- CVE-2026-45321 - Malware in 42 @tanstack/* packages exfiltrates cloud credentials, GitHub tokens, and SSH keys
- CVE-2026-43913 - Vaultwarden: Unconfirmed Owner Can Purge Entire Organization Vault
- CVE-2026-43899 - DeepChat: Incomplete Fix for CVE-2025-55733 leads to Remote Code Execution via Markdown Links bypassing `isValidExternalUrl`
- CVE-2026-43900 - DeepChat: Persistent DOM XSS via HTML Entity Encoding in `` SVG Rendering (Bypass of `svgSanitizer.ts`)
- CVE-2026-43912 - Vaultwarden: Cross-Org Group Binding Enables Unauthorized Read And Write Access Into Another Organization
- CVE-2026-34963 - barebox EFI PE Loader Memory Safety Vulnerabilities
- CVE-2026-41489 - Pi-hole: Local privilege escalation via config-controlled path in root-executed service hooks
- CVE-2026-7790 - Unbounded chunk-size hex digits in cowlib cause quadratic CPU and memory DoS
- CVE-2026-45223 - Crabbox < 0.9.0 Authentication Bypass via Admin Claim Injection
- CVE-2026-42864 - FireFighter: Unauthenticated SSRF in Raid jira_bot endpoint allows IAM credential theft
- CVE-2026-42859 - Neat VNC: Buffer overflow due to oversized RSA public keys
- CVE-2026-42860 - Open edX Enterprise Service: SSRF via SAML metadata URL in sync_provider_data endpoint
- CVE-2026-42858 - Open edX Platform: Server-Side Request Forgery (SSRF) in SAML Provider Data Sync Endpoint
- CVE-2026-42856 - Network-AI: Missing authentication on MCP HTTP endpoint allows unauthenticated privileged tool calls
- CVE-2026-42315 - pyLoad: Path Traversal via Package Folder Name in set_package_data
- CVE-2026-41431 - Zen Browser MAR updater ships with signature verification removed — unsigned updates accepted
- CVE-2026-42313 - pyload-ng: non-admin SETTINGS users can redirect all outbound traffic through an attacker-controlled proxy
- CVE-2026-38568 - HireFlow Improper Authorization Vulnerability
- CVE-2026-44413 - JetBrains TeamCity Authentication Bypass Vulnerability
- CVE-2026-42843 - grav-plugin-api: Grav API Privilege Escalation to Super Admin
- CVE-2026-42603 - OWASP BLT: pre-commit-fix.yaml executes untrusted fork code via pull_request_target
- CVE-2026-33362 - Meari SDK hardcoded cryptographic keys
- CVE-2026-43640 - Bitwarden Server < 2026.4.1 Authentication Bypass via SCIM API Key
- CVE-2026-43639 - Bitwarden Server < 2026.4.0 Missing Authorization via Provider Clients
- CVE-2026-45006 - OpenClaw < 2026.4.23 - Unsafe Config Mutation via Gateway Tool Denylist Bypass
- CVE-2026-45004 - OpenClaw < 2026.4.23 - Arbitrary Code Execution via setup-api.js in Current Working Directory
- CVE-2026-42607 - Grav: Remote Code Execution (RCE) via Malicious Plugin ZIP Upload in Direct Install Feature
- CVE-2026-4802 - Cockpit: arbitrary command execution via crafted links in system logs UI
- CVE-2025-10470 - Denial-of-Service via Magic Link Authentication in WSO2 Identity Server Allows Service Unavailability
- CVE-2026-41951 - GROWI EJS Template Injection
- CVE-2026-40636 - Dell ECS Hard-Coded Credentials Disclosure
- CVE-2026-32658 - Dell Automation Platform Elevation of Privileges Missing Authorization Vulnerability
- CVE-2021-47949 - CyberPanel 2.1 Authenticated Remote Code Execution via Symlink Attack
- CVE-2021-47938 - ImpressCMS 1.4.2 Remote Code Execution via Autotasks
- CVE-2021-47939 - Evolution CMS 3.1.6 Authenticated Remote Code Execution via Module Creation
- CVE-2021-47940 - WordPress Download From Files 1.48 Arbitrary File Upload
- CVE-2021-47941 - WordPress Plugin Survey & Poll 1.5.7.3 SQL Injection via sss_params
- CVE-2021-47943 - TextPattern CMS 4.8.7 Remote Code Execution via File Upload
- CVE-2021-47944 - memono Notepad 4.2 Denial of Service via Buffer Overflow
- CVE-2021-47945 - Argus Surveillance DVR 4.0 Unquoted Service Path Privilege Escalation
- CVE-2021-47936 - OpenCATS 0.9.4 Remote Code Execution via Resume Upload
- CVE-2021-47937 - e107 CMS 2.3.0 Authenticated Remote Code Execution via Theme Upload
- CVE-2021-47930 - Balbooa Joomla Forms Builder 2.0.6 SQL Injection Unauthenticated
- CVE-2021-47933 - WordPress MStore API 2.0.6 Arbitrary File Upload
- CVE-2021-47932 - WordPress TheCartPress 1.5.3.6 Privilege Escalation Unauthenticated
- CVE-2021-47935 - Sentry 8.2.0 Remote Code Execution via Pickle Deserialization
- CVE-2021-47923 - OpenCart 3.0.3.8 Session Fixation via OCSESSID Cookie
- CVE-2021-47928 - Opencart TMD Vendor System 3.x Blind SQL Injection via product route
- CVE-2026-6722 - Use-After-Free in SOAP using Apache map
- CVE-2026-8208 - Gibbon Local File Inclusion Remote Command Execution
- CVE-2026-6665 - PgBouncer buffer overflow in SCRAM
- CVE-2026-41705 - Spring AI MilvusVectorStore Filter Expression Injection
- CVE-2026-42455 - LinkWarden: Stored XSS via Client-Side Archive Upload (Unsanitized HTML served from same origin)
- CVE-2026-44313 - LinkWarden: Server-Side Request Forgery (SSRF) in Link Creation via fetchTitleAndHeaders Function
- CVE-2026-42454 - Termix: OS Command Injection in Docker Container Management Endpoints
- CVE-2026-42556 - Postiz stored XSS in public preview page
- CVE-2026-42352 - pygeoapi 0.23.x: Unauthenticated SSRF via OGC API - Processes Subscriber
- CVE-2026-42354 - Sentry: Improper authentication on SAML SSO process allows user identity linking
- CVE-2026-42452 - Termix: Pending-TOTP temporary token can regenerate backup codes and neutralize TOTP
- CVE-2026-42453 - Termix: Command injection in extractArchive/compressFiles via double-quote escaping bypass
- CVE-2026-42298 - Postiz: Arbitrary Code Execution and Token Exfiltration in pr-docker-build.yml via untrusted Dockerfile.dev
- CVE-2026-42302 - FastGPT: Unauthenticated Remote Code Execution (RCE) via code-server Misconfiguration in agent-sandbox
- CVE-2026-44400 - MailEnable Enterprise Premium < 10.55 Authorization Bypass via WebAdmin
- CVE-2026-7807 - SmarterTools SmarterMail < Build 9560 Server Local File Inclusion via the /api/v1/report/summary/{type} API
- CVE-2026-8178 - Remote Code Execution via Unsafe Class Loading in Amazon Redshift JDBC Driver
- CVE-2026-42072 - Nornicdb: Improper Network Binding in NornicDB Bolt Server allows unauthorized remote access
- CVE-2026-44499 - ZEBRA: Permanent Block Discovery Halt via Gossip Queue Saturation and Syncer Poisoning
- CVE-2026-41070 - openvpn-auth-oauth2 returns FUNC_SUCCESS on client-deny, allowing unauthenticated VPN access
- CVE-2026-29972 - NanoMODBUS Modbus TCP Server Stack Buffer Overflow Vulnerability
- CVE-2026-42793 - Atom table exhaustion via attacker-controlled GraphQL SDL names in absinthe
- CVE-2026-43967 - Quadratic fragment-name uniqueness check causes denial of service in absinthe
- CVE-2026-44497 - ZEBRA: Consensus Divergence in Transparent Sighash Hash-Type Handling due to Stale Buffer
- CVE-2026-44498 - ZEBRA: Block Validator Undercounts Coinbase and P2SH Sigops
- CVE-2026-41588 - RELATE: Timing Attack Vulnerability in course/auth.py — check_sign_in_key()
- CVE-2026-41583 - ZEBRA: Consensus Divergence in Transparent Sighash Hash-Type Handling
- CVE-2026-41584 - ZEBRA: rk Identity Point Panic in Transaction Verification
- CVE-2026-41524 - Ajax30/BraveCMS-2.0: Stored XSS in Page / Article Content
- CVE-2026-41574 - Nhost Vulnerable to Account Takeover via OAuth Email Verification Bypass
- CVE-2026-37431 - Beauty Parlour Management System SQL Injection
- CVE-2025-67486 - Dolibarr has an Authenticated Remote Code Execution via eval() injection in user extrafields
- CVE-2026-44334 - PraisonAI: Unauthenticated RCE via `tool_override.py`
- CVE-2026-41423 - Angular: SSRF via protocol-relative and backslash URLs in Angular Platform-Server
- CVE-2026-41491 - Dapr: Service Invocation path traversal ACL bypass
- CVE-2026-41496 - PraisonAI: SQL Injection via unvalidated `table_prefix` in 9 conversation store backends (incomplete fix for CVE-2026-40315)
- CVE-2026-41497 - Incomplete fix for CVE-2026-34935: Command Injection in MervinPraison/PraisonAI
- CVE-2026-8077 - Weak credentials vulnerability in the CashDro 3 web administration panel
- CVE-2025-66467 - Apache CloudStack: MinIO policy remains intact on bucket deletion
- CVE-2022-50994 - DrayTek Vigor 2960 < 1.5.1.4 OS Command Injection via mainfunction.cgi
- CVE-2026-44126 - Insecure deserialization
- CVE-2026-44125 - Missing Authorization in GINAv2
- CVE-2026-44129 - Server-side template injection
- CVE-2026-44128 - Unauthenticated Remote Code Execution
- CVE-2026-44127 - Local File Inclusion (LFI) and Arbitrary File Deletion
- CVE-2026-8076 - Weak credentials vulnerability in the CashDro 3 web administration panel
- CVE-2026-8153 - Command injection in Dashboard Server interface
- CVE-2026-5127 - User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration <= 4.3.1 - Authenticated (Subscriber+) PHP Object Injection
- CVE-2026-6213 - Remote Spark SparkView RCE
- CVE-2026-8069 - PredatorSense V3: Local Privilege Escalation (LPE) vulnerability
- CVE-2026-8137 - Totolink X5000R formDdns sub_458E40 buffer overflow
- CVE-2026-8138 - Tenda CX12L SetPptpServerCfg formSetPPTPServer stack-based overflow