recipe pull`, `recipe publish`, and `recipe unpack` flows route through validates each archive member's `name` for absolute paths, `..` segments, and resolved-path escape — but does **not** validate `member.linkname`, does not reject symlink/hard…
CVE-2026-44340
GitHub-GHSA
HIGH
Improper Verification of Cryptographic Signature in com.oviva.telematik:epa4all-client
GHSA-gqx7-6552-67hf
pkg: com.oviva.telematik:epa4all-client
eco: maven
published: May 15, 2026
### Impact
An attacker who can MITM the TLS connection between the client and the IDP (within the TI network) can substitute a forged discovery document. The forged document redirects u ri_puk_idp_enc and uri_puk_idp_sig to attacker-controlled URLs. The client then encrypts the SMC-B-signed challeng…
CVE-2026-45575
GitHub-GHSA
HIGH
goshs: SSH host key verification disabled, allowing transparent MITM of every tunnelled HTTP request
GHSA-mxg3-432p-mr72
pkg: goshs.de/goshs/v2
eco: go
published: May 15, 2026
### Summary
The `–tunnel` / `-t` flag opens an outbound SSH connection to `localhost.run:22` with `HostKeyCallback: ssh.InsecureIgnoreHostKey()`. The Go documentation for that function states verbatim: *"It should not be used for production code."* With the callback disabled the client accepts any…
GitHub-GHSA
HIGH
DeepSeek TUI has SSRF IPV6 bypass
GHSA-88gh-2526-gfrr
pkg: deepseek-tui
eco: rust
published: May 14, 2026
### Summary
Although SSRF is validated against hostnames that resolve to private IPv6 addresses, when providing the IPV6 in URL as `http://[::1]`, the SSRF defenses do not work.
### Details
https://github.com/Hmbown/DeepSeek-TUI/blob/15f62e3e93d842f30b428877819ebc1c8cb96814/crates/tui/src/…
CVE-2026-45373
GitHub-GHSA
HIGH
DeepSeek TUI has SSRF via HTTP Redirect Bypass in fetch_url Tool
GHSA-96ff-gc8g-wpvg
pkg: deepseek-tui, deepseek-tui-cli, deepseek-tui
eco: npm
published: May 14, 2026
### Summary
The `fetch_url` tool validates the initial URL's resolved IP address against a restricted-IP blocklist (`is_restricted_ip()`) to prevent SSRF attacks against internal services (cloud metadata endpoints, localhost, private networks). However, the HTTP client (`reqwest`) is configured to a…
CVE-2026-45310
NVD
HIGH
CVE-2026-8759
A vulnerability was identified in xiandafu beetl up to 3.20.2. Affected is an unknown function of the file beetl-classic-integration/beetl-spring-classic/src/main/java/org/beetl/ext/spring/SpELFunction.java of the component SpELFunction. The manipulation leads to improper neutralization of special e…
CWE: CWE-20, CWE-917
GitHub-GHSA
HIGH
Better Auth: Rate limiter keys IPv6 addresses individually and is bypassable via prefix rotation
GHSA-p6v2-xcpg-h6xw
pkg: better-auth, better-auth
eco: npm
published: May 15, 2026
### Am I affected?
Users are affected if all of the following are true:
– Their app uses `better-auth` at a version `< 1.4.17`, or at a v1.5 prerelease tagged `<= 1.5.0-beta.8`.
– The apps authentication endpoints serve clients reachable over IPv6. Most managed hosts including Cloudflare, Vercel, …
CVE-2026-45364
GitHub-GHSA
HIGH
Open WebUI vulnerable to stored XSS via OAuth picture claim stored as SVG data URI in profile_image_url
GHSA-3wgj-c2hg-vm6q
pkg: open-webui
eco: pip
published: May 14, 2026
# Summary
When a user signs in via OAuth, Open WebUI fetches the `picture` claim URL, infers a MIME type from the URL extension via `mimetypes.guess_type`, and stores `data:<mime>;base64,…` as the user's profile image. The OAuth code path does not go through the `validate_profile_image_url` Pydan…
GitHub-GHSA
HIGH
Apostrophe has stored XSS via javascript: URL in Image Widget Link
GHSA-5f64-7vfc-rcx6
pkg: apostrophe
eco: npm
published: May 14, 2026
### Summary
A stored cross-site scripting vulnerability was identified in the image widget functionality. A user with the Editor role can configure an image widget link to use a javascript: URL payload.
Because editors have permission to publish pages, the malicious widget can be published to the l…
CVE-2026-45011
NVD
HIGH
CVE-2026-44995
OpenClaw before 2026.4.20 contains an improper environment variable validation vulnerability in MCP stdio server configuration that allows attackers to execute arbitrary code. Malicious workspace configurations can pass dangerous startup variables like NODE_OPTIONS, LD_PRELOAD, or BASH_ENV to spawne…
CWE: CWE-829
NVD
HIGH
CVE-2026-31254
The flash-attention project thru commit e724e2588cbe754beb97cf7c011b5e7e34119e62 (2025-13-04) contains a code injection vulnerability (CWE-94) in its training script. The script registers the Python eval() function as a Hydra configuration resolver under the name eval. This allows configuration file…
CWE: CWE-95
NVD
HIGH
CVE-2026-31253
The flash-attention training framework thru commit e724e2588cbe754beb97cf7c011b5e7e34119e62 (2025-13-04) contains an insecure deserialization vulnerability (CWE-502) in its checkpoint loading mechanism. The load_checkpoint() function in checkpoint.py and the checkpoint loading code in eval.py use to…
CWE: CWE-94, CWE-502
NVD
HIGH
CVE-2026-31251
CosyVoice thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-30-21) contains an insecure deserialization vulnerability (CWE-502) in its gRPC server component. When the server starts, it loads the speech synthesis model from a user-specified directory using torch.load() without enabling the w…
CWE: CWE-20, CWE-94, CWE-915
NVD
HIGH
CVE-2026-31250
CosyVoice thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-30-21) contains an insecure deserialization vulnerability (CWE-502) in its average_model.py model averaging tool. The script loads PyTorch checkpoint files (epoch_*.pt) for model averaging using torch.load() without enabling the we…
CWE: CWE-502
NVD
HIGH
CVE-2026-31249
CosyVoice thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-30-21) contains an insecure deserialization vulnerability (CWE-502) in its make_parquet_list.py data processing tool. The script loads PyTorch .pt files (utterance embeddings, speaker embeddings, speech tokens) using torch.load() w…
CWE: CWE-502
GitHub-GHSA
HIGH
PraisonAI ships and generates a legacy API server with authentication disabled by default, allowing unauthenticated workflow execution
GHSA-6rmh-7xcm-cpxj
pkg: PraisonAI
eco: pip
published: May 11, 2026
### Summary
PraisonAI ships a legacy Flask API server with authentication disabled by default. When that server is used, any caller that can reach it can access `/agents` and trigger the configured `agents.yaml` workflow through `/chat` without providing a token.
### Details
The vulnerable server i…
CVE-2026-44338
GitHub-GHSA
HIGH
Open WebUI: Missing `workspace.tools` Authorization Check on Tool Update Endpoint Allows Privilege Escalation to Code Execution
GHSA-p4fx-23fq-jfg6
pkg: open-webui
eco: npm
published: May 14, 2026
### Summary
The tool update endpoint (`POST /api/v1/tools/id/{id}/update`) is missing the `workspace.tools` permission check that is present on the tool create endpoint. This allows a user who has been explicitly **denied** tool management capabilities ( and who the administrator considers **untrus…
CVE-2026-45395
NVD
HIGH
CVE-2026-8597
Missing integrity verification in the Triton inference handler in Amazon SageMaker Python SDK v2 before v2.257.2 and v3 before v3.8.0 might allow a remote authenticated actor to achieve code execution in inference containers via replacement of model artifacts in S3 with a specially crafted pickle pa…
CWE: CWE-354
NVD
HIGH
CVE-2026-8596
Cleartext storage of sensitive information in the ModelBuilder/Serve component in Amazon SageMaker Python SDK before v2.257.2 and v3 before v3.8.0 might allow a remote authenticated actor to extract the HMAC signing key from SageMaker API responses and forge valid integrity signatures for specially …
CWE: CWE-312
GitHub-GHSA
HIGH
Open WebUI: Low-privilege authenticated users can enumerate and stop global background tasks, causing system-wide chat disruption
GHSA-8jjp-r2w2-4v22
pkg: open-webui
eco: pip
published: May 14, 2026
### Summary
Any authenticated user with low privileges can enumerate active background tasks across the system and stop tasks belonging to other users via the GET /api/tasks and POST /api/tasks/stop/{task_id} methods. This allows a casual user to disrupt system-wide chat usage by continuously cancel…
CVE-2026-45399
GitHub-GHSA
HIGH
Open WebUI's chat completion API allows tool restrictions to be bypassed
GHSA-4pcg-253r-rf9w
pkg: open-webui
eco: pip
published: May 14, 2026
### Summary
Open WebUI v0.6.43 contains a vulnerability in its chat completion API, which allows attackers to bypass tool restrictions, potentially enabling unauthorized actions or access.
### Details
In the [chat_completion](https://github.com/open-webui/open-webui/blob/a7271532f8a38da46785afcaa7…
CVE-2026-45350
GitHub-GHSA
HIGH
Open WebUI has Broken Access Control for Completions API
GHSA-gfm2-xm6c-37qc
pkg: open-webui
eco: pip
published: May 14, 2026
### Summary
Any user `X` can continue the conversation of any other user `Y`, as long as the Chat ID of `Y` is known. User `X` does not even need to be an admin to do so.
### Details
A user just needs to use the API endpoint: `/api/chat/completions` with their own API key (generated in OWUI) and t…
CVE-2026-45349
NVD
HIGH
CVE-2026-44637
libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. From to 1.8.7-r1, a signed integer overflow in the SIXEL parser's image-buffer doubling loop can lead to an out-of-bounds heap write in sixel_decode_raw_impl. context->pos_x grows by repeat_count on every sixel character…
CWE: CWE-190, CWE-787, CWE-787
GitHub-GHSA
HIGH
Nautobot: GitRepository.current_head field should not be writable through REST API
GHSA-p3hx-pwf3-j8wr
pkg: nautobot, nautobot
eco: pip
published: May 13, 2026
### Impact
A user with access to add/change a GitRepository record could use the REST API to directly set the `current_head` field on the record, which was not intended to be user-editable. Doing so could cause Nautobot's local clone(s) of the relevant repository to checkout a commit other than the…
CVE-2026-44798
GitHub-GHSA
HIGH
LangSmith SDK: Public prompt pull deserializes untrusted manifests without trust boundary warning
GHSA-3644-q5cj-c5c7
pkg: langsmith, langsmith, langchain-classic
eco: npm
published: May 13, 2026
## Description
The LangSmith SDK's prompt pull methods (`pull_prompt` / `pull_prompt_commit` in Python, `pullPrompt` / `pullPromptCommit` in JS/TS) fetch and deserialize prompt manifests from the LangSmith Hub. These manifests may contain serialized LangChain objects and model configuration that af…
CVE-2026-45134
NVD
HIGH
CVE-2026-5371
The MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy) plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability checks on the get_ads_access_token() and reset_experience() functions in all versions up to, and i…
CWE: CWE-862
NVD
HIGH
CVE-2026-45226
Heym before 0.0.21 contains an authorization bypass vulnerability in workflow execution that allows authenticated users to execute arbitrary workflows by referencing victim workflow UUIDs without proper access validation. Attackers can create workflows with execute nodes or agent subWorkflowIds poin…
CWE: CWE-863
GitHub-GHSA
HIGH
Ella Core Vulnerable to UE Downlink Redirection via Forged PDUSessionResourceSetupResponse
GHSA-qfxw-v8qx-vj3v
pkg: github.com/ellanetworks/core
eco: go
published: May 11, 2026
## Summary
A radio with a valid NG Setup can send a forged PDUSessionResourceSetupResponse carrying any UE's AMF-UE-NGAP-ID. Ella Core does not verify the message arrived on the SCTP association bound to that UE's logical NG-connection, then creates a GTP tunnel towards that radio.
## Impact
Down…
CVE-2026-44473
GitHub-GHSA
HIGH
Open WebUI's Insecure Message Access Breaks Authorization
GHSA-jxwr-g6r6-j3fx
pkg: open-webui
eco: pip
published: May 11, 2026
### Description
There's an IDOR in the channels message management system that allows authenticated users to modify or delete any message within channels they have read access to. The vulnerability exists in the message update and delete endpoints, which implement channel-level authorization but co…
CVE-2026-44569
NVD
HIGH
CVE-2026-35416
Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.
CWE: CWE-416
NVD
HIGH
CVE-2026-34347
Use after free in Windows Win32K – GRFX allows an authorized attacker to elevate privileges locally.
CWE: CWE-416
NVD
HIGH
CVE-2026-34345
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.
CWE: CWE-362, CWE-416
NVD
HIGH
CVE-2026-34342
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Print Spooler Components allows an authorized attacker to elevate privileges locally.
CWE: CWE-362
NVD
HIGH
CVE-2026-34341
Double free in Windows Link-Layer Discovery Protocol (LLDP) allows an authorized attacker to elevate privileges locally.
CWE: CWE-415
NVD
HIGH
CVE-2026-34340
Use after free in Windows Projected File System allows an authorized attacker to elevate privileges locally.
CWE: CWE-416
NVD
HIGH
CVE-2026-34331
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Win32K – GRFX allows an authorized attacker to elevate privileges locally.
CWE: CWE-362, CWE-416
NVD
HIGH
CVE-2026-33839
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Win32K – GRFX allows an authorized attacker to elevate privileges locally.
CWE: CWE-362
NVD
HIGH
CVE-2026-7818
Deserialization of untrusted data (CWE-502) in pgAdmin 4 FileBackedSessionManager.
The session manager performed unsafe deserialization of session-file contents (using Python's standard object-serialization module) before performing any HMAC integrity check. Any file dropped into the sessions direc…
CWE: CWE-502
GitHub-GHSA
HIGH
urllib3: Sensitive headers forwarded across origins in proxied low-level redirects
GHSA-qccp-gfcp-xxvc
pkg: urllib3
eco: pip
published: May 11, 2026
### Impact
When following cross-origin redirects for requests made using urllib3’s high-level APIs, such as `urllib3.request()`, `PoolManager.request()`, and `ProxyManager.request()`, sensitive headers — `Authorization`, `Cookie`, and `Proxy-Authorization` (defined in `Retry.DEFAULT_REMOVE_HEAD…
CVE-2026-44431
GitHub-GHSA
HIGH
Open WebUI has XSS via SVG in /api/v1/channels/webhooks/{webhook_id}/profile/image
GHSA-3856-3vxq-m6fc
pkg: open-webui
eco: pip
published: May 14, 2026
As part of our research on improving our [AI pentest](https://www.aikido.dev/attack/aipentest), we have uncovered the following issue in Open WebUI. We've manually verified and tided up the report, but you can also find the original agent finding at the bottom of this report.
### Summary
The chann…
CVE-2026-45314
GitHub-GHSA
HIGH
ethyca-fides has a DOM-based XSS vulnerability in fides.js via fides_description override
GHSA-5qrq-9645-g5g2
pkg: ethyca-fides
eco: pip
published: May 14, 2026
### Summary
`fides.js` is the script that renders Fides's consent banner on customer websites. It lets the embedding page override the banner's description text at runtime via a URL query parameter, a JavaScript global, or a cookie. On sites that have opted into HTML-formatted descriptions, the ove…
CVE-2026-44541
GitHub-GHSA
HIGH
Karakeep SDK has SSRF via metascraper-logo-favicon that bypasses validateUrl protections
GHSA-7rx4-c5vx-g8w3
pkg: @karakeep/sdk
eco: npm
published: May 14, 2026
## Summary
The `metascraper-logo-favicon` plugin makes HTTP requests to URLs extracted from attacker-controlled HTML without going through the application's `validateUrl()` SSRF protections. This allows any authenticated user to make the server fetch arbitrary internal URLs by bookmarking a page co…
GitHub-GHSA
HIGH
Portainer: JWT accepted in URL query leaks tokens to logs and referers
GHSA-jvp4-q659-95mj
pkg: github.com/portainer/portainer, github.com/portainer/portainer, github.com/portainer/portainer
eco: go
published: May 14, 2026
## Summary
Portainer's authentication middleware accepts JWT bearer tokens passed as the `?token=<JWT>` URL query parameter on any authenticated API endpoint, in addition to the standard `Authorization: Bearer` header. URLs are recorded in reverse-proxy access logs, browser history, and HTTP `Refere…
CVE-2026-44883
GitHub-GHSA
HIGH
Portainer Has an Arbitrary File Read via Git Symlink Injection in Stack Auto-Update
GHSA-rpgq-m5fp-32wr
pkg: github.com/portainer/portainer, github.com/portainer/portainer, github.com/portainer/portainer
eco: go
published: May 14, 2026
## Summary
Portainer supports deploying stacks from Git repositories. When a Git-backed stack is created or updated, Portainer clones the repository using `go-git` v5, which translates Git blob entries with mode `0o120000` (symlink) into real OS symlinks on the host filesystem via `os.Symlink`. The …
CVE-2026-44881
GitHub-GHSA
HIGH
FlowiseAI: Evaluator create+update mass-assignment allows cross-workspace evaluator takeover
GHSA-wxrr-jp8m-qq7f
pkg: flowise
eco: npm
published: May 14, 2026
## Summary
**Type:** Mass assignment via `Object.assign(entity, body)` -> client-controlled `workspaceId` (and on create, `id`) overwritten on the Evaluator entity -> cross-workspace data takeover and IDOR.
**File:** `packages/server/src/Interface.Evaluation.ts`
**Root cause:** The Evaluator contro…
CVE-2026-46480
GitHub-GHSA
HIGH
FlowiseAI: Evaluation create+update mass-assignment allows cross-workspace evaluation takeover
GHSA-mq53-pc65-wjc4
pkg: flowise
eco: npm
published: May 14, 2026
## Summary
**Type:** Mass assignment via `Object.assign(entity, body)` -> client-controlled `workspaceId` (and on create, `id`) overwritten on the Evaluation entity -> cross-workspace data takeover and IDOR.
**File:** `packages/server/src/services/evaluations/index.ts`
**Root cause:** The Evaluatio…
CVE-2026-46479
GitHub-GHSA
HIGH
FlowiseAI: DatasetRow create+update mass-assignment allows cross-workspace row takeover
GHSA-7j65-65cr-6644
pkg: flowise
eco: npm
published: May 14, 2026
## Summary
**Type:** Mass assignment via `Object.assign(entity, body)` -> client-controlled `workspaceId` (and on create, `id`) overwritten on the DatasetRow entity -> cross-workspace data takeover and IDOR.
**File:** `packages/server/src/services/dataset/index.ts`
**Root cause:** The DatasetRow co…
CVE-2026-46478
GitHub-GHSA
HIGH
FlowiseAI: Dataset create+update mass-assignment allows cross-workspace dataset takeover
GHSA-5h9v-837x-m97r
pkg: flowise
eco: npm
published: May 14, 2026
## Summary
**Type:** Mass assignment via `Object.assign(entity, body)` -> client-controlled `workspaceId` (and on create, `id`) overwritten on the Dataset entity -> cross-workspace data takeover and IDOR.
**File:** `packages/server/src/services/dataset/index.ts`
**Root cause:** The Dataset controll…
CVE-2026-46477
GitHub-GHSA
HIGH
FlowiseAI: CustomTemplate create+update mass-assignment allows cross-workspace template takeover
GHSA-728h-4mwj-f2p4
pkg: flowise
eco: npm
published: May 14, 2026
## Summary
**Type:** Mass assignment via `Object.assign(entity, body)` -> client-controlled `workspaceId` (and on create, `id`) overwritten on the CustomTemplate entity -> cross-workspace data takeover and IDOR.
**File:** `packages/server/src/services/marketplaces/index.ts`
**Root cause:** The Cust…
CVE-2026-46476
GitHub-GHSA
HIGH
FlowiseAI: Assistant create+update mass-assignment allows cross-workspace assistant takeover
GHSA-78pr-c5x5-jggc
pkg: flowise
eco: npm
published: May 14, 2026
## Summary
**Type:** Mass assignment via `Object.assign(entity, body)` -> client-controlled `workspaceId` (and on create, `id`) overwritten on the Assistant entity -> cross-workspace data takeover and IDOR.
**File:** `packages/server/src/services/assistants/index.ts`
**Root cause:** The Assistant c…
CVE-2026-46475
GitHub-GHSA
HIGH
FlowiseAI: Vector Store No Permission Checks
GHSA-hmg2-jjjx-jcp2
pkg: flowise
eco: npm
published: May 14, 2026
### FINDING 4: OpenAI Assistants Vector Store – No Auth on CRUD Operations
**Severity**: HIGH (CVSS ~8.1)
**Type**: CWE-306 (Missing Authentication for Critical Function)
**File**: `packages/server/src/routes/openai-assistants-vector-store/index.ts`
**Description**: ALL CRUD endpoints for OpenAI As…
CVE-2026-46444
GitHub-GHSA
HIGH
Synapse CPU starvation (Denial of Service)
GHSA-8q93-326v-3m7g
pkg: matrix-synapse
eco: pip
published: May 14, 2026
### Impact
Local authenticated users can cause Synapse to starve other requests of CPU and lead to other requests failing, causing other users to be denied service.
Homeservers that trust all their local users are not at risk.
### Patches
Update to Synapse 1.152.1 or later.
### Workarounds
If …
CVE-2026-45078
GitHub-GHSA
HIGH
n8n Has a Cross-user Authorization Bypass in Dynamic Credential OAuth Endpoints
GHSA-6h4j-wcr9-2vg7
pkg: n8n, n8n, n8n
eco: npm
published: May 14, 2026
## Impact
The OAuth1 and OAuth2 credential reconnect endpoints authorized access using `credential:read` rather than `credential:update`. An authenticated user with read-only access to a shared credential could initiate an OAuth reconnect flow and overwrite the stored token material for that credent…
CVE-2026-45732
GitHub-GHSA
HIGH
n8n Has a Source Control Pull SQL Injection
GHSA-mhrx-qhrj-673w
pkg: n8n, n8n, n8n
eco: npm
published: May 14, 2026
## Impact
An attacker with write access to the git repository connected to an n8n Source Control configuration could commit a malicious Data Table JSON file containing a crafted column name. When an administrator performed a Source Control Pull, n8n imported the file and could lead to SQL injection …
CVE-2026-44792
GitHub-GHSA
HIGH
FlowiseAI Vulnerable to Credential Data Leak
GHSA-7g73-99r4-m4mj
pkg: flowise
eco: npm
published: May 14, 2026
**Severity**: HIGH (CVSS ~7.5)
**Type**: CWE-200 (Exposure of Sensitive Information)
**File**: `packages/server/src/services/credentials/index.ts:62-71`
**Description**: When credentials are fetched with a `credentialName` filter parameter, the `encryptedData` field is NOT stripped from the respons…
CVE-2026-46443
GitHub-GHSA
HIGH
FlowiseAI has Mass Assignment in Assistant Update Endpoint that Allows Cross-Workspace Resource Reassignment
GHSA-hp26-q66v-q2w7
pkg: flowise
eco: npm
published: May 14, 2026
### Summary
A Mass Assignment vulnerability exists in the assistant update endpoint of FlowiseAI.
The endpoint allows authenticated users to modify server-controlled properties such as workspaceId, createdDate, and updatedDate when updating an assistant resource.
Due to missing server-side validat…
CVE-2026-46441
GitHub-GHSA
HIGH
Flowise has an MCP Security Bypass that Enables RCE
GHSA-m99r-2hxc-cp3q
pkg: flowise, flowise-components
eco: npm
published: May 14, 2026
## Summary
There are three bypass methods for the security limitations of the Flowise MCP feature, and attackers can execute arbitrary commands by combining these three methods
## Details
### 【Vulnerability one】The Docker build subcommand not being on the blocklist leads to remote code execu…
GitHub-GHSA
HIGH
FlowiseAI has Mass Assignment in Chatflow Update Endpoint that Allows Cross-Workspace AgentFlow Reassignment
GHSA-5wxp-qjgq-fx6m
pkg: flowise
eco: npm
published: May 14, 2026
### Summary
A Mass Assignment vulnerability exists in the chatflow update endpoint of FlowiseAI.
The endpoint allows clients to modify server-controlled properties such as deployed, isPublic, workspaceId, createdDate, and updatedDate when updating a chatflow object.
Due to missing server-side vali…
CVE-2026-42863
GitHub-GHSA
HIGH
FlowiseAI has Mass Assignment in Tool Update Endpoint that Allows Cross-Workspace Resource Reassignment
GHSA-x5v6-pj28-cwwm
pkg: flowise
eco: npm
published: May 14, 2026
### Summary
A Mass Assignment vulnerability exists in the tool update endpoint of FlowiseAI.
The endpoint allows authenticated users to modify server-controlled properties such as workspaceId, createdDate, and updatedDate when updating a tool resource.
Due to missing server-side validation and aut…
CVE-2026-42862
GitHub-GHSA
HIGH
FlowiseAI has Mass Assignment in Variable Update Endpoint that Allows Cross-Workspace Resource Reassignment
GHSA-6fw7-3q8r-m5vj
pkg: flowise
eco: npm
published: May 14, 2026
### Summary
A Mass Assignment vulnerability exists in the variable update endpoint of FlowiseAI.
The endpoint allows authenticated users to modify server-controlled properties such as workspaceId, createdDate, and updatedDate when updating a variable resource.
Due to missing server-side validation…
CVE-2026-42861
GitHub-GHSA
HIGH
Fleet server may terminate unexpectedly when handling certain gRPC requests
GHSA-x67p-9m2r-fxqv
pkg: github.com/fleetdm/fleet/v4
eco: go
published: May 14, 2026
### Summary
Fleet contained a denial-of-service (DoS) issue in the gRPC Launcher `PublishLogs` endpoint. In affected versions, certain unexpected input values were not handled gracefully, which could cause the Fleet server process to terminate while processing an authenticated request from an enrol…
CVE-2026-26062
GitHub-GHSA
HIGH
Fleet Windows MDM Azure AD JWT Authentication Bypass
GHSA-ffg9-j72f-j6xm
pkg: github.com/fleetdm/fleet/v4
eco: go
published: May 14, 2026
### Summary
A vulnerability in Fleet's Windows MDM enrollment flow allows authentication tokens from any Azure AD tenant to be accepted. Because Fleet validates JWT signatures using Microsoft's multi-tenant JWKS endpoint but does not enforce the `aud` (audience) or `iss` (issuer) claims, any Micros…
CVE-2026-24899
GitHub-GHSA
HIGH
SiYuan publish-mode Reader can mutate Conf and SQL index via 8 ungated APIs
GHSA-gmmv-4cc5-wr9r
pkg: github.com/siyuan-note/siyuan/kernel
eco: go
published: May 13, 2026
### Summary
SiYuan publish-mode Reader can mutate Conf and SQL index via 8 ungated APIs
`POST /api/graph/getGraph`, `POST /api/graph/getLocalGraph`, `POST /api/sync/setSyncInterval`, `POST /api/storage/updateRecentDocViewTime`, `POST /api/storage/updateRecentDocCloseTime`, `POST /api/storage/updat…
CVE-2026-45371
GitHub-GHSA
HIGH
Anchor: `InterfaceAccount` allows account substitution between unexpected types
GHSA-429q-fhh4-r6hj
pkg: anchor-lang
eco: rust
published: May 13, 2026
### Impact
Any uses of `InterfaceAccount` allows another unexpected account type to be passed, after https://github.com/solana-foundation/anchor/pull/3837 disabled discriminator checking for this type.
The bug was originally reported and fixed in https://github.com/solana-foundation/anchor/pull/413…
GitHub-GHSA
HIGH
claude-code-cache-fix vulnerable to local code execution via Python triple-quote injection in tools/quota-statusline.sh
GHSA-g3xq-3gmv-qq8g
pkg: claude-code-cache-fix
eco: npm
published: May 13, 2026
## Summary
`tools/quota-statusline.sh` (introduced in v3.5.0) interpolates Claude Code's hook stdin payload directly into a Python triple-quoted string literal. A `'''` byte sequence in any user-controlled field of the payload closes the literal early and lets following bytes execute as Python in t…
CVE-2026-45136
GitHub-GHSA
HIGH
UltraJSON has a Memory Leak in ujson.dump() on Write Failure
GHSA-c38f-wx89-p2xg
pkg: ujson
eco: pip
published: May 12, 2026
### Summary
When `ujson.dump()` writes to a file-like object and the write operation raises an exception, the serialized JSON string object is not decremented, leaking memory. Each failed write operation leaks the full size of the serialized payload.
Code that uses `ujson.dumps()` rather than `ujs…
CVE-2026-44660
GitHub-GHSA
HIGH
protobuf.js: Code injection through bytes field defaults in generated toObject code
GHSA-66ff-xgx4-vchm
pkg: protobufjs, protobufjs
eco: npm
published: May 12, 2026
## Summary
protobufjs generated JavaScript for `toObject` conversion could include an unsafe expression derived from a schema-controlled `bytes` field default value. A crafted descriptor with a non-string default value for a `bytes` field could cause attacker-controlled code to be emitted into the …
CVE-2026-44293
GitHub-GHSA
HIGH
GitHub Copilot CLI: Nested Bare Repository Can Execute Arbitrary Commands via core.fsmonitor
GHSA-9ccr-r5hg-74gf
pkg: @github/copilot
eco: npm
published: May 11, 2026
## Summary
A security vulnerability has been identified in GitHub Copilot CLI where a malicious bare git repository nested inside a project directory can achieve arbitrary code execution when the agent performs git operations. By exploiting git's automatic bare repository discovery during directory…
CVE-2026-45033
GitHub-GHSA
HIGH
python-liquid: Absolute paths escape filesystem loader search path
GHSA-8p4x-wr7x-3788
pkg: python-liquid
eco: pip
published: May 11, 2026
### Impact
The built-in `FileSystemLoader` and `CachingFileSystemLoader` do not guard against reading files outside their search paths when given an absolute path to resolve. This allows malicious template authors to load and render arbitrary files via the `{% include %}` and `{% render %}` tags. Ta…
CVE-2026-45017
GitHub-GHSA
HIGH
go-git's improper parsing of specially crafted objects may lead to inconsistent interpretation compared to upstream Git
GHSA-389r-gv7p-r3rp
pkg: github.com/go-git/go-git/v6, github.com/go-git/go-git/v5
eco: go
published: May 11, 2026
### Impact
`go-git` may parse malformed Git objects in a way that differs from upstream Git. When `commit` or `tag` objects contain ambiguous or malformed headers, `go-git`’s decoded representation may expose values differently from how Git itself would interpret or reject the same object.
Additi…
CVE-2026-45022
GitHub-GHSA
HIGH
Dozzle's Cross-Site WebSocket Hijacking (CSWSH) on exec/attach endpointsbypasses authentication
GHSA-j643-x8pv-8m67
pkg: github.com/amir20/dozzle
eco: go
published: May 11, 2026
## Summary
The WebSocket upgrader for the `/exec` and `/attach` endpoints uses `CheckOrigin: func(r *http.Request) bool { return true }`, accepting upgrade requests from any origin. Combined with the JWT cookie using `SameSite: Lax`, this enables Cross-Site WebSocket Hijacking (CSWSH) — **even wh…
CVE-2026-44985
NVD
MEDIUM
CVE-2026-1322
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.0 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with a read_api scoped OAuth application to create issues and add comments to issues in private projects due to …
CWE: CWE-840
NVD
MEDIUM
CVE-2026-44305
Lemur manages TLS certificate creation. Prior to 1.9.0, when LDAP TLS is enabled (LDAP_USE_TLS = True), Lemur's LDAP authentication module unconditionally disables TLS certificate verification at the global ldap module level. This allows a man-in-the-middle attacker positioned between Lemur and the …
CWE: CWE-295
NVD
MEDIUM
CVE-2026-33603
Attacker can use a specially crafted base64 exchange between Dovecot and Client to fake SCRAM TLS channel binding. This requires that the attacker is able to position itself between Dovecot and the client connection. If successful, the attacker can eavesdrop communications between Dovecot and client…
CWE: CWE-99
NVD
MEDIUM
CVE-2026-43875
WWBN AVideo is an open source video platform. In versions up to and including 29.0, plugin/MobileManager/oauth2.php completes an OAuth login by sending an HTTP 302 Location: oauth2Success.php?user=<email>&pass=<HASH> where <HASH> is the victim's stored password hash (md5(hash("whirlpool", sha1(passw…
CWE: CWE-598
NVD
MEDIUM
CVE-2026-42312
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the set_config_value() API method (@permission(Perms.SETTINGS)) in src/pyload/core/api/__init__.py gates security-sensitive options behind a hand-maintained allowlist ADMIN_ONLY_CORE_OPTIONS. The option ("g…
CWE: CWE-295, CWE-306, CWE-863
NVD
MEDIUM
CVE-2026-32170
Double free in Windows Rich Text Edit Control allows an authorized attacker to elevate privileges locally.
CWE: CWE-415
NVD
MEDIUM
CVE-2026-21530
Double free in Windows Rich Text Edit allows an authorized attacker to elevate privileges locally.
CWE: CWE-415
NVD
MEDIUM
CVE-2026-20905
Improper input validation for some Intel(R) QAT software drivers for Windows before version 2.6 within Ring 3: User Applications may allow a denial of service. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable denial of service. This result m…
CWE: CWE-20
NVD
MEDIUM
CVE-2026-20782
Buffer overflow for some Intel(R) QAT software drivers for Windows before version 1.13 within Ring 3: User Applications may allow a denial of service. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable denial of service. This result may potent…
CWE: CWE-120
NVD
MEDIUM
CVE-2026-20717
Improper input validation for some Intel(R) QAT software drivers for Windows before version 1.13 within Ring 3: User Applications may allow a denial of service. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable denial of service. This result …
CWE: CWE-20
NVD
MEDIUM
CVE-2026-39052
Oinone Pamirs 7.0.0 contains a code execution vulnerability via ScriptRunner. The method ScriptRunner.run(String expression, String type, Map<String, Object> context) evaluates attacker-controlled script expressions through the underlying script engine without sandboxing or allowlist restrictions.
CWE: CWE-94
GitHub-GHSA
MEDIUM
Open WebUI: Unauthenticated endpoint can trigger embedding generation (cost/DoS)
GHSA-m69w-p7m4-585j
pkg: open-webui
eco: pip
published: May 14, 2026
### Summary
GET `/api/v1/memories/ef` is accessible without authentication and executes `request.app.state.EMBEDDING_FUNCTION(…)`. This allows any unauthenticated caller to trigger embedding generation which can lead to direct cost exposure if a paid provider is used.
Code reference: `backend/open…
CVE-2026-45667
GitHub-GHSA
MEDIUM
Open WebUI has an Indirect Object Reference (IDOR) in user notes
GHSA-x3qm-p8hr-3c3h
pkg: open-webui
eco: pip
published: May 14, 2026
### Summary
The API /api/v1/notes/{note_id} endpoint lacks proper authorization checks, allowing authenticated users to retrieve notes belonging to other users by guessing or enumerating UUIDs. This results in unauthorized disclosure of potentially sensitive or private user data.
### Details
– if …
CVE-2026-45666
GitHub-GHSA
MEDIUM
Open WebUI Exposes System Prompt to Regular User [Non-Admin]
GHSA-jh9g-8jqw-m2qx
pkg: open-webui
eco: pip
published: May 14, 2026
### Summary
_A regular user [non-admin] can view the system prompt of the model which is set by an admin._
### Details
_When a regular user [non-admin] logs into the application, a http://IP:8080/api/models? web request is initiated by the application and in response, it reveals the system prompt o…
CVE-2026-45351
GitHub-GHSA
MEDIUM
Open WebUI missing authorization check at the model update function – models from other users can be updated
GHSA-gm54-m39w-grjp
pkg: open-webui
eco: pip
published: May 14, 2026
### Summary
A user can modify another user's model even if its visibility is set to `Private`.
The finding resulted from a penetration test for a customer. It is suspected that the root cause of the issue lies within the core of Open WebUI, which is why it is being reported as a security issue here.…
CVE-2026-45345
GitHub-GHSA
MEDIUM
Open WebUI's API key endpoint restrictions bypassed via `x-api-key` header — full message processing on restricted endpoints
GHSA-57q6-fvp4-pqmm
pkg: open-webu
eco: pip
published: May 14, 2026
### Summary
Open WebUI allows admins to restrict which API endpoints an API key can access. When an API key is restricted from `/api/v1/messages`, requests using the `Authorization: Bearer sk-…` header are correctly blocked with 403. However, the same key sent via the `x-api-key` header bypasses …
CVE-2026-45339
GitHub-GHSA
MEDIUM
pyLoad Has Incomplete Fix for CVE-2026-33509 -storage_folder Bypass via Session Directory in pyLoad
GHSA-w727-595x-pc3r
pkg: pyload-ng
eco: pip
published: May 14, 2026
## Summary
The fix for CVE-2026-33509 prevents setting `storage_folder` inside `PKGDIR` or `userdir`, but does NOT protect the Flask session directory (`/tmp/pyLoad/flask`). An authenticated attacker can set `storage_folder` to the session directory and download session files of other users via `/fi…
CVE-2026-45306
GitHub-GHSA
MEDIUM
Home Assistant MCP Server: YAML config backups written under www/ are served unauthenticated at /local/
GHSA-g39v-cvjh-8fpf
pkg: ha-mcp
eco: pip
published: May 14, 2026
### Summary
When `ENABLE_YAML_CONFIG_EDITING=true`, every `ha_config_set_yaml` call backs up the pre-edit file to `<config>/www/yaml_backups/`, which Home Assistant serves at `/local/` with **no authentication**. Anyone who can reach the HA web interface can download the most recent pre-edit `confi…
NVD
MEDIUM
CVE-2026-44514
Kubetail is a real-time logging dashboard for Kubernetes. Prior to 0.14.0, Kubetail's dashboard exposes WebSocket endpoints that did not adequately validate the Origin header on connection upgrade. A malicious web page visited by a user with an active Kubetail session could open a WebSocket to the u…
CWE: CWE-1385
GitHub-GHSA
MEDIUM
@apostrophecms/cli: Command Injection in apos create via Unsanitized Password Input
GHSA-hcwq-x9fw-8cfq
pkg: @apostrophecms/cli
eco: npm
published: May 14, 2026
Summary
The @apostrophecms/cli package contains a command injection vulnerability in the apos create command.
User-supplied input from the password prompt is embedded directly into a shell command without proper sanitization or escaping.
This allows execution of arbitrary commands on the host syste…
CVE-2026-42853
NVD
MEDIUM
CVE-2026-44000
vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, a sandbox boundary violation in vm2 allows host object identity to cross into the sandbox through host Promise resolution. When a host-side Promise that resolves to a host object is exposed to the sandbox, the value delivered to the sand…
CWE: CWE-693
NVD
MEDIUM
CVE-2026-42946
A vulnerability exists in the ngx_http_scgi_module and ngx_http_uwsgi_module modules that may result in excessive memory allocation or an over-read of data. When scgi_pass or uwsgi_pass is configured, an unauthenticated attacker with man-in-the-middle (MITM) ability to control responses from an …
CWE: CWE-789, CWE-823
NVD
MEDIUM
CVE-2026-40460
When NGINX Plus or NGINX Open Source are configured to use the HTTP/3 QUIC module, an attacker may be able to spoof their source IP address allowing for bypass of authorization or bypass of rate limiting. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluate…
CWE: CWE-290
GitHub-GHSA
MEDIUM
wger has an Uncontrolled Resource Consumption issue
GHSA-v25j-wqcw-fvhj
pkg: wger
eco: pip
published: May 13, 2026
### Summary
Any authenticated user can create a routine spanning an arbitrarily long date range (e.g. 100 years) and then trigger the `date_sequence` computation via any of the routine detail endpoints. The server iterates once per day in an unbounded `while` loop with no maximum duration validatio…
GitHub-GHSA
MEDIUM
Nautobot: Object bulk rename UI actions vulnerable to denial of service by crafted regular expression (REDoS)
GHSA-qrpw-gjvh-x5gm
pkg: nautobot, nautobot
eco: pip
published: May 13, 2026
### Impact
Nautobot UI object-bulk-rename endpoints (for example, `/dcim/interfaces/rename/`) were vulnerable to application-wide denial of service via maliciously crafted regular expressions in the `find` field in combination with the `use_regex` flag.
### Patches
A general-purpose timeout has b…
CVE-2026-44796
GitHub-GHSA
MEDIUM
go-billy: Lack of depth and cycle detection in symlink resolution may lead to infinite loops and resource exhaustion
GHSA-m3xc-h892-ggx6
pkg: github.com/go-git/go-billy/v5, github.com/go-git/go-billy/v6
eco: go
published: May 13, 2026
### Impact
Multiple components may improperly handle crafted or malformed input, resulting in panics, infinite loops, uncontrolled recursion, or excessive resource consumption.
These issues arise from insufficient validation and missing safety mechanisms such as cycle detection, recursion limits, o…
CVE-2026-44740
NVD
MEDIUM
CVE-2026-8199
An authenticated user can cause excess memory usage via bitwise match expression AST processing of $bitsAllSet, $bitsAnySet, $bitsAllClear, and $bitsAnyClear. This contributes to memory pressure and may lead to availability loss by OOM.
This issue impacts MongoDB Server v7.0 versions prior to 7.0.3…
CWE: CWE-1325
NVD
MEDIUM
CVE-2026-35422
Authentication bypass using an alternate path or channel in Windows TCP/IP allows an authorized attacker to bypass a security feature over a network.
CWE: CWE-288
NVD
MEDIUM
CVE-2026-34350
Null pointer dereference in Windows Storport Miniport Driver allows an unauthorized attacker to deny service over a network.
CWE: CWE-476
GitHub-GHSA
MEDIUM
OpenClaude MCP OAuth Callback: State Check Bypass via error Param Leads to DoS
GHSA-c73c-x77g-854r
pkg: @gitlawb/openclaude
eco: npm
published: May 12, 2026
# OAuth State Validation Bypass via `error` Parameter Causes Local Server DoS in MCP Auth Callback
—
## Description
The OpenClaude MCP authentication flow starts a temporary local HTTP server to handle OAuth callbacks. To prevent CSRF attacks, the server validates a `state` parameter against an …
CVE-2026-42073
NVD
MEDIUM
CVE-2026-42314
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, package folder names are sanitized using insufficient string replacement. The pattern ….// becomes .._ after replacement (partial removal), leaving .. which can be exploited when the path is later resolve…
CWE: CWE-22
NVD
MEDIUM
CVE-2026-7820
Improper restriction of excessive authentication attempts (CWE-307) in pgAdmin 4.
pgAdmin enforces MAX_LOGIN_ATTEMPTS only inside its custom /authenticate/login view. Flask-Security's default /login view, which is registered automatically by security.init_app() and is reachable on every server, nev…
CWE: CWE-307
GitHub-GHSA
MEDIUM
Streamlink has an arbitrary local file read via file:// URI in HLS and DASH
GHSA-hgqw-6m45-hw5f
pkg: streamlink
eco: pip
published: May 11, 2026
## Summary
Streamlink's HLS and DASH parsers do not validate the URI scheme of segment entries and other resources. A remote `.m3u8` HLS playlist or `.mpd` DASH manifest can list `file:///path/to/file` as a segment, and streamlink will read that local file and write its contents to the output strea…
CVE-2026-44353
GitHub-GHSA
MEDIUM
Open WebUI's Improper Authorization in Standard Channels Allows Message Updates with Read Permission
GHSA-jgj3-r8hr-9pjw
pkg: open-webui
eco: pip
published: May 11, 2026
## Vulnerability Description
In standard channels (i.e., channels whose `channel.type` is neither `group` nor `dm`), the endpoint
`POST /api/v1/channels/{channel_id}/messages/{message_id}/update` can be accessed with **read permission only**.
When `access_control` is set to `None`, the authorizat…
CVE-2026-44571
NVD
MEDIUM
CVE-2026-5361
The Envira Gallery Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the REST API in versions up to and including 1.12.4. This is due to insufficient input sanitization in the update_gallery_data() function and improper output escaping in the gallery_init() function. The san…
CWE: CWE-79
NVD
MEDIUM
CVE-2026-6962
The Cost of Goods: Product Cost & Profit Calculator for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'alg_wc_cog_product_cost' and 'alg_wc_cog_product_profit' shortcodes in all versions up to, and including, 4.1.0 due to insufficient input sanitizati…
CWE: CWE-79
GitHub-GHSA
MEDIUM
dbt MCP Server has an Argument Injection in dbt CLI Tool Wrappers via node_selection and resource_type Parameters
GHSA-xpww-f6pm-cfhq
pkg: dbt-mcp
eco: pip
published: May 14, 2026
*Discovered through manual source code review. Verified by PoC execution against a local dbt-mcp v1.15.1 installation.**
## Summary
`_run_dbt_command()` in `src/dbt_mcp/dbt_cli/tools.py` constructs the dbt subprocess argument list by appending user-supplied MCP tool parameters without sanitization…
CVE-2026-44968
NVD
MEDIUM
CVE-2026-33380
A vulnerability in SQL Expressions allows an authenticated attacker to read arbitrary files from the Grafana server's filesystem. Only instances with the sqlExpressions feature toggle enabled are vulnerable.
CWE: CWE-552
GitHub-GHSA
MEDIUM
Keylime has a hardcoded attestation challenge nonce that allows replay attacks
GHSA-q8w6-w55c-ccv5
pkg: keylime
eco: pip
published: May 11, 2026
## CVE-2026-6420: Hardcoded attestation challenge nonce allows replay attacks
### Impact
The `CertificationParameters.generate_challenge()` method in the push attestation protocol uses a hardcoded challenge nonce instead of generating a cryptographically random value. This removes the nonce-based …
CVE-2026-6420
GitHub-GHSA
MEDIUM
PraisonAI knowledge-store backends interpolate unvalidated collection names into SQL and CQL queries
GHSA-3643-7v76-5cj2
pkg: PraisonAI
eco: pip
published: May 11, 2026
### Summary
PraisonAI exposes optional SQL/CQL-backed knowledge-store implementations that build table and index identifiers from unvalidated `name` and `collection` arguments. Applications that pass untrusted collection names into these backends can trigger SQL or CQL injection.
### Details
This i…
CVE-2026-44337
GitHub-GHSA
MEDIUM
pyzipper has an encryption bypass for small files encrypted using it
GHSA-crqm-m339-7m2p
pkg: pyzipper
eco: pip
published: May 14, 2026
### Impact
A Python operator precedence bug in pyzipper/zipfile_aes.py caused the AE-2 format to never be automatically selected during encryption, regardless of file size or compression type. As a result, all encrypted entries are written in AE-1 format unless AE-2 is explicitly forced by the calle…
CVE-2026-44722
GitHub-GHSA
MEDIUM
Mistune TOC Anchor Injection XSS
GHSA-6269-cqxg-mhhv
pkg: mistune
eco: pip
published: May 14, 2026
## Summary
`render_toc_ul()` builds a `<ul>` table-of-contents tree from a list of `(level, id, text)` tuples. Both the `id` value (used as `href="#<id>"`) and the `text` value (used as the visible link label) are inserted into `<a>` tags via a plain Python format string — with no HTML escaping ap…
CVE-2026-44898
NVD
MEDIUM
CVE-2026-44580
Next.js is a React framework for building full-stack web applications. From 13.0.0 to before 15.5.16 and 16.2.5, applications that use beforeInteractive scripts together with untrusted content can be vulnerable to cross-site scripting. In affected versions, serialized script content was not escaped …
CWE: CWE-79
GitHub-GHSA
MEDIUM
Authlib OIDC Implicit/Hybrid Authorization Vulnerable to Open Redirect
GHSA-r95x-qfjj-fjj2
pkg: authlib, authlib
eco: pip
published: May 13, 2026
### Summary
An unauthenticated open redirect in Authlib's `OpenIDImplicitGrant` and `OpenIDHybridGrant` authorization endpoint lets a remote attacker cause the authorization server to issue an HTTP 302 to an attacker-chosen URL by submitting an authorization request that omits the `openid` scope.
…
CVE-2026-44681
NVD
MEDIUM
CVE-2026-44245
Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to 2.5.2, Vue 3's v-html directive is the framework-documented mechanism for injecting raw HTML, and it intentionally disables the auto-escaping that {{ }} interpolation provides. The PropertyCard.vue component us…
CWE: CWE-79
NVD
MEDIUM
CVE-2026-20771
Null pointer dereference for some Intel(R) QAT software drivers for Windows before version 1.13 within Ring 3: User Applications may allow a denial of service. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable denial of service. This result m…
CWE: CWE-476
NVD
MEDIUM
CVE-2026-7464
The WP Google Maps Integration plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `page` parameter in all versions up to, and including, 1.2. This is due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject a…
CWE: CWE-79
GitHub-GHSA
MEDIUM
Next.js has cross-site scripting in beforeInteractive scripts with untrusted input
GHSA-gx5p-jg67-6x7h
pkg: next, next
eco: npm
published: May 11, 2026
### Impact
Applications that use `beforeInteractive` scripts together with untrusted content can be vulnerable to cross-site scripting. In affected versions, serialized script content was not escaped safely before being embedded into the document, which could allow attacker-controlled input to brea…
CVE-2026-44580
GitHub-GHSA
MEDIUM
Ella Core has a UE Security Capability bypass on NGAP PathSwitchRequest
GHSA-pwfh-mqp3-pqwj
pkg: github.com/ellanetworks/core
eco: go
published: May 11, 2026
## Summary
Ella Core does not verify the UE Security Capabilities received in NGAP PathSwitchRequest messages against its locally stored values. A malicious gNB can overwrite Ella Core's stored UE security capabilities for any UE with arbitrary values by sending a single crafted PathSwitchRequest.
…
CVE-2026-44475
NVD
MEDIUM
CVE-2026-42597
Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, the /forms/chromium/convert/url and /forms/chromium/screenshot/url routes accept url=file:///tmp/… from anonymous callers. The default Chromium deny-list intentionally exempts file:///tmp/ so HTML/Markdown routes can load …
CWE: CWE-73, CWE-918
NVD
MEDIUM
CVE-2026-44577
Next.js is a React framework for building full-stack web applications. From 10.0.0 to before 15.5.16 and 16.2.5, when self-hosting Next.js with the default image loader, the Image Optimization API fetches local images entirely into memory without enforcing a maximum size limit. An attacker could cau…
CWE: CWE-770
NVD
MEDIUM
CVE-2026-6253
curl might erroneously pass on credentials for a first proxy to a second
proxy.
This can happen when the following conditions are true:
1. curl is setup to use specific different proxies for different URL schemes
2. the first proxy needs credentials
3. the second proxy uses no credentials
4. while…
CWE: CWE-522
NVD
MEDIUM
CVE-2026-4873
A vulnerability exists where a connection requiring TLS incorrectly reuses an
existing unencrypted connection from the same connection pool. If an initial
transfer is made in clear-text (via IMAP, SMTP, or POP3), a subsequent request
to that same host bypasses the TLS requirement and instead transmi…
CWE: CWE-295, CWE-319
NVD
MEDIUM
CVE-2026-42545
Granian is a Rust HTTP server for Python applications. From 0.2.0 to 2.7.4, Granian aborts a worker process if a WSGI application returns an invalid HTTP response header name or value. The WSGI response conversion path uses .unwrap() on both the header name and header value constructors, so malforme…
CWE: CWE-248, CWE-755
GitHub-GHSA
MEDIUM
Next.js has a Denial of Service in the Image Optimization API
GHSA-h64f-5h5j-jqjh
pkg: next, next
eco: npm
published: May 11, 2026
### Impact
When self-hosting Next.js with the default image loader, the Image Optimization API fetches local images entirely into memory without enforcing a maximum size limit. An attacker could cause out-of-memory conditions by requesting large local assets from the `/_next/image` endpoint that ma…
CVE-2026-44577
NVD
MEDIUM
CVE-2026-44312
css_parser is a Ruby CSS parser. Prior to 2.1.0 and 1.22.0, the CSS Parser gem does not validate HTTPS connections, allowing a Man-in-the-Middle (MITM) attacker to inject or modify CSS content when stylesheets are loaded via HTTPS. The connection is established with OpenSSL::SSL::VERIFY_NONE, meanin…
CWE: CWE-295, CWE-829
NVD
MEDIUM
CVE-2026-44002
vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, vm2's CallSite wrapper class (intended as a safe wrapper for V8's native CallSite) blocks getThis() and getFunction() to prevent host object leakage, but allows getFileName() to return unsanitized host absolute paths. Any sandboxed code …
CWE: CWE-209
NVD
MEDIUM
CVE-2026-42926
When NGINX Open Source is configured to proxy HTTP/2 traffic by setting proxy_http_version to 2, and also uses proxy_set_body, an attacker may be able to inject frame headers and payload bytes to the upstream peer. Note: Software versions which have reached End of Technical Support (EoTS) are not…
CWE: CWE-172
NVD
MEDIUM
CVE-2026-44347
Warpgate is an open source SSH, HTTPS and MySQL bastion host for Linux. Prior to 0.23.3, the SSO flow does not validate the state parameter, which makes it possible for an attacker to trick a user into logging into the attacker's account, possibly convincing them to perform sensitive actions on the …
CWE: CWE-352
NVD
MEDIUM
CVE-2026-44695
Outline is a service that allows for collaborative documentation. Prior to 1.7.1, the Slack integration callback for GET /auth/slack.post accepts an unsigned, session-independent OAuth state value. A third party who can obtain a Slack OAuth code for the same Outline Slack client can make a logged-in…
CWE: CWE-352
NVD
MEDIUM
CVE-2026-31252
CosyVoice thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-30-21) contains an insecure deserialization vulnerability (CWE-502) in its model loading component. The framework uses torch.load() to load model weight files (e.g., llm.pt, flow.pt, hift.pt) without enabling the security-restricti…
CWE: CWE-94, CWE-915
GitHub-GHSA
MEDIUM
Microsoft APM: Windows absolute-path tar member overwrite during legacy-bundle probing in `apm install`
GHSA-mq5j-pw29-jcv3
pkg: apm-cli
eco: pip
published: May 15, 2026
### Summary
Microsoft APM contains a Windows-specific archive extraction boundary failure in the legacy-bundle probe used by `apm install <bundle>` on supported Python 3.10 and 3.11 runtimes. When `apm install` is given a local `.tar.gz` that is not recognized as a plugin-format bundle, APM probes …
CVE-2026-46383
NVD
MEDIUM
CVE-2026-46383
Microsoft APM is an open-source, community-driven dependency manager for AI agents. Prior to 0.13.0, Microsoft APM contains a Windows-specific archive extraction boundary failure in the legacy-bundle probe used by apm install <bundle> on supported Python 3.10 and 3.11 runtimes. When apm install is g…
CWE: CWE-22, CWE-73
GitHub-GHSA
MEDIUM
Portainer has a path traversal in backup archive extraction that allows arbitrary file write
GHSA-m8fg-67j7-cx4v
pkg: github.com/portainer/portainer
eco: go
published: May 14, 2026
### Summary
Portainer's backup restore feature accepts a `.tar.gz` archive and extracts it to a target directory on the server. The extraction function (`ExtractTarGz` in `api/archive/targz.go`) constructed output paths using `filepath.Clean(filepath.Join(outputDirPath, header.Name))`. This combinat…
CVE-2026-44885
NVD
MEDIUM
CVE-2026-35419
Out-of-bounds read in Windows DWM Core Library allows an authorized attacker to disclose information locally.
CWE: CWE-125
NVD
MEDIUM
CVE-2026-34339
Null pointer dereference in Windows LDAP – Lightweight Directory Access Protocol allows an authorized attacker to deny service locally.
CWE: CWE-476
NVD
MEDIUM
CVE-2026-20914
Null pointer dereference for some Intel(R) QAT software drivers for Windows before version 2.6.0 within Ring 3: User Applications may allow a denial of service. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable denial of service. This result …
CWE: CWE-476
NVD
MEDIUM
CVE-2026-20881
Divide by zero for some Intel(R) QAT software drivers for Windows before version 1.13 within Ring 3: User Applications may allow a denial of service. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable denial of service. This result may potenti…
CWE: CWE-369
GitHub-GHSA
MEDIUM
Gryph Agents Payload Filter Fails to Strip Tool Payload for Sensitive Content
GHSA-f3jg-756w-gm35
pkg: github.com/safedep/gryph
eco: go
published: May 11, 2026
Gryph implements logging levels that determine what content is logged to a local sqlite database. The README incorrectly mentions that the default log level is minimal while it is standard. Source code review shows sensitive `file-write` content remains in the stored `payload` as `ContentPreview`, …
CVE-2026-45046
NVD
MEDIUM
CVE-2026-23695
Cockpit CMS through version 2.14.0, patched in commit 72a83fc, contains a stored cross-site scripting vulnerability in the Set field type's Display template option, where the template string is processed by the $interpolate function using new Function() and rendered via Vue's v-html directive withou…
CWE: CWE-79
NVD
MEDIUM
CVE-2026-44429
The MCP Registry provides MCP clients with a list of MCP servers, like an app store for MCP servers. Prior to 1.7.7, the public catalogue UI served at GET / (file internal/api/handlers/v0/ui_index.html) is vulnerable to stored cross-site scripting via the server.websiteUrl field of any published ser…
CWE: CWE-79, CWE-116
GitHub-GHSA
MEDIUM
Open WebUI: Mass Assignment via FeedbackForm extra=allow Allows Feedback User ID Spoofing and Evaluation Data Manipulation
GHSA-rjmp-vjf2-qf4g
pkg: open-webui
eco: pip
published: May 14, 2026
# Mass Assignment in Feedback Creation Allows User ID Spoofing and Evaluation Data Manipulation
## Summary
The `POST /api/v1/evaluations/feedback` endpoint in Open WebUI v0.9.2 is vulnerable to mass assignment via `FeedbackForm`, which uses `model_config = ConfigDict(extra='allow')`. Due to an ins…
CVE-2026-45396
GitHub-GHSA
MEDIUM
Open WebUI: Authenticated users can bypass model access control via exposed query parameter [AI-ASSISTED]
GHSA-v6qf-75pr-p96m
pkg: open-webui
eco: pip
published: May 14, 2026
### Summary
An internal-only bypass_filter parameter is exposed on the /openai/chat/completions and /ollama/api/chat HTTP endpoints via FastAPI query string binding, allowing any authenticated user to append ?bypass_filter=true and bypass model access control checks to invoke admin-restricted model…
CVE-2026-45365
GitHub-GHSA
MEDIUM
Open WebUI has stored XSS via unsanitized Office/Excel/DOCX file preview rendering ({@html} without DOMPurify)
GHSA-hcwp-82g6-8wxc
pkg: open-webui
eco: pip
published: May 14, 2026
## Related advisory
This advisory tracks a regression of the original Excel-preview XSS that was
publicly disclosed and patched under [GHSA-jwf8-pv5p-vhmc](https://github.com/open-webui/open-webui/security/advisories/GHSA-jwf8-pv5p-vhmc)
(patched in v0.8.0). The same root cause — `XLSX.utils.sh…
CVE-2026-45318
GitHub-GHSA
MEDIUM
Open WebUI has Stored Cross-Site Scripting In Profile Picture
GHSA-6gh2-q7cp-9qf6
pkg: open-webui
eco: pip
published: May 14, 2026
## Summary
The `profile_image_url` field on the user profile update form accepted arbitrary `data:` URI values without MIME-type validation. Two distinct attack paths were independently demonstrated by separate reporters:
1. **`data:text/html;base64,…` in a new browser tab** (raresvis, 2025-04-1…
CVE-2026-45299
NVD
MEDIUM
CVE-2026-43644
podinfo through 6.11.2 contains a reflected cross-site scripting vulnerability in the /echo and /api/echo endpoints where the echoHandler writes request body content directly to the response without setting explicit Content-Type or X-Content-Type-Options headers. Attackers can craft cross-origin HTM…
CWE: CWE-79
NVD
MEDIUM
CVE-2026-3829
The WP Encryption – One Click Free SSL Certificate & SSL / HTTPS Redirect, Security & SSL Scan plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the 'wple_basic_get_requests' function in all versions up to, and including, 7.8.5.10. This mak…
CWE: CWE-862
NVD
MEDIUM
CVE-2026-45228
Quark Drive before 0.8.5 contains a stored cross-site scripting vulnerability in the System Configuration page where the template renders push_config key names using Vue.js's v-html directive without escaping. Authenticated attackers can inject HTML or JavaScript payloads as key names through the PO…
CWE: CWE-79
NVD
MEDIUM
CVE-2026-44576
Next.js is a React framework for building full-stack web applications. From 14.2.0 to before 15.5.16 and 16.2.5, applications using React Server Components can be vulnerable to cache poisoning when shared caches do not correctly partition response variants. Under affected conditions, an attacker can…
CWE: CWE-436
GitHub-GHSA
MEDIUM
Nautobot: REST API permits creation of GenericForeignKey references to objects that the user should not be able to reference
GHSA-wpxj-44w3-2j6x
pkg: nautobot, nautobot
eco: pip
published: May 13, 2026
### Impact
In the case of inter-object references via `GenericForeignKey` (a pattern allowing an object to reference another object that may belong to one of several different "content types" or database tables), when creating or updating an object containing a `GenericForeignKey`, Nautobot's REST …
CVE-2026-44794
NVD
MEDIUM
CVE-2026-43879
WWBN AVideo is an open source video platform. In versions up to and including 29.0, an authenticated user can configure their own donation-notification webhook URL to point at internal/loopback/metadata hosts (e.g. http://127.0.0.1:8080/…, http://169.254.169.254/latest/…, RFC1918 addresses). Whe…
CWE: CWE-918
GitHub-GHSA
MEDIUM
Next.js vulnerable to cache poisoning in React Server Component responses
GHSA-wfc6-r584-vfw7
pkg: next, next
eco: npm
published: May 11, 2026
### Impact
Applications using React Server Components can be vulnerable to cache poisoning when shared caches do not correctly partition response variants. Under affected conditions, an attacker can cause an RSC response to be served from the original URL and poison shared cache entries so later vi…
CVE-2026-44576
NVD
MEDIUM
CVE-2026-8723
### Summary
`qs.stringify` throws `TypeError` when called with `arrayFormat: 'comma'` and `encodeValuesOnly: true` on an array containing `null` or `undefined`. The throw is synchronous and not handled by any of qs's null-related options (`skipNulls`, `strictNullHandling`).
### Details
In t…
CWE: CWE-476
GitHub-GHSA
MEDIUM
Better Auth: OAuth callback accepts mismatched `state` when cookie-backed state storage is used without PKCE
GHSA-wxw3-q3m9-c3jr
pkg: better-auth
eco: npm
published: May 15, 2026
### Am I affected?
Users are affected if all of the following are true:
– The application uses `better-auth` at a version below `1.6.2` (or `@better-auth/sso` paired with such a version).
– `betterAuth({ account: { storeStateStrategy } })` is set to `"cookie"`. The default `"database"` is not affe…
GitHub-GHSA
MEDIUM
Open WebUI Vulnerable to Unauthenticated RAG Configuration Disclosure
GHSA-65pg-qhhw-mxwg
pkg: open-webui
eco: pip
published: May 14, 2026
**Vulnerability Type:** Information Disclosure / Missing Authentication
**Severity:** Medium
**Component:** `backend/open_webui/routers/retrieval.py` — `get_status()` (`GET /`)
**Affected Endpoint:** `GET /api/v1/retrieval/`
**Affected Version:** Open WebUI `main` branch — confirmed unpa…
CVE-2026-45397
NVD
MEDIUM
CVE-2026-8535
Out of bounds read in Media in Google Chrome on Linux and ChromeOS prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted JPEG file. (Chromium security severity: High)
CWE: CWE-125
NVD
MEDIUM
CVE-2026-8516
Insufficient validation of untrusted input in DataTransfer in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who convinced a user to engage in specific UI gestures to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: C…
CWE: CWE-20
NVD
MEDIUM
CVE-2025-64526
Strapi is an open source headless content management system. In Strapi versions prior to 5.45.0, the rate-limit middleware in the users-permissions plugin derived its rate-limit key in part from `ctx.request.body.email`, including on routes whose body schema does not contain an `email` field (`/auth…
CWE: CWE-307
GitHub-GHSA
MEDIUM
OpenTelemetry Java SDK has Unbounded Memory Allocation in W3C Baggage Propagation
GHSA-rcgg-9c38-7xpx
pkg: io.opentelemetry:opentelemetry-api, io.opentelemetry:opentelemetry-extension-trace-propagators
eco: maven
published: May 14, 2026
## Overview
A vulnerability affects the baggage propagation implementation in
`opentelemetry-api` and `opentelemetry-extension-trace-propagators`. Parsing oversized baggage
causes unbounded memory allocation and CPU consumption. Because baggage is automatically
re-injected into every outgoing reque…
CVE-2026-45292
NVD
MEDIUM
CVE-2026-42593
Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, pdfengines/merge, pdfengines/split, libreoffice/convert, chromium/convert/url, chromium/convert/html, and chromium/convert/markdown accept stampSource=pdf + stampExpression=/path and watermarkSource=pdf + watermarkExpression…
CWE: CWE-22, CWE-73
NVD
MEDIUM
CVE-2026-42592
Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, FilterOutboundURL resolves the hostname, checks the resolved IPs against the private-address deny-list, and returns only the error. It discards the resolved addresses. Chromium later performs its own DNS resolution when it n…
CWE: CWE-367, CWE-918
GitHub-GHSA
MEDIUM
Fleet has a rate limiting bypass via untrusted client IP headers
GHSA-j8h8-75h3-jg53
pkg: github.com/fleetdm/fleet/v4
eco: go
published: May 14, 2026
### Impact
Fleet trusted client-supplied IP address headers when determining the source IP for incoming requests. This allowed authenticated and unauthenticated clients to spoof their apparent IP address and bypass per-IP rate limiting controls.
Fleet determines a client’s public IP address usin…
CVE-2026-24000
NVD
MEDIUM
CVE-2026-44003
vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, vm2's code transformer has a performance optimization that skips AST analysis when the code does not contain catch, import, or async keywords. This fast-path bypass allows sandboxed code to directly access the internal VM2_INTERNAL_STATE…
CWE: CWE-693
NVD
MEDIUM
CVE-2026-44431
urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connection_from_url().urlopen(…, assert_same_host=False) still forward these sensitive headers. This vulnerability is fixed in 2.7.0.
CWE: CWE-200
NVD
MEDIUM
CVE-2026-7009
When curl is told to use the Certificate Status Request TLS extension, often
referred to as *OCSP stapling*, to verify that the server certificate is
valid, it fails to detect OCSP problems and instead wrongly consider the
response as fine.
CWE: CWE-295
NVD
MEDIUM
CVE-2026-44341
GoJobs is a REST API for a Job Board platform. The application exposes a job retrieval endpoint that allows unauthenticated users to access job details by directly manipulating object identifiers. The endpoint lacks proper authentication and authorization checks, resulting in unauthorized access to …
CWE: CWE-284, CWE-639
NVD
MEDIUM
CVE-2026-42177
linux-entra-sso is a browser plugin for Linux to SSO on Microsoft Entra ID. Prior to 1.8.1, platform/chrome/js/platform-chrome.js:69-88 registers a single declarativeNetRequest rule whose urlFilter is Platform.SSO_URL + "/*", i.e. "https://login.microsoftonline.com/*". Chrome's urlFilter without a |…
CWE: CWE-284, CWE-436
GitHub-GHSA
MEDIUM
protobuf.js: Denial of service from crafted field names in generated code
GHSA-2pr8-phx7-x9h3
pkg: protobufjs, protobufjs
eco: npm
published: May 12, 2026
## Summary
protobufjs generated JavaScript property accessors from schema-controlled field and oneof names. Certain control characters in field names were not escaped before being embedded into generated function bodies. A crafted schema or JSON descriptor could therefore cause generated encode, de…
CVE-2026-44294
GitHub-GHSA
MEDIUM
protobuf.js: Prototype injection in generated message constructors
GHSA-fx83-v9x8-x52w
pkg: protobufjs, protobufjs
eco: npm
published: May 12, 2026
## Summary
protobufjs generated message constructors copied enumerable properties from a provided properties object without filtering the `__proto__` key. If an application constructed a message from an attacker-controlled plain object, an own enumerable `__proto__` property could alter the prototy…
CVE-2026-44292
GitHub-GHSA
MEDIUM
protobufjs has overlong UTF-8 decoding
GHSA-q6x5-8v7m-xcrf
pkg: protobufjs, protobufjs, @protobufjs/utf8
eco: npm
published: May 12, 2026
## Summary
protobufjs includes a minimal UTF-8 decoder used in non-Node and fallback decoding paths. The affected decoder accepted overlong UTF-8 byte sequences and decoded them to their canonical characters instead of replacing them.
The issue concerns overlong encodings and code points outside t…
CVE-2026-44288
NVD
MEDIUM
CVE-2026-6402
webpack-dev-server versions up to and including 5.2.3 are vulnerable to cross-origin source code exposure when serving over a non-potentially trustworthy origin such as plain HTTP. The previous fix relied on the Sec-Fetch-Mode and Sec-Fetch-Site request headers, which browsers omit for non-trustwort…
CWE: CWE-749
NVD
MEDIUM
CVE-2026-44226
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, pyload-ng WebUI returns full Python traceback details to clients on unhandled exceptions. Because /web/<path:filename> is reachable without authentication and renders attacker-controlled template names, an …
CWE: CWE-209
GitHub-GHSA
MEDIUM
local-deep-research is Vulnerable to HTML Injection via Unescaped User Input in PDF Export (`pdf_service.py:_markdown_to_html`)
GHSA-fj2m-qvh9-jq4q
pkg: local-deep-research
eco: pip
published: May 11, 2026
## Summary
`PDFService._markdown_to_html()` constructs an HTML document by interpolating user-controlled values — specifically `title` (sourced from `research.title` or `research.query`) and `metadata` key-value pairs — directly into an f-string without any HTML escaping. An authenticated attac…
CVE-2026-43979
GitHub-GHSA
MEDIUM
GuardDog: Unsanitized human-readable scan output allows terminal escape injection from malicious package content
GHSA-m5p4-gvpx-4mvr
pkg: guarddog
eco: pip
published: May 11, 2026
# Summary
GuardDog includes attacker-controlled filenames, file locations, messages, and code snippets in its default human-readable output without escaping terminal control characters. A malicious package can therefore inject ANSI or OSC escape sequences into analyst terminals or CI logs.
# Descri…
CVE-2026-44972
NVD
MEDIUM
CVE-2026-42780
A directory traversal vulnerability exists in BIG-IP SSL Orchestrator that allows an authenticated attacker with high privilege to overwrite, delete or corrupt arbitrary local files.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
CWE: CWE-22
NVD
MEDIUM
CVE-2026-42876
External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. Prior to 2.4.1, a user who only has permission to create ExternalSecret resources can cause the operator to create a Secret that Kubernetes will automatically populate w…
CWE: CWE-285
NVD
MEDIUM
CVE-2026-8367
aria2c accepts a server certificate with incorrect Extended Key Usage (EKU). If the attackers compromise a certificate (with the associated private key) issued for a different purpose, they may be able to reuse it for TLS server authentication.
CWE: CWE-295
NVD
MEDIUM
CVE-2026-42934
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_charset_module module. When charset, source_charset, and charset_map and proxy_pass with disabled buffering ("off") directives are configured, unauthenticated attackers can send requests that with conditions beyond the attackers…
CWE: CWE-125
NVD
MEDIUM
CVE-2026-40701
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_ssl_module module when the ssl_verify_client directive is set to "on" or "optional," and the ssl_ocsp directive is set to "on" or the leaf parameters are configured with a resolver. With this configuration, an unauthenticated …
CWE: CWE-416
NVD
MEDIUM
CVE-2026-44661
python-utcp is the python implementation of UTCP. Prior to 1.1.3, the utcp-http plugin is vulnerable to a blind Server-Side Request Forgery (SSRF) caused by a trust-boundary inconsistency between manual discovery and tool invocation. register_manual() validates the discovery URL against an HTTPS / l…
CWE: CWE-918
GitHub-GHSA
MEDIUM
@utcp/http: SSRF via attacker-controlled OpenAPI servers[0].url in HTTP communication protocol
GHSA-r8j5-8747-88cm
pkg: @utcp/http
eco: npm
published: May 14, 2026
## Summary
The `@utcp/http` package is vulnerable to a blind Server-Side Request Forgery (SSRF) caused by a trust-boundary inconsistency between manual discovery and tool invocation. `registerManual()` validates the discovery URL against an HTTPS / loopback allowlist, but `callTool()` reuses the re…
CVE-2026-45366
GitHub-GHSA
MEDIUM
Mistune Image Directive CSS Injection Vulnerability
GHSA-ccfx-mfmx-2fx9
pkg: mistune
eco: pip
published: May 14, 2026
## Summary
The Image directive plugin validates the `:width:` and `:height:` options with a regex compiled as `_num_re = re.compile(r"^\d+(?:\.\d*)?")`. This pattern is applied via `re.match()` (which anchors only at the **start** of the string, not the end). Any value that begins with one or more d…
CVE-2026-44899
NVD
MEDIUM
CVE-2026-44581
Next.js is a React framework for building full-stack web applications. From 13.4.0 to before 15.5.16 and 16.2.5, App Router applications that rely on CSP nonces can be vulnerable to stored cross-site scripting when deployed behind shared caches. In affected versions, malformed nonce values derived f…
CWE: CWE-79
GitHub-GHSA
MEDIUM
Next.js vulnerable to cross-site scripting in App Router applications using CSP nonces
GHSA-ffhc-5mcf-pf4q
pkg: next, next
eco: npm
published: May 11, 2026
### Impact
App Router applications that rely on CSP nonces can be vulnerable to stored cross-site scripting when deployed behind shared caches. In affected versions, malformed nonce values derived from request headers could be reflected into rendered HTML in an unsafe way, allowing an attacker to p…
CVE-2026-44581
GitHub-GHSA
MEDIUM
Weblate: Stored HTML injection in editor search preview
GHSA-6wxc-8mgq-w26m
pkg: weblate
eco: pip
published: May 15, 2026
### Impact
Weblate's live search preview renders unit `source` and `context` as HTML without escaping. Any contributor whose content reaches those fields stores HTML and CSS that runs inside the authenticated editor of every user who runs a matching search.
### Patches
* https://github.com/WeblateO…
CVE-2026-45106
GitHub-GHSA
MEDIUM
Open WebUI Vulnerable to Cross-Site Request Forgery (CSRF) via Image URL Manipulation
GHSA-j6w6-986j-2m2m
pkg: open-webui
eco: pip
published: May 14, 2026
## Summary
An application-wide Cross-Site Request Forgery (CSRF) vulnerability was found Open-WebUl's image uploading functionality. An attacker can set an image URL to a malicious endpoint, allowing them to perform actions on behalf of a victim user. Any authenticated user can exploit this vulner…
CVE-2026-45317
NVD
MEDIUM
CVE-2026-45736
ws is an open source WebSocket client and server for Node.js. Prior to 8.20.1, the websocket.close() implementation is vulnerable to uninitialized memory disclosure when a TypedArray is passed as the reason argument. This vulnerability is fixed in 8.20.1.
CWE: CWE-908
NVD
MEDIUM
CVE-2026-32209
Improper access control in Windows Filtering Platform (WFP) allows an authorized attacker to bypass a security feature locally.
CWE: CWE-284
GitHub-GHSA
MEDIUM
Open WebUI: Sharing models for others to use (read permission) also exposes model details (system prompt leakage)
GHSA-h2cw-7qw9-56xr
pkg: open-webui
eco: pip
published: May 14, 2026
### Summary
When setting model permissions so that a group has read access to it, intending for other users to use it, those users also can read the model's system prompt.
However users may consider their system prompt confidential, so we consider this a security issue.
Compare https://genai.owasp…
CVE-2026-45387
GitHub-GHSA
MEDIUM
Open WebUI has an IDOR vulnerability in the pin_channel_message API endpoint
GHSA-5gc6-xhv4-2wg6
pkg: open-webui
eco: pip
published: May 14, 2026
### Summary
`Pin/Unpin` is a write operation (modifies the message's `is_pinned `, `pinned_by`, `pinned_at` fields), but in standard channels it only checks `read` permission, allowing users with read-only access to pin/unpin any message.
### Details
https://github.com/open-webui/open-webui/blob/9b…
CVE-2026-45386
GitHub-GHSA
MEDIUM
Open WebUI has an IDOR vulnerability in the update_message_by_id API endpoint
GHSA-wwhq-cx22-f7vv
pkg: open-webui
eco: pip
published: May 14, 2026
### Summary
An IDOR vulnerability exists in the Channels feature of `Open WebUI`, allowing any channel member to modify messages sent by other members (including administrators) within the same channel. This vulnerability affects the latest version (`v0.8.12`) of `Open WebUI`.
### Details
In the `u…
CVE-2026-45385
GitHub-GHSA
MEDIUM
Open WebUI vulnerable to blind server side request forgery (SSRF) via the PDF generate function
GHSA-f776-fp4w-266c
pkg: open-webui
eco: pip
published: May 14, 2026
### Summary
Blind server side request forgery (SSRF) via the PDF generate function.
The finding resulted from a penetration test for a customer. It is suspected that the root cause of the issue lies within the core of Open WebUI, which is why it is being reported as a security issue here. Tested on…
CVE-2026-45347
NVD
MEDIUM
CVE-2026-8576
Inappropriate implementation in CORS in Google Chrome on Linux and ChromeOS prior to 148.0.7778.168 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
CWE: CWE-942
NVD
MEDIUM
CVE-2026-8537
Insufficient policy enforcement in ViewTransitions in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
CWE: CWE-942
NVD
MEDIUM
CVE-2026-8528
Insufficient validation of untrusted input in SiteIsolation in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to bypass Site Isolation via a crafted HTML page. (Chromium security severity: High)
CWE: CWE-20, CWE-20
GitHub-GHSA
MEDIUM
SiYuan has broken access control in `/api/search/{searchAsset,searchTag,searchWidget,searchTemplate}` publish-mode
GHSA-fmh9-gpqh-g53g
pkg: github.com/siyuan-note/siyuan/kernel
eco: go
published: May 13, 2026
### Summary
The advisory `GHSA-c77m-r996-jr3q` patched `getBookmark` so that, when invoked by a publish-mode `RoleReader`, results are filtered through `FilterBlocksByPublishAccess` to remove entries from password-protected / publish-ignored notebooks. Four sibling search handlers in the same file …
CVE-2026-45148
GitHub-GHSA
MEDIUM
SiYuan: Broken access control in `/api/tag/getTag` — Reader role can mutate `Conf.Tag.Sort` and persist to disk
GHSA-6r88-8v7q-q4p2
pkg: github.com/siyuan-note/siyuan/kernel
eco: go
published: May 13, 2026
### Summary
`POST /api/tag/getTag` is registered with `model.CheckAuth` only, omitting both `model.CheckAdminRole` and `model.CheckReadonly`, despite the handler performing a configuration write that is normally guarded by both. Any authenticated user — including publish-service `RoleReader` acco…
CVE-2026-45147
NVD
MEDIUM
CVE-2026-42541
Kubewarden is a policy engine for Kubernetes. Prior to , An attacker with privileged AdmissionPolicy or AdmissionPolicyGroup create permissions (which isn't the default) can craft a policy that makes use of the can_i host callback. The callback issues a SubjectAccessReview (SAR) requests to enumerat…
CWE: CWE-862
NVD
MEDIUM
CVE-2026-42565
@workos/authkit-session is a toolkit for building WorkOS AuthKit framework integrations. Prior to 0.5.1, an open redirect vulnerability exists in AuthService.handleCallback due to insufficient validation of the returnPathname value derived from the OAuth state parameter. The state parameter is round…
CWE: CWE-601
GitHub-GHSA
MEDIUM
oxidize-pdf: NaN/inf bypass in colour content-stream emission causes PDF rejection (DoS)
GHSA-88q9-cmp2-c2vq
pkg: oxidize-pdf, OxidizePdf.NET, oxidize-pdf
eco: pip
published: May 11, 2026
### Impact
`oxidize-pdf` defines `Color` as a `pub enum` with public tuple-struct variants `Rgb(f64, f64, f64)`, `Gray(f64)`, and `Cmyk(f64, f64, f64, f64)`. The constructors `Color::rgb`, `Color::gray`, and `Color::cmyk` clamp incoming
components to `[0.0, 1.0]`, but because the variants are `…
GitHub-GHSA
MEDIUM
arnika is affected by medium-severity issues in UDP rotation, PQC handling, and KMS TLS
GHSA-rc6v-5rmx-w5mv
pkg: github.com/arnika-project/arnika
eco: go
published: May 15, 2026
### Summary
Three medium-severity issues in arnika affecting the UDP key-rotation protocol, PQC key file handling, and KMS TLS client. All require specific preconditions to exploit and do not allow direct code execution or immediate key extraction. A self-contained PoC is attached.
### Details
1) A…
GitHub-GHSA
MEDIUM
rkyv: Panic safety bugs in `InlineVec::clear` and `SerVec::clear` enable arbitrary code execution
GHSA-vfvv-c25p-m7mm
pkg: rkyv
eco: rust
published: May 15, 2026
`InlineVec::clear()` and `SerVec::clear()` in `rkyv` were not panic-safe. Both functions iterate over their elements and call `drop_in_place` on each, updating `self.len` only *after* the loop. If an element's `Drop` implementation panics during the loop, `self.len` is left at its original value.
A…
GitHub-GHSA
MEDIUM
slack-go `SecretsVerifier` accepts empty signing secret without precondition
GHSA-gxhx-2686-5h9g
pkg: github.com/slack-go/slack
eco: go
published: May 14, 2026
“`go
func NewSecretsVerifier(header http.Header, secret string) (SecretsVerifier, error) {
hash := hmac.New(sha256.New, []byte(secret)) // raw secret, no precondition
}
“`
GitHub-GHSA
MEDIUM
Svelte: SSR XSS via Insecure Promise Serialization in hydratable
GHSA-f3cj-j4f6-wq85
pkg: svelte
eco: npm
published: May 14, 2026
Contents of `hydratable` promises were not properly stringified, potentially leading to an XSS exploit. You are vulnerable if all of the following is true:
– you are using `hydratable` (an experimental feature at the time of this report)
– you are passing attacker-controlled input such that a synchr…
GitHub-GHSA
MEDIUM
electerm's encrypt method not safe enough
GHSA-g29v-q6h7-76wh
pkg: electerm
eco: npm
published: May 14, 2026
### Impact
_Insecure sync encryption: deterministic AES-192-CBC with a fixed zero IV, constant KDF salt, and no MAC leads to confidentiality and integrity failures for synced bookmark/profile data. Attackers can crack common passwords across installs and perform undetected ciphertext bit-flips to al…
CVE-2026-45787
GitHub-GHSA
MEDIUM
Svelte Vulnerable to XSS via DOM Clobbering of Internal Framework State
GHSA-rcqx-6q8c-2c42
pkg: svelte
eco: npm
published: May 14, 2026
Svelte was vulnerable to DOM clobbering of its internal framework state on elements, potentially leading to XSS attacks.
You are vulnerable if all of the following is true:
– you are using attribute spreading on a form element
– you are using attribute spreading or allow a dynamic value for the `na…
CVE-2026-42573
GitHub-GHSA
MEDIUM
Svelte: ReDoS in `<svelte:element>` Tag Validation
GHSA-9rmh-mm8f-r9h6
pkg: svelte
eco: npm
published: May 14, 2026
An internal regex in the Svelte runtime can take exponential time to test in `<svelte:element this={tag}></svelte:element>`. You are only vulnerable to this if you allow tags of unconstrained length. If your application only allows a predetermined list of tags or trims their length before passing th…
CVE-2026-42567
GitHub-GHSA
MEDIUM
Open WebUI Has Stored Cross-Site Scripting in SVG Renderer
GHSA-r29h-37fj-x2w6
pkg: open-webui
eco: npm
published: May 14, 2026
### Summary
There is a Cross-Site Scripting vulnerability in Open WebUI SVG renderer implementation.
### Details
It is possible permanently save any HTML/JavaScript code in the application, which can be then executed in the context of the application domain. This behaviour can be used to extract …
CVE-2026-45346
GitHub-GHSA
MEDIUM
Svelte SSR vulnerable to cross-site scripting via spread attributes
GHSA-pr6f-5x2q-rwfp
pkg: svelte
eco: npm
published: May 14, 2026
When using spread syntax to render attributes from untrusted data, event handler properties are included in the rendered HTML output. If an application spreads user-controlled or external data as element attributes, an attacker can inject malicious event handlers that execute in victims' browsers. N…
CVE-2026-42599
GitHub-GHSA
MEDIUM
Default kuma-cp leaks admin token cross-origin via CORS wildcard + LocalhostIsAdmin
GHSA-3vcp-chfh-f6r2
pkg: github.com/kumahq/kuma, github.com/kumahq/kuma, github.com/kumahq/kuma
eco: go
published: May 14, 2026
## Summary
Default `kuma-cp` config leaks the admin bootstrap token and signing keys to any webpage the operator visits while the control plane is reachable from their browser. `CorsAllowedDomains: [".*"]` reflects any `Origin`, and `LocalhostIsAdmin: true` promotes requests from `127.0.0.1` to `me…
CVE-2026-45021
GitHub-GHSA
MEDIUM
TanStack Start – Server Core: Inbound server-function request deserialization could invoke a sibling client-referenced server function
GHSA-9m65-766c-r333
pkg: @tanstack/start-server-core
eco: npm
published: May 14, 2026
### Summary
A type-confusion bug in seroval ≤ 1.5.2 ([upstream advisory](https://github.com/lxsmnsyc/seroval/security/advisories)) allowed a crafted JSON body sent to one TanStack Start server function to trigger invocation of a different client-referenced server function as a side effect of deser…
GitHub-GHSA
MEDIUM
Portainer missing authorization on custom template file endpoint, which exposes template content
GHSA-cqpq-2fgr-8mvc
pkg: github.com/portainer/portainer, github.com/portainer/portainer
eco: go
published: May 14, 2026
## Summary
A missing authorization vulnerability in the Custom Template file endpoint (`GET /api/custom_templates/{id}/file`) allows any authenticated user to read the file content of any custom template by enumerating sequential integer IDs, bypassing Resource Control access restrictions. Template …
CVE-2026-44884
GitHub-GHSA
MEDIUM
Synapse pagination Denial of Service
GHSA-6qf2-7×63-mm6v
pkg: matrix-synapse
eco: pip
published: May 14, 2026
### Impact
In federated rooms, malicious homeservers can craft room events in such a way that prevents Synapse from providing full history to paginating clients.
Clients could therefore fail to display room history.
### Patches
Update to Synapse 1.152.1 or later.
### Workarounds
There are no k…
CVE-2026-45076
GitHub-GHSA
MEDIUM
Fleet: IP spoofing allows bypassing API rate limiting
GHSA-mxmp-wr3w-rvqx
pkg: github.com/fleetdm/fleet/v4
eco: go
published: May 14, 2026
### Summary
A vulnerability in Fleet's IP extraction logic allows unauthenticated attackers to bypass API rate limiting by spoofing client IP headers. This may allow brute-force login attempts or other abuse against Fleet instances exposed to the public internet.
### Impact
Fleet extracted client I…
CVE-2026-46356
GitHub-GHSA
MEDIUM
Fleet vulnerable to OS command injection in software packages
GHSA-9vcr-g537-3w5v
pkg: github.com/fleetdm/fleet/v4
eco: go
published: May 14, 2026
### Summary
A vulnerability in Fleet's software installer pipeline could allow a crafted software package to execute arbitrary commands as root (macOS/Linux) or SYSTEM (Windows) on managed endpoints when an uninstall is triggered.
### Impact
When a software package (.pkg, .deb, .rpm, .exe, or .ms…
CVE-2026-26191
GitHub-GHSA
MEDIUM
Strapi Upload Plugin MIME Validation Bypass via Content API
GHSA-pcw7-5633-82vv
pkg: @strapi/upload
eco: npm
published: May 14, 2026
### Summary of CVE-2026-22707 Vulnerability Details
– CVE: CVE-2026-22707
– CVSS v3.1 Vector: `CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N` (5.3 — Medium)
– Affected Versions: `@strapi/upload` <=5.33.2
– How to Patch: Immediately update your Strapi to >=5.33.3
### Description…
CVE-2026-22707
GitHub-GHSA
MEDIUM
Strapi has a rate limit bypass on users-permissions plugin via attacker-controlled email keying
GHSA-7mqx-wwh4-f9fw
pkg: @strapi/plugin-users-permissions
eco: npm
published: May 13, 2026
### Summary of CVE-2025-64526 Vulnerability Details
– CVE: CVE-2025-64526
– CVSS v3.1 Vector: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N` (6.9 — Medium)
– Affected Versions: `@strapi/plugin-users-permissions` <=5.44.0
– How to Patch: Immediately update your Strapi to >=5.45.…
CVE-2025-64526
GitHub-GHSA
MEDIUM
Traefik: Gateway API TraefikService backend accepts rest@internal, allowing unauthorized exposure of the REST provider despite providers.rest.insecure=false
GHSA-96qj-4jj5-wcjc
pkg: github.com/traefik/traefik/v3, github.com/traefik/traefik/v3, github.com/traefik/traefik/v2
eco: go
published: May 13, 2026
## Summary
There is a medium severity vulnerability in Traefik's Kubernetes Gateway API provider that allows a tenant with `HTTPRoute` creation permissions to expose the REST provider handler, bypassing the `providers.rest.insecure=false` setting. The Gateway provider accepts any `TraefikService` b…
CVE-2026-44774
GitHub-GHSA
MEDIUM
OpenLearnX: Critical Authentication Bypass via JWT Signature Verification Disabled Leading to Account Takeover
GHSA-223g-f5mq-gw33
pkg: openlearnx
eco: npm
published: May 13, 2026
### Overview
A critical authentication vulnerability was identified in OpenLearnX that could allow unauthorized access to user accounts under specific conditions. The issue has been fixed.
**Advisory**: https://github.com/th30d4y/OpenLearnX/security/advisories/GHSA-223g-f5mq-gw33
CVE-2026-44720
GitHub-GHSA
MEDIUM
SillyTavern has a SSRF vulnerability in the CORS proxy middleware
GHSA-ccfq-2454-f5xw
pkg: sillytavern
eco: npm
published: May 12, 2026
## Resolution
SillyTavern 1.18.0 added a generic server-side request filter (Private Request Whitelisting). Since we expect users to use the application in a trusted environment, the filter is disabled by default, however it is strongly advised to be enabled and properly configured when an instance…
CVE-2026-44652
GitHub-GHSA
MEDIUM
SillyTavern has a reflected XSS vulnerability in the CORS proxy middleware
GHSA-xc4x-2452-5gc9
pkg: sillytavern
eco: npm
published: May 12, 2026
## Resolution
Fixed in SillyTavern 1.18.0: a user-provided URL is no longer reflected in the HTTP response body.
## Overview
– Vulnerability Type: XSS
– Affected Location: `src/middleware/corsProxy.js:40`
– Trigger Scenario: reflected XSS in CORS proxy error response
## Root Cause
When `fetch(url…
CVE-2026-44651
GitHub-GHSA
MEDIUM
Mermaid: Improper sanitization of configuration leads to CSS injection
GHSA-87f9-hvmw-gh4p
pkg: mermaid, mermaid
eco: npm
published: May 11, 2026
### Impact
Mermaid's default configuration allows injecting CSS that applies outside of the Mermaid diagram via the `fontFamily`, `themeCSS`, and `altFontFamily` configuration options.
Live demo: [mermaid.live](https://mermaid.live/edit#pako:eNpNjktLxDAUhf9KvFBR6JS-60QQfODKlUvJ5k6TtsEmKTHFGUP-u-mI…
CVE-2026-41159
GitHub-GHSA
MEDIUM
Mermaid Gantt Charts are vulnerable to an Infinite Loop DoS
GHSA-6m6c-36f7-fhxh
pkg: mermaid, mermaid
eco: npm
published: May 11, 2026
### Impact
Mermaid v11.14.0 and earlier are vulnerable to a denial-of-service attack when rendering gantt charts, if they use the [`excludes` attribute](https://mermaid.js.org/syntax/gantt.html?#excludes) to exclude all dates.
Example:
“`
gantt
excludes monday,tuesday,wednesday,thursday,friday…
CVE-2026-41150
GitHub-GHSA
MEDIUM
Mermaid: Improper sanitization of `classDef` in state diagrams leads to HTML injection
GHSA-ghcm-xqfw-q4vr
pkg: mermaid, mermaid
eco: npm
published: May 11, 2026
### Impact
Under the default configuration, Mermaid state diagram's `classDef` allow DOM injection that escapes the SVG, although `<script>` tags are removed, preventing XSS.
#### Proof-of-concept
“`
stateDiagram-v2
classDef xss fill:red</style></svg><style>*{x:x;y:y;overflow:visible!important…
CVE-2026-41149
GitHub-GHSA
MEDIUM
Mermaid: Improper sanitization of `classDefs` in diagrams leads to CSS injection
GHSA-xcj9-5m2h-648r
pkg: mermaid, mermaid
eco: npm
published: May 11, 2026
### Details
The state diagram and any other diagram type that routes user-controlled style strings through createCssStyles parser for Mermaid v11.14.0 and earlier captures `classDef` values with an unrestricted regex:
“`jison
// packages/mermaid/src/diagrams/state/parser/stateDiagram.jison:83
<CL…
CVE-2026-41148
GitHub-GHSA
MEDIUM
Steamworks game clients/servers using P2P authentication vulnerable to denial of service
GHSA-g588-cjg3-6g78
pkg: steamworks
eco: rust
published: May 11, 2026
Processing the raw `ValidateAuthTicketResponse_t` callback data panics when the `m_eAuthSessionResponse` field is `k_EAuthSessionResponseAuthTicketNetworkIdentityFailure`. This can lead to denial of service in game clients and servers using the `begin_authentication_session` API to authenticate play…