19,785 CVEs published in 2026. 0 flagged on the CISA Known Exploited Vulnerabilities catalog. Every guide includes runnable Linux, Windows PowerShell, and Bash remediation commands.
19,785 fix guides from 2026
CVE-2026-28687: ImageMagick has a Heap Use-After-Free in ImageMagick MSL decoder in ImageMagick. Patch commands and verification.
CVE-2026-28688: ImageMagick has a heap use-after-free in the MSL encoder in ImageMagick. CVSS 4 Medium. Patch commands, mitigations, and
CVE-2026-28689: ImageMagick has a Path Policy TOCTOU symlink race bypass in ImageMagick. Patch commands and verification.
CVE-2026-2869 is an out-of-bounds read in janet-lang janet. This page lists the verified fix and inline mitigations.
CVE-2026-28690: ImageMagick has a stack write buffer overflow in MNG encoder in ImageMagick. Patch commands and verification.
CVE-2026-28692 is a CWE-125: out-of-bounds read in ImageMagick. CVSS 4.8 Medium. Patch commands, mitigations, and verification.
CVE-2026-28709 is an incorrect authorization in Acronis Acronis Cyber Protect 17. This page lists the verified fix and inline mitigations.
CVE-2026-28711 is an uncontrolled search path element in Acronis Acronis Cyber Protect 17. This page lists the verified fix and inline mitiga
CVE-2026-28712 is an uncontrolled search path element in Acronis Acronis Cyber Protect 17. This page lists the verified fix and inline mitiga
CVE-2026-28714 is a weak credential storage in Acronis Acronis Cyber Protect 17. This page lists the verified fix and inline mitigations.
CVE-2026-28715 is an incorrect authorization in Acronis Acronis Cyber Protect 17. This page lists the verified fix and inline mitigations.
CVE-2026-28716 is an incorrect authorization in Acronis Acronis Cyber Protect 17. This page lists the verified fix and inline mitigations.
CVE-2026-28717 is a CWE-276 in Acronis Acronis Cyber Protect 17. This page lists the verified fix and inline mitigations.
CVE-2026-28718 is a CWE-779 in Acronis Acronis Cyber Protect 17. This page lists the verified fix and inline mitigations.
CVE-2026-28719 is an incorrect authorization in Acronis Acronis Cyber Protect 17. This page lists the verified fix and inline mitigations.
CVE-2026-28720 is an incorrect authorization in Acronis Acronis Cyber Protect 17. This page lists the verified fix and inline mitigations.
CVE-2026-28723 is an incorrect authorization in Acronis Acronis Cyber Protect 17. This page lists the verified fix and inline mitigations.
CVE-2026-28724 is an incorrect authorization in Acronis Acronis Cyber Protect 17. This page lists the verified fix and inline mitigations.
CVE-2026-28725 is an incorrect permission assignment in Acronis Acronis Cyber Protect 17. This page lists the verified fix and inline mitigat
CVE-2026-28726 is an incorrect authorization in Acronis Acronis Cyber Protect 17. This page lists the verified fix and inline mitigations.
CVE-2026-28728 is a CWE-427 in Acronis True Image, fixed by the same patch as CVE-2026-27774.
CVE-2026-28732 is an access control bypass in Mattermost. Verified patched version, official vendor advisory, and how to confirm the fix lan
CVE-2026-28733 is a use-after-free in OpenHarmony. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-28735 is an access control bypass in Mattermost. Verified patched version, official vendor advisory, and how to confirm the fix lan
CVE-2026-28736: CWE-639: Authorization Bypass Through User-Controlled Key in Focalboard. Patch commands and verification.
CVE-2026-28741 is a cross-site request forgery in Mattermost. This page lists verified fix commands and short-term mitigations you can run t
CVE-2026-28755 is an access control bypass in NGINX Open Source. Verified patched version, official vendor advisory, and how to confirm the
CVE-2026-28758 is an information disclosure in BIG-IP. Verified patched version, official vendor advisory, and how to confirm the fix landed
CVE-2026-28759 is an access control bypass in Mattermost. Verified patched version, official vendor advisory, and how to confirm the fix lan
CVE-2026-28767 is a gardyn cloud api missing authentication for critical function in Gardyn Cloud API, fixed by the same patch as CVE-2026-2
CVE-2026-28769 is a path traversal in International Datacasting Corporation (IDC) SFX Series SuperFlex Satellite Receiver Web management int
CVE-2026-28770 is an XML injection in International Datacasting Corporation (IDC) SFX Series SuperFlex Satellite Receiver Web management inte
CVE-2026-28771 is a cross-site scripting in International Datacasting Corporation (IDC) SFX Series SuperFlex Satellite Receiver Web Manageme
CVE-2026-28772 is a cross-site scripting in International Datacasting Corporation (IDC) SFX Series SuperFlex Satellite Receiver Web Managemen
CVE-2026-2878 is a CWE-331 insufficient entropy in Progress Software Telerik UI for ASP.NET AJAX. This page lists the verified fix and inlin
CVE-2026-28782 is an authorization bypass through user-controlled key in craftcms cms. This page lists the verified fix and inline mitigation
CVE-2026-28786 is a path traversal in open-webui. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-2879: CWE-639 Authorization Bypass Through User-Controlled Key in GetGenie – AI Content Writer with Keyword Research & SEO Tracking
CVE-2026-28800 is a path traversal in NatroTeam NatroMacro. This page lists the verified fix and inline mitigations.
CVE-2026-28801 is a code injection in NatroTeam NatroMacro. This page lists the verified fix and inline mitigations.
CVE-2026-28803: Open Forms possible to view submission details of other people than intended in open-forms. Patch commands and verification.
CVE-2026-28804 is an inefficient algorithmic complexity in py-pdf pypdf. This page lists the verified fix and inline mitigations.
CVE-2026-28809 is an XML external entity (XXE) in esaml. Verified patched version, official vendor advisory, and how to confirm the fix lande
CVE-2026-28810 is a predictable dns transaction ids enable cache poisoning in built-in resolver in Erlang OTP, fixed by the same patch as CV
CVE-2026-28819 is an out-of-bounds write in iOS and iPadOS. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-28830 concurrent execution using shared resource with improper synchronization ('race in macOS. Runnable upgrade commands and verif
CVE-2026-2887 is an uncontrolled recursion in aardappel lobster. This page lists the verified fix and inline mitigations.
CVE-2026-2888: CWE-639 Authorization Bypass Through User-Controlled Key in Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Ca
CVE-2026-2889 is a use-after-free in n/a CCExtractor. This page lists the verified fix and inline mitigations.
CVE-2026-28897 is a stack-based buffer overflow in iOS and iPadOS. Patched version, runnable upgrade commands, and how to verify the fix lan
CVE-2026-28901 improper restriction of operations within the bounds of a memory buffer in Safari. Runnable upgrade commands and verification
CVE-2026-28902 improper restriction of operations within the bounds of a memory buffer in Safari. Runnable upgrade commands and verification
CVE-2026-28903 improper restriction of operations within the bounds of a memory buffer in Safari. Runnable upgrade commands and verification
CVE-2026-28909 - Users who connect to malicious registries with hostnames matching the bypass patterns will have their registry credentials
CVE-2026-28914 is a protection mechanism failure in macOS. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-28917 is an improper input validation in Safari. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-28918 is an out-of-bounds read in iOS and iPadOS. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-28920 exposure of sensitive information to an unauthorized actor in iOS and iPadOS. Runnable upgrade commands and verification step
CVE-2026-28922 is an improper access control in macOS. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-2893 is a SQL injection in carlosfazenda Fast Page & Post Duplicator. This page lists the verified fix and inline mitigations.
CVE-2026-2894 is an information exposure in n/a funadmin. This page lists the verified fix and inline mitigations.
CVE-2026-28942 is a use after free in Safari. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-28946 is a use after free in Safari. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-2895 is a weak password recovery in n/a funadmin. This page lists the verified fix and inline mitigations.
CVE-2026-28950 - Notifications marked for deletion could be unexpectedly retained on the device in iOS and iPadOS. Runnable patch commands,
CVE-2026-28956 is an out-of-bounds read in iOS and iPadOS. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-28958 exposure of sensitive information to an unauthorized actor in Safari. Runnable upgrade commands and verification steps for sy
CVE-2026-2896 is an improper authorization in n/a funadmin. This page lists the verified fix and inline mitigations.
CVE-2026-28961 is an insufficiently protected credentials in macOS. Patched version, runnable upgrade commands, and how to verify the fix lan
CVE-2026-28963 exposure of private personal information to an unauthorized actor in iOS and iPadOS. Runnable upgrade commands and verificati
CVE-2026-28967 is an uncontrolled resource consumption in iOS and iPadOS. Patched version, runnable upgrade commands, and how to verify the f
CVE-2026-2897 is a cross-site scripting in n/a funadmin. This page lists the verified fix and inline mitigations.
CVE-2026-28971 improper restriction of rendered ui layers or frames in Safari. Runnable upgrade commands and verification steps for sysadmin
CVE-2026-28972 is an out-of-bounds write in iOS and iPadOS. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-28977 improper restriction of operations within the bounds of a memory buffer in iOS and iPadOS. Runnable upgrade commands and veri
CVE-2026-2898 is an unsafe deserialization in n/a funadmin. This page lists the verified fix and inline mitigations.
CVE-2026-28985 is a null pointer dereference in iOS and iPadOS. Patched version, runnable upgrade commands, and how to verify the fix landed
CVE-2026-28988 is an improper access control in iOS and iPadOS. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-2899 is a missing authorization in techjewel Fluent Forms Pro Add On Pack. This page lists the verified fix and inline mitigations.
CVE-2026-28992 concurrent execution using shared resource with improper synchronization ('race in iOS and iPadOS. Runnable upgrade commands
CVE-2026-28993 is an improper access control in iOS and iPadOS. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-28994 is a use after free in iOS and iPadOS. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-28996 concurrent execution using shared resource with improper synchronization ('race in iOS and iPadOS. Runnable upgrade commands
CVE-2026-2902 - CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in WP Meteor Website Speed Optim
CVE-2026-29022 is a heap buffer overflow in mackron dr_libs dr_wav.h. This page lists the verified fix and inline mitigations.
CVE-2026-29023 is a keygraph shannon hard-coded router api key in Keygraphhq Shannon. CVSS 6.9 Medium. Patch commands, mitigations, and veri
CVE-2026-2903 is a null pointer dereference in skvadrik re2c. This page lists the verified fix and inline mitigations.
CVE-2026-29038 is a cross-site scripting in dgtlmoon changedetection.io. This page lists the verified fix and inline mitigations.
CVE-2026-29043 is a heap buffer overflow in hdf5. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-29044 is an access control bypass in everest-core. Verified patched version, official vendor advisory, and how to confirm the fix l
CVE-2026-29048 is a cross-site scripting in humhub humhub. This page lists the verified fix and inline mitigations.
CVE-2026-29049 is a denial of service via resource consumption in chainguard-dev melange. This page lists the verified fix and inline mitiga
CVE-2026-29050 - CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in melange. Runnable patch commands,
CVE-2026-29051 - CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in melange. Runnable patch commands,
CVE-2026-29052 is a cross-site scripting in humhub calendar. This page lists the verified fix and inline mitigations.
CVE-2026-29055 is an information disclosure in recipes. Verified patched version, official vendor advisory, and how to confirm the fix lande
CVE-2026-29057 is a next.js: http request smuggling in rewrites in Vercel next.js. CVSS 6.3 Medium. Patch commands, mitigations, and verific
CVE-2026-29059 is a path traversal in windmill-labs windmill. This page lists the verified fix and inline mitigations.
CVE-2026-29060 is an improper access control in Forceu Gokapi. This page lists the verified fix and inline mitigations.
CVE-2026-29061 is an improper access control in Forceu Gokapi. This page lists the verified fix and inline mitigations.
CVE-2026-29066: Arbitrary File Read via Disabled Vite Filesystem Restriction in TinaCMS CLI in cli. Patch commands and verification.
CVE-2026-29069 is an authorization bypass through user-controlled key in craftcms cms. This page lists the verified fix and inline mitigation
CVE-2026-29070 is a vulnerability in open-webui. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-29073 is a missing authorization in siyuan-note siyuan. This page lists the verified fix and inline mitigations.
CVE-2026-29076 is a CWE-674: uncontrolled recursion in Yhirose cpp-httplib. CVSS 5.9 Medium. Patch commands, mitigations, and verification.
CVE-2026-29081 is a SQL injection in frappe frappe. This page lists the verified fix and inline mitigations.
CVE-2026-29084 is a CSRF in Forceu Gokapi. This page lists the verified fix and inline mitigations.
CVE-2026-29085 is an improper neutralization of special elements in output used by a downstream component ('injection') in honojs hono. This
CVE-2026-29086 is an inappropriate comment style in honojs hono. This page lists the verified fix and inline mitigations.
CVE-2026-29092: a vulnerability in Kiteworks Email Protection Gateway. Patched version and vendor advisory inside.
CVE-2026-29098 is a CWE-23: relative path traversal in SuiteCRM. CVSS 4.9 Medium. Patch commands, mitigations, and verification.
CVE-2026-29101: SuiteCRM Vulnerable to Directory Traversal to DoS in Modules in SuiteCRM. Patch commands and verification.
CVE-2026-29105: SuiteCRM has Unauthenticated Open Redirect in Leads WebToLead Capture in SuiteCRM. Patch commands and verification.
CVE-2026-29106: SuiteCRM has blind XSS in return_id parameter in SuiteCRM. CVSS 5.9 Medium. Patch commands, mitigations, and verificatio
CVE-2026-29107: SuiteCRM vulnerable to authenticated SSRF via PDF export in SuiteCRM. CVSS 5 Medium. Patch commands, mitigations, and ve
CVE-2026-29108: Authenticated SuiteCRM Users Can Retrieve The Password Hash of Any User in SuiteCRM-Core. Patch commands and verification.
CVE-2026-29111 is a vulnerability in systemd. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-2912 is a SQL injection in code-projects Online Reviewer System. This page lists the verified fix and inline mitigations.
CVE-2026-29131: PGP Decryption Recipient LDAP Injection in Secure Email Gateway. Patch commands and verification.
CVE-2026-29132 is a eswmail-verify bypass in Seppmail Secure Email Gateway, fixed by the same patch as CVE-2026-29131.
CVE-2026-29133 is a uid regex bypass in Seppmail Secure Email Gateway, fixed by the same patch as CVE-2026-29131.
CVE-2026-29134 is a gina domain switch in Seppmail Secure Email Gateway, fixed by the same patch as CVE-2026-29131.
CVE-2026-29135 is a webmail password tag sanitization bypass in Seppmail Secure Email Gateway, fixed by the same patch as CVE-2026-29131.
CVE-2026-29136 is a ca notification html injection in Seppmail Secure Email Gateway, fixed by the same patch as CVE-2026-29131.
CVE-2026-29137 is a long subject untagging in Seppmail Secure Email Gateway, fixed by the same patch as CVE-2026-29131.
CVE-2026-29138 is a pgp decryption sender ldap injection in Seppmail Secure Email Gateway, fixed by the same patch as CVE-2026-29131.
CVE-2026-29142 is a plaintext secure-mail.html in Seppmail Secure Email Gateway, fixed by the same patch as CVE-2026-29131.
CVE-2026-2915 is a CWE-276 incorrect default permissions in HP Inc HP System Event Utility. This page lists the verified fix and inline miti
CVE-2026-2917: CWE-639 Authorization Bypass Through User-Controlled Key in Happy Addons for Elementor. Patch commands and verification.
CVE-2026-29176: Craft Commerce has Stored XSS in Inventory Location Name in commerce. Patch commands and verification.
CVE-2026-2918: CWE-639 Authorization Bypass Through User-Controlled Key in Happy Addons for Elementor. Patch commands and verification.
CVE-2026-29180 is a vulnerability in fleet. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-2919 is a security vulnerability in Mozilla Focus for iOS. CVSS 4.3 Medium. Patch commands, mitigations, and verification.
CVE-2026-29190 is a karapace: path traversal in backup reader in Aiven-open karapace. CVSS 4.1 Medium. Patch commands, mitigations, and veri
CVE-2026-29195: Netmaker: Privilege Escalation from Admin to Super-Admin via User Update in netmaker. Patch commands and verification.
CVE-2026-29197 - CWE-284 Improper Access Control - Generic in Rocket.Chat. Runnable patch commands, mitigation, and verification on this pag
CVE-2026-29202 is a code injection in cPanel. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-29203 is a unix symbolic link (symlink) following in cPanel. Patched version, runnable upgrade commands, and how to verify the fix
CVE-2026-2924: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Gutenverse – Ultimate WordPress FSE B
CVE-2026-2930 is a stack buffer overflow in Tenda A18. This page lists the verified fix and inline mitigations.
CVE-2026-2932 is a cross-site scripting in YiFang CMS. This page lists the verified fix and inline mitigations.
CVE-2026-2933 is a cross-site scripting in YiFang CMS. This page lists the verified fix and inline mitigations.
CVE-2026-2934 is a cross-site scripting in YiFang CMS. This page lists the verified fix and inline mitigations.
CVE-2026-2938 is an improper access controls in SourceCodester Student Result Management System. This page lists the verified fix and inline
CVE-2026-2939 is a cross-site scripting in itsourcecode Student Management System. This page lists the verified fix and inline mitigations.
CVE-2026-2940 is an out-of-bounds write in Zaher1307 tiny_web_server. This page lists the verified fix and inline mitigations.
CVE-2026-2943 is a cross-site scripting in SapneshNaik Student Management System. This page lists the verified fix and inline mitigations.
CVE-2026-2944 is an OS command injection in Tosei Online Store Management System ネット店舗管理システム. This page lists the verified fix and inline mit
CVE-2026-2945 is an SSRF in n/a JeecgBoot. This page lists the verified fix and inline mitigations.
CVE-2026-2946 is a cross-site scripting in rymcu forest. This page lists the verified fix and inline mitigations.
CVE-2026-2947 is a cross-site scripting in rymcu forest. This page lists the verified fix and inline mitigations.
CVE-2026-2948 server-side request forgery (ssrf) in Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem. Runnable upgrade commands
CVE-2026-2949: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Xpro Addons, 140+ Widgets for Element
CVE-2026-2950: lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit` in lodash. Patch commands and verifi
CVE-2026-2951 - CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Gutentor – Gutenberg Blocks –
CVE-2026-29510: Hereta ETH-IMC408M Stored XSS via Device Name in Hereta ETH-IMC408M. Patch commands and verification.
CVE-2026-29513: Hereta ETH-IMC408M Stored XSS via Device Location in Hereta ETH-IMC408M. Patch commands and verification.
CVE-2026-29516: Buffalo TeraStation TS5400R Excessive File Permissions Information Disclosure in TeraStation NAS TS5400R. Patch commands and
CVE-2026-2952 is an OS command injection in n/a Vaelsys. This page lists the verified fix and inline mitigations.
CVE-2026-29520: Hereta ETH-IMC408M Reflected XSS via ping_ipaddr Parameter in Hereta ETH-IMC408M. Patch commands and verification.
CVE-2026-29521: Hereta ETH-IMC408M CSRF via Configuration Setup in Hereta ETH-IMC408M. Patch commands and verification.
CVE-2026-2953 is a path traversal in Dromara UJCMS. This page lists the verified fix and inline mitigations.
CVE-2026-2954 is an injection in Dromara UJCMS. This page lists the verified fix and inline mitigations.
CVE-2026-2955: a cross-site scripting (XSS) in AI Chatbot & Workflow Automation by AIWU. Patched version and vendor advisory inside.
CVE-2026-2956 is a command injection in qinming99 dst-admin. This page lists the verified fix and inline mitigations.
CVE-2026-2957 is a denial of service in qinming99 dst-admin. This page lists the verified fix and inline mitigations.
CVE-2026-29598 is a n/a in the vendor n/a, fixed by the same patch as CVE-2026-25212.
CVE-2026-29606 is a missing authentication in OpenClaw OpenClaw. This page lists the verified fix and inline mitigations.
CVE-2026-29608 is a CWE-88 argument injection or modification in OpenClaw. CVSS 5.4 Medium. Patch commands, mitigations, and verification.
CVE-2026-29612 is a resource exhaustion in OpenClaw OpenClaw. This page lists the verified fix and inline mitigations.
CVE-2026-29628 is a stack buffer overflow in Denial. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-2963 is a SQL injection in Jinher OA C6. This page lists the verified fix and inline mitigations.
CVE-2026-29644 - n/a in n/a. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-29647 is an improper privilege management in In OpenXiangShan. This page lists verified fix commands and short-term mitigations you
CVE-2026-2965 is a cross-site scripting in n/a 07FLYCMS. This page lists the verified fix and inline mitigations.
CVE-2026-2966 is an insufficiently random values in Cesanta Mongoose. This page lists the verified fix and inline mitigations.
CVE-2026-2967 is an improper verification of source of a communication channel in Cesanta Mongoose. This page lists the verified fix and inli
CVE-2026-2968 is an improper verification of cryptographic signature in Cesanta Mongoose. This page lists the verified fix and inline mitigat
CVE-2026-2969 is an improper neutralization of special elements used in a template engine in datapizza-labs datapizza-ai. This page lists the
CVE-2026-2971 is a cross-site scripting in a466350665 Smart-SSO. This page lists the verified fix and inline mitigations.
CVE-2026-2972 is a cross-site scripting in a466350665 Smart-SSO. This page lists the verified fix and inline mitigations.
CVE-2026-2973 is a vulnerability in GitLab. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-2975 is an information exposure in n/a FastApiAdmin. This page lists the verified fix and inline mitigations.
CVE-2026-2976 is an information exposure in n/a FastApiAdmin. This page lists the verified fix and inline mitigations.
CVE-2026-2977 is an unrestricted file upload in n/a FastApiAdmin. This page lists the verified fix and inline mitigations.
CVE-2026-29772 is an OS command injection in astro. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-29773 is a CWE-863: incorrect authorization in kubewarden-controller. CVSS 4.3 Medium. Patch commands, mitigations, and verificatio
CVE-2026-29774: FreeRDP has a heap-buffer-overflow in avc420_yuv_to_rgb via OOB regionRects in FreeRDP. Patch commands and verification.
CVE-2026-29775: FreeRDP has a heap-buffer-overflow in bitmap_cache_put via OOB cacheId in FreeRDP. Patch commands and verification.
CVE-2026-29777: CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') in traefik. Patch
CVE-2026-2978 is an unrestricted file upload in n/a FastApiAdmin. This page lists the verified fix and inline mitigations.
CVE-2026-29780: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in eml_parser. Patch commands and ver
CVE-2026-29787 is an information exposure in doobidoo mcp-memory-service. This page lists the verified fix and inline mitigations.
CVE-2026-2979 is an unrestricted file upload in n/a FastApiAdmin. This page lists the verified fix and inline mitigations.
CVE-2026-29791 is an improper input validation in agentgateway agentgateway. This page lists the verified fix and inline mitigations.
CVE-2026-29794 is a vulnerability in vikunja. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-29795 is a resource exhaustion in stellar rs-stellar-xdr. This page lists the verified fix and inline mitigations.
CVE-2026-2983 is an improper access controls in SourceCodester Student Result Management System. This page lists the verified fix and inline
CVE-2026-2984 is a denial of service in SourceCodester Student Result Management System. This page lists the verified fix and inline mitigat
CVE-2026-2985 is an SSRF in Tiandy Video Surveillance System 视频监控平台. This page lists the verified fix and inline mitigations.
CVE-2026-2986 is a cross-site scripting in Contextual Related Posts. This page lists verified fix commands and short-term mitigations you ca
CVE-2026-2987: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Simple Ajax Chat – Add a Fast,
CVE-2026-2988: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in PowerPress Podcasting plugin by Blubr
CVE-2026-2997 is a CWE-639 authorization bypass through user-controlled key in WisdomGarden Tronclass. This page lists the verified fix and
CVE-2026-29971 - n/a in n/a. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-3004 is a cross-site scripting (XSS) in Snow Monkey Blocks. Verified patched version, official vendor advisory, and how to confirm
CVE-2026-30048 is a n/a in the vendor n/a. CVSS 5.4 Medium. Patch commands, mitigations, and verification.
CVE-2026-3005 is a cross-site scripting in List category posts. This page lists verified fix commands and short-term mitigations you can run
CVE-2026-3007 - Stored Cross-Site Scripting (XSS) Vulnerability in Koollab Learning Management System. Runnable patch commands, mitigation,
CVE-2026-3008 - Vulnerability in Notepad++. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-30139 - n/a in n/a. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-30224 is a session fixation in OliveTin OliveTin. This page lists the verified fix and inline mitigations.
CVE-2026-30225 is an unintended proxy or intermediary ('confused deputy') in OliveTin OliveTin. This page lists the verified fix and inline m
CVE-2026-30226: devalue has prototype pollution in devalue.parse and devalue.unflatten in devalue. Patch commands and verification.
CVE-2026-30227 is an improper neutralization of CRLF sequences ('CRLF injection') in jstedfast MimeKit. This page lists the verified fix and
CVE-2026-30228 is an incorrect authorization in parse-community parse-server. This page lists the verified fix and inline mitigations.
CVE-2026-3023: CWE-943: Improper Neutralization of Special Elements in Data Query Logic in Wakyma application web. Patch commands and verifi
CVE-2026-30231 is an authorization bypass through user-controlled key in FlintSH Flare. This page lists the verified fix and inline mitigatio
CVE-2026-30233 is an information exposure in OliveTin OliveTin. This page lists the verified fix and inline mitigations.
CVE-2026-30234: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in openproject. Patch commands and ve
CVE-2026-30235: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in openproject. Patch commands
CVE-2026-30236 is a CWE-863: incorrect authorization in Opf openproject. CVSS 4.3 Medium. Patch commands, mitigations, and verification.
CVE-2026-30238 is a cross-site scripting in Intermesh groupoffice. This page lists the verified fix and inline mitigations.
CVE-2026-30239 is a CWE-863: incorrect authorization in Opf openproject. CVSS 6.5 Medium. Patch commands, mitigations, and verification.
CVE-2026-3024: Stored Cross-Site Scripting (XSS) vulnerability in the Wakyma application web in Wakyma application web. Patch commands and v
CVE-2026-30246 is an interpretation conflict in fiber. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-30247 is an SSRF in Tencent WeKnora. This page lists the verified fix and inline mitigations.
CVE-2026-3025 is an unrestricted file upload in ShuoRen Smart Heating Integrated Management Platform. This page lists the verified fix and in
CVE-2026-30251 is a n/a in the vendor n/a, fixed by the same patch as CVE-2026-25212.
CVE-2026-30252 is a n/a in the vendor n/a, fixed by the same patch as CVE-2026-25212.
CVE-2026-3026 is an SSRF in erzhongxmu JEEWMS. This page lists the verified fix and inline mitigations.
CVE-2026-3027 is a cross-site scripting in erzhongxmu JEEWMS. This page lists the verified fix and inline mitigations.
CVE-2026-3028 is a cross-site scripting in erzhongxmu JEEWMS. This page lists the verified fix and inline mitigations.
CVE-2026-30280 is a n/a in the vendor n/a, fixed by the same patch as CVE-2026-25212.
CVE-2026-3034 is a cross-site scripting in sagarpatel124 OoohBoi Steroids for Elementor. This page lists the verified fix and inline mitigat
CVE-2026-30346 - n/a in n/a. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-30368 - CWE-863 Incorrect Authorization in Lightspeed Classroom. Runnable patch commands, mitigation, and verification on this page
CVE-2026-3040 is an OS command injection in DrayTek Vigor 300B. This page lists the verified fix and inline mitigations.
CVE-2026-3041 is a cross-site scripting in xingfuggz BaykeShop. This page lists the verified fix and inline mitigations.
CVE-2026-3042 is a SQL injection in itsourcecode Event Management System. This page lists the verified fix and inline mitigations.
CVE-2026-3043 is a cross-site scripting in itsourcecode Event Management System. This page lists the verified fix and inline mitigations.
CVE-2026-30452 - n/a in n/a. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-3046 is a SQL injection in itsourcecode E-Logbook with Health Monitoring System for COVID-19. This page lists the verified fix and
CVE-2026-30462 - n/a in n/a. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-3048 is a deserialization of untrusted data in Nexus Repository. Patched version, runnable upgrade commands, and how to verify the
CVE-2026-30480 is a control of filename for include/require statement in PHP. This page lists verified fix commands and short-term mitigatio
CVE-2026-3049 is an open redirect in horilla-opensource horilla. This page lists the verified fix and inline mitigations.
CVE-2026-3050 is a cross-site scripting in horilla-opensource horilla. This page lists the verified fix and inline mitigations.
CVE-2026-3051 is a path traversal in DataLinkDC dinky. This page lists the verified fix and inline mitigations.
CVE-2026-3052 is an SSRF in DataLinkDC dinky. This page lists the verified fix and inline mitigations.
CVE-2026-30520 is a n/a in the vendor n/a, fixed by the same patch as CVE-2026-25212.
CVE-2026-30521 is a n/a in the vendor n/a, fixed by the same patch as CVE-2026-25212.
CVE-2026-30522 is a n/a in the vendor n/a, fixed by the same patch as CVE-2026-25212.
CVE-2026-30523 is a n/a in the vendor n/a, fixed by the same patch as CVE-2026-25212.
CVE-2026-30526 is a n/a in the vendor n/a, fixed by the same patch as CVE-2026-25212.
CVE-2026-3053 is a missing authentication in DataLinkDC dinky. This page lists the verified fix and inline mitigations.
CVE-2026-3054 is a cross-site scripting in Alinto SOGo. This page lists the verified fix and inline mitigations.
CVE-2026-3056 is a missing authorization in seraphinitesoft Seraphinite Accelerator. This page lists the verified fix and inline mitigations
CVE-2026-3057 is a SQL injection in a54552239 pearProjectApi. This page lists the verified fix and inline mitigations.
CVE-2026-3058 is an information exposure in seraphinitesoft Seraphinite Accelerator. This page lists the verified fix and inline mitigations.
CVE-2026-30603 is a n/a in the vendor n/a, fixed by the same patch as CVE-2026-25212.
CVE-2026-30613 is a n/a in the vendor n/a, fixed by the same patch as CVE-2026-25212.
CVE-2026-3064 is a command injection in n/a HummerRisk. This page lists the verified fix and inline mitigations.
CVE-2026-3065 is a command injection in n/a HummerRisk. This page lists the verified fix and inline mitigations.
CVE-2026-3066 is a command injection in n/a HummerRisk. This page lists the verified fix and inline mitigations.
CVE-2026-3067 is a path traversal in n/a HummerRisk. This page lists the verified fix and inline mitigations.
CVE-2026-3068 is a SQL injection in itsourcecode Document Management System. This page lists the verified fix and inline mitigations.
CVE-2026-3069 is a SQL injection in itsourcecode Document Management System. This page lists the verified fix and inline mitigations.
CVE-2026-30695 is a n/a in the vendor n/a. CVSS 6.1 Medium. Patch commands, mitigations, and verification.
CVE-2026-3070 is a cross-site scripting in SourceCodester Modern Image Gallery App. This page lists the verified fix and inline mitigations.
CVE-2026-3072 is a missing authorization in dglingren Media Library Assistant. This page lists the verified fix and inline mitigations.
CVE-2026-3073: an insecure direct object reference (IDOR) in GitLab. Patched version and vendor advisory inside.
CVE-2026-3074: an insecure direct object reference (IDOR) in GitLab. Patched version and vendor advisory inside.
CVE-2026-3075 is an exposure of sensitive system information to an unauthorized control sphere in Jeff Starr Simple Ajax Chat. This page list
CVE-2026-30777 is an authentication bypass using an alternate path or channel in EC-CUBE CO., LTD. EC-CUBE 4.1 series. This page lists the ve
CVE-2026-3079 is a SQL injection in LearnDash LMS. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-30816: bundle sibling of CVE-2026-30814. Same patched build closes both.
CVE-2026-30817: bundle sibling of CVE-2026-30814. Same patched build closes both.
CVE-2026-30829 is an information exposure in bluewave-labs Checkmate. This page lists the verified fix and inline mitigations.
CVE-2026-30833 is an improper neutralization of special elements in data query logic in RocketChat Rocket.Chat. This page lists the verified
CVE-2026-30835 is an information disclosure via error message in parse-community parse-server. This page lists the verified fix and inline mi
CVE-2026-30838 is a cross-site scripting in thephpleague commonmark. This page lists the verified fix and inline mitigations.
CVE-2026-30839 is an SSRF in ellite Wallos. This page lists the verified fix and inline mitigations.
CVE-2026-30841 is a cross-site scripting in ellite Wallos. This page lists the verified fix and inline mitigations.
CVE-2026-30842 is a missing authorization in ellite Wallos. This page lists the verified fix and inline mitigations.
CVE-2026-30845 is an information exposure in Wekan Wekan. This page lists the verified fix and inline mitigations.
CVE-2026-30848 is a path traversal in parse-community parse-server. This page lists the verified fix and inline mitigations.
CVE-2026-30850 is a missing authorization in parse-community parse-server. This page lists the verified fix and inline mitigations.
CVE-2026-30852 is an information exposure in caddyserver caddy. This page lists the verified fix and inline mitigations.
CVE-2026-30853: calibre has a Path Traversal Leading to Arbitrary File Write in calibre. Patch commands and verification.
CVE-2026-30854 is an incorrect authorization in parse-community parse-server. This page lists the verified fix and inline mitigations.
CVE-2026-30856 is a use of incorrectly-resolved name or reference in Tencent WeKnora. This page lists the verified fix and inline mitigation
CVE-2026-30857 is an authorization bypass through user-controlled key in Tencent WeKnora. This page lists the verified fix and inline mitigat
CVE-2026-30858 is an SSRF in Tencent WeKnora. This page lists the verified fix and inline mitigations.
CVE-2026-30859 is an improper access control in Tencent WeKnora. This page lists the verified fix and inline mitigations.
CVE-2026-30867: CocoaMQTT: Denial of Service via Reachable Assertion in `PUBLISH` Packet Parsing in CocoaMQTT. Patch commands and verificati
CVE-2026-30868 is a cross-site request forgery (csrf) in opnsense/core in Opnsense core. CVSS 6.3 Medium. Patch commands, mitigations, and v
CVE-2026-3087 - CWE-22 in CPython. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-30870: Some sync filters in PowerSync Service ignored using `config.edition: 3` in powersync-service. Patch commands and verificati
CVE-2026-30876: Chamilo LMS: User enumeration vulnerability via response in chamilo-lms. Patch commands and verification.
CVE-2026-30878 is a basercms: mail form acceptance bypass via public api in Baserproject basercms, fixed by the same patch as CVE-2026-21861
CVE-2026-30879 is a basercms: cross-site scripting vulnerability in blog post in Baserproject basercms, fixed by the same patch as CVE-2026-
CVE-2026-30882: Chamilo LMS: Reflected XSS in the session category listing page in chamilo-lms. Patch commands and verification.
CVE-2026-30883: CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer in ImageMagick. Patch commands and verifica
CVE-2026-30885: WWBN AVideo - Unauthenticated IDOR - Playlist Information Disclosure in AVideo. Patch commands and verification.
CVE-2026-30886 is a vulnerability in new-api. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-30889 is a vulnerability in discourse. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-3089: Actual Sync Server 26.2.1 - Authenticated Path Traversal in Actual Sync Server. Patch commands and verification.
CVE-2026-30891 is an information disclosure in discourse. Verified patched version, official vendor advisory, and how to confirm the fix lan
CVE-2026-30897 is a execute unauthorized code or commands in Fortinet FortiWeb. CVSS 5.9 Medium. Patch commands, mitigations, and verificati
CVE-2026-3091 is an uncontrolled search path element in Synology Synology Presto Client. This page lists the verified fix and inline mitigati
CVE-2026-30913: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in nicknames. Patch commands an
CVE-2026-30914: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in sftpgo. Patch commands and verific
CVE-2026-30915: SFTPGo improperly sanitizes placeholders in group home directories/key prefixes in sftpgo. Patch commands and verification.
CVE-2026-30927 is a CWE-639: authorization bypass through user-controlled key in admidio. CVSS 5.3 Medium. Patch commands, mitigations, and
CVE-2026-30931: ImageMagick has a heap-based buffer overflow in UHDR encoder in ImageMagick. Patch commands and verification.
CVE-2026-30935: ImageMagick has a heap Buffer Over-Read in BilateralBlurImage in ImageMagick. Patch commands and verification.
CVE-2026-30936: ImageMagick has a heap Buffer Overflow in WaveletDenoiseImage in ImageMagick. Patch commands and verification.
CVE-2026-30937 is a CWE-122: heap-based buffer overflow in ImageMagick. CVSS 6.8 Medium. Patch commands, mitigations, and verification.
CVE-2026-30938 is a CWE-693: protection mechanism failure in Parse-community parse-server. CVSS 6.9 Medium. Patch commands, mitigations, and
CVE-2026-30943 is a gokapi has privilege escalation in file replace in Forceu Gokapi. CVSS 4.1 Medium. Patch commands, mitigations, and veri
CVE-2026-30954: LinkAce has a Cross-User Tag/List Attachment IDOR in processTaxonomy() in LinkAce. Patch commands and verification.
CVE-2026-30955 is a gokapi vulnerable to dos in e2e metadata parser in Forceu Gokapi. CVSS 6.5 Medium. Patch commands, mitigations, and veri
CVE-2026-30959: OneUptime has WhatsApp Resend Verification Authorization Bypass in oneuptime. Patch commands and verification.
CVE-2026-30961: Gokapi's File Request MaxSize Limit Bypassed via Multi-Chunk Upload in Gokapi. Patch commands and verification.
CVE-2026-30964 is a CWE-346: origin validation error in Web-auth webauthn-framework. CVSS 5.4 Medium. Patch commands, mitigations, and verif
CVE-2026-30972: Parse Server has a rate limit bypass via batch request endpoint in parse-server. Patch commands and verification.
CVE-2026-30973: Zip Slip arbitrary file write in @appium/support ZIP extraction in support. Patch commands and verification.
CVE-2026-30974: Copyparty volflag `nohtml` did not block javascript in svg files in copyparty. Patch commands and verification.
CVE-2026-3098 is a vulnerability in Smart Slider 3. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-30980: iccDEV has a stack overflow in CIccBasicStructFactory::CreateStruct() in iccDEV. Patch commands and verification.
CVE-2026-30981: iccDEV has a heap-buffer-overflow read in CIccXmlArrayType<> in iccDEV. Patch commands and verification.
CVE-2026-30982: iccDEV has a heap out-of-bounds read in CIccPcsXform::pushXYZConvert() in iccDEV. Patch commands and verification.
CVE-2026-30984: iccDEV has a heap out-of-bounds read in CIccCalculatorFunc::ApplySequence() in iccDEV. Patch commands and verification.
CVE-2026-30986: iccDEV has a heap-based buffer overflow write in CIccCLUT::Interp3d() in iccDEV. Patch commands and verification.
CVE-2026-3099: Libsoup: libsoup: authentication bypass via digest authentication replay attack in Red Hat Enterprise Linux 10. Patch command
CVE-2026-3101 is an OS command injection in Intelbras TIP 635G. This page lists the verified fix and inline mitigations.
CVE-2026-31013 - n/a in n/a. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-31014 - n/a in n/a. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-3102 is an OS command injection in n/a exiftool. This page lists the verified fix and inline mitigations.
CVE-2026-3103 is an incorrect authorization in Checkmk GmbH Checkmk. This page lists the verified fix and inline mitigations.
CVE-2026-31050 - n/a in n/a. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-31052 - n/a in n/a. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-31053 is a n/a in the vendor n/a, fixed by the same patch as CVE-2026-25212.
CVE-2026-31058 is a n/a in the vendor n/a, fixed by the same patch as CVE-2026-25212.
CVE-2026-31060 is a n/a in the vendor n/a, fixed by the same patch as CVE-2026-25212.
CVE-2026-31061 is a n/a in the vendor n/a, fixed by the same patch as CVE-2026-25212.
CVE-2026-31062 is a n/a in the vendor n/a, fixed by the same patch as CVE-2026-25212.
CVE-2026-31063 is a n/a in the vendor n/a, fixed by the same patch as CVE-2026-25212.
CVE-2026-31065 is a n/a in the vendor n/a, fixed by the same patch as CVE-2026-25212.
CVE-2026-31066 is a n/a in the vendor n/a, fixed by the same patch as CVE-2026-25212.
CVE-2026-31067 is a n/a in the vendor n/a, fixed by the same patch as CVE-2026-25212.
CVE-2026-3111 is a multiple vulnerabilities on the educativa campus in Educativa Campus. CVSS 6.9 Medium. Patch commands, mitigations, and v
CVE-2026-3112 is a path traversal in Mattermost. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-3113 is an arbitrary file read in Mattermost. Verified patched version, official vendor advisory, and how to confirm the fix landed
CVE-2026-3114 is a vulnerability in Mattermost. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-3115 is an access control bypass in Mattermost. Verified patched version, official vendor advisory, and how to confirm the fix land
CVE-2026-31150 is a n/a in the vendor n/a, fixed by the same patch as CVE-2026-25212.
CVE-2026-31153 is a n/a in the vendor n/a, fixed by the same patch as CVE-2026-25212.
CVE-2026-31159 - n/a in n/a. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-3116 is a vulnerability in Mattermost. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-31160 - n/a in n/a. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-31162 - n/a in n/a. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-31163 - n/a in n/a. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-31164 - n/a in n/a. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-31165 - n/a in n/a. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-31166 - n/a in n/a. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-31167 - n/a in n/a. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-31168 - n/a in n/a. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-31169 - n/a in n/a. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-3117 is a missing authorization in Mattermost. Verified patched version, official vendor advisory, and how to confirm the fix lande
CVE-2026-31171 - n/a in n/a. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-31172 - n/a in n/a. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-31173 - n/a in n/a. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-31174 - n/a in n/a. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-31176 - n/a in n/a. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-31179 - n/a in n/a. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-3118 is a SQL injection in Red Hat Red Hat Developer Hub 1.8. This page lists the verified fix and inline mitigations.
CVE-2026-3119 is a vulnerability in BIND 9. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-31192 - n/a in n/a. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-31205 improper neutralization of input during web page generation ('cross-site scripti in the affected product. Runnable upgrade co
CVE-2026-3121 is a vulnerability in Red Hat build of Keycloak 26.4. Verified patched version, official vendor advisory, and how to confirm t
CVE-2026-31246 improper neutralization of special elements used in an os command ('os command i in the affected product. Runnable upgrade co
CVE-2026-31252 improper control of generation of code ('code injection') in the affected product. Runnable upgrade commands and verification
CVE-2026-31255 - n/a in n/a. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-31262 is an information disclosure in Cross Site. This page lists verified fix commands and short-term mitigations you can run toda
CVE-2026-31280 is a buffer copy without checking size of in An. This page lists verified fix commands and short-term mitigations you can run
CVE-2026-3131 is an information exposure in Devolutions Server. This page lists the verified fix and inline mitigations.
CVE-2026-31313 is a n/a in the vendor n/a, fixed by the same patch as CVE-2026-25212.
CVE-2026-3133 is a SQL injection in itsourcecode Document Management System. This page lists the verified fix and inline mitigations.
CVE-2026-3134 is a SQL injection in itsourcecode News Portal Project. This page lists the verified fix and inline mitigations.
CVE-2026-3135 is a SQL injection in itsourcecode News Portal Project. This page lists the verified fix and inline mitigations.
CVE-2026-31350 is a n/a in the vendor n/a, fixed by the same patch as CVE-2026-25212.
CVE-2026-31351 is a n/a in the vendor n/a, fixed by the same patch as CVE-2026-25212.
CVE-2026-31352 is a n/a in the vendor n/a, fixed by the same patch as CVE-2026-25212.
CVE-2026-31353 is a n/a in the vendor n/a, fixed by the same patch as CVE-2026-25212.
CVE-2026-31354 is a n/a in the vendor n/a, fixed by the same patch as CVE-2026-25212.
CVE-2026-3137 is a stack buffer overflow in CodeAstro Food Ordering System. This page lists the verified fix and inline mitigations.
CVE-2026-31370 - Information Leak Vulnerability in Honor E. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-3138: a vulnerability in Product Filter for WooCommerce by WBW. Patched version and vendor advisory inside.
CVE-2026-31381 is a vulnerability in Gainsight Assist. Verified patched version, official vendor advisory, and how to confirm the fix landed
CVE-2026-31382 is a vulnerability in Gainsight Assist. Verified patched version, official vendor advisory, and how to confirm the fix landed
CVE-2026-3139: Authorization Bypass Through User-Controlled Key in User Profile Builder – Beautiful User Registration Forms, User Profiles &
CVE-2026-3140 - CWE-352 Cross-Site Request Forgery (CSRF) in Ultimate Dashboard – Custom WordPress Dashboard. Runnable patch commands, mitig
CVE-2026-3142: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Pinterest Site Verification plugin us
CVE-2026-3143 - CWE-862 Missing Authorization in Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid. Runnable patch c
CVE-2026-3145 is a buffer overflow in n/a libvips. This page lists the verified fix and inline mitigations.
CVE-2026-3146 is a null pointer dereference in n/a libvips. This page lists the verified fix and inline mitigations.
CVE-2026-3147 is a heap buffer overflow in n/a libvips. This page lists the verified fix and inline mitigations.
CVE-2026-3148 is a SQL injection in SourceCodester Simple and Nice Shopping Cart Script. This page lists the verified fix and inline mitigat
CVE-2026-3149 is a SQL injection in itsourcecode College Management System. This page lists the verified fix and inline mitigations.
CVE-2026-3150 is a SQL injection in itsourcecode College Management System. This page lists the verified fix and inline mitigations.
CVE-2026-3151 is a SQL injection in itsourcecode College Management System. This page lists the verified fix and inline mitigations.
CVE-2026-3152 is a SQL injection in itsourcecode College Management System. This page lists the verified fix and inline mitigations.
CVE-2026-3153 is a SQL injection in itsourcecode Document Management System. This page lists the verified fix and inline mitigations.
CVE-2026-3160 is a vulnerability in GitLab. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-3163 is an SSRF in SourceCodester Website Link Extractor. This page lists the verified fix and inline mitigations.
CVE-2026-3164 is a SQL injection in itsourcecode News Portal Project. This page lists the verified fix and inline mitigations.
CVE-2026-3170 is a cross-site scripting in SourceCodester Patients Waiting Area Queue Management System. This page lists the verified fix an
CVE-2026-3171 is a cross-site scripting in SourceCodester Patients Waiting Area Queue Management System. This page lists the verified fix an
CVE-2026-3177: Insufficient Verification of Data Authenticity in Charitable – Donation Plugin for WordPress – Fundraising with Recurring Don
CVE-2026-31789 is a heap buffer overflow in hexadecimal conversion in OpenSSL, fixed by the same patch as CVE-2026-28386.
CVE-2026-31793: iccDEV has a SEGV in CIccCalculatorFunc::ApplySequence() in iccDEV. Patch commands and verification.
CVE-2026-31794: iccDEV has a SEGV in CIccCLUT::Interp3d() in iccDEV. Patch commands and verification.
CVE-2026-31797: iccDEV has a heap out-of-bounds read in CTiffImg::ReadLine() in iccDEV. Patch commands and verification.
CVE-2026-31798: JumpServer Improper Certificate Validation in Custom SMS API Client in jumpserver. Patch commands and verification.
CVE-2026-31799 is a SQL injection in Tautulli. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-31804 is a vulnerability in Tautulli. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-31805 is an access control bypass in discourse. Verified patched version, official vendor advisory, and how to confirm the fix land
CVE-2026-31807: SiYuan has a SVG Sanitizer Bypass via `<animate>` Element, Unauthenticated XSS in siyuan. Patch commands and verification.
CVE-2026-31808: CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') in file-type. Patch commands and verification.
CVE-2026-31809: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in siyuan. Patch commands and v
CVE-2026-31813: Supabase Auth has insecure Apple and Azure authentication with ID tokens in auth. Patch commands and verification.
CVE-2026-31815 is a CWE-284: improper access control in Django-commons django-unicorn. CVSS 5.3 Medium. Patch commands, mitigations, and ver
CVE-2026-31819 is a sylius has an open redirect via referer header in Sylius. CVSS 6.9 Medium. Patch commands, mitigations, and verification
CVE-2026-31821 is a sylius is missing authorization in api v2 add item endpoint in Sylius. CVSS 6.9 Medium. Patch commands, mitigations, and
CVE-2026-31822 is a sylius has a xss vulnerability in checkout login form in Sylius. CVSS 5.3 Medium. Patch commands, mitigations, and verif
CVE-2026-31823 is a sylius has authenticated stored xss in Sylius. CVSS 4.8 Medium. Patch commands, mitigations, and verification.
CVE-2026-31825 is a sylius has a dql injection via api order filters in Sylius. CVSS 5.3 Medium. Patch commands, mitigations, and verificati
CVE-2026-31826: pypdf: manipulated stream length values can exhaust RAM in pypdf. Patch commands and verification.
CVE-2026-31828: CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') in parse-server. Patch commands
CVE-2026-31832: Umbraco Backoffice API Allows Unauthorized Modification of Domain Data in Umbraco-CMS. Patch commands and verification.
CVE-2026-31833: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Umbraco-CMS. Patch commands
CVE-2026-31835 insufficient verification of data authenticity in vaultwarden. Runnable upgrade commands and verification steps for sysadmins
CVE-2026-31838 is a CWE-863: incorrect authorization in istio. CVSS 6.9 Medium. Patch commands, mitigations, and verification.
CVE-2026-31841: Raw exposure of database statements in Hyperterse MCP search tool in hyperterse. Patch commands and verification.
CVE-2026-3185 is an authorization bypass in feiyuchuixue sz-boot-parent. This page lists the verified fix and inline mitigations.
CVE-2026-31850 is a path traversal in Nebula 300+. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-31853: ImageMagick has a heap buffer over-write on 32-bit systems in SFW decoder in ImageMagick. Patch commands and verification.
CVE-2026-31859: Craft has Reflective XSS via incomplete return URL sanitization in cms. Patch commands and verification.
CVE-2026-3186 is a use of default password in feiyuchuixue sz-boot-parent. This page lists the verified fix and inline mitigations.
CVE-2026-31860: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in unhead. Patch commands and v
CVE-2026-31864: CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine in jumpserver. Patch commands and verificati
CVE-2026-31865 is a elysia cookie value prototype pollution in Elysiajs elysia. CVSS 6.5 Medium. Patch commands, mitigations, and verificati
CVE-2026-31867: Craft Commerce has a Potential IDOR in Commerce carts in commerce. Patch commands and verification.
CVE-2026-31868: Parse Server has Stored XSS via file upload of HTML-renderable file types in parse-server. Patch commands and verification.
CVE-2026-31869 is an information disclosure in discourse. Verified patched version, official vendor advisory, and how to confirm the fix lan
CVE-2026-3187 is an unrestricted file upload in feiyuchuixue sz-boot-parent. This page lists the verified fix and inline mitigations.
CVE-2026-31876: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in notesnook. Patch commands an
CVE-2026-31878 is a frappe: possible ssrf by any authenticated user in frappe. CVSS 5 Medium. Patch commands, mitigations, and verification.
CVE-2026-31879: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in frappe. Patch commands and v
CVE-2026-3188 is a path traversal in feiyuchuixue sz-boot-parent. This page lists the verified fix and inline mitigations.
CVE-2026-31883 is a CWE-191: integer underflow (wrap or wraparound) in FreeRDP. CVSS 6.5 Medium. Patch commands, mitigations, and verificati
CVE-2026-31884: FreeRDP has a division-by-zero in ADPCM decoders when `nBlockAlign` is 0 in FreeRDP. Patch commands and verification.
CVE-2026-31885 is a CWE-125: out-of-bounds read in FreeRDP. CVSS 6.5 Medium. Patch commands, mitigations, and verification.
CVE-2026-31888 is a CWE-204: observable response discrepancy in Shopware core. CVSS 5.3 Medium. Patch commands, mitigations, and verificatio
CVE-2026-31890: Inspektor Gadget: Tracing Denial of Service via Event Flooding in inspektor-gadget. Patch commands and verification.
CVE-2026-31893 is a unix symbolic link (symlink) following in Tunnelblick. Patched version, runnable upgrade commands, and how to verify the
CVE-2026-31894: WeGIA affected by arbitrary file read via symlink in backup restore in WeGIA. Patch commands and verification.
CVE-2026-3190 is a vulnerability in Red Hat build of Keycloak 26.4. Verified patched version, official vendor advisory, and how to confirm t
CVE-2026-31901: Parse Server has user enumeration via email verification endpoint in parse-server. Patch commands and verification.
CVE-2026-3191: Minify HTML <= 2.1.12 - Cross-Site Request Forgery to Plugin Settings Update in Minify HTML. Patch commands and verification.
CVE-2026-31914 is a vulnerability in WP Courses LMS. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-31915: WordPress Flatsome theme <= 3.19.6 - Broken Access Control in Flatsome. Patch commands and verification.
CVE-2026-31916 is a missing authorization in Iulia Cazan Latest Post Shortcode. CVSS 5.3 Medium. Patch commands, mitigations, and verificati
CVE-2026-31918: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in immonex Kickstart. Patch commands an
CVE-2026-31919: Missing Authorization in Advanced Coupons for WooCommerce Coupons. Patch commands and verification.
CVE-2026-3192 is an authentication bypass in Chia Blockchain. This page lists the verified fix and inline mitigations.
CVE-2026-31924 is a cleartext transmission of sensitive information in Apache APISIX. This page lists verified fix commands and short-term m
CVE-2026-31926 is a path traversal in eParking.fi. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-31927 is a CWE-23 in Anviz CX7 Firmware. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-31949: LibreChat Denial of Service (DoS) via Unhandled Exception in DELETE /api/convos in LibreChat. Patch commands and verificatio
CVE-2026-31950 is an access control bypass in LibreChat. Verified patched version, official vendor advisory, and how to confirm the fix land
CVE-2026-31951 is an information disclosure in LibreChat. Verified patched version, official vendor advisory, and how to confirm the fix lan
CVE-2026-31953 - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in xibo-cms. Runnable patch co
CVE-2026-31955 - CWE-918: Server-Side Request Forgery (SSRF) in xibo-cms. Runnable patch commands, mitigation, and verification on this page
CVE-2026-31956 - CWE-639: Authorization Bypass Through User-Controlled Key in xibo-cms. Runnable patch commands, mitigation, and verificatio
CVE-2026-31959: SSRF in Quill via unvalidated URL from Apple notarization log retrieval in quill. Patch commands and verification.
CVE-2026-31960: DoS in Quill via unbounded read of HTTP response body during notarization in quill. Patch commands and verification.
CVE-2026-31961: CWE-770: Allocation of Resources Without Limits or Throttling in quill. Patch commands and verification.
CVE-2026-31964 is a htslib cram decoder has a null pointer dereference in Samtools htslib. CVSS 6.9 Medium. Patch commands, mitigations, and
CVE-2026-31965: HTSlib CRAM reader has out-of-bounds reads due to improper validation of input in htslib. Patch commands and verification.
CVE-2026-31966: HTSlib CRAM reader has out-of-bounds read due to improper validation of input in htslib. Patch commands and verification.
CVE-2026-31967: HTSlib CRAM reader has out-of-bounds read due to improper validation of input in htslib. Patch commands and verification.
CVE-2026-31972: samtools mpileup has use-after-free leading to an invalid read in samtools. Patch commands and verification.
CVE-2026-31973 is a null pointer dereference in samtools cram-size in samtools. CVSS 6.9 Medium. Patch commands, mitigations, and verificati
CVE-2026-31988: yauzl 3.2.0 - Denial of Service via Off-by-One Error in NTFS Timestamp Parser in yauzl. Patch commands and verification.
CVE-2026-31989 is a CWE-918 server-side request forgery (SSRF) in OpenClaw. CVSS 5.3 Medium. Patch commands, mitigations, and verification.
CVE-2026-31990: OpenClaw < 2026.3.2 - Symlink Traversal in stageSandboxMedia Destination in OpenClaw. Patch commands and verification.
CVE-2026-31993: OpenClaw < 2026.2.22 - Allowlist Parsing Mismatch in system.run Shell Chains in OpenClaw. Patch commands and verification.
CVE-2026-31994: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78) in OpenClaw. Patch comma
CVE-2026-31995: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78) in OpenClaw. Patch comma
CVE-2026-31997 is a CWE-367: time-of-check time-of-use (TOCTOU) race condition in OpenClaw. CVSS 4.4 Medium. Patch commands, mitigations, an
CVE-2026-31999: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78) in OpenClaw. Patch comma
CVE-2026-3200 is a SQL injection in z-9527 admin. This page lists the verified fix and inline mitigations.
CVE-2026-32000: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78) in OpenClaw. Patch comma
CVE-2026-32001 is a CWE-863: incorrect authorization in OpenClaw. CVSS 5.3 Medium. Patch commands, mitigations, and verification.
CVE-2026-32002: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in OpenClaw. Patch commands and verification.
CVE-2026-3201 is an improperly controlled sequential memory allocation in Wireshark Foundation Wireshark. This page lists the verified fix an
CVE-2026-32010: OpenClaw < 2026.2.22 - Allowlist Bypass via sort --compress-program Parameter in OpenClaw. Patch commands and verification.
CVE-2026-32017 is a CWE-184: incomplete list of disallowed inputs in OpenClaw. CVSS 6 Medium. Patch commands, mitigations, and verification.
CVE-2026-3202 is a null pointer dereference in Wireshark Foundation Wireshark. This page lists the verified fix and inline mitigations.
CVE-2026-32020: CWE-59: Improper Link Resolution Before File Access ('Link Following') in OpenClaw. Patch commands and verification.
CVE-2026-32021 is a CWE-863: incorrect authorization in OpenClaw. CVSS 6.3 Medium. Patch commands, mitigations, and verification.
CVE-2026-32022: OpenClaw < 2026.2.21 - Arbitrary File Read via grep -e Flag Policy Bypass in OpenClaw. Patch commands and verification.
CVE-2026-32023 is a CWE-863: incorrect authorization in OpenClaw. CVSS 6 Medium. Patch commands, mitigations, and verification.
CVE-2026-32024: OpenClaw < 2026.2.22 - Symlink Traversal in Avatar Handling in OpenClaw. Patch commands and verification.
CVE-2026-32028 is a CWE-863: incorrect authorization in OpenClaw. CVSS 6.3 Medium. Patch commands, mitigations, and verification.
CVE-2026-32029: OpenClaw < 2026.2.21 - Client IP Spoofing via X-Forwarded-For Header Parsing in OpenClaw. Patch commands and verification.
CVE-2026-3203 is a buffer over-read in Wireshark Foundation Wireshark. This page lists the verified fix and inline mitigations.
CVE-2026-32031: CWE-288: Authentication Bypass Using an Alternate Path or Channel in OpenClaw. Patch commands and verification.
CVE-2026-32033: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in OpenClaw. Patch commands and verifi
CVE-2026-32034: OpenClaw < 2026.2.21 - Insecure Control UI Authentication over Plaintext HTTP in OpenClaw. Patch commands and verification.
CVE-2026-32035 is a CWE-863: incorrect authorization in OpenClaw. CVSS 5.8 Medium. Patch commands, mitigations, and verification.
CVE-2026-32039 is a CWE-639 authorization bypass through user-controlled key in OpenClaw. CVSS 6 Medium. Patch commands, mitigations, and ve
CVE-2026-32043 is a vulnerability in OpenClaw. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-32044 is a vulnerability in OpenClaw. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-32046 is an insecure default configuration in OpenClaw. Verified patched version, official vendor advisory, and how to confirm the
CVE-2026-32050 is an access control bypass in OpenClaw. Verified patched version, official vendor advisory, and how to confirm the fix lande
CVE-2026-32052 is an OS command injection in OpenClaw. Verified patched version, official vendor advisory, and how to confirm the fix landed
CVE-2026-32053 is a code injection in OpenClaw. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-32054 is a vulnerability in OpenClaw. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-32057 is a vulnerability in OpenClaw. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-32061: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in openclaw. Patch commands and verification.
CVE-2026-32063: Improper Neutralization of Special Elements used in a Command ('Command Injection') in openclaw. Patch commands and verifica
CVE-2026-32065 is an interpretation conflict in OpenClaw. Verified patched version, official vendor advisory, and how to confirm the fix lan
CVE-2026-32072 is an authentication bypass in Microsoft Windows. This page lists verified fix commands and short-term mitigations you can ru
CVE-2026-32079 is an information disclosure in Microsoft Windows. This page lists verified fix commands and short-term mitigations you can r
CVE-2026-3208 is a missing authorization in Mercado Pago payments for WooCommerce. Runnable upgrade commands and verification steps for sysadmins
CVE-2026-32081 is an information disclosure in Microsoft Windows. This page lists verified fix commands and short-term mitigations you can r
CVE-2026-32084 is an information disclosure in Microsoft Windows. This page lists verified fix commands and short-term mitigations you can r
CVE-2026-32085 is an information disclosure in Microsoft Windows. This page lists verified fix commands and short-term mitigations you can r
CVE-2026-32088 is a race condition in Microsoft Windows. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-3209 is an improper access controls vulnerability in fosrl Pangolin. This page lists the verified fix and inline mitigations.
CVE-2026-32094: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in shescape. Patch commands and verification.
CVE-2026-32095: Plunk has Stored Cross-Site Scripting (XSS) via SVG File Upload in plunk. Patch commands and verification.
CVE-2026-32098: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in parse-server. Patch commands and verification.
CVE-2026-32099: Discourse prevents hidden profile data leak via user onebox in discourse. Patch commands and verification.
CVE-2026-32100: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in platform-security. Patch commands and verification.
CVE-2026-32103: CWE-639: Authorization Bypass Through User-Controlled Key in studiocms. Patch commands and verification.
CVE-2026-32104: CWE-639: Authorization Bypass Through User-Controlled Key in studiocms. Patch commands and verification.
CVE-2026-32106 is a CWE-269: improper privilege management in Withstudiocms studiocms. CVSS 4.7 Medium. Patch commands, mitigations, and ver
CVE-2026-32111: ha-mcp OAuth 2.1 DCR mode enables network reconnaissance via an error oracle in ha-mcp. Patch commands and verification.
CVE-2026-32112: ha-mcp has XSS via Unescaped HTML in OAuth Consent Form in ha-mcp. Patch commands and verification.
CVE-2026-32113: Discourse: open redirect via `sso_destination_url` cookie in `enter` in discourse, fixed by the same patch as CVE-2026-2
CVE-2026-32114 is a vulnerability in discourse. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-32118: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in openemr. Patch commands and
CVE-2026-32119: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in openemr. Patch commands and
CVE-2026-32120 is a vulnerability in openemr. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-32122: OpenEMR: Missing Authorization on Claim File Tracker UI and AJAX Endpoint (V2) in openemr. Patch commands and verification.
CVE-2026-32124: OpenEMR: Dynamic Code Picker Renders Unescaped Descriptions (Stored XSS) in openemr. Patch commands and verification.
CVE-2026-32125: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in openemr. Patch commands and
CVE-2026-32128: FastGPT Python Sandbox Bypass of File-Write Restriction in FastGPT. Patch commands and verification.
CVE-2026-32134 is a denial of service in nanomq. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-32139: Dataease: Unfiltered active SVG content leads to Stored XSS in dataease. Patch commands and verification.
CVE-2026-32142: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in commercial. Patch commands and verification.
CVE-2026-32143: Discourse: admin-only report can be exported by moderators in discourse, fixed by the same patch as CVE-2026-27481.
CVE-2026-32147 - CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in OTP. Runnable patch commands, miti
CVE-2026-32151 is an information disclosure in Microsoft Windows. This page lists verified fix commands and short-term mitigations you can r
CVE-2026-32167 is a SQL injection in Microsoft SQL Server 2016 Service Pack 3 (GDR). This page lists verified fix commands and short-term mi
CVE-2026-32170 is a vulnerability in Windows 10 Version 1607. Verified patched version, official vendor advisory, and how to confirm the fix
CVE-2026-32175 is a path traversal in .NET 10.0. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-32176 is a SQL injection in Microsoft SQL Server 2016 Service Pack 3 (GDR). This page lists verified fix commands and short-term mi
CVE-2026-32181 is an improper privilege management in Microsoft Windows. This page lists verified fix commands and short-term mitigations yo
CVE-2026-32185 is a vulnerability in Microsoft Teams for Android. Verified patched version, official vendor advisory, and how to confirm the
CVE-2026-3219 is an unrestricted file upload in pip. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-32196 is a cross-site scripting in Windows Admin Center. This page lists verified fix commands and short-term mitigations you can r
CVE-2026-32209: an access control bypass in Windows 10 Version 1607. Patched version and vendor advisory inside.
CVE-2026-3221 is a CWE-312 cleartext storage of sensitive information in Devolutions Server. This page lists the verified fix and inline mit
CVE-2026-32212 is a CWE-59: improper link resolution before file in Microsoft Windows. This page lists verified fix commands and short-term
CVE-2026-32214 is a CWE-284: improper access control in Microsoft Windows. This page lists verified fix commands and short-term mitigations
CVE-2026-32215 is a CWE-532: insertion of sensitive information into in Microsoft Windows. This page lists verified fix commands and short-t
CVE-2026-32216 is a CWE-476: null pointer dereference in Windows 11 version 26H1. This page lists verified fix commands and short-term mitig
CVE-2026-32217 is a CWE-532: insertion of sensitive information into in Microsoft Windows. This page lists verified fix commands and short-t
CVE-2026-32218 is a CWE-532: insertion of sensitive information into in Microsoft Windows. This page lists verified fix commands and short-t
CVE-2026-32220 is a CWE-284: improper access control in Microsoft Windows. This page lists verified fix commands and short-term mitigations
CVE-2026-32223 is a heap buffer overflow in Microsoft Windows. This page lists verified fix commands and short-term mitigations you can run
CVE-2026-32226 is a race condition in Microsoft .NET Framework 3.5. This page lists verified fix commands and short-term mitigations you can
CVE-2026-32229 is a CWE-290 in Jetbrains Hub. CVSS 6.8 Medium. Patch commands, mitigations, and verification.
CVE-2026-32230 is a CWE-862: missing authorization in Louislam uptime-kuma. CVSS 5.3 Medium. Patch commands, mitigations, and verification.
CVE-2026-32234: Parse Server has a SQL injection via query field name when using PostgreSQL in parse-server. Patch commands and verification
CVE-2026-32235: @backstage/plugin-auth-backend: OAuth redirect URI allowlist bypass in plugin-auth-backend. Patch commands and verification.
CVE-2026-32237: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in plugin-scaffolder-backend. Patch commands and verific
CVE-2026-32239: Cap'n Proto has an integer overflow in kj-http in capnproto. CVSS 6.3 Medium. Patch commands, mitigations, and verificat
CVE-2026-32240: Cap'n Proto: integer overflow in kj-http chunk size in capnproto. CVSS 6.3 Medium. Patch commands, mitigations, and veri
CVE-2026-32243: Discourse: stored XSS in discourse-ai shared conversations onebox in discourse, fixed by the same patch as CVE-2026-2748
CVE-2026-32244 is a vulnerability in discourse. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-32245: Tinyauth's OIDC authorization codes are not bound to client on token exchange in tinyauth. Patch commands and verification.
CVE-2026-32249: NFA regex engine NULL pointer dereference affects Vim < 9.2.0137 in vim. Patch commands and verification.
CVE-2026-3225: a vulnerability in LearnPress – WordPress LMS Plugin for Cr. Patched version and vendor advisory inside.
CVE-2026-32259: ImageMagick has a possible stack buffer overflow in sixel encoder in ImageMagick. Patch commands and verification.
CVE-2026-3226: CWE-862 Missing Authorization in LearnPress – WordPress LMS Plugin for Create and Sell Online Courses. Patch commands and ver
CVE-2026-32262: Craft CMS has a Path Traversal Vulnerability in AssetsController in cms. Patch commands and verification.
CVE-2026-32265: Amazon S3 for Craft CMS has an Information Disclosure in aws-s3. Patch commands and verification.
CVE-2026-32269: CWE-683: Function Call With Incorrect Order of Arguments in parse-server. Patch commands and verification.
CVE-2026-32273: Discourse: XSS on category description update via API in discourse, fixed by the same patch as CVE-2026-27481.
CVE-2026-32279 is a vulnerability in connect-cms. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-3228: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in NextScripts: Social Networks A
CVE-2026-32282: TOCTOU permits root escape on Linux via Root.Chmod in os in internal/syscall/unix in internal/syscall/unix. Patch commands a
CVE-2026-32288: Unbounded allocation for old GNU sparse in archive/tar in archive/tar. Patch commands and verification.
CVE-2026-32289: JsBraceDepth Context Tracking Bugs (XSS) in html/template in html/template. Patch commands and verification.
CVE-2026-32294: JetKVM insufficient firmware verification in JetKVM. CVSS 4.7 Medium. Patch commands, mitigations, and verification.
CVE-2026-32310 is a path traversal in cryptomator. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-32312 is a missing authorization in glpi. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-32320 is a CWE-125: out-of-bounds read in Ellanetworks core. CVSS 6.5 Medium. Patch commands, mitigations, and verification.
CVE-2026-32322: soroban-sdk: `Fr` scalar field equality comparison bypasses modular reduction in rs-soroban-sdk. Patch commands and verifica
CVE-2026-32326 is an authentication bypass in home 5G HR01. Verified patched version, official vendor advisory, and how to confirm the fix l
CVE-2026-32328 is a cross-site request forgery (CSRF) in Shufflehound Lemmony. CVSS 5.4 Medium. Patch commands, mitigations, and verificatio
CVE-2026-32329 is a missing authorization in Ays Pro Advanced Related Posts. CVSS 5.3 Medium. Patch commands, mitigations, and verification.
CVE-2026-32330 is a cross-site request forgery (CSRF) in Photo Gallery by 10Web. CVSS 4.3 Medium. Patch commands, mitigations, and verificat
CVE-2026-32331: WordPress Textmetrics plugin <= 3.6.4 - Broken Access Control in Textmetrics. Patch commands and verification.
CVE-2026-32332: WordPress Easy Form plugin <= 2.7.9 - Broken Access Control in Easy Form. Patch commands and verification.
CVE-2026-32334: WordPress JobScout theme <= 1.1.7 - Broken Access Control in JobScout. Patch commands and verification.
CVE-2026-32335: WordPress The Conference theme <= 1.2.5 - Broken Access Control in The Conference. Patch commands and verification.
CVE-2026-32336: WordPress Rara Business theme <= 1.3.0 - Broken Access Control in Rara Business. Patch commands and verification.
CVE-2026-32337 is a missing authorization in Raratheme Preschool and Kindergarten. CVSS 5.3 Medium. Patch commands, mitigations, and verific
CVE-2026-32338 is a missing authorization in Raratheme Construction Landing Page. CVSS 5.3 Medium. Patch commands, mitigations, and verifica
CVE-2026-32339: WordPress Bakes And Cakes theme <= 1.2.9 - Broken Access Control in Bakes And Cakes. Patch commands and verification.
CVE-2026-3234: Improper Neutralization of CRLF Sequences ('CRLF Injection') in Red Hat Enterprise Linux 10. Patch commands and verification.
CVE-2026-32340 is a missing authorization in Raratheme Business One Page. CVSS 5.3 Medium. Patch commands, mitigations, and verification.
CVE-2026-32341: WordPress Benevolent theme <= 1.3.9 - Broken Access Control in Benevolent. Patch commands and verification.
CVE-2026-32342 is a cross-site request forgery (CSRF) in Ays Pro Quiz Maker. CVSS 4.3 Medium. Patch commands, mitigations, and verification.
CVE-2026-32343 is a cross-site request forgery (CSRF) in Magazine3 Easy Table of Contents. CVSS 4.3 Medium. Patch commands, mitigations, and
CVE-2026-32344 is a cross-site request forgery (CSRF) in Desertthemes Corpiva. CVSS 4.3 Medium. Patch commands, mitigations, and verificatio
CVE-2026-32345 is a missing authorization in Raratheme Perfect Portfolio. CVSS 5.3 Medium. Patch commands, mitigations, and verification.
CVE-2026-32346: WordPress Travel Agency theme <= 1.5.5 - Broken Access Control in Travel Agency. Patch commands and verification.
CVE-2026-32347 is a missing authorization in Raratheme Restaurant and Cafe. CVSS 5.3 Medium. Patch commands, mitigations, and verification.
CVE-2026-32348: WordPress MAS Videos plugin <= 1.3.2 - Broken Access Control in MAS Videos. Patch commands and verification.
CVE-2026-32349 is a server-side request forgery (SSRF) in Andy Fragen Embed PDF Viewer. CVSS 4.9 Medium. Patch commands, mitigations, and ve
CVE-2026-32350: WordPress Chocolate House theme <= 1.1.5 - Broken Access Control in Chocolate House. Patch commands and verification.
CVE-2026-32351: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in PowerPress Podcasting. Patch command
CVE-2026-32352: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Elementor Website Builder. Patch com
CVE-2026-32353 is a server-side request forgery (SSRF) in Mailerpress Team MailerPress. CVSS 6.4 Medium. Patch commands, mitigations, and ve
CVE-2026-32354: WordPress WpEvently plugin < 5.1.9 - Sensitive Data Exposure in WpEvently. Patch commands and verification.
CVE-2026-32356: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Robo Gallery. Patch commands and ver
CVE-2026-32357: Server-Side Request Forgery (SSRF) in Simple Blog Card. Patch commands and verification.
CVE-2026-32359: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Icon List Block. Patch commands and
CVE-2026-32360: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Rich Shows for Google Reviews. Patch
CVE-2026-32361: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Editorial Calendar. Patch commands a
CVE-2026-32362: Missing Authorization in WP Sessions Time Monitoring Full Automatic. Patch commands and verification.
CVE-2026-32363: WordPress WPLifeCycle plugin <= 3.3.1 - Broken Access Control in WPLifeCycle. Patch commands and verification.
CVE-2026-32370: WordPress Influencer theme <= 1.1.7 - Broken Access Control in Influencer. Patch commands and verification.
CVE-2026-32371: WordPress Elegant Pink theme <= 1.3.3 - Broken Access Control in Elegant Pink. Patch commands and verification.
CVE-2026-32372: Exposure of Sensitive System Information to an Unauthorized Control Sphere in ShopBuilder – Elementor WooCommerce Builder Ad
CVE-2026-32373 is a missing authorization in Cozy Vision SMS Alert Order Notifications. CVSS 5.4 Medium. Patch commands, mitigations, and ve
CVE-2026-32374: WordPress The Minimal theme <= 1.2.9 - Broken Access Control in The Minimal. Patch commands and verification.
CVE-2026-32375: WordPress Travel Diaries theme <= 1.2.4 - Broken Access Control in Travel Diaries. Patch commands and verification.
CVE-2026-32376: WordPress Kalon theme <= 1.2.9 - Broken Access Control in Kalon. Patch commands and verification.
CVE-2026-32377: WordPress Pranayama Yoga theme <= 1.2.2 - Broken Access Control in Pranayama Yoga. Patch commands and verification.
CVE-2026-32378 is a missing authorization in Raratheme Book Landing Page. CVSS 5.3 Medium. Patch commands, mitigations, and verification.
CVE-2026-32379: WordPress Rara Academic theme <= 1.2.2 - Broken Access Control in Rara Academic. Patch commands and verification.
CVE-2026-32380: WordPress Numinous theme <= 1.3.0 - Broken Access Control in Numinous. Patch commands and verification.
CVE-2026-32381: WordPress App Landing Page theme <= 1.2.2 - Broken Access Control in App Landing Page. Patch commands and verification.
CVE-2026-32382: WordPress Digital Download theme <= 1.1.4 - Broken Access Control in Digital Download. Patch commands and verification.
CVE-2026-32383: WordPress Ridhi theme <= 1.1.2 - Broken Access Control in Ridhi. Patch commands and verification.
CVE-2026-32385 is a missing authorization in Metagauss RegistrationMagic. CVSS 5.4 Medium. Patch commands, mitigations, and verification.
CVE-2026-32386: WordPress Envo Extra plugin <= 1.9.13 - Broken Access Control in Envo Extra. Patch commands and verification.
CVE-2026-32387 is a missing authorization in Noor Alam Checkout for PayPal. CVSS 5.3 Medium. Patch commands, mitigations, and verification.
CVE-2026-32388: WordPress GLB theme <= 1.2.2 - Broken Access Control in Linethemes GLB. CVSS 5.4 Medium. Patch commands, mitigations, an
CVE-2026-3239: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Strong Testimonials. Patch commands a
CVE-2026-32390: WordPress Nanosoft theme < 1.3.2 - Broken Access Control in Nanosoft. Patch commands and verification.
CVE-2026-32391: WordPress SmartFix theme < 1.2.4 - Broken Access Control in SmartFix. Patch commands and verification.
CVE-2026-32394 is a missing authorization in PublishPress Capabilities. CVSS 4.3 Medium. Patch commands, mitigations, and verification.
CVE-2026-32395 is a missing authorization in Xpro Addons For Beaver Builder – Lite. CVSS 5.3 Medium. Patch commands, mitigations, and verifi
CVE-2026-32396: WordPress Team plugin <= 5.0.13 - Broken Access Control in Team. Patch commands and verification.
CVE-2026-32397: WordPress Filter & Grids plugin <= 3.5.1 - Broken Access Control in Filter & Grids. Patch commands and verification.
CVE-2026-32398: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') in TeraWallet – For WooCommerce.
CVE-2026-3240 is a cross-site scripting in Concrete CMS Concrete CMS. This page lists the verified fix and inline mitigations.
CVE-2026-32402 is a missing authorization in Ays Pro Image Slider by Ays. CVSS 5.3 Medium. Patch commands, mitigations, and verification.
CVE-2026-32403: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Toocheke Companion. Patch commands a
CVE-2026-32404 is a missing authorization in Studio99 WP Monitor. CVSS 5.3 Medium. Patch commands, mitigations, and verification.
CVE-2026-32405: WordPress WoodMart theme <= 8.3.9 - Sensitive Data Exposure in WoodMart. Patch commands and verification.
CVE-2026-32406 is a missing authorization in Wpclever WPC Product Bundles for WooCommerce. CVSS 4.3 Medium. Patch commands, mitigations, and
CVE-2026-32407 is a missing authorization in Wpclever WPC Smart Wishlist for WooCommerce. CVSS 4.3 Medium. Patch commands, mitigations, and
CVE-2026-32408: WordPress Brizy plugin <= 2.7.23 - Broken Access Control in Brizy. Patch commands and verification.
CVE-2026-32409: WordPress Forminator plugin <= 1.50.2 - Broken Access Control in Forminator. Patch commands and verification.
CVE-2026-3241 is a cross-site scripting in Concrete CMS Concrete CMS. This page lists the verified fix and inline mitigations.
CVE-2026-32410: Missing Authorization in WBW Currency Switcher for WooCommerce. Patch commands and verification.
CVE-2026-32411: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Embed Calendly. Patch commands and v
CVE-2026-32412: Server-Side Request Forgery (SSRF) in Gift Up Gift Cards for WordPress and WooCommerce. Patch commands and verification.
CVE-2026-32413 is a missing authorization in Maciej Bis Permalink Manager Lite. CVSS 5.3 Medium. Patch commands, mitigations, and verificati
CVE-2026-32415: WordPress Squeeze plugin <= 1.7.7 - Directory Traversal in Squeeze. Patch commands and verification.
CVE-2026-32416: WordPress PDF Poster plugin <= 2.4.0 - Broken Access Control in PDF Poster. Patch commands and verification.
CVE-2026-32417: WordPress Pochipp plugin < 1.18.9 - Broken Access Control in Pochipp. Patch commands and verification.
CVE-2026-32419: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in List category posts. Patch commands
CVE-2026-3242 is a cross-site scripting in Concrete CMS Concrete CMS. This page lists the verified fix and inline mitigations.
CVE-2026-32420 is a cross-site request forgery (CSRF) in Ruben Garcia GamiPress. CVSS 5.4 Medium. Patch commands, mitigations, and verificat
CVE-2026-32421: WordPress Post Timeline plugin <= 2.4.1 - Broken Access Control in Post Timeline. Patch commands and verification.
CVE-2026-32423 is a missing authorization in Bowo Admin and Site Enhancements (ASE). CVSS 5.4 Medium. Patch commands, mitigations, and verif
CVE-2026-32424: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Sprout Clients. Patch commands and v
CVE-2026-32425 is a missing authorization in Linknacional Payment Gateway Pix For GiveWP. CVSS 5.3 Medium. Patch commands, mitigations, and
CVE-2026-32427 is a missing authorization in Vowelweb VW Education Lite. CVSS 5.3 Medium. Patch commands, mitigations, and verification.
CVE-2026-32428: WordPress Popup Like box plugin <= 3.7.7 - Broken Access Control in Popup Like box. Patch commands and verification.
CVE-2026-32429: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Magical Addons For Elementor. Patch
CVE-2026-32430: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in PowerPack Addons for Elementor. Patc
CVE-2026-32431: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Astra Bulk Edit. Patch commands and
CVE-2026-32432 is a missing authorization in Codepeople WP Time Slots Booking Form. CVSS 5.3 Medium. Patch commands, mitigations, and verifi
CVE-2026-32434: WordPress VW Fitness theme <= 4.3.4 - Broken Access Control in VW Fitness. Patch commands and verification.
CVE-2026-32435: WordPress VW Pet Shop theme <= 1.4.7 - Broken Access Control in VW Pet Shop. Patch commands and verification.
CVE-2026-32436: WordPress VW Photography theme <= 1.3.8 - Broken Access Control in VW Photography. Patch commands and verification.
CVE-2026-32437: WordPress VW Portfolio theme <= 1.3.3 - Broken Access Control in VW Portfolio. Patch commands and verification.
CVE-2026-32438 is a missing authorization in Vowelweb VW School Education. CVSS 5.3 Medium. Patch commands, mitigations, and verification.
CVE-2026-32439: WordPress BigHearts theme <= 3.1.14 - Broken Access Control in BigHearts. Patch commands and verification.
CVE-2026-3244 is a cross-site scripting in Concrete CMS Concrete CMS. This page lists the verified fix and inline mitigations.
CVE-2026-32440: WordPress WP Food plugin < 2.7.1 - Broken Access Control in WP Food. Patch commands and verification.
CVE-2026-32442: WordPress e2pdf plugin <= 1.28.15 - Broken Access Control in e2pdf. CVSS 5 Medium. Patch commands, mitigations, and veri
CVE-2026-32443: Cross-Site Request Forgery (CSRF) in Product Feed PRO for WooCommerce. Patch commands and verification.
CVE-2026-32446 is a missing authorization in Syed Balkhi Contact Form by WPForms. CVSS 4.3 Medium. Patch commands, mitigations, and verifica
CVE-2026-32447: WordPress Atarim plugin <= 4.3.2 - Broken Access Control in Atarim. Patch commands and verification.
CVE-2026-32448: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Podlove Podcast Publisher. Patch com
CVE-2026-32449: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Themify Event Post. Patch commands a
CVE-2026-32450: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Active Products Tables for WooCommer
CVE-2026-32451: WordPress Fusion Builder plugin < 3.15.0 - Broken Access Control in Fusion Builder. Patch commands and verification.
CVE-2026-32452: WordPress Fusion Builder plugin < 3.15.0 - Broken Access Control in Fusion Builder. Patch commands and verification.
CVE-2026-32453: WordPress Avada Core plugin < 5.15.0 - Broken Access Control in Avada Core. Patch commands and verification.
CVE-2026-32454: WordPress Avada Core plugin < 5.15.0 - Cross Site Scripting (XSS) in Avada Core. Patch commands and verification.
CVE-2026-32455: WordPress MDTF plugin <= 1.3.5 - Cross Site Scripting (XSS) in MDTF. Patch commands and verification.
CVE-2026-32456 is a cross-site request forgery (CSRF) in Janis Elsts Admin Menu Editor. CVSS 4.3 Medium. Patch commands, mitigations, and ve
CVE-2026-32457: Missing Authorization in Advanced Product Fields (Product Addons) for WooCommerce. Patch commands and verification.
CVE-2026-32460: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Ultimate Addons for Contact Form 7.
CVE-2026-32461 is a missing authorization in Really Simple Plugins Really Simple SSL. CVSS 4.3 Medium. Patch commands, mitigations, and veri
CVE-2026-32462: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Master Addons for Elementor. Patch c
CVE-2026-32483 is a vulnerability in Contact Form Email. Verified patched version, official vendor advisory, and how to confirm the fix land
CVE-2026-32486: WordPress Travel Booking theme <= 1.3.9 - Broken Access Control in Travel Booking. Patch commands and verification.
CVE-2026-32487 is a missing authorization in Raratheme Lawyer Landing Page. CVSS 5.3 Medium. Patch commands, mitigations, and verification.
CVE-2026-32489 is a vulnerability in B Blocks. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-32490 is a vulnerability in WP TripAdvisor Review Slider. Verified patched version, official vendor advisory, and how to confirm th
CVE-2026-32491 is a vulnerability in WP Review Slider. Verified patched version, official vendor advisory, and how to confirm the fix landed
CVE-2026-32492 is an authentication bypass in My Tickets. Verified patched version, official vendor advisory, and how to confirm the fix lan
CVE-2026-32496: a path traversal in Spam Protect for Contact Form 7. Patched version and vendor advisory inside.
CVE-2026-32497 is a vulnerability in User Verification. Verified patched version, official vendor advisory, and how to confirm the fix lande
CVE-2026-32506 is an unsafe deserialization in Archicon. Verified patched version, official vendor advisory, and how to confirm the fix land
CVE-2026-32507 is an unsafe deserialization in Leroux. Verified patched version, official vendor advisory, and how to confirm the fix landed
CVE-2026-32508 is an unsafe deserialization in Halstein. Verified patched version, official vendor advisory, and how to confirm the fix land
CVE-2026-32509 is an unsafe deserialization in Gracey. Verified patched version, official vendor advisory, and how to confirm the fix landed
CVE-2026-32510 is an unsafe deserialization in Kamperen. Verified patched version, official vendor advisory, and how to confirm the fix land
CVE-2026-32511 is an unsafe deserialization in Stål. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-32514 is a vulnerability in Petitioner. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-32521 is a vulnerability in WP Custom Admin Interface. Verified patched version, official vendor advisory, and how to confirm the f
CVE-2026-32527: a vulnerability in WP Insightly for Contact Form 7. Patched version and vendor advisory inside.
CVE-2026-32533 is a vulnerability in LatePoint. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-32535 is a vulnerability in JS Help Desk. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-32541 is a vulnerability in Premmerce Redirect Manager. Verified patched version, official vendor advisory, and how to confirm the
CVE-2026-32543 is a missing authorization in Cyberchimps Responsive Blocks. CVSS 5.3 Medium. Patch commands, mitigations, and verification.
CVE-2026-3255 is a cwe-340 generation of predictable numbers or identifiers in TOKUHIROM HTTP::Session2. This page lists the verified fix an
CVE-2026-32562 is a vulnerability in PPWP. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-32565 is a missing authorization in Ajay Contextual Related Posts. CVSS 5.3 Medium. Patch commands, mitigations, and verification.
CVE-2026-32567 is a path traversal in YML for Yandex Market. Verified patched version, official vendor advisory, and how to confirm the fix
CVE-2026-32583 is a cwe-862 missing authorization in Webnus Inc. Modern Events Calendar. CVSS 5.3 Medium. Patch commands, mitigations, and v
CVE-2026-32586 is a missing authorization in Pluggabl Booster for WooCommerce. CVSS 5.3 Medium. Patch commands, mitigations, and verificatio
CVE-2026-32587: WordPress WP EasyPay plugin <= 4.2.11 - Broken Access Control in WP EasyPay. Patch commands and verification.
CVE-2026-32588: bundle sibling of CVE-2026-27314. Same patched build closes both.
CVE-2026-32591 is a server-side request forgery (ssrf) in Red Hat Quay 3.16, fixed by the same patch as CVE-2026-2377.
CVE-2026-32594: Parse Server GraphQL WebSocket endpoint bypasses security middleware in parse-server. Patch commands and verification.
CVE-2026-32595 is a vulnerability in traefik. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-32598: oneuptime: password reset token logged at info level in oneuptime. CVSS 6.9 Medium. Patch commands, mitigations, and ver
CVE-2026-3260: an OS command injection in Red Hat build of Apache Camel for Spring. Patched version and vendor advisory inside.
CVE-2026-32602: Homarr has a Race Condition in Invite Token Registration (TOCTOU) in homarr. Patch commands and verification.
CVE-2026-3261 is a SQL injection in itsourcecode School Management System. This page lists the verified fix and inline mitigations.
CVE-2026-32612: Statamic: privilege escalation via stored cross-site scripting in cms. Patch commands and verification.
CVE-2026-32615 is a cwe-285: improper authorization in discourse, fixed by the same patch as CVE-2026-27481.
CVE-2026-32618: bundle sibling of CVE-2026-27481. Same patched build closes both.
CVE-2026-32619 is a cwe-285: improper authorization in discourse, fixed by the same patch as CVE-2026-27481.
CVE-2026-3262 is an execution after redirect in go2ismail Asp.Net-Core-Inventory-Order-Management-System. This page lists the verified fix an
CVE-2026-32620: discourse: missing post-level authorization allows whisper metadata disclosure in discourse, fixed by the same patch as
CVE-2026-32624 is a heap buffer overflow in xrdp. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-32629: phpMyFAQ: Stored XSS via Unsanitized Email Field in Admin FAQ Editor in phpMyFAQ. Patch commands and verification.
CVE-2026-3263 is an improper authorization in go2ismail Asp.Net-Core-Inventory-Order-Management-System. This page lists the verified fix and
CVE-2026-32630: file-type affected by ZIP Decompression Bomb DoS via [Content_Types].xml entry in file-type. Patch commands and verification
CVE-2026-32632: Glances's REST/WebUI Lacks Host Validation and Remains Exposed to DNS Rebinding in glances. Patch commands and verification.
CVE-2026-32636 is a cwe-787: out-of-bounds write in ImageMagick. CVSS 5.3 Medium. Patch commands, mitigations, and verification.
CVE-2026-3264 is an execution after redirect in go2ismail Free-CRM. This page lists the verified fix and inline mitigations.
CVE-2026-32648 is a missing authorization in Anviz CX2 Lite Firmware. This page lists verified fix commands and short-term mitigations you c
CVE-2026-3265 is an improper authorization in go2ismail Free-CRM. This page lists the verified fix and inline mitigations.
CVE-2026-32655 - CWE-272: Least Privilege Violation in Alienware Command Center (AWCC). Runnable patch commands, mitigation, and verificatio
CVE-2026-32662: Gardyn Cloud API active debug code in Gardyn Cloud API, fixed by the same patch as CVE-2026-25197.
CVE-2026-32673 is a path traversal in BIG-IP. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-3268 is an improper access controls issue in psi-probe PSI Probe. This page lists the verified fix and inline mitigations.
CVE-2026-32683: cleartext transmission of sensitive information in Ezviz App. Runnable upgrade commands and verification steps for sysadmins.
CVE-2026-32686 is an uncontrolled resource consumption in decimal. Patched version, runnable upgrade commands, and how to verify the fix land
CVE-2026-3269 is a denial of service in psi-probe PSI Probe. This page lists the verified fix and inline mitigations.
CVE-2026-32691: Timing ownership claim attack on new external back-end secrets in Juju. Patch commands and verification.
CVE-2026-32694: Insecure Direct Object Reference attack via predictable secret ID in Juju in Juju. Patch commands and verification.
CVE-2026-32695 is a vulnerability in traefik. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-32697: CWE-639: Authorization Bypass Through User-Controlled Key in SuiteCRM-Core. Patch commands and verification.
CVE-2026-32699: external control of assumed-immutable web parameter in facturascripts. Runnable upgrade commands and verification steps for s
CVE-2026-3270 is a SSRF in psi-probe PSI Probe. This page lists the verified fix and inline mitigations.
CVE-2026-32700: CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') in devise. Patch comman
CVE-2026-32702: Cleanuparr has username enumeration via timing attack in Cleanuparr. CVSS 6.9 Medium. Patch commands, mitigations, and v
CVE-2026-32704 is a cwe-285: improper authorization in Siyuan-note siyuan. CVSS 6.5 Medium. Patch commands, mitigations, and verification.
CVE-2026-32705: PX4 autopilot BST Device Name Length Can Overflow Driver Buffer in PX4-Autopilot. Patch commands and verification.
CVE-2026-32707 is a cwe-121: stack-based buffer overflow in PX4-Autopilot. CVSS 5.2 Medium. Patch commands, mitigations, and verification.
CVE-2026-32709: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in PX4-Autopilot. Patch commands and
CVE-2026-32712: Open Source Point of Sale has Stored XSS in Customer Name (Sales) in opensourcepos. Patch commands and verification.
CVE-2026-32713 is a cwe-670: always-incorrect control flow implementation in PX4-Autopilot. CVSS 4.3 Medium. Patch commands, mitigations, an
CVE-2026-32719: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in anything-llm. Patch commands and v
CVE-2026-32723: CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') in SandboxJS. Patch com
CVE-2026-32724 is a cwe-416: use after free in PX4-Autopilot. CVSS 5.3 Medium. Patch commands, mitigations, and verification.
CVE-2026-32736: Hytale Modding Wiki has Insecure Direct Object Reference / GDPR PII Exposure in wiki. Patch commands and verification.
CVE-2026-32738 is an out-of-bounds read in libheif. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-32739 is a denial of service in libheif. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-32742: CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes in parse-server. Patch commands and
CVE-2026-32743 is a cwe-121: stack-based buffer overflow in PX4-Autopilot. CVSS 6.5 Medium. Patch commands, mitigations, and verification.
CVE-2026-32745 is a cwe-614 in Jetbrains Datalore. CVSS 6.3 Medium. Patch commands, mitigations, and verification.
CVE-2026-32747: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in siyuan. Patch commands and verific
CVE-2026-32750: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in siyuan. Patch commands and verific
CVE-2026-32751: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in siyuan. Patch commands and v
CVE-2026-32755: Admidio is Missing CSRF Protection on Role Membership Date Changes in admidio. Patch commands and verification.
CVE-2026-32757: Admidio: HTMLPurifier Bypass in eCard Message Allows HTML Email Injection in admidio. Patch commands and verification.
CVE-2026-32758 is a cwe-863: incorrect authorization in filebrowser. CVSS 6.5 Medium. Patch commands, mitigations, and verification.
CVE-2026-32759: File Browser TUS Negative Upload-Length Fires Post-Upload Hooks Prematurely in filebrowser. Patch commands and verification.
CVE-2026-32761 is a cwe-284: improper access control in filebrowser. CVSS 6.5 Medium. Patch commands, mitigations, and verification.
CVE-2026-32762: rack: forwarded header semicolon injection enables host and scheme spoofing in rack, fixed by the same patch as CVE-2026
CVE-2026-3277 is a cwe-312 cleartext storage of sensitive information in Devolutions PowerShell Universal. This page lists the verified fix
CVE-2026-32770 is a cwe-248: uncaught exception in Parse-community parse-server. CVSS 5.9 Medium. Patch commands, mitigations, and verificat
CVE-2026-32774: Vulnogram - Stored Cross-Site Scripting via Comment Hypertext in Vulnogram. Patch commands and verification.
CVE-2026-32776 is a cwe-476 null pointer dereference in Libexpat Project libexpat. CVSS 4 Medium. Patch commands, mitigations, and verificat
CVE-2026-32777: CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop') in libexpat. Patch commands and verification.
CVE-2026-32792 is a vulnerability in Unbound. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-3281 is a heap buffer overflow in n/a libvips. This page lists the verified fix and inline mitigations.
CVE-2026-32810 is an arbitrary file read in halloy. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-32812 is a vulnerability in admidio. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-32814 is an information disclosure in libheif. Verified patched version, official vendor advisory, and how to confirm the fix lande
CVE-2026-32815 is a cwe-287: improper authentication in Siyuan-note siyuan. CVSS 5.3 Medium. Patch commands, mitigations, and verification.
CVE-2026-32816 is a cwe-352: cross-site request forgery (csrf) in admidio. CVSS 5.7 Medium. Patch commands, mitigations, and verification.
CVE-2026-32818: Admidio is Missing Authorization on Forum Topic and Post Deletion in admidio. Patch commands and verification.
CVE-2026-3282 is an out-of-bounds read in n/a libvips. This page lists the verified fix and inline mitigations.
CVE-2026-32828 is a vulnerability in kargo. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-3283 is an out-of-bounds read in n/a libvips. This page lists the verified fix and inline mitigations.
CVE-2026-32836: CWE-789 Memory allocation with excessive size value in dr_libs dr_flac.h. Patch commands and verification.
CVE-2026-32837: mackron / miniaudio Out-of-Bounds Read in BEXT Coding History Parsing in miniaudio. Patch commands and verification.
CVE-2026-32839: Edimax GS-5008PL <= 1.00.54 CSRF via Management CGI Endpoints in Edimax GS-5008PL. Patch commands and verification.
CVE-2026-3284 is an integer overflow in n/a libvips. This page lists the verified fix and inline mitigations.
CVE-2026-32840: Edimax GS-5008PL <= 1.00.54 Stored XSS via Device Name in Edimax GS-5008PL. Patch commands and verification.
CVE-2026-32843: Linkit ONE Location Aware Sensor System (LASS) Reflected XSS via PM25.php in Location Aware Sensor System (LASS). Patch comm
CVE-2026-32844 is a vulnerability in php_api_doc. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-32845 is a vulnerability in cgltf. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-32848 is a vulnerability in src. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-32849 is a vulnerability in src. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-3285 is an out-of-bounds read in berry-lang berry. This page lists the verified fix and inline mitigations.
CVE-2026-32850 is a vulnerability in MailEnable. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-32851 is a vulnerability in MailEnable. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-32852 is a vulnerability in MailEnable. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-32853 is a path traversal in LibVNCServer. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-32854 is a vulnerability in LibVNCServer. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-32859 is a vulnerability in DeerFlow. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-3286 is a SSRF in itwanger paicoding. This page lists the verified fix and inline mitigations.
CVE-2026-32866: OPEXUS eComplaint and eCase stored XSS via profile first and last name in eCASE. Patch commands and verification.
CVE-2026-32867: OPEXUS eComplaint unauthenticated file upload in Opexus eComplaint. CVSS 5.4 Medium. Patch commands, mitigations, and ve
CVE-2026-32868: OPEXUS eComplaint and eCASE XSS via my information in eComplaint. Patch commands and verification.
CVE-2026-32869: OPEXUS eComplaint and eCASE XSS via Name of Organization field in eComplaint. Patch commands and verification.
CVE-2026-3287 is a SQL injection in youlaitech youlai-mall. This page lists the verified fix and inline mitigations.
CVE-2026-32870 - CWE-91: XML Injection (aka Blind XPath Injection) in kirby. Runnable patch commands, mitigation, and verification on this p
CVE-2026-32878: CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in parse-server. Patch c
CVE-2026-32879 is an authentication bypass in new-api. Verified patched version, official vendor advisory, and how to confirm the fix landed
CVE-2026-32880 is a vulnerability in CRM. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-32881 is a vulnerability in ewe. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-32883 is an authentication bypass in botan. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-32884 is a code injection in botan. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-32885 - CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in ddev. Runnable patch commands, mi
CVE-2026-32889 is a denial of service in tinytag. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-3289 is a path traversal in Sanluan PublicCMS. This page lists the verified fix and inline mitigations.
CVE-2026-32893 is a cross-site scripting in chamilo-lms. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-32895 is an access control bypass in OpenClaw. Verified patched version, official vendor advisory, and how to confirm the fix lande
CVE-2026-32896 is an authentication bypass in OpenClaw. Verified patched version, official vendor advisory, and how to confirm the fix lande
CVE-2026-32897 is a vulnerability in OpenClaw. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-32898 is a vulnerability in OpenClaw. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-32899 is an access control bypass in OpenClaw. Verified patched version, official vendor advisory, and how to confirm the fix lande
CVE-2026-3291: improper export of android application components in Samsung Print Service Plugin. Runnable upgrade commands and verification
CVE-2026-32919 is an access control bypass in OpenClaw. Verified patched version, official vendor advisory, and how to confirm the fix lande
CVE-2026-3292 is a SQL injection in n/a jizhiCMS. This page lists the verified fix and inline mitigations.
CVE-2026-32921 is a time-of-check time-of-use (toctou) race condition in OpenClaw, fixed by the same patch as CVE-2026-32916.
CVE-2026-32923 is an access control bypass in OpenClaw. Verified patched version, official vendor advisory, and how to confirm the fix lande
CVE-2026-32924 is an access control bypass in OpenClaw. Verified patched version, official vendor advisory, and how to confirm the fix lande
CVE-2026-3293 is a regex denial of service in snowflakedb snowflake-jdbc. This page lists the verified fix and inline mitigations.
CVE-2026-32932 is a cwe-601: url redirection to untrusted site in chamilo-lms. This page lists verified fix commands and short-term mitigati
CVE-2026-32941 is an OS command injection in sliver. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-32946 is an authentication bypass in harden-runner. Verified patched version, official vendor advisory, and how to confirm the fix
CVE-2026-32947 is an authentication bypass in harden-runner. Verified patched version, official vendor advisory, and how to confirm the fix
CVE-2026-32948 is an OS command injection in sbt. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-32951: discourse: authorization bypass in oneboxer via user-controlled category id in discourse, fixed by the same patch as CVE
CVE-2026-32952 - CWE-190: Integer Overflow or Wraparound in go-ntlmssp. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-32953 is a vulnerability in tkeyclient. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-32957 is a missing authentication in AMC Manager. This page lists verified fix commands and short-term mitigations you can run toda
CVE-2026-32958 is a use of hard-coded cryptographic key in AMC Manager. This page lists verified fix commands and short-term mitigations yo
CVE-2026-32959 is a use of a broken or risky in AMC Manager. This page lists verified fix commands and short-term mitigations you can run t
CVE-2026-32960 is a sensitive information in resource not removed in AMC Manager. This page lists verified fix commands and short-term mitig
CVE-2026-32961 is a heap buffer overflow in AMC Manager. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-32962 is a missing authentication in AMC Manager. This page lists verified fix commands and short-term mitigations you can run toda
CVE-2026-32963 is a cross-site scripting in AMC Manager. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-32964 is a neutralization of crlf sequences in AMC Manager. This page lists verified fix commands and short-term mitigations you ca
CVE-2026-32975 is a vulnerability in OpenClaw. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-32977: bundle sibling of CVE-2026-32916. Same patched build closes both.
CVE-2026-32983 is a vulnerability in wazuh-manager. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-32984 is a path traversal in Wazuh. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-32986 is a vulnerability in Textpattern CMS. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-32988: bundle sibling of CVE-2026-32916. Same patched build closes both.
CVE-2026-3299 is a cross-site scripting in WP YouTube Lyte. This page lists verified fix commands and short-term mitigations you can run tod
CVE-2026-32990 is an improper input validation in Apache Tomcat. This page lists verified fix commands and short-term mitigations you can ru
CVE-2026-32994 is an access control bypass in Rocket.Chat. Verified patched version, official vendor advisory, and how to confirm the fix la
CVE-2026-33003 is a security vulnerability in Jenkins Project Jenkins LoadNinja Plugin. CVSS 4.3 Medium. Patch commands, mitigations, and ve
CVE-2026-33004 is a security vulnerability in Jenkins Project Jenkins LoadNinja Plugin. CVSS 4.3 Medium. Patch commands, mitigations, and ve
CVE-2026-33005 is a handling of insufficient privileges in Apache OpenMeetings. This page lists verified fix commands and short-term mitigat
CVE-2026-33006 is an observable timing discrepancy in Apache HTTP Server. Patched version, runnable upgrade commands, and how to verify the f
CVE-2026-33007 is a null pointer dereference in Apache HTTP Server. Patched version, runnable upgrade commands, and how to verify the fix la
CVE-2026-33014 is an access control bypass in everest-core. Verified patched version, official vendor advisory, and how to confirm the fix l
CVE-2026-33015 is an access control bypass in everest-core. Verified patched version, official vendor advisory, and how to confirm the fix l
CVE-2026-3302 is a cross-site scripting in SourceCodester Doctor Appointment System. This page lists the verified fix and inline mitigations
CVE-2026-33022 is a vulnerability in pipeline. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33027 is a path traversal in nginx-ui. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33029 is an improper input validation in nginx-ui. Verified patched version, official vendor advisory, and how to confirm the fix l
CVE-2026-33033 is a cwe-407: inefficient algorithmic complexity in Djangoproject Django, fixed by the same patch as CVE-2026-3902.
CVE-2026-33035 is a vulnerability in AVideo. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33041 is an information disclosure in AVideo. Verified patched version, official vendor advisory, and how to confirm the fix landed
CVE-2026-33042 is a cwe-287: improper authentication in Parse-community parse-server. CVSS 6.9 Medium. Patch commands, mitigations, and veri
CVE-2026-33051 is a vulnerability in cms. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33052: an insecure direct object reference (IDOR) in mantisbt. Patched version and vendor advisory inside.
CVE-2026-33053 is a vulnerability in langflow. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33055 is a vulnerability in tar-rs. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33056 is a vulnerability in tar-rs. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-3306: CWE-639 Authorization Bypass Through User-Controlled Key in Enterprise Server. Patch commands and verification.
CVE-2026-33060 is a vulnerability in ckan-mcp-server. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33061 is a vulnerability in Jexactyl. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33065 is a vulnerability in free5gc. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33066 is a vulnerability in siyuan. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33067 is a vulnerability in siyuan. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33069 is a path traversal in pjproject. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-3307 is an authorization bypass through user-controlled key in Enterprise Server. This page lists verified fix commands and short-t
CVE-2026-33071 is an unrestricted file upload in FileRise. Verified patched version, official vendor advisory, and how to confirm the fix la
CVE-2026-33074 is a cwe-269: improper privilege management in discourse, fixed by the same patch as CVE-2026-27481.
CVE-2026-33081 is a vulnerability in pinchtab. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-3309: Improper Control of Generation of Code ('Code Injection') in Paid Membership Plugin, Ecommerce, User Registration Form, Login
CVE-2026-33093 is a missing authorization in Anviz CX7 Firmware. This page lists verified fix commands and short-term mitigations you can ru
CVE-2026-33103 is a cwe-284: improper access control in Microsoft Dynamics 365 (on-premises) version 9.0. This page lists verified fix comma
CVE-2026-3311: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in The Plus Addons for Elementor – Addon
CVE-2026-33118 is a cwe-451: user interface (ui) misrepresentation of in Microsoft Edge (Chromium-based). This page lists verified fix comma
CVE-2026-33119 is a cwe-451: user interface (ui) misrepresentation of in Microsoft Edge for Android. This page lists verified fix commands a
CVE-2026-33123 is a vulnerability in pypdf. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33126 is a vulnerability in frigate. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33129 is a vulnerability in h3. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33130 is a server-side template injection in uptime-kuma. Verified patched version, official vendor advisory, and how to confirm th
CVE-2026-33132 is an access control bypass in zitadel. Verified patched version, official vendor advisory, and how to confirm the fix landed
CVE-2026-33140 is a vulnerability in PySpector. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33141 is a vulnerability in chamilo-lms. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-33144 is an OS command injection in gpac. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33145 is an OS command injection in xrdp. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-33146 is an improper authorization in docmost. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-33148 is a vulnerability in recipes. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-3315 is a cwe-276 incorrect default permissions in Assa Abloy Visionline. CVSS 5.8 Medium. Patch commands, mitigations, and verific
CVE-2026-33158 is a vulnerability in cms. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33159 is an authentication bypass in cms. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33162 is an access control bypass in cms. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33165 is an OS command injection in libde265. Verified patched version, official vendor advisory, and how to confirm the fix landed
CVE-2026-33169 is a vulnerability in activesupport. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-3317 is a cross-site scripting in Navigate CMS. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-33170 is a vulnerability in activesupport. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33171 is a path traversal in cms. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33173 is a path traversal in activestorage. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33174 is an OS command injection in activestorage. Verified patched version, official vendor advisory, and how to confirm the fix l
CVE-2026-33176 is a vulnerability in activesupport. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33177 is a vulnerability in cms. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33179 is a cwe-476: null pointer dereference in libfuse. CVSS 5.5 Medium. Patch commands, mitigations, and verification.
CVE-2026-3318: URL redirection to untrusted site ('open redirect') in e-commerce. Runnable upgrade commands and verification steps for sysadm
CVE-2026-33182 is a vulnerability in saloon. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33185: discourse: group SMTP test endpoint susceptible to SSRF in discourse, fixed by the same patch as CVE-2026-27481.
CVE-2026-3319: improper neutralization of input during web page generation ('cross-site scripti in Cradle. Runnable upgrade commands and veri
CVE-2026-33193 is a cross-site scripting in docmost. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-33194: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in siyuan. Patch commands and verific
CVE-2026-3320: improper neutralization of input during web page generation ('cross-site scripti in Cradle. Runnable upgrade commands and veri
CVE-2026-33201 is a vulnerability in Digital Photo Frame GH-WDF10A. Verified patched version, official vendor advisory, and how to confirm t
CVE-2026-33202 is a vulnerability in activestorage. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33205 is a vulnerability in calibre. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33209: Avo has an XSS vulnerability on `return_to` param in Avo-hq avo. CVSS 5.3 Medium. Patch commands, mitigations, and verifi
CVE-2026-33214 is a missing authorization in weblate. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-33215 is an authentication bypass in nats-server. Verified patched version, official vendor advisory, and how to confirm the fix la
CVE-2026-33219 is an OS command injection in nats-server. Verified patched version, official vendor advisory, and how to confirm the fix lan
CVE-2026-33220 is a path traversal in weblate. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-33222 is an access control bypass in nats-server. Verified patched version, official vendor advisory, and how to confirm the fix la
CVE-2026-33223 is an authentication bypass in nats-server. Verified patched version, official vendor advisory, and how to confirm the fix la
CVE-2026-33227: Improper input validation for resource loading in Apache ActiveMQ Client. Patch commands and verification.
CVE-2026-33230: nltk vulnerable to cross-site scripting in nltk. CVSS 6.1 Medium. Patch commands, mitigations, and verification.
CVE-2026-33234 is a server-side request forgery (SSRF) in AutoGPT. Verified patched version, official vendor advisory, and how to confirm th
CVE-2026-33237 is a cwe-918: server-side request forgery (ssrf) in Wwbn AVideo. CVSS 5.5 Medium. Patch commands, mitigations, and verificati
CVE-2026-33238: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in AVideo. Patch commands and verific
CVE-2026-33246 is an authentication bypass in nats-server. Verified patched version, official vendor advisory, and how to confirm the fix la
CVE-2026-33248 is an authentication bypass in nats-server. Verified patched version, official vendor advisory, and how to confirm the fix la
CVE-2026-33249 is an access control bypass in nats-server. Verified patched version, official vendor advisory, and how to confirm the fix la
CVE-2026-33251: Discourse has a hidden solved topics permission bypass in discourse. CVSS 5.4 Medium. Patch commands, mitigations, and v
CVE-2026-33253 is a vulnerability in SANUPS SOFTWARE STANDALONE. Verified patched version, official vendor advisory, and how to confirm the
CVE-2026-33254 - Allocation of Resources Without Limits or Throttling in DNSdist. Runnable patch commands, mitigation, and verification on t
CVE-2026-33256 - Allocation of Resources Without Limits or Throttling in Recursor. Runnable patch commands, mitigation, and verification on
CVE-2026-33257 - Allocation of Resources Without Limits or Throttling in Authoritative. Runnable patch commands, mitigation, and verificatio
CVE-2026-33258 - Allocation of Resources Without Limits or Throttling in Recursor. Runnable patch commands, mitigation, and verification on
CVE-2026-33259 - Use After Free in Recursor. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-33260 - Allocation of Resources Without Limits or Throttling in Authoritative. Runnable patch commands, mitigation, and verificatio
CVE-2026-33261 - Missing Support for Integrity Check in Recursor. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-33262 - NULL Pointer Dereference in Recursor. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-33265 is a cwe-669 incorrect resource transfer between spheres in LibreChat. CVSS 6.3 Medium. Patch commands, mitigations, and veri
CVE-2026-33268 is a vulnerability in Lines. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-3327 is a cross-site scripting in DatoCMS Web Previews. This page lists the verified fix and inline mitigations.
CVE-2026-33271 is an incorrect permission assignment in Acronis True Image, fixed by the same patch as CVE-2026-27774.
CVE-2026-33273: Unrestricted upload of file with dangerous type in MATCHA INVOICE. Patch commands and verification.
CVE-2026-33281 is a vulnerability in core. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33283 is a vulnerability in core. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33290 is a vulnerability in wp-graphql. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33291 is a cwe-863: incorrect authorization in discourse. CVSS 5.1 Medium. Patch commands, mitigations, and verification.
CVE-2026-33294 is a vulnerability in AVideo. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33297 is a vulnerability in AVideo. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-3330 is a SQL injection in Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder. This page lists verified fix com
CVE-2026-33300 is a cwe-200: exposure of sensitive information to an unauthorized actor in discourse, fixed by the same patch as CVE-2026-27
CVE-2026-33303: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in openemr. Patch commands and
CVE-2026-33304: OpenEMR has authorization bypass in dated reminders log in openemr. CVSS 6.5 Medium. Patch commands, mitigations, and ve
CVE-2026-33305: OpenEMR has Authorization Bypass in FaxSMS AppDispatch Constructor in openemr. Patch commands and verification.
CVE-2026-33306 is a vulnerability in bcrypt-ruby. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33308 is a code injection in mod_gnutls. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-3331 is a vulnerability in Lobot Slider Administrator. Verified patched version, official vendor advisory, and how to confirm the f
CVE-2026-33311 is a vulnerability in dicebear. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33312 is a cwe-863: incorrect authorization in Go-vikunja vikunja. CVSS 5.3 Medium. Patch commands, mitigations, and verification.
CVE-2026-33313 is a vulnerability in vikunja. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33314 is an authentication bypass in pyload. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33315 is an authentication bypass in vikunja. Verified patched version, official vendor advisory, and how to confirm the fix landed
CVE-2026-33319 is an OS command injection in AVideo. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-3332 is a vulnerability in Xhanch – My Advanced Settings. Verified patched version, official vendor advisory, and how to confirm th
CVE-2026-33320 is a vulnerability in dasel. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33323 is a vulnerability in parse-server. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33326 is an access control bypass in keystone. Verified patched version, official vendor advisory, and how to confirm the fix lande
CVE-2026-3333 is a vulnerability in MinhNhut Link Gateway. Verified patched version, official vendor advisory, and how to confirm the fix la
CVE-2026-33332 is an improper input validation in nicegui. Verified patched version, official vendor advisory, and how to confirm the fix la
CVE-2026-33334 is a code injection in vikunja. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33335 is an access control bypass in vikunja. Verified patched version, official vendor advisory, and how to confirm the fix landed
CVE-2026-33336 is a code injection in vikunja. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33345 is a vulnerability in solidtime. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33347 is a vulnerability in commonmark. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33349 is an access control bypass in fast-xml-parser. Verified patched version, official vendor advisory, and how to confirm the fi
CVE-2026-3335 is a vulnerability in Canto. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33355: Discourse filters whisper posts from private-posts feed in discourse. CVSS 6.5 Medium. Patch commands, mitigations, and
CVE-2026-33366: an authentication bypass in BUFFALO Wi-Fi router products. Patched version and vendor advisory inside.
CVE-2026-33368 is a n/a in the vendor n/a. CVSS 6.1 Medium. Patch commands, mitigations, and verification.
CVE-2026-33369 is a n/a in the vendor n/a. CVSS 4.3 Medium. Patch commands, mitigations, and verification.
CVE-2026-3337 is a cwe-208 (observable timing discrepancy) in AWS AWS-LC. This page lists the verified fix and inline mitigations.
CVE-2026-33370 is a n/a in the vendor n/a. CVSS 6.1 Medium. Patch commands, mitigations, and verification.
CVE-2026-33371 is a n/a in the vendor n/a. CVSS 4.3 Medium. Patch commands, mitigations, and verification.
CVE-2026-33372 is a n/a in the vendor n/a. CVSS 5.4 Medium. Patch commands, mitigations, and verification.
CVE-2026-33375 is a vulnerability in Grafana OSS. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33378 is a vulnerability in Grafana OSS. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33380 is a vulnerability in Grafana OSS. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33381 is a vulnerability in Grafana OSS. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33393: Discourse fixes loose hostname matching in spam host allowlist in discourse. Patch commands and verification.
CVE-2026-33395: Discourse has stored click‑based XSS via Graphviz SVG javascript: links in discourse. Patch commands and verification.
CVE-2026-33397 is a vulnerability in angular-cli. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-3340 - CWE-918 Server-Side Request Forgery (SSRF) in Langflow Desktop. Runnable patch commands, mitigation, and verification on thi
CVE-2026-33400 is a vulnerability in Wallos. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33403: Pi-hole has a Reflected XSS / HTML injection in taillog.js in web. Patch commands and verification.
CVE-2026-33406: Pi-hole has a stored HTML attribute injection in Pi-hole web, fixed by the same patch as CVE-2026-33403.
CVE-2026-33410: Discourse hardens chat DM channel creation and expansion in discourse. CVSS 5.4 Medium. Patch commands, mitigations, and
CVE-2026-33411: Discourse's solved topic stream has potential stored XSS in topic title in discourse. Patch commands and verification.
CVE-2026-33412 is an OS command injection in vim. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33414 is an OS command injection in podman. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-33415 is a cwe-284: improper access control in discourse, fixed by the same patch as CVE-2026-27481.
CVE-2026-33417 is a vulnerability in Wallos. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33420 is a missing authorization in vaultwarden. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-33424 is a pm access granted through invites after access revocation in discourse. CVSS 5.9 Medium. Patch commands, mitigations, an
CVE-2026-33425 is a cwe-203: observable discrepancy in discourse. CVSS 6.9 Medium. Patch commands, mitigations, and verification.
CVE-2026-33428 is a cwe-863: incorrect authorization in discourse. CVSS 4.9 Medium. Patch commands, mitigations, and verification.
CVE-2026-33429 is a vulnerability in parse-server. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-3343 is a cross-site scripting in WatchGuard Fireware OS. This page lists the verified fix and inline mitigations.
CVE-2026-33431 is a cwe-24: path traversal: '../filedir' in roxy-wi. This page lists verified fix commands and short-term mitigations you ca
CVE-2026-33433 is an authentication bypass in traefik. Verified patched version, official vendor advisory, and how to confirm the fix landed
CVE-2026-33438 is an OS command injection in Stirling-PDF. Verified patched version, official vendor advisory, and how to confirm the fix la
CVE-2026-3344 is an expected behavior violation in WatchGuard Fireware OS. This page lists the verified fix and inline mitigations.
CVE-2026-33440 is a server-side request forgery in weblate. This page lists verified fix commands and short-term mitigations you can run tod
CVE-2026-33448 - Format string vulnerability in Secure Access. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-3345 - CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Langflow Desktop. Runnable patch co
CVE-2026-33452 - Buffer overflow in Secure Access. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-33455 is a cwe-140: improper neutralization of delimiters in Checkmk. This page lists verified fix commands and short-term mitigati
CVE-2026-33456 is a cwe-140: improper neutralization of delimiters in Checkmk. This page lists verified fix commands and short-term mitigati
CVE-2026-33457 is a cwe-140: improper neutralization of delimiters in Checkmk. This page lists verified fix commands and short-term mitigati
CVE-2026-33458 is a server-side request forgery (ssrf) in Elastic Kibana, fixed by the same patch as CVE-2026-4498.
CVE-2026-33459 is an uncontrolled resource consumption in kibana leading to denial of service in Elastic Kibana, fixed by the same patch as C
CVE-2026-3346 - CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Langflow Desktop. Runnable pa
CVE-2026-33460 is an incorrect authorization in kibana fleet leading to information disclosure in Elastic Kibana, fixed by the same patch as
CVE-2026-33467 - CWE-347 Improper Verification of Cryptographic Signature in Elastic Package Registry. Runnable patch commands, mitigation,
CVE-2026-33469 is an access control bypass in frigate. Verified patched version, official vendor advisory, and how to confirm the fix landed
CVE-2026-3347 is a vulnerability in Multi Functional Flexi Lightbox. Verified patched version, official vendor advisory, and how to confirm
CVE-2026-33470 is a vulnerability in frigate. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33472 is a cwe-305: authentication bypass by primary weakness in cryptomator. This page lists verified fix commands and short-term
CVE-2026-33473 is an authentication bypass in vikunja. Verified patched version, official vendor advisory, and how to confirm the fix landed
CVE-2026-33474 is a vulnerability in vikunja. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33477 is an access control bypass in FileRise. Verified patched version, official vendor advisory, and how to confirm the fix lande
CVE-2026-33481 is a vulnerability in syft. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33486 is a vulnerability in core-bundle-dev-app. Verified patched version, official vendor advisory, and how to confirm the fix lan
CVE-2026-33495 is a vulnerability in oathkeeper. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33499 is a vulnerability in AVideo. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-3350: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Image Alt Text Manager – Bulk
CVE-2026-33500 is a vulnerability in AVideo. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33501 is a vulnerability in AVideo. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33514 is a missing authorization in discourse. Verified patched version, official vendor advisory, and how to confirm the fix lande
CVE-2026-33515 is a path traversal in squid. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33523 is an HTTP response splitting in Apache HTTP Server. Patched version, runnable upgrade commands, and how to verify the fix lan
CVE-2026-33527 is an access control bypass in parse-server. Verified patched version, official vendor advisory, and how to confirm the fix l
CVE-2026-33528 is a path traversal in godoxy. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-3353 is a vulnerability in Comment SPAM Wiper. Verified patched version, official vendor advisory, and how to confirm the fix lande
CVE-2026-33531 is a SQL injection in InvenTree. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33532 is a vulnerability in yaml. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33534 is a server-side request forgery in espocrm. This page lists verified fix commands and short-term mitigations you can run tod
CVE-2026-33535 is an OS command injection in ImageMagick. Verified patched version, official vendor advisory, and how to confirm the fix lan
CVE-2026-33536 is an OS command injection in ImageMagick. Verified patched version, official vendor advisory, and how to confirm the fix lan
CVE-2026-33537 is a vulnerability in Lychee. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-3354 is a vulnerability in Wikilookup. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33541 is a vulnerability in TSPortal. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33542 is a code injection in incus. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33545: a SQL injection in Mobile-Security-Framework-MobSF. Patched version and vendor advisory inside.
CVE-2026-33549 is a vulnerability in SPIP. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-3355 is a cross-site scripting in Customer Reviews for WooCommerce. This page lists verified fix commands and short-term mitigation
CVE-2026-33555 is a handling of length parameter inconsistency in HAProxy. This page lists verified fix commands and short-term mitigations
CVE-2026-33558 is a vulnerability in Apache Kafka. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-33559 is a vulnerability in OpenStreetMap. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33566 - Improper Neutralization of Special Elements in Data Query Logic in LogonTracer. Runnable patch commands, mitigation, and ve
CVE-2026-33569 is a cwe-319 in Anviz CX2 Lite Firmware. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-33570: an access control bypass in PowerSYSTEM Center 2020. Patched version and vendor advisory inside.
CVE-2026-33572 is an OS command injection in OpenClaw. Verified patched version, official vendor advisory, and how to confirm the fix landed
CVE-2026-33574 is a path traversal in OpenClaw. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33576: OpenClaw < 2026.3.28 - unauthorized media download via Zalo channel in OpenClaw, fixed by the same patch as CVE-2026-329
CVE-2026-33578 is an incorrect authorization in OpenClaw, fixed by the same patch as CVE-2026-32916.
CVE-2026-3358 is a missing authorization in Tutor LMS – eLearning and online course solution. This page lists verified fix commands and shor
CVE-2026-33580 is an improper restriction of excessive authentication attempts in OpenClaw, fixed by the same patch as CVE-2026-32916.
CVE-2026-33584: a vulnerability in Symmetric Key Agreement Platform. Patched version and vendor advisory inside.
CVE-2026-33594 - Allocation of Resources Without Limits or Throttling in DNSdist. Runnable patch commands, mitigation, and verification on t
CVE-2026-33595 - Allocation of Resources Without Limits or Throttling in DNSdist. Runnable patch commands, mitigation, and verification on t
CVE-2026-33598 - Out-of-bounds Read in DNSdist. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-33600 - NULL Pointer Dereference in Recursor. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-33601 - NULL Pointer Dereference in Recursor. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-33602 - Heap-based Buffer Overflow in DNSdist. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-33603 is a vulnerability in OX Dovecot Pro. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33609 - Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') in Authoritative. Runnable patch comma
CVE-2026-3361 - CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in WP Store Locator. Runnable pa
CVE-2026-33610 - Uncontrolled Resource Consumption in Authoritative. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-33611 - Integer Overflow or Wraparound in Authoritative. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-33617: bundle sibling of CVE-2026-33613. Same patched build closes both.
CVE-2026-33619 is a vulnerability in pinchtab. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-3362 - CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Short Comment Filter. Runnabl
CVE-2026-33620 is a vulnerability in pinchtab. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33621 is an authentication bypass in pinchtab. Verified patched version, official vendor advisory, and how to confirm the fix lande
CVE-2026-33622 is a code injection in pinchtab. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33623 is an OS command injection in pinchtab. Verified patched version, official vendor advisory, and how to confirm the fix landed
CVE-2026-33628 is a vulnerability in invoiceninja. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33635 is a vulnerability in icalendar. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33638 is a vulnerability in Ech0. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33653 is a vulnerability in Uploady. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33657 is a vulnerability in espocrm. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-33672 is a vulnerability in picomatch. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33675 is a vulnerability in vikunja. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33676 is an access control bypass in vikunja. Verified patched version, official vendor advisory, and how to confirm the fix landed
CVE-2026-33677 is an information disclosure in vikunja. Verified patched version, official vendor advisory, and how to confirm the fix lande
CVE-2026-33679 is a vulnerability in vikunja. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33682 is a vulnerability in streamlit. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33683 is a vulnerability in AVideo. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33685 is a vulnerability in AVideo. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33688 is a vulnerability in AVideo. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-3369 is a cross-site scripting in Better Find and Replace – AI-Powered Suggestions. This page lists verified fix commands and short
CVE-2026-33690 is a vulnerability in AVideo. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33691: OWASP CRS: Whitespace padding in filenames bypasses file upload extension checks in coreruleset. Patch commands and verifica
CVE-2026-33693 is a vulnerability in lemmy. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33699 is a denial of service in pypdf. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33700 is a vulnerability in vikunja. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33705 is a cwe-538: insertion of sensitive information into in chamilo-lms. This page lists verified fix commands and short-term mi
CVE-2026-33708 is a missing authorization in chamilo-lms. This page lists verified fix commands and short-term mitigations you can run today
CVE-2026-33709: JupyterHub has an open redirect in jupyterhub. CVSS 5.1 Medium. Patch commands, mitigations, and verification.
CVE-2026-3371 is an authorization bypass through user-controlled key in Tutor LMS – eLearning and online course solution. This page lists ve
CVE-2026-33711 is a vulnerability in incus. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33720 is an access control bypass in n8n. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33721 is an OS command injection in MapServer. Verified patched version, official vendor advisory, and how to confirm the fix lande
CVE-2026-33724 is a vulnerability in n8n. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33726 is an access control bypass in cilium. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33727: Pi-hole has a Local Privilege Escalation (post-compromise, pihole -> root) in pi-hole. Patch commands and verification.
CVE-2026-33729 is an improper input validation in openfga. Verified patched version, official vendor advisory, and how to confirm the fix la
CVE-2026-33730 is a vulnerability in opensourcepos. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33732 is a vulnerability in srvx. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33736 is a vulnerability in chamilo-lms. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-33737 is an XML external entity injection in chamilo-lms. This page lists verified fix commands and short-term mitigations you can r
CVE-2026-33738 is a vulnerability in Lychee. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33739 is a vulnerability in fogproject. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33740 is a vulnerability in espocrm. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-33741 is a cross-site scripting (XSS) in espocrm. Verified patched version, official vendor advisory, and how to confirm the fix la
CVE-2026-33742 is a vulnerability in invoiceninja. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33743 is an OS command injection in incus. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33749 is a vulnerability in n8n. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33750 is a vulnerability in brace-expansion. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33751 is a vulnerability in n8n. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33753: Improper Certificate Validation in rfc3161-client in rfc3161-client. Patch commands and verification.
CVE-2026-33759 is a vulnerability in AVideo. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33761 is a vulnerability in AVideo. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33763 is a vulnerability in AVideo. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33764 is a vulnerability in AVideo. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33766 is a vulnerability in AVideo. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33768 is a vulnerability in astro. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33773 is an initialization of resource in Junos OS. This page lists verified fix commands and short-term mitigations you can run to
CVE-2026-33774 is a check for unusual or exceptional conditions in Junos OS. This page lists verified fix commands and short-term mitigation
CVE-2026-33775 is a memory leak in Junos OS. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-33776 is a missing authorization in Junos OS. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-33779 is a following of a certificate's chain of in Junos OS. This page lists verified fix commands and short-term mitigations you
CVE-2026-33780 is a memory leak in Junos OS. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-33781 is a check for unusual or exceptional conditions in Junos OS. This page lists verified fix commands and short-term mitigation
CVE-2026-33782 is a memory leak in Junos OS. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-33783 is a function call with incorrect argument type in Junos OS Evolved. This page lists verified fix commands and short-term mit
CVE-2026-33786 is a check for unusual or exceptional conditions in Junos OS. This page lists verified fix commands and short-term mitigation
CVE-2026-33787 is a check for unusual or exceptional conditions in Junos OS. This page lists verified fix commands and short-term mitigation
CVE-2026-33791 is an OS command injection in Junos OS. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-33812 - CWE-789: Memory Allocation with Excessive Size Value in golang.org/x/image/font/sfnt. Runnable patch commands, mitigation,
CVE-2026-3382 is a buffer overflow in n/a ChaiScript. This page lists the verified fix and inline mitigations.
CVE-2026-33822 is an out-of-bounds read in Microsoft Office. This page lists verified fix commands and short-term mitigations you can run to
CVE-2026-33829 is an information disclosure in Microsoft Windows. This page lists verified fix commands and short-term mitigations you can r
CVE-2026-3383 is a divide by zero in n/a ChaiScript. This page lists the verified fix and inline mitigations.
CVE-2026-3384 is an uncontrolled recursion in n/a ChaiScript. This page lists the verified fix and inline mitigations.
CVE-2026-3385 is an uncontrolled recursion in wren-lang wren. This page lists the verified fix and inline mitigations.
CVE-2026-33853 is a vulnerability in Android-ImageMagick7. Verified patched version, official vendor advisory, and how to confirm the fix la
CVE-2026-33855 is a vulnerability in Android-ImageMagick7. Verified patched version, official vendor advisory, and how to confirm the fix la
CVE-2026-33857 is an out-of-bounds read in Apache HTTP Server. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-3386 is an out-of-bounds read in wren-lang wren. This page lists the verified fix and inline mitigations.
CVE-2026-33865 is a stored xss via unsafe yaml parsing in mlflow in Mlflow. CVSS 5.1 Medium. Patch commands, mitigations, and verification.
CVE-2026-33866 is an authorization bypass in mlflow ajax endpoint in Mlflow. CVSS 5.3 Medium. Patch commands, mitigations, and verification.
CVE-2026-33868 is a vulnerability in mastodon. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33869 is an access control bypass in mastodon. Verified patched version, official vendor advisory, and how to confirm the fix lande
CVE-2026-3387 is a null pointer dereference in wren-lang wren. This page lists the verified fix and inline mitigations.
CVE-2026-3388 is an uncontrolled recursion in n/a Squirrel. This page lists the verified fix and inline mitigations.
CVE-2026-33882 is an improper input validation in cms. Verified patched version, official vendor advisory, and how to confirm the fix landed
CVE-2026-33883 is a vulnerability in cms. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33884 is an access control bypass in cms. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33885 is a vulnerability in cms. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33886 is an information disclosure in cms. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33887 is a vulnerability in cms. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33888 is an incorrect authorization in apostrophe. This page lists verified fix commands and short-term mitigations you can run tod
CVE-2026-33889 is a cross-site scripting in apostrophe. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-3389 is a null pointer dereference in n/a Squirrel. This page lists the verified fix and inline mitigations.
CVE-2026-33899 is a heap buffer overflow in ImageMagick. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-3390 is an out-of-bounds read in FascinatedBox lily. This page lists the verified fix and inline mitigations.
CVE-2026-33900 is an integer overflow in ImageMagick. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-33902 is a CWE-674: uncontrolled recursion in ImageMagick. This page lists verified fix commands and short-term mitigations you can
CVE-2026-33903 is a vulnerability in core. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33904 is a vulnerability in core. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33905 is an out-of-bounds read in ImageMagick. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-33907 is a vulnerability in core. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33909 is a SQL injection in openemr. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-3391 is an out-of-bounds read in FascinatedBox lily. This page lists the verified fix and inline mitigations.
CVE-2026-33911 is a vulnerability in openemr. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33912 is a vulnerability in openemr. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33915 is a vulnerability in openemr. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33916 is a vulnerability in handlebars.js. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-3392 is a null pointer dereference in FascinatedBox lily. This page lists the verified fix and inline mitigations.
CVE-2026-33929 is a path traversal in Apache PDFBox Examples. This page lists verified fix commands and short-term mitigations you can run t
CVE-2026-3393 is a heap buffer overflow in jarikomppa soloud. This page lists the verified fix and inline mitigations.
CVE-2026-33931 is a vulnerability in openemr. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33933 is a vulnerability in openemr. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33934 is a vulnerability in openemr. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33936 is an improper input validation in python-ecdsa. Verified patched version, official vendor advisory, and how to confirm the f
CVE-2026-3394 is a buffer overflow in jarikomppa soloud. This page lists the verified fix and inline mitigations.
CVE-2026-33947 is a CWE-674: uncontrolled recursion in jq. This page lists verified fix commands and short-term mitigations you can run toda
CVE-2026-3395 is a code injection in MaxSite CMS. This page lists the verified fix and inline mitigations.
CVE-2026-33951 is a signalk-server: unauthenticated source priorities manipulation in signalk-server, fixed by the same patch as CVE-2026-33
CVE-2026-33952 is a vulnerability in FreeRDP. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33954 is an access control bypass in LinkAce. Verified patched version, official vendor advisory, and how to confirm the fix landed
CVE-2026-33977 is a vulnerability in FreeRDP. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33978: Notesnook: Stored XSS in mobile share editor via unescaped web clip title metadata in notesnook. Patch commands and verifica
CVE-2026-33983 is a vulnerability in FreeRDP. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33985 is a path traversal in FreeRDP. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33990: Docker Model Runner OCI Registry Client Vulnerable to Server-Side Request Forgery (SSRF) in model-runner. Patch commands and
CVE-2026-33993 is an unsafe deserialization in locutus. Verified patched version, official vendor advisory, and how to confirm the fix lande
CVE-2026-33994 is a vulnerability in locutus. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33995 is a vulnerability in FreeRDP. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33996 is a vulnerability in libjwt. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-33997 is a moby: off-by-one error in plugin privilege validation in moby. CVSS 6.8 Medium. Patch commands, mitigations, and verific
CVE-2026-34000 is an out-of-bounds read in Red Hat Enterprise Linux 9. Patched version, runnable upgrade commands, and how to verify the fix
CVE-2026-34002 buffer access with incorrect length value in Red Hat Enterprise Linux 10. Runnable upgrade commands and verification steps fo
CVE-2026-34018 is a SQL injection in CubeCart. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-34019 is a vulnerability in BIG-IP. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-3402 is a cross-site scripting in PHPGurukul Student Record Management System. This page lists the verified fix and inline mitigati
CVE-2026-3403 is a cross-site scripting in PHPGurukul Student Record Management System. This page lists the verified fix and inline mitigati
CVE-2026-34032 is an improper null termination in Apache HTTP Server. Patched version, runnable upgrade commands, and how to verify the fix l
CVE-2026-34036: CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in dolibarr.
CVE-2026-34043: Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects in serialize-javascript. Patch comm
CVE-2026-34051 is an access control bypass in openemr. Verified patched version, official vendor advisory, and how to confirm the fix landed
CVE-2026-34052: CWE-401: Missing Release of Memory after Effective Lifetime in ltiauthenticator. Patch commands and verification.
CVE-2026-3406 is a SQL injection in projectworlds Online Art Gallery Shop. This page lists the verified fix and inline mitigations.
CVE-2026-34061 is a nimiq/core-rs-albatross: macro block proposal interlink bug in Nimiq core-rs-albatross, fixed by the same patch as CVE-2
CVE-2026-34062 - CWE-770: Allocation of Resources Without Limits or Throttling in network-libp2p. Runnable patch commands, mitigation, and v
CVE-2026-34064 - CWE-191: Integer Underflow (Wrap or Wraparound) in nimiq-account. Runnable patch commands, mitigation, and verification on
CVE-2026-34066 - CWE-20: Improper Input Validation in nimiq-blockchain. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-34068 - CWE-347: Improper Verification of Cryptographic Signature in nimiq-transaction. Runnable patch commands, mitigation, and ve
CVE-2026-34069 is a CWE-617: reachable assertion in core-rs-albatross. This page lists verified fix commands and short-term mitigations you
CVE-2026-3407 is a heap buffer overflow in YosysHQ yosys. This page lists the verified fix and inline mitigations.
CVE-2026-34071 is a vulnerability in Stirling-PDF. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-3408 is a null pointer dereference in n/a Open Babel. This page lists the verified fix and inline mitigations.
CVE-2026-34080: xdg-dbus-proxy has an eavesdrop filter bypass allowing message interception in xdg-dbus-proxy. Patch commands and verificati
CVE-2026-34082 is an incorrect authorization in dify. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-34083: bundle sibling of CVE-2026-33950. Same patched build closes both.
CVE-2026-34085 is an out-of-bounds write in fontconfig. Verified patched version, official vendor advisory, and how to confirm the fix lande
CVE-2026-34087 exposure of sensitive information to an unauthorized actor in OATHAuth. Runnable upgrade commands and verification steps for
CVE-2026-3409 is a code injection in eosphoros-ai db-gpt. This page lists the verified fix and inline mitigations.
CVE-2026-34090 exposure of sensitive information to an unauthorized actor in CheckUser. Runnable upgrade commands and verification steps for
CVE-2026-34091 exposure of sensitive information to an unauthorized actor in MediaWiki. Runnable upgrade commands and verification steps for
CVE-2026-3410 is a SQL injection in itsourcecode Society Management System. This page lists the verified fix and inline mitigations.
CVE-2026-3411 is a SQL injection in itsourcecode University Management System. This page lists the verified fix and inline mitigations.
CVE-2026-3412 is a cross-site scripting in itsourcecode University Management System. This page lists the verified fix and inline mitigation
CVE-2026-3413 is a SQL injection in itsourcecode University Management System. This page lists the verified fix and inline mitigations.
CVE-2026-34161 is a cross-site scripting in chamilo-lms. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-34164 is a CWE-532: insertion of sensitive information into in valtimo. This page lists verified fix commands and short-term mitiga
CVE-2026-34165: go-git: Maliciously crafted idx file can cause asymmetric memory consumption in go-git. Patch commands and verification.
CVE-2026-3419 is an incorrect regular expression in fastify fastify. This page lists the verified fix and inline mitigations.
CVE-2026-34206: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in captcha-protect. Patch comma
CVE-2026-34210: mppx has Stripe charge credential replay via missing idempotency check in mppx. Patch commands and verification.
CVE-2026-34211: bundle sibling of CVE-2026-34208. Same patched build closes both.
CVE-2026-34212 is a cross-site scripting in docmost. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-34213 is a vulnerability in docmost. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-34216 is a vulnerability in panel. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-34217 is a sandboxjs has a sandbox escape via prop object leak in new handler in Nyariv SandboxJS, fixed by the same patch as CVE-2
CVE-2026-34218 is a CWE-269: improper privilege management in Craigjbass clearancekit. CVSS 6.3 Medium. Patch commands, mitigations, and ver
CVE-2026-34225 is a server-side request forgery in open-webui. This page lists verified fix commands and short-term mitigations you can run
CVE-2026-34227: Sliver One-Click Remote Access: Insecure CORS & Unauthenticated MCP Interface in sliver. Patch commands and verification.
CVE-2026-34229 is a emlog: stored xss in comment module via uri scheme validation bypass in emlog, fixed by the same patch as CVE-2026-34228
CVE-2026-34230 is a CWE-400: uncontrolled resource consumption in rack, fixed by the same patch as CVE-2026-26961.
CVE-2026-34231: Slippers: Cross-Site Scripting (XSS) in `attrs` Template Tag in slippers. Patch commands and verification.
CVE-2026-34233 is an access control bypass in panel. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-34235 is a pjsip: heap oob read in vpx unpacketizer in Pjsip pjproject. CVSS 6.9 Medium. Patch commands, mitigations, and verificat
CVE-2026-34237: MCP Java SDK has a Hardcoded Wildcard CORS (Access-Control-Allow-Origin: *) in java-sdk. Patch commands and verification.
CVE-2026-34238 is an integer overflow in ImageMagick. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-34244 is an information disclosure in weblate. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-34245 is a vulnerability in AVideo. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-34246 is a cross-site scripting (XSS) in panel. Verified patched version, official vendor advisory, and how to confirm the fix land
CVE-2026-34247 is a vulnerability in AVideo. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-34257 is a CWE-601: url redirection to untrusted site in SAP NetWeaver Application Server ABAP. This page lists verified fix comman
CVE-2026-34258 is a vulnerability in SAPUI5 (Search UI). Verified patched version, official vendor advisory, and how to confirm the fix land
CVE-2026-3426 is a missing authorization in RTMKit. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-34261 is a missing authorization in SAP Business Analytics and SAP Content Management. This page lists verified fix commands and sh
CVE-2026-34262 is a CWE-522: insufficiently protected credentials in SAP HANA Cockpit and HANA Database Explorer. This page lists verified f
CVE-2026-34264 is a CWE-204: observable response discrepancy in SAP Human Capital Management for SAP S/4HANA. This page lists verified fix c
CVE-2026-34266 - Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise PeopleSoft Ente
CVE-2026-34267 - Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise M
CVE-2026-34269 - Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Ente
CVE-2026-3427: a vulnerability in Yoast SEO – Advanced SEO with real-time . Patched version and vendor advisory inside.
CVE-2026-34270 - Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise My
CVE-2026-34271 - Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise My
CVE-2026-34272 - Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise My
CVE-2026-34273 - Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle GoldenGa
CVE-2026-34274 - Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Configur
CVE-2026-34276 - Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise My
CVE-2026-34277 - Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise PeopleSoft Ente
CVE-2026-34278 - Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise M
CVE-2026-3428 is a download of code without integrity check in Member Center(华硕大厅). This page lists verified fix commands and short-term mit
CVE-2026-34280 - Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise PeopleSoft Ente
CVE-2026-34281 - Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Solaris execu
CVE-2026-34283 - Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Identity
CVE-2026-34284 - Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Business
CVE-2026-34288 - Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Identi
CVE-2026-34289 - Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Ident
CVE-2026-3429 is an improper access control in Red Hat build of Keycloak 26.4. CVSS 4.2 Medium. Patch commands, mitigations, and verification
CVE-2026-34293 - Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise M
CVE-2026-34294 - Difficult to exploit vulnerability allows low privileged attacker with network access via LDAP to compromise Oracle Identit
CVE-2026-34295 - Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enter
CVE-2026-34296 - Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Agile Pro
CVE-2026-34298 - Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Applicat
CVE-2026-34299 - Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enter
CVE-2026-34300 - Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enter
CVE-2026-34301 - Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enter
CVE-2026-34302 - Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Workflow
CVE-2026-34303 - Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise My
CVE-2026-34304 - Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise M
CVE-2026-34306 - Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enter
CVE-2026-34307 - Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enter
CVE-2026-34308 - Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise My
CVE-2026-34313 - Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Financial
CVE-2026-34314 - Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Financi
CVE-2026-34315 - Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic
CVE-2026-34317 is a resource shutdown or release in MySQL Shell. This page lists verified fix commands and short-term mitigations you can ru
CVE-2026-34318 is an information disclosure in MySQL Shell. This page lists verified fix commands and short-term mitigations you can run tod
CVE-2026-34319 is an observable response discrepancy in MySQL Shell. This page lists verified fix commands and short-term mitigations you ca
CVE-2026-34321 is an improper authorization in Oracle Financial Services Analytical Applications Infrastructure. This page lists verified fi
CVE-2026-34323 is an access control in Oracle Life Sciences InForm. This page lists verified fix commands and short-term mitigations you can
CVE-2026-34324 is an access control in Oracle Life Sciences InForm. This page lists verified fix commands and short-term mitigations you can
CVE-2026-34325 is an access control in Oracle Financial Services Analytical Applications Infrastructure. This page lists verified fix comman
CVE-2026-34339 is a denial of service in Windows 10 Version 1607. Verified patched version, official vendor advisory, and how to confirm the
CVE-2026-34350 is a denial of service in Windows Server 2025. Verified patched version, official vendor advisory, and how to confirm the fix
CVE-2026-34353 is a vulnerability in OCaml. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-34360 is a CWE-918: server-side request forgery (ssrf) in Hapifhir org.hl7.fhir.core, fixed by the same patch as CVE-2026-34359.
CVE-2026-34362 is a vulnerability in AVideo. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-34364 is an access control bypass in AVideo. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-34368 is a vulnerability in AVideo. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-34369 is a vulnerability in AVideo. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-34370 is an improper authorization in chamilo-lms. This page lists verified fix commands and short-term mitigations you can run tod
CVE-2026-34371: LibreChat Affected by Arbitrary File Write via `execute_code` Artifact Filename Traversal in LibreChat. Patch commands and v
CVE-2026-34372 is a sulu checks fix permissions for subentities endpoints in sulu. CVSS 5.3 Medium. Patch commands, mitigations, and verific
CVE-2026-34373: bundle sibling of CVE-2026-34215. Same patched build closes both.
CVE-2026-34378: CWE-190: Integer Overflow or Wraparound in openexr. Patch commands and verification.
CVE-2026-3438: Nexus Repository 3 - Reflected Cross-Site Scripting (XSS) in ?describe Pages in Nexus Repository. Patch commands and verifica
CVE-2026-34380 is a CWE-190: integer overflow or wraparound in Academysoftwarefoundation openexr, fixed by the same patch as CVE-2026-34378.
CVE-2026-34382 is a admidio: missing csrf protection on custom list deletion in mylist_function.php in admidio, fixed by the same patch as C
CVE-2026-34383: bundle sibling of CVE-2026-34381. Same patched build closes both.
CVE-2026-34384 is a admidio: missing csrf protection on registration approval actions in admidio, fixed by the same patch as CVE-2026-34381.
CVE-2026-34385 is a SQL injection in fleet. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-34386 is a SQL injection in fleet. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-34387 is an OS command injection in fleet. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-34388 is a vulnerability in fleet. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-34389 is an authentication bypass in fleet. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-3439 is a stack buffer overflow in SonicWall SonicOS. This page lists the verified fix and inline mitigations.
CVE-2026-34390 is an access control bypass in mantisbt. Verified patched version, official vendor advisory, and how to confirm the fix lande
CVE-2026-34391 is a vulnerability in fleet. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-34395: bundle sibling of CVE-2026-34394. Same patched build closes both.
CVE-2026-34396 is a avideo: stored xss via unescaped plugin configuration values in admin panel in Wwbn AVideo, fixed by the same patch as C
CVE-2026-34397: himmelblau: NSS fake-primary group lookup reintroduces name collision risk in himmelblau. Patch commands and verification.
CVE-2026-34400: alerta-server has potential SQL Injection vulnerability in Query String Syntax (q=) API in alerta. Patch commands and verifi
CVE-2026-34401: CWE-611: Improper Restriction of XML External Entity Reference in XmlNotepad. Patch commands and verification.
CVE-2026-34403 is a CWE-1385: missing origin validation in websockets in nginx-ui. This page lists verified fix commands and short-term miti
CVE-2026-34404: Nuxt OG Image vulnerable to DoS via image generation in og-image. Patch commands and verification.
CVE-2026-34405: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in og-image. Patch commands and
CVE-2026-3441 is an out-of-bounds read in Red Hat Enterprise Linux 10. CVSS 6.1 Medium. Patch commands, mitigations, and verification.
CVE-2026-34411 is an authentication bypass in Appsmith. Verified patched version, official vendor advisory, and how to confirm the fix lande
CVE-2026-3442 is an out-of-bounds read in Red Hat Enterprise Linux 10. CVSS 6.1 Medium. Patch commands, mitigations, and verification.
CVE-2026-34425 is a openclaw - shell-bleed protection preflight validation bypass in OpenClaw, fixed by the same patch as CVE-2026-32916.
CVE-2026-34426 is a openclaw - approval bypass via environment variable normalization in OpenClaw, fixed by the same patch as CVE-2026-32916
CVE-2026-34429 is a cross-site scripting in Vvveb. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-34441: cpp-httplib: HTTP Request Smuggling via Unconsumed GET Request Body in cpp-httplib. Patch commands and verification.
CVE-2026-34442 is a CWE-20: improper input validation in Freescout-help-desk freescout. CVSS 5.4 Medium. Patch commands, mitigations, and ve
CVE-2026-34443: bundle sibling of CVE-2026-34442. Same patched build closes both.
CVE-2026-34446 is a onnx: arbitrary file read via externaldata hardlink bypass in onnx load in onnx, fixed by the same patch as CVE-2026-274
CVE-2026-34447 is a onnx: external data symlink traversal in onnx, fixed by the same patch as CVE-2026-27489.
CVE-2026-34450: Claude SDK for Python: Insecure Default File Permissions in Local Filesystem Memory Tool in anthropic-sdk-python. Patch comm
CVE-2026-34451: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in anthropic-sdk-typescript. Patch co
CVE-2026-34452: Claude SDK for Python: Memory Tool Path Validation Race Condition Allows Sandbox Escape in anthropic-sdk-python. Patch comma
CVE-2026-3446 is an insufficient verification of data in CPython. This page lists verified fix commands and short-term mitigations you can r
CVE-2026-34475 is a vulnerability in Varnish Cache. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-34477 is a validation of certificate with host mismatch in Apache Log4j Core. This page lists verified fix commands and short-term
CVE-2026-34478 is a provision of specified functionality in Apache Log4j Core. This page lists verified fix commands and short-term mitigati
CVE-2026-34479 is an encoding or escaping of output in Apache Log4j 1 to Log4j 2 bridge. This page lists verified fix commands and short-ter
CVE-2026-34480 is an encoding or escaping of output in Apache Log4j Core. This page lists verified fix commands and short-term mitigations y
CVE-2026-34481 is an encoding or escaping of output in Apache Log4j JSON Template Layout. This page lists verified fix commands and short-te
CVE-2026-3449 is an incorrect control flow scoping in n/a @tootallnate/once. This page lists the verified fix and inline mitigations.
CVE-2026-34500 is an authentication bypass in Apache Tomcat. This page lists verified fix commands and short-term mitigations you can run to
CVE-2026-34504 is a server-side request forgery (ssrf) in OpenClaw, fixed by the same patch as CVE-2026-32916.
CVE-2026-34505 is an improper restriction of excessive authentication attempts in OpenClaw, fixed by the same patch as CVE-2026-32916.
CVE-2026-34510 is a openclaw < 2026.3.22 - remote file url acceptance in windows media loaders in OpenClaw, fixed by the same patch as CVE-2
CVE-2026-34511 is a openclaw < 2026.4.2 - pkce verifier exposure via oauth state parameter in OpenClaw, fixed by the same patch as CVE-2026-
CVE-2026-34515 is a CWE-36: absolute path traversal in Aio-libs aiohttp, fixed by the same patch as CVE-2026-22815.
CVE-2026-34516 is a aiohttp: multipart header size bypass in Aio-libs aiohttp, fixed by the same patch as CVE-2026-22815.
CVE-2026-34523 is a sillytavern: path traversal allows file existence oracle in SillyTavern, fixed by the same patch as CVE-2026-34522.
CVE-2026-34525 is a aiohttp: duplicate host header accepted in Aio-libs aiohttp, fixed by the same patch as CVE-2026-22815.
CVE-2026-34526 is a CWE-918: server-side request forgery (ssrf) in SillyTavern, fixed by the same patch as CVE-2026-34522.
CVE-2026-34530: bundle sibling of CVE-2026-34528. Same patched build closes both.
CVE-2026-34531 is a CWE-287: improper authentication in Miguelgrinberg Flask-HTTPAuth. CVSS 6.5 Medium. Patch commands, mitigations, and ver
CVE-2026-34533: iccDEV: UB in CIccCalculatorFunc::ApplySequence() in iccDEV. Patch commands and verification.
CVE-2026-34534 is a iccdev: hbo in ciccmpespectralmatrix::describe() in Internationalcolorconsortium iccDEV, fixed by the same patch as CVE-
CVE-2026-34535 is a iccdev: segv in cicctagarray::cleanup() in Internationalcolorconsortium iccDEV, fixed by the same patch as CVE-2026-3453
CVE-2026-34536 is a iccdev: so in sicccalcop::argsused() in Internationalcolorconsortium iccDEV, fixed by the same patch as CVE-2026-34533.
CVE-2026-34537 is a iccdev: ub in ciccopdefenvvar::exec() in Internationalcolorconsortium iccDEV, fixed by the same patch as CVE-2026-34533.
CVE-2026-34538 is an exposure of resource to wrong sphere in Apache Airflow. This page lists verified fix commands and short-term mitigation
CVE-2026-34539: iccdev: hbo in ctiffimg::writeline() in Internationalcolorconsortium iccDEV, fixed by the same patch as CVE-2026-34533.
CVE-2026-3454 authorization bypass through user-controlled key in GenerateBlocks. Runnable upgrade commands and verification steps for sysad
CVE-2026-34540: iccdev: hbo in icmemdump() in Internationalcolorconsortium iccDEV, fixed by the same patch as CVE-2026-34533.
CVE-2026-34541: bundle sibling of CVE-2026-34533. Same patched build closes both.
CVE-2026-34542: iccdev: sbo in cicccalculatorfunc::apply() in Internationalcolorconsortium iccDEV, fixed by the same patch as CVE-2026-3
CVE-2026-34546: iccdev: ub at tiffimg.h in Internationalcolorconsortium iccDEV, fixed by the same patch as CVE-2026-34533.
CVE-2026-34547: iccdev: ub at iccutil.cpp in Internationalcolorconsortium iccDEV, fixed by the same patch as CVE-2026-34533.
CVE-2026-34548: iccdev: ub at iccutilxml.cpp in Internationalcolorconsortium iccDEV, fixed by the same patch as CVE-2026-34533.
CVE-2026-34549: iccdev: ub at iccutil.cpp in Internationalcolorconsortium iccDEV, fixed by the same patch as CVE-2026-34533.
CVE-2026-3455 is a cross-site scripting in n/a mailparser. This page lists the verified fix and inline mitigations.
CVE-2026-34550: iccdev: ub at iccio.cpp in Internationalcolorconsortium iccDEV, fixed by the same patch as CVE-2026-34533.
CVE-2026-34551: iccdev: npd in cicctaglut16::write() in Internationalcolorconsortium iccDEV, fixed by the same patch as CVE-2026-34533.
CVE-2026-34552: iccdev: ub at icctaglut.cpp in Internationalcolorconsortium iccDEV, fixed by the same patch as CVE-2026-34533.
CVE-2026-34553: bundle sibling of CVE-2026-34533. Same patched build closes both.
CVE-2026-34554: iccdev: hbo in ciccapplycmmsearch::costfunc() in Internationalcolorconsortium iccDEV, fixed by the same patch as CVE-202
CVE-2026-34555: iccdev: sbo in cicctagfixednum::getvalues() in Internationalcolorconsortium iccDEV, fixed by the same patch as CVE-2026-
CVE-2026-34556: iccdev: hbo in icansitoutf8() in Internationalcolorconsortium iccDEV, fixed by the same patch as CVE-2026-34533.
CVE-2026-34561: bundle sibling of CVE-2026-34559. Same patched build closes both.
CVE-2026-34562: bundle sibling of CVE-2026-34559. Same patched build closes both.
CVE-2026-34574: bundle sibling of CVE-2026-34215. Same patched build closes both.
CVE-2026-34579 is an access control bypass in mantisbt. Verified patched version, official vendor advisory, and how to confirm the fix lande
CVE-2026-34584: listmonk: Broken Access Control in CSV Import (Unauthorized List Assignment) in listmonk. Patch commands and verification.
CVE-2026-34586 is a cwe-863: incorrect authorization in Mrmn2 PdfDing. CVSS 6.5 Medium. Patch commands, mitigations, and verification.
CVE-2026-34590: bundle sibling of CVE-2026-34576. Same patched build closes both.
CVE-2026-34595: bundle sibling of CVE-2026-34215. Same patched build closes both.
CVE-2026-34596 time-of-check time-of-use (toctou) race condition in Sandboxie. Runnable upgrade commands and verification steps for sysadmin
CVE-2026-3460: an improper input validation in REST API TO MiniProgram. Patched version and vendor advisory inside.
CVE-2026-34600 is a vulnerability in joplin. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-34606 is a stored xss in frappe lms in Frappe lms. CVSS 6.9 Medium. Patch commands, mitigations, and verification.
CVE-2026-34608: nanomq: Heap-Buffer-Overflow in webhook_inproc.c via cJSON_Parse OOB Read in nanomq. Patch commands and verification.
CVE-2026-34610: CWE-681: Incorrect Conversion between Numeric Types in leancrypto. Patch commands and verification.
CVE-2026-34611: bundle sibling of CVE-2026-34394. Same patched build closes both.
CVE-2026-34613: bundle sibling of CVE-2026-34394. Same patched build closes both.
CVE-2026-34614 is a cross-site scripting in Adobe Connect. This page lists verified fix commands and short-term mitigations you can run toda
CVE-2026-34623 is a cross-site scripting in Adobe Experience Manager. This page lists verified fix commands and short-term mitigations you c
CVE-2026-34624 is a cross-site scripting in Adobe Experience Manager. This page lists verified fix commands and short-term mitigations you c
CVE-2026-34625 is a cross-site scripting in Adobe Experience Manager. This page lists verified fix commands and short-term mitigations you c
CVE-2026-34626 is a vulnerability in Acrobat Reader. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-3463 is a heap buffer overflow in xlnt-community xlnt. This page lists the verified fix and inline mitigations.
CVE-2026-34654 is a code injection in Adobe Commerce. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-34655 is a cross-site scripting (XSS) in Adobe Commerce. Verified patched version, official vendor advisory, and how to confirm the
CVE-2026-34656 is an access control bypass in Adobe Commerce. Verified patched version, official vendor advisory, and how to confirm the fix
CVE-2026-34658 is a cross-site scripting (XSS) in Adobe Commerce. Verified patched version, official vendor advisory, and how to confirm the
CVE-2026-34662 is a denial of service in Illustrator. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-34663 is an out-of-bounds read in Illustrator. Verified patched version, official vendor advisory, and how to confirm the fix lande
CVE-2026-34664 is a path traversal in Substance3D - Designer. Verified patched version, official vendor advisory, and how to confirm the fix
CVE-2026-34666: an improper input validation in CAI Content Credentials. Patched version and vendor advisory inside.
CVE-2026-34667 is a vulnerability in CAI Content Credentials. Verified patched version, official vendor advisory, and how to confirm the fix
CVE-2026-34668: an improper input validation in CAI Content Credentials. Patched version and vendor advisory inside.
CVE-2026-34669: an improper input validation in CAI Content Credentials. Patched version and vendor advisory inside.
CVE-2026-34670: an improper input validation in CAI Content Credentials. Patched version and vendor advisory inside.
CVE-2026-34671 is a vulnerability in CAI Content Credentials. Verified patched version, official vendor advisory, and how to confirm the fix
CVE-2026-34672 is a vulnerability in CAI Content Credentials. Verified patched version, official vendor advisory, and how to confirm the fix
CVE-2026-34673 is a vulnerability in CAI Content Credentials. Verified patched version, official vendor advisory, and how to confirm the fix
CVE-2026-34677 is a vulnerability in CAI Content Credentials. Verified patched version, official vendor advisory, and how to confirm the fix
CVE-2026-34678 is a vulnerability in CAI Content Credentials. Verified patched version, official vendor advisory, and how to confirm the fix
CVE-2026-34679: an improper input validation in CAI Content Credentials. Patched version and vendor advisory inside.
CVE-2026-3468: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Email Security. Patch commands and ve
CVE-2026-34680 is a vulnerability in CAI Content Credentials. Verified patched version, official vendor advisory, and how to confirm the fix
CVE-2026-34688: an improper input validation in CAI Content Credentials. Patched version and vendor advisory inside.
CVE-2026-3471 is an access control bypass in Mattermost. Verified patched version, official vendor advisory, and how to confirm the fix land
CVE-2026-34715: CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') in ewe. Patch command
CVE-2026-34716: avideo: dom xss via unsanitized display name in websocket call notification in Wwbn AVideo, fixed by the same patch as C
CVE-2026-34718: zammad improperly neutralizes script-related html tags in ticket articles in zammad, fixed by the same patch as CVE-2
CVE-2026-34721: zammad has cross-site request forgery (csrf) in oauth callback endpoints in zammad, fixed by the same patch as CVE-2026-
CVE-2026-34722: zammad is missing authorization in ticket create endpoint in zammad, fixed by the same patch as CVE-2026-34248.
CVE-2026-34726: Copier `_subdirectory` allows template root escape via parent-directory traversal in copier. Patch commands and verification
CVE-2026-34729 is a phpmyfaq: stored xss via regex bypass in filter::removeattributes() in Thorsten phpMyFAQ, fixed by the same patch as CVE
CVE-2026-3473: an insecure direct object reference (IDOR) in Mattermost. Patched version and vendor advisory inside.
CVE-2026-34730: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in copier. Patch commands and verific
CVE-2026-34732 is a cwe-306: missing authentication for critical function in Wwbn AVideo, fixed by the same patch as CVE-2026-34394.
CVE-2026-34733: bundle sibling of CVE-2026-34394. Same patched build closes both.
CVE-2026-34736: Open edX Platform: Account Activation Bypass via activation_key Exposure in REST API in openedx-platform. Patch commands and
CVE-2026-34737 is a cwe-862: missing authorization in Wwbn AVideo, fixed by the same patch as CVE-2026-34394.
CVE-2026-34738 is a cwe-285: improper authorization in Wwbn AVideo, fixed by the same patch as CVE-2026-34394.
CVE-2026-34739: avideo: reflected xss via unescaped ip parameter in user_location testip.php in Wwbn AVideo, fixed by the same patch as
CVE-2026-3474: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in EmailKit – Email Customizer for WooC
CVE-2026-34740: avideo: stored ssrf via video epg link missing isssrfsafeurl() validation in Wwbn AVideo, fixed by the same patch as CVE
CVE-2026-34744 is an information disclosure in mantisbt. Verified patched version, official vendor advisory, and how to confirm the fix land
CVE-2026-34749: payload has a csrf protection bypass in authentication flow in Payloadcms payload, fixed by the same patch as CVE-2026-3
CVE-2026-3475: CWE-862 Missing Authorization in Instant Popup Builder – Powerful Popup Maker for Opt-ins, Email Newsletters & Lead Generatio
CVE-2026-34750: bundle sibling of CVE-2026-34746. Same patched build closes both.
CVE-2026-34753: vLLM affected by Server-Side Request Forgery (SSRF) in `download_bytes_from_url` in vllm. Patch commands and verification.
CVE-2026-34754 is an access control bypass in mantisbt. Verified patched version, official vendor advisory, and how to confirm the fix lande
CVE-2026-34755 is a cwe-770: allocation of resources without limits or throttling in Vllm-project vllm, fixed by the same patch as CVE-2026-
CVE-2026-34756 is a cwe-770: allocation of resources without limits or throttling in Vllm-project vllm, fixed by the same patch as CVE-2026-
CVE-2026-34757 is a use-after-free in libpng. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-34760: bundle sibling of CVE-2026-34753. Same patched build closes both.
CVE-2026-34761: ella core panics upon ngap handover failure in Ellanetworks core. CVSS 5.8 Medium. Patch commands, mitigations, and veri
CVE-2026-34763 is a rack: rack::directory info disclosure and dos via unescaped regex interpolation in rack, fixed by the same patch as CVE-
CVE-2026-34765: electron named window.open targets not scoped to the opener's browsing context in electron, fixed by the same patch as C
CVE-2026-34767: bundle sibling of CVE-2026-34764. Same patched build closes both.
CVE-2026-3477 is a missing authorization in Projectzealous01 PZ Frontend Manager. CVSS 5.3 Medium. Patch commands, mitigations, and verifica
CVE-2026-34772: electron: use-after-free in download save dialog callback in electron, fixed by the same patch as CVE-2026-34764.
CVE-2026-34773: bundle sibling of CVE-2026-34764. Same patched build closes both.
CVE-2026-34775: bundle sibling of CVE-2026-34764. Same patched build closes both.
CVE-2026-34776: electron: out-of-bounds read in second-instance ipc on macos and linux in electron, fixed by the same patch as CVE-2026-
CVE-2026-34777: bundle sibling of CVE-2026-34764. Same patched build closes both.
CVE-2026-34778: electron: service worker can spoof executejavascript ipc replies in electron, fixed by the same patch as CVE-2026-34764.
CVE-2026-34779: electron: applescript injection in app.movetoapplicationsfolder on macos in electron, fixed by the same patch as CVE-202
CVE-2026-34782: zammad has improper access control in ai assistance controller for text tools in zammad, fixed by the same patch as CVE-
CVE-2026-34786 is a rack: rack::static header_rules bypass via url-encoded paths in rack, fixed by the same patch as CVE-2026-26961.
CVE-2026-34787: emlog: local file inclusion in plugin.php via unsanitized plugin parameter in emlog, fixed by the same patch as CVE-2026
CVE-2026-34788: emlog: sql injection in tag_model::updatetagname() via unsanitized parameters in emlog, fixed by the same patch as CVE-2
CVE-2026-34798: endian firewall /cgi-bin/routing.cgi remark stored cross-site scripting in Endian Firewall, fixed by the same patch as C
CVE-2026-34799: bundle sibling of CVE-2026-34790. Same patched build closes both.
CVE-2026-3480: Missing Authorization in WP Blockade – Visual Page Builder. Patch commands and verification.
CVE-2026-34800: bundle sibling of CVE-2026-34790. Same patched build closes both.
CVE-2026-34801: bundle sibling of CVE-2026-34790. Same patched build closes both.
CVE-2026-34802: bundle sibling of CVE-2026-34790. Same patched build closes both.
CVE-2026-34803: endian firewall /manage/qos/classes/ name stored cross-site scripting in Endian Firewall, fixed by the same patch as CVE
CVE-2026-34804: endian firewall /manage/qos/rules/ dscp stored cross-site scripting in Endian Firewall, fixed by the same patch as CVE-2
CVE-2026-34805: endian firewall /cgi-bin/dnat.cgi remark stored cross-site scripting in Endian Firewall, fixed by the same patch as CVE-
CVE-2026-34806: endian firewall /cgi-bin/snat.cgi remark stored cross-site scripting in Endian Firewall, fixed by the same patch as CVE-
CVE-2026-34807: endian firewall /cgi-bin/incoming.cgi remark stored cross-site scripting in Endian Firewall, fixed by the same patch as
CVE-2026-34808: bundle sibling of CVE-2026-34790. Same patched build closes both.
CVE-2026-34809: endian firewall /cgi-bin/zonefw.cgi remark stored cross-site scripting in Endian Firewall, fixed by the same patch as CV
CVE-2026-3481: a cross-site scripting (XSS) in WP Blockade – Visual Page Builder. Patched version and vendor advisory inside.
CVE-2026-34810: endian firewall /cgi-bin/vpnfw.cgi remark stored cross-site scripting in Endian Firewall, fixed by the same patch as CVE
CVE-2026-34811: endian firewall /cgi-bin/xtaccess.cgi remark stored cross-site scripting in Endian Firewall, fixed by the same patch as
CVE-2026-34812: bundle sibling of CVE-2026-34790. Same patched build closes both.
CVE-2026-34813: endian firewall /cgi-bin/proxyuser.cgi user stored cross-site scripting in Endian Firewall, fixed by the same patch as C
CVE-2026-34814: bundle sibling of CVE-2026-34790. Same patched build closes both.
CVE-2026-34815: bundle sibling of CVE-2026-34790. Same patched build closes both.
CVE-2026-34816: bundle sibling of CVE-2026-34790. Same patched build closes both.
CVE-2026-34817: bundle sibling of CVE-2026-34790. Same patched build closes both.
CVE-2026-34818: bundle sibling of CVE-2026-34790. Same patched build closes both.
CVE-2026-34819: bundle sibling of CVE-2026-34790. Same patched build closes both.
CVE-2026-34820: endian firewall /manage/ipsec/ remark stored cross-site scripting in Endian Firewall, fixed by the same patch as CVE-202
CVE-2026-34821: bundle sibling of CVE-2026-34790. Same patched build closes both.
CVE-2026-34822: bundle sibling of CVE-2026-34790. Same patched build closes both.
CVE-2026-34823: endian firewall /manage/password/web/ remark stored cross-site scripting in Endian Firewall, fixed by the same patch as
CVE-2026-34826 is a rack: unbounded range count in get_byte_ranges enables dos in rack, fixed by the same patch as CVE-2026-26961.
CVE-2026-34830 is a cwe-625: permissive regular expression in rack, fixed by the same patch as CVE-2026-26961.
CVE-2026-34831 is a rack: content-length mismatch in rack::files error responses in rack, fixed by the same patch as CVE-2026-26961.
CVE-2026-34832 is a scoold: cross-account feedback deletion (idor) in Erudika scoold. CVSS 6.5 Medium. Patch commands, mitigations, and veri
CVE-2026-34835: bundle sibling of CVE-2026-26961. Same patched build closes both.
CVE-2026-34837 is a cwe-862: missing authorization in zammad, fixed by the same patch as CVE-2026-34248.
CVE-2026-3484 is a command injection in PhialsBasement nmap-mcp-server. This page lists the verified fix and inline mitigations.
CVE-2026-34847 is a hoppscotch: open redirect via `/enter?redirect=` in hoppscotch. CVSS 4.7 Medium. Patch commands, mitigations, and verifi
CVE-2026-34848 is a hoppscotch: stored xss in team member overflow tooltip via display name in hoppscotch, fixed by the same patch as CVE-20
CVE-2026-34852 is a loop with unreachable exit condition in HarmonyOS. This page lists verified fix commands and short-term mitigations you
CVE-2026-34854 is a use-after-free in EMUI. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-34855 is an improper input validation in EMUI. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-34857 is a race condition in HarmonyOS. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-34858 is a race condition in HarmonyOS. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-34859 is a use-after-free in EMUI. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-3486 is a SQL injection in itsourcecode College Management System. This page lists the verified fix and inline mitigations.
CVE-2026-34860 is an access control in HarmonyOS. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-34861 is a race condition in HarmonyOS. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-34862 is a race condition in HarmonyOS. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-34863 is an out-of-bounds write in HarmonyOS. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-34864 is a buffer overflow in HarmonyOS. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-34866 is a buffer copy without checking size of in HarmonyOS. This page lists verified fix commands and short-term mitigations you
CVE-2026-34867 is a double free in HarmonyOS. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-3487 is a SQL injection in itsourcecode College Management System. This page lists the verified fix and inline mitigations.
CVE-2026-34871 is a n/a in the vendor n/a, fixed by the same patch as CVE-2026-25212.
CVE-2026-3488 is a missing authorization in WP Statistics – Simple, privacy-friendly Google Analytics alternative. This page lists verified
CVE-2026-34881 is a server-side request forgery (ssrf) in Openstack Glance. CVSS 5 Medium. Patch commands, mitigations, and verification.
CVE-2026-34887: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Kubio AI Page Builder. Patch command
CVE-2026-34889: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Ultimate Addons for WPBakery Page Bu
CVE-2026-34890: WordPress MSTW League Manager plugin <= 2.10 - Cross Site Scripting (XSS) in MSTW League Manager. Patch commands and verific
CVE-2026-34897: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Media Library Assistant. Patch comma
CVE-2026-34899: Missing Authorization in LTL Freight Quotes – Worldwide Express Edition. Patch commands and verification.
CVE-2026-34903: WordPress Ocean Extra plugin <= 2.5.3 - Broken Access Control in Ocean Extra. Patch commands and verification.
CVE-2026-3492: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Gravity Forms. Patch commands
CVE-2026-34933 is a cwe-617: reachable assertion in avahi. CVSS 5.5 Medium. Patch commands, mitigations, and verification.
CVE-2026-34939: bundle sibling of CVE-2026-34934. Same patched build closes both.
CVE-2026-3494 is a cwe-778 (insufficient logging) in MariaDB Foundation MariaDB Server. This page lists the verified fix and inline mitigati
CVE-2026-34941 is an out-of-bounds read in wasmtime. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-34942 is a cwe-129: improper validation of array index in wasmtime. This page lists verified fix commands and short-term mitigation
CVE-2026-34943 is a cwe-248: uncaught exception in wasmtime. This page lists verified fix commands and short-term mitigations you can run to
CVE-2026-34944 is a cwe-248: uncaught exception in wasmtime. This page lists verified fix commands and short-term mitigations you can run to
CVE-2026-34946 is a vulnerability in wasmtime. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-34951: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in forceworkbench. Patch comman
CVE-2026-34956 buffer copy without checking size of input ('classic buffer overflow') in Fast Datapath for RHEL 7. Runnable upgrade commands
CVE-2026-34960 is an out-of-bounds read in barebox. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-34961 is an out-of-bounds read in barebox. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-34962 loop with unreachable exit condition ('infinite loop') in barebox. Runnable upgrade commands and verification steps for sysad
CVE-2026-34970 is an information disclosure in mantisbt. Verified patched version, official vendor advisory, and how to confirm the fix land
CVE-2026-34972 is a cwe-863: incorrect authorization in openfga. CVSS 5 Medium. Patch commands, mitigations, and verification.
CVE-2026-34973: bundle sibling of CVE-2026-32629. Same patched build closes both.
CVE-2026-34974: bundle sibling of CVE-2026-32629. Same patched build closes both.
CVE-2026-34978: bundle sibling of CVE-2026-27447. Same patched build closes both.
CVE-2026-34979 is a openprinting cups: heap overflow in `get_options()` in Openprinting cups, fixed by the same patch as CVE-2026-27447.
CVE-2026-3498 is a cross-site scripting in BlockArt Blocks – Gutenberg Blocks, Page Builder Blocks, WordPress Block Plugin, Sections & Templ
CVE-2026-34980 is a cwe-20: improper input validation in Openprinting cups, fixed by the same patch as CVE-2026-27447.
CVE-2026-34981: CWE-918: Server-Side Request Forgery (SSRF) in whisperX-FastAPI. Patch commands and verification.
CVE-2026-34985: loris has incorrect access checks in media module in Aces Loris, fixed by the same patch as CVE-2026-33350.
CVE-2026-34990: bundle sibling of CVE-2026-27447. Same patched build closes both.
CVE-2026-34999: OpenViking 0.2.5 < 0.2.14 Bot Proxy Endpoints Allow Unauthenticated Access in OpenViking. Patch commands and verification.
CVE-2026-35007 is a cross-site scripting (XSS) in tickets. Verified patched version, official vendor advisory, and how to confirm the fix la
CVE-2026-35008 is a cross-site scripting (XSS) in tickets. Verified patched version, official vendor advisory, and how to confirm the fix la
CVE-2026-35009 is a cross-site scripting (XSS) in tickets. Verified patched version, official vendor advisory, and how to confirm the fix la
CVE-2026-35010 is a cross-site scripting (XSS) in tickets. Verified patched version, official vendor advisory, and how to confirm the fix la
CVE-2026-35011 is a cross-site scripting (XSS) in tickets. Verified patched version, official vendor advisory, and how to confirm the fix la
CVE-2026-35012 is a cross-site scripting (XSS) in tickets. Verified patched version, official vendor advisory, and how to confirm the fix la
CVE-2026-35013 is a cross-site scripting (XSS) in tickets. Verified patched version, official vendor advisory, and how to confirm the fix la
CVE-2026-35014 is a cross-site scripting (XSS) in tickets. Verified patched version, official vendor advisory, and how to confirm the fix la
CVE-2026-35015 is a cross-site scripting (XSS) in tickets. Verified patched version, official vendor advisory, and how to confirm the fix la
CVE-2026-35016 is a cross-site scripting (XSS) in tickets. Verified patched version, official vendor advisory, and how to confirm the fix la
CVE-2026-35023: Wimi Teamwork On-Premises < 8.2.0 IDOR via preview.php in Wimi Teamwork. Patch commands and verification.
CVE-2026-3503: Fault injection attack with ML-DSA and ML-KEM on ARM in wolfSSL (wolfCrypt). Patch commands and verification.
CVE-2026-35034 is a denial of service in jellyfin. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-3504 - CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in Dokan: AI Powered WooCommerce Multivendor Marketplace
CVE-2026-35040 is a cwe-697: incorrect comparison in fast-jwt. This page lists verified fix commands and short-term mitigations you can run
CVE-2026-35041 is a vulnerability in fast-jwt. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-35046: bundle sibling of CVE-2026-35045. Same patched build closes both.
CVE-2026-35052: D-Tale affected by Remote Code Execution through redis/shelf storage in dtale. Patch commands and verification.
CVE-2026-35054 is a xenforo stored cross-site scripting via bb code rendering in XenForo. CVSS 5.1 Medium. Patch commands, mitigations, and
CVE-2026-35055 is a xenforo cross-site scripting via lightbox in posts in XenForo, fixed by the same patch as CVE-2026-35054.
CVE-2026-35057 is a xenforo stored cross-site scripting via structured text mentions in XenForo, fixed by the same patch as CVE-2026-35054.
CVE-2026-3506 is a vulnerability in WP-Chatbot for Messenger. Verified patched version, official vendor advisory, and how to confirm the fix
CVE-2026-35061 is a missing authorization in Anviz CX7 Firmware. This page lists verified fix commands and short-term mitigations you can ru
CVE-2026-35062 is a vulnerability in BIG-IP. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-35070: an OS command injection in SmartFabric Storage Software. Patched version and vendor advisory inside.
CVE-2026-35072 is an OS command injection in PowerProtect Data Domain. This page lists verified fix commands and short-term mitigations you
CVE-2026-35073 is an OS command injection in PowerProtect Data Domain. This page lists verified fix commands and short-term mitigations you
CVE-2026-35074 is an OS command injection in PowerProtect Data Domain. This page lists verified fix commands and short-term mitigations you
CVE-2026-3508 is an out-of-bounds read in ASUS System Control Interface. Patched version, runnable upgrade commands, and how to verify the fi
CVE-2026-3512: Writeprint Stylometry <= 0.1 - Reflected Cross-Site Scripting via 'p' Parameter in Writeprint Stylometry. Patch commands and
CVE-2026-3513: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in TableOn – WordPress Posts Table Filte
CVE-2026-35153 is a vulnerability in PowerProtect Data Domain. This page lists verified fix commands and short-term mitigations you can run
CVE-2026-35154 is an improper privilege management in PowerProtect Data Domain appliances. This page lists verified fix commands and short-t
CVE-2026-35157 improper neutralization of formula elements in a csv file in ECS. Runnable upgrade commands and verification steps for sysadm
CVE-2026-3516: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Contact List – Online Staff Di
CVE-2026-35165: loris has incorrect access checks in document_repository in Aces Loris, fixed by the same patch as CVE-2026-33350.
CVE-2026-35166: hugo does not properly escape some markdown links in Gohugoio hugo. CVSS 5.3 Medium. Patch commands, mitigations, and ve
CVE-2026-35173: Chyrp Lite has an IDOR via Mass Assignment in Post Model in chyrp-lite. Patch commands and verification.
CVE-2026-35177 is a path traversal issue with zip.vim in vim in vim, fixed by the same patch as CVE-2026-34982.
CVE-2026-35179: bundle sibling of CVE-2026-34394. Same patched build closes both.
CVE-2026-35180 is a cwe-352: cross-site request forgery (csrf) in Wwbn AVideo, fixed by the same patch as CVE-2026-34394.
CVE-2026-35181: bundle sibling of CVE-2026-34394. Same patched build closes both.
CVE-2026-35186 is a cwe-789: memory allocation with excessive size in wasmtime. This page lists verified fix commands and short-term mitigat
CVE-2026-35195 is an out-of-bounds write in wasmtime. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-35197 is a code injection in dye template expressions in Mattieb dye. CVSS 6.6 Medium. Patch commands, mitigations, and verificatio
CVE-2026-35199: SymCrypt SymCryptXmssSign function - Heap overflow via 64->32-bit leaf-count truncation in SymCrypt. Patch commands and veri
CVE-2026-35201: discount has an out-of-bounds read in rdiscount in Davidfstr rdiscount. CVSS 5.9 Medium. Patch commands, mitigations, an
CVE-2026-35206 is a path traversal in helm. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-35207 is a cwe-295: improper certificate validation in dde-control-center. This page lists verified fix commands and short-term mit
CVE-2026-35208: lichess.org has an Unsanitized Stream Title Injection on /streamer in lila. Patch commands and verification.
CVE-2026-3523 is a SQL injection in blobfolio Apocalypse Meow. This page lists the verified fix and inline mitigations.
CVE-2026-35232 is an access control in Oracle Fusion Middleware. This page lists verified fix commands and short-term mitigations you can ru
CVE-2026-35233 - An unprivileged attacker can craft a user-space process with a malicious ELF binary containing an out-of-range sh_link fiel
CVE-2026-35234 is an access control in MySQL Server. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-35235 is an access control in MySQL Server. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-35236 is an access control in MySQL Server. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-35237 is an access control in MySQL Server. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-35238 is an access control in MySQL Server. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-35239 is an access control in MySQL Server. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-35240 is an access control in MySQL Server. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-35241 is an access control in PeopleSoft Enterprise CS Student Records. This page lists verified fix commands and short-term mitiga
CVE-2026-35244 is an access control in Oracle Hyperion Infrastructure Technology. This page lists verified fix commands and short-term mitig
CVE-2026-35247 is an access control in Oracle VM VirtualBox. This page lists verified fix commands and short-term mitigations you can run to
CVE-2026-35248 is an access control in Oracle VM VirtualBox. This page lists verified fix commands and short-term mitigations you can run to
CVE-2026-35252 is an access control in Oracle Security Service. This page lists verified fix commands and short-term mitigations you can run
CVE-2026-35253 origin validation error in Oracle Macaron Tool of Oracle Open Source Projects. Runnable upgrade commands and verification ste
CVE-2026-35254 improper limitation of a pathname to a restricted directory ('path traversal') in Oracle OCI CLI of Oracle Open Source Projec
CVE-2026-35255 improper control of generation of code ('code injection') in Oracle Cloud Native Environment Command Line Interface. Runnable
CVE-2026-35339 - CWE-253: Incorrect Check of Function Return Value in coreutils. Runnable patch commands, mitigation, and verification on th
CVE-2026-3534: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Astra. Patch commands and veri
CVE-2026-35340 - CWE-253: Incorrect Check of Function Return Value in coreutils. Runnable patch commands, mitigation, and verification on th
CVE-2026-35345 - CWE-367: Time-of-Check Time-of-Use (TOCTOU) Race Condition in coreutils. Runnable patch commands, mitigation, and verificat
CVE-2026-35347 - CWE-20: Improper Input Validation in coreutils. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-35348 - CWE-248: Uncaught Exception in coreutils. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-35349 - CWE-59: Improper Link Resolution Before File Access ('Link Following') in coreutils. Runnable patch commands, mitigation, a
CVE-2026-35350 - CWE-281: Improper Preservation of Permissions in coreutils. Runnable patch commands, mitigation, and verification on this p
CVE-2026-35351 - CWE-281: Improper Preservation of Permissions in coreutils. Runnable patch commands, mitigation, and verification on this p
CVE-2026-35354 - CWE-367: Time-of-Check Time-of-Use (TOCTOU) Race Condition in coreutils. Runnable patch commands, mitigation, and verificat
CVE-2026-35355 - CWE-367: Time-of-Check Time-of-Use (TOCTOU) Race Condition in coreutils. Runnable patch commands, mitigation, and verificat
CVE-2026-35356 - CWE-367: Time-of-Check Time-of-Use (TOCTOU) Race Condition in coreutils. Runnable patch commands, mitigation, and verificat
CVE-2026-35357 - CWE-367: Time-of-Check Time-of-Use (TOCTOU) Race Condition in coreutils. Runnable patch commands, mitigation, and verificat
CVE-2026-35358 - CWE-706: Use of Incorrectly-Resolved Name or Reference in coreutils. Runnable patch commands, mitigation, and verification
CVE-2026-35359 - CWE-367: Time-of-Check Time-of-Use (TOCTOU) Race Condition in coreutils. Runnable patch commands, mitigation, and verificat
CVE-2026-35360 - CWE-367: Time-of-Check Time-of-Use (TOCTOU) Race Condition in coreutils. Runnable patch commands, mitigation, and verificat
CVE-2026-35363 - CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in coreutils. Runnable patch command
CVE-2026-35364 - CWE-367: Time-of-Check Time-of-Use (TOCTOU) Race Condition in coreutils. Runnable patch commands, mitigation, and verificat
CVE-2026-35365 - CWE-59: Improper Link Resolution Before File Access ('Link Following') in coreutils. Runnable patch commands, mitigation, a
CVE-2026-35366 - CWE-754: Improper Check for Unusual or Exceptional Conditions in coreutils. Runnable patch commands, mitigation, and verifi
CVE-2026-35369 - CWE-20: Improper Input Validation in coreutils. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-35370 - CWE-863: Incorrect Authorization in coreutils. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-35372 - CWE-61: UNIX Symbolic Link (Symlink) Following in coreutils. Runnable patch commands, mitigation, and verification on this
CVE-2026-35374 - CWE-367: Time-of-Check Time-of-Use (TOCTOU) Race Condition in coreutils. Runnable patch commands, mitigation, and verificat
CVE-2026-35376 - CWE-367: Time-of-Check Time-of-Use (TOCTOU) Race Condition in coreutils. Runnable patch commands, mitigation, and verificat
CVE-2026-35380 - CWE-20: Improper Input Validation in coreutils. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-35383: Bentley Systems iTwin Platform exposed access token in iTwin Platform. Patch commands and verification.
CVE-2026-35390: bundle sibling of CVE-2026-34833. Same patched build closes both.
CVE-2026-35396: bundle sibling of CVE-2026-35395. Same patched build closes both.
CVE-2026-35398 is a cwe-601: url redirection to untrusted site ('open redirect') in Labredescefetrj WeGIA, fixed by the same patch as CVE-20
CVE-2026-35403 is a loris has potential cross-site scripting in survey_accounts module in Aces Loris, fixed by the same patch as CVE-2026-33
CVE-2026-35404: CWE-601: URL Redirection to Untrusted Site ('Open Redirect') in openedx-platform. Patch commands and verification.
CVE-2026-35406: Aardvark-dns has incorrect error handling for malformed tcp packets in aardvark-dns. Patch commands and verification.
CVE-2026-35407 is a saleor has cross-account email change via unbound confirmation token in saleor, fixed by the same patch as CVE-2026-3375
CVE-2026-35410: bundle sibling of CVE-2026-35408. Same patched build closes both.
CVE-2026-35411 is a directus is an open redirect in admin 2fa setup page in directus, fixed by the same patch as CVE-2026-35408.
CVE-2026-35413 is a directus graphql schema sdl disclosure setting in directus, fixed by the same patch as CVE-2026-35408.
CVE-2026-35414 is a always-incorrect control flow implementation in Openbsd OpenSSH, fixed by the same patch as CVE-2026-35385.
CVE-2026-35419 is an out-of-bounds read in Windows 11 Version 24H2. Verified patched version, official vendor advisory, and how to confirm t
CVE-2026-35422: an authentication bypass in Windows 10 Version 1607. Patched version and vendor advisory inside.
CVE-2026-35423 is an out-of-bounds read in Windows 10 Version 1607. Verified patched version, official vendor advisory, and how to confirm t
CVE-2026-35429 is a vulnerability in Microsoft Edge for Android. Verified patched version, official vendor advisory, and how to confirm the
CVE-2026-35440: a vulnerability in Microsoft 365 Apps for Enterprise. Patched version and vendor advisory inside.
CVE-2026-35441 is a cwe-400: uncontrolled resource consumption in directus, fixed by the same patch as CVE-2026-35408.
CVE-2026-35449 is a cwe-200: exposure of sensitive information to an unauthorized actor in Wwbn AVideo, fixed by the same patch as CVE-2026-
CVE-2026-35450 is a cwe-306: missing authentication for critical function in Wwbn AVideo, fixed by the same patch as CVE-2026-34394.
CVE-2026-35451 is a cross-site scripting in twenty. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-35452 is a cwe-200: exposure of sensitive information to an unauthorized actor in Wwbn AVideo, fixed by the same patch as CVE-2026-
CVE-2026-35453 improper neutralization of input during web page generation ('cross-site scripti in PhpSpreadsheet. Runnable upgrade commands
CVE-2026-3546 is an information disclosure in e-shot. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-35460: Papra has an HTML Injection in Transactional Emails via Unescaped User Display Name in papra. Patch commands and verificatio
CVE-2026-35461 is a papra has a blind server-side request forgery (ssrf) via webhook url in Papra-hq papra, fixed by the same patch as CVE-2
CVE-2026-35462 is a papra does not reject expired api keys in Papra-hq papra, fixed by the same patch as CVE-2026-35460.
CVE-2026-35466: Stored XSS via unsanitized input from remote service in cveClient/cveInterface.js. Patch commands and verification.
CVE-2026-35468 is a cwe-252: unchecked return value in Nimiq core-rs-albatross, fixed by the same patch as CVE-2026-33184.
CVE-2026-35472: bundle sibling of CVE-2026-35395. Same patched build closes both.
CVE-2026-35473: bundle sibling of CVE-2026-35395. Same patched build closes both.
CVE-2026-35474: bundle sibling of CVE-2026-35395. Same patched build closes both.
CVE-2026-35475: bundle sibling of CVE-2026-35395. Same patched build closes both.
CVE-2026-35477: bundle sibling of CVE-2026-35476. Same patched build closes both.
CVE-2026-35479 is an inventree plugin installation - insufficient permissions in InvenTree, fixed by the same patch as CVE-2026-35476.
CVE-2026-35480: go-ipld-prime's DAG-CBOR decoder unbounded memory allocation from CBOR headers in go-ipld-prime. Patch commands and verifica
CVE-2026-35483: bundle sibling of CVE-2026-35050. Same patched build closes both.
CVE-2026-35484: bundle sibling of CVE-2026-35050. Same patched build closes both.
CVE-2026-35487: bundle sibling of CVE-2026-35050. Same patched build closes both.
CVE-2026-35491: Pi-hole FTL: CLI API sessions can import Teleporter archives and modify configuration in FTL. Patch commands and verificatio
CVE-2026-35492: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in kedro-plugins. Patch commands and
CVE-2026-3550 is a cwe-862 missing authorization in Firetree RockPress. CVSS 5.3 Medium. Patch commands, mitigations, and verification.
CVE-2026-35504 is a vulnerability in PowerSYSTEM Center 2020. Verified patched version, official vendor advisory, and how to confirm the fix
CVE-2026-35507 is a use of less trusted source in Milesmcc Shynet. CVSS 6.4 Medium. Patch commands, mitigations, and verification.
CVE-2026-35508: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Shynet. Patch commands and ve
CVE-2026-3551 is a cross-site scripting in Custom New User Notification. This page lists verified fix commands and short-term mitigations yo
CVE-2026-35514 - CWE-306: Missing Authentication for Critical Function in chartbrew. Runnable patch commands, mitigation, and verification o
CVE-2026-35515: CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') in nest. Patch co
CVE-2026-35516 is a cwe-918: server-side request forgery (ssrf) in Kovah LinkAce. CVSS 5 Medium. Patch commands, mitigations, and verificati
CVE-2026-35527 is a server-side request forgery (ssrf) in incus. Patched version, runnable upgrade commands, and how to verify the fix lande
CVE-2026-35539: bundle sibling of CVE-2026-35537. Same patched build closes both.
CVE-2026-3554 is a vulnerability in Sherk Custom Post Type Displays. Verified patched version, official vendor advisory, and how to confirm
CVE-2026-35540 is an incorrect resource transfer between spheres in Roundcube Webmail, fixed by the same patch as CVE-2026-35537.
CVE-2026-35541 is an access of resource using incompatible type ('type confusion') in Roundcube Webmail, fixed by the same patch as CVE-2026-
CVE-2026-35542 is an incorrect resource transfer between spheres in Roundcube Webmail, fixed by the same patch as CVE-2026-35537.
CVE-2026-35543 is an incorrect resource transfer between spheres in Roundcube Webmail, fixed by the same patch as CVE-2026-35537.
CVE-2026-35544 is an incorrect resource transfer between spheres in Roundcube Webmail, fixed by the same patch as CVE-2026-35537.
CVE-2026-35545 is an incorrect resource transfer between spheres in Roundcube Webmail, fixed by the same patch as CVE-2026-35537.
CVE-2026-35549 is a memory allocation with excessive size value in MariaDB. CVSS 6.5 Medium. Patch commands, mitigations, and verification.
CVE-2026-35553 is a stack buffer overflow in DRFEC.SYS. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-35559: bundle sibling of CVE-2026-5485. Same patched build closes both.
CVE-2026-35565 is a cross-site scripting in Apache Storm UI. This page lists verified fix commands and short-term mitigations you can run to
CVE-2026-35571: Emissary has Stored XSS via Navigation Template Link Injection in emissary. Patch commands and verification.
CVE-2026-35577 is a cwe-346: origin validation error in apollo-mcp-server. This page lists verified fix commands and short-term mitigations
CVE-2026-35583: bundle sibling of CVE-2026-35571. Same patched build closes both.
CVE-2026-35584 is a cwe-306: missing authentication for critical function in Freescout-help-desk freescout, fixed by the same patch as CVE-2
CVE-2026-35586 is a cwe-863: incorrect authorization in pyload, fixed by the same patch as CVE-2026-35187.
CVE-2026-35588 is a SQL injection in glances. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-35592: bundle sibling of CVE-2026-35187. Same patched build closes both.
CVE-2026-35593 is a path traversal in Trilium. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-35594 is a cwe-613: insufficient session expiration in vikunja. This page lists verified fix commands and short-term mitigations yo
CVE-2026-35596 is an incorrect authorization in vikunja. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-35597 is a vulnerability in vikunja. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-35598 is a missing authorization in vikunja. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-35599 is a cwe-407: inefficient algorithmic complexity in vikunja. This page lists verified fix commands and short-term mitigations
CVE-2026-35600 is a cross-site scripting in vikunja. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-35601 is a cwe-93: improper neutralization of crlf sequences in vikunja. This page lists verified fix commands and short-term mitig
CVE-2026-35602 is an allocation of resources without limits in vikunja. This page lists verified fix commands and short-term mitigations you
CVE-2026-35603 is an untrusted search path in claude-code. This page lists verified fix commands and short-term mitigations you can run toda
CVE-2026-35605: bundle sibling of CVE-2026-34528. Same patched build closes both.
CVE-2026-35606 is a cwe-862: missing authorization in filebrowser, fixed by the same patch as CVE-2026-34528.
CVE-2026-35608: QuickDrop has stored XSS in SVG file preview endpoint allowing JavaScript execution in quickdrop. Patch commands and verific
CVE-2026-35613: Path traversal in coursevault-preview due to improper base-directory boundary validation in coursevault-preview. Patch comma
CVE-2026-35619 is an incorrect authorization in OpenClaw. This page lists verified fix commands and short-term mitigations you can run today
CVE-2026-3562: CWE-347: Improper Verification of Cryptographic Signature in Hue Bridge. Patch commands and verification.
CVE-2026-35620 is a missing authorization in OpenClaw. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-35622 is a cwe-290: authentication bypass by spoofing in OpenClaw. This page lists verified fix commands and short-term mitigations
CVE-2026-35623 is a restriction of excessive authentication attempts in OpenClaw. This page lists verified fix commands and short-term mitig
CVE-2026-35626 is an asymmetric resource consumption (amplification) in OpenClaw. This page lists verified fix commands and short-term mitig
CVE-2026-35627 is a cwe-696: incorrect behavior order in OpenClaw. This page lists verified fix commands and short-term mitigations you can
CVE-2026-35628 is a restriction of excessive authentication attempts in OpenClaw. This page lists verified fix commands and short-term mitig
CVE-2026-35629 is a server-side request forgery in OpenClaw. This page lists verified fix commands and short-term mitigations you can run to
CVE-2026-3563: CWE-1289 Improper validation of unsafe equivalence in input in PowerShell Universal. Patch commands and verification.
CVE-2026-35632 is a UNIX symbolic link (symlink) following in OpenClaw. This page lists verified fix commands and short-term mitigations yo
CVE-2026-35633 is an uncontrolled memory allocation in OpenClaw. This page lists verified fix commands and short-term mitigations you can ru
CVE-2026-35634 is a cwe-288: authentication bypass using an alternate in OpenClaw. This page lists verified fix commands and short-term miti
CVE-2026-35635 is a cwe-706: use of incorrectly-resolved name or in OpenClaw. This page lists verified fix commands and short-term mitigatio
CVE-2026-35637 is a cwe-696: incorrect behavior order in OpenClaw. This page lists verified fix commands and short-term mitigations you can
CVE-2026-35640 is a cwe-696: incorrect behavior order in OpenClaw. This page lists verified fix commands and short-term mitigations you can
CVE-2026-35642 is a cwe-288: authentication bypass using an alternate in OpenClaw. This page lists verified fix commands and short-term miti
CVE-2026-35645 is a cwe-648: incorrect use of privileged apis in OpenClaw. This page lists verified fix commands and short-term mitigations
CVE-2026-35646 is a restriction of excessive authentication attempts in OpenClaw. This page lists verified fix commands and short-term mitig
CVE-2026-35647 is a cwe-288: authentication bypass using an alternate in OpenClaw. This page lists verified fix commands and short-term miti
CVE-2026-35649 is a cwe-183: permissive list of allowed inputs in OpenClaw. This page lists verified fix commands and short-term mitigations
CVE-2026-3565 - CWE-352 Cross-Site Request Forgery (CSRF) in Taqnix. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-35651 is a cwe-150: improper neutralization of escape, meta in OpenClaw. This page lists verified fix commands and short-term mitig
CVE-2026-35652 is a cwe-696: incorrect behavior order in OpenClaw. This page lists verified fix commands and short-term mitigations you can
CVE-2026-35654 is a cwe-288: authentication bypass using an alternate in OpenClaw. This page lists verified fix commands and short-term miti
CVE-2026-35655 is a reliance on untrusted inputs in a in OpenClaw. This page lists verified fix commands and short-term mitigations you can
CVE-2026-35656 is a cwe-290: authentication bypass by spoofing in OpenClaw. This page lists verified fix commands and short-term mitigations
CVE-2026-35658 is an exposure of resource to wrong sphere in OpenClaw. This page lists verified fix commands and short-term mitigations you
CVE-2026-35659 is an insufficient verification of data in OpenClaw. This page lists verified fix commands and short-term mitigations you can
CVE-2026-35661 is a cwe-288: authentication bypass using an alternate in OpenClaw. This page lists verified fix commands and short-term miti
CVE-2026-35662 is a missing authorization in OpenClaw. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-35664 is a cwe-288: authentication bypass using an alternate in OpenClaw. This page lists verified fix commands and short-term miti
CVE-2026-35665 is an asymmetric resource consumption (amplification) in OpenClaw. This page lists verified fix commands and short-term mitig
CVE-2026-35667 is a resource shutdown or release in OpenClaw. This page lists verified fix commands and short-term mitigations you can run t
CVE-2026-3567: CWE-862 Missing Authorization in RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress. Patch commands and verificatio
CVE-2026-35670 is a reliance on untrusted inputs in a in OpenClaw. This page lists verified fix commands and short-term mitigations you can
CVE-2026-3568 is an authorization bypass through user-controlled key in MStore API – Create Native Android & iOS Apps On The Cloud. This pag
CVE-2026-3569 - CWE-862 Missing Authorization in Liaison Site Prober. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-3570 is a vulnerability in Smarter Analytics. Verified patched version, official vendor advisory, and how to confirm the fix landed
CVE-2026-3571: Missing Authorization in Pie Register – User Registration, Profiles & Content Restriction. Patch commands and verification.
CVE-2026-3572: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in iTracker360. Patch commands an
CVE-2026-3574 is a cross-site scripting in Experto Dashboard for WooCommerce. This page lists verified fix commands and short-term mitigatio
CVE-2026-3577: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Keep Backup Daily. Patch comma
CVE-2026-3581 is a missing authorization in Basic Google Maps Placemarks. This page lists verified fix commands and short-term mitigations y
CVE-2026-3582 is a cwe-862 missing authorization in Github Enterprise Server. CVSS 5.3 Medium. Patch commands, mitigations, and verification
CVE-2026-3590 is a vulnerability in Mattermost. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-35901 - n/a in n/a. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-35902 - n/a in n/a. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-3591 is a vulnerability in BIND 9. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-3592 is a vulnerability in BIND 9. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-3594: Exposure of Sensitive Information to an Unauthorized Actor in Riaxe Product Customizer. Patch commands and verification.
CVE-2026-3595 is a missing authorization in Riaxe Product Customizer. This page lists verified fix commands and short-term mitigations you c
CVE-2026-3600: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Investi. Patch commands and verificat
CVE-2026-3601 missing authorization in User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Pr
CVE-2026-3604: a cross-site scripting (XSS) in WP SEO Structured Data Schema. Patched version and vendor advisory inside.
CVE-2026-3606 is an out-of-bounds read in n/a Ettercap. This page lists the verified fix and inline mitigations.
CVE-2026-3607 is a vulnerability in GitLab. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-3609 is an incorrect privilege assignment in XIGNCODE3 Anti-Cheat. Patched version, runnable upgrade commands, and how to verify the
CVE-2026-3610 is a cross-site scripting in HSC Cybersecurity Mailinspector. This page lists the verified fix and inline mitigations.
CVE-2026-3616 is a SQL injection in DefaultFuction Jeson Customer Relationship Management System. This page lists the verified fix and inlin
CVE-2026-3617 is a vulnerability in Paypal Shortcodes. Verified patched version, official vendor advisory, and how to confirm the fix landed
CVE-2026-3618: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Columns by BestWebSoft – Additional C
CVE-2026-3619 is a vulnerability in Sheets2Table. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-36341 improper neutralization of input during web page generation ('cross-site scripti in the affected product. Runnable upgrade co
CVE-2026-3635 is a vulnerability in fastify. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-36358 improper neutralization of input during web page generation ('cross-site scripti in the affected product. Runnable upgrade co
CVE-2026-3636 is an information disclosure in Mattermost. Verified patched version, official vendor advisory, and how to confirm the fix lan
CVE-2026-3637 is a missing authorization in Mattermost. Verified patched version, official vendor advisory, and how to confirm the fix lande
CVE-2026-3638 is a cwe-862: missing authorization in Devolutions Server. CVSS 5.9 Medium. Patch commands, mitigations, and verification.
CVE-2026-36387 unrestricted upload of file with dangerous type in the affected product. Runnable upgrade commands and verification steps for
CVE-2026-36388 improper neutralization of input during web page generation ('cross-site scripti in the affected product. Runnable upgrade co
CVE-2026-3641 is an improper input validation in Appmax. Verified patched version, official vendor advisory, and how to confirm the fix land
CVE-2026-3642 is a missing authorization in e-shot. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-36438 is a vulnerability in n/a. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-3644: Incomplete control character validation in http.cookies in CPython. Patch commands and verification.
CVE-2026-3645 is a vulnerability in Punnel – Landing Page Builder. Verified patched version, official vendor advisory, and how to confirm th
CVE-2026-3646: Missing Authorization in LTL Freight Quotes – R+L Carriers Edition. Patch commands and verification.
CVE-2026-3649 is a missing authorization in Katalogportal-pdf-sync Widget. This page lists verified fix commands and short-term mitigations
CVE-2026-3651 is a vulnerability in Build App Online. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-3659 is a cross-site scripting in WP Circliful. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-3661 is a command injection in Wavlink WL-NU516U1. This page lists the verified fix and inline mitigations.
CVE-2026-3662 is a command injection in Wavlink WL-NU516U1. This page lists the verified fix and inline mitigations.
CVE-2026-3663 is an out-of-bounds read in xlnt-community xlnt. This page lists the verified fix and inline mitigations.
CVE-2026-3664 is an out-of-bounds read in xlnt-community xlnt. This page lists the verified fix and inline mitigations.
CVE-2026-3665 is a null pointer dereference in xlnt-community xlnt. This page lists the verified fix and inline mitigations.
CVE-2026-3667 is an improper authorization in Freedom Factory dGEN1. This page lists the verified fix and inline mitigations.
CVE-2026-3669 is an improper authorization in Freedom Factory dGEN1. This page lists the verified fix and inline mitigations.
CVE-2026-3670 is an improper authorization in Freedom Factory dGEN1. This page lists the verified fix and inline mitigations.
CVE-2026-3671 is an improper authorization in Freedom Factory dGEN1. This page lists the verified fix and inline mitigations.
CVE-2026-3672 is a SQL injection in n/a JeecgBoot. This page lists the verified fix and inline mitigations.
CVE-2026-3673 - CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Frappe. Runnable patch
CVE-2026-3674 is an improper authorization in Freedom Factory dGEN1. This page lists the verified fix and inline mitigations.
CVE-2026-3675 is an improper authorization in Freedom Factory dGEN1. This page lists the verified fix and inline mitigations.
CVE-2026-36756 - n/a in n/a. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-36757 - n/a in n/a. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-36758 - n/a in n/a. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-36759 - n/a in n/a. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-36761 - n/a in n/a. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-36763 - n/a in n/a. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-36764 - n/a in n/a. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-36766 - n/a in n/a. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-3680 is a command injection in RyuzakiShinji biome-mcp-server. This page lists the verified fix and inline mitigations.
CVE-2026-3681 is a SSRF in welovemedia FFmate. This page lists the verified fix and inline mitigations.
CVE-2026-3682 is an argument injection in welovemedia FFmate. This page lists the verified fix and inline mitigations.
CVE-2026-3683 is a SSRF in bufanyun HotGo. This page lists the verified fix and inline mitigations.
CVE-2026-3689 is a path traversal in OpenClaw. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-36906 improper neutralization of input during web page generation ('cross-site scripti in the affected product. Runnable upgrade co
CVE-2026-3691 is an information disclosure in OpenClaw. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-3693 is an improper control of resource identifiers in Shy2593666979 AgentChat. CVSS 6.9 Medium. Patch commands, mitigations, and ve
CVE-2026-3694 is a cross-site scripting (XSS) in Bold Page Builder. Verified patched version, official vendor advisory, and how to confirm t
CVE-2026-3695: SourceCodester Modern Image Gallery App delete.php path traversal in Modern Image Gallery App. Patch commands and verificatio
CVE-2026-3696: Totolink N300RH CGI cstecgi.cgi setWiFiWpsConfig os command injection in N300RH. Patch commands and verification.
CVE-2026-3697 is a stack-based buffer overflow in Planet ICG-2510. CVSS 5.3 Medium. Patch commands, mitigations, and verification.
CVE-2026-3702: SourceCodester Loan Management System index.php cross site scripting in Loan Management System. Patch commands and verificati
CVE-2026-3704 is a command injection in Wavlink NU516U1. CVSS 5.1 Medium. Patch commands, mitigations, and verification.
CVE-2026-3705: code-projects Simple Flight Ticket Booking System Adminsearch.php sql injection in Simple Flight Ticket Booking System. Patch
CVE-2026-3706: mkj Dropbear S Range Check curve25519.c unpackneg signature verification in Dropbear. Patch commands and verification.
CVE-2026-3707: MrNanko webp4j gif_decoder.c DecodeGifFromMemory integer overflow in webp4j. Patch commands and verification.
CVE-2026-3708: code-projects Simple Flight Ticket Booking System login.php sql injection in Simple Flight Ticket Booking System. Patch comma
CVE-2026-3709: code-projects Simple Flight Ticket Booking System register.php sql injection in Simple Flight Ticket Booking System. Patch co
CVE-2026-3710: code-projects Simple Flight Ticket Booking System Adminadd.php sql injection in Simple Flight Ticket Booking System. Patch co
CVE-2026-37100 is an access control in An. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-3711: code-projects Simple Flight Ticket Booking System Adminupdate.php sql injection in Simple Flight Ticket Booking System. Patch
CVE-2026-3713: pnggroup libpng pnm2png pnm2png.c do_pnm2png heap-based overflow in libpng. Patch commands and verification.
CVE-2026-3714: Improper Neutralization of Special Elements Used in a Template Engine in OpenCart. Patch commands and verification.
CVE-2026-3716: Wavlink WL-WN579X3-C adm.cgi sub_401AD4 cross site scripting in WL-WN579X3-C. Patch commands and verification.
CVE-2026-3719: Tsinghua Unigroup Electronic Archives System downLoad path traversal in Electronic Archives System. Patch commands and verifi
CVE-2026-3720: 1024-lab/lab1024 SmartAdmin Notice notice-form-drawer.vue cross site scripting in SmartAdmin. Patch commands and verification
CVE-2026-3721 is a cross site scripting in 1024-lab SmartAdmin. CVSS 5.1 Medium. Patch commands, mitigations, and verification.
CVE-2026-3723: code-projects Simple Flight Ticket Booking System Admindelete.php sql injection in Simple Flight Ticket Booking System. Patch
CVE-2026-3724: Improper Authorization in Patients Waiting Area Queue Management System. Patch commands and verification.
CVE-2026-3725: Improper Neutralization of Special Elements Used in a Template Engine in SmartAdmin. Patch commands and verification.
CVE-2026-3730: itsourcecode Free Hotel Reservation System index.php sql injection in Free Hotel Reservation System. Patch commands and verif
CVE-2026-3731: libssh SFTP Extension Name sftp.c sftp_extensions_get_data out-of-bounds in libssh. Patch commands and verification.
CVE-2026-3733: xuxueli xxl-job JobInfoController.java server-side request forgery in xxl-job. Patch commands and verification.
CVE-2026-3734: Improper Authorization in Client Database Management System. Patch commands and verification.
CVE-2026-37346 is a SQL injection in SourceCodester Payroll. This page lists verified fix commands and short-term mitigations you can run to
CVE-2026-3735 is a sql injection in Code-projects Simple Flight Ticket Booking System. CVSS 6.9 Medium. Patch commands, mitigations, and ver
CVE-2026-3736 is a sql injection in Code-projects Simple Flight Ticket Booking System. CVSS 6.9 Medium. Patch commands, mitigations, and ver
CVE-2026-3737: Improper Authorization in Pet Grooming Management Software. Patch commands and verification.
CVE-2026-3738: Improper Authorization in Pet Grooming Management Software. Patch commands and verification.
CVE-2026-3739 is an improper authentication in Suitenumerique messages. CVSS 5.3 Medium. Patch commands, mitigations, and verification.
CVE-2026-3740 is a sql injection in Itsourcecode University Management System. CVSS 6.9 Medium. Patch commands, mitigations, and verificatio
CVE-2026-3741 is a yifang cms d_friendlink.php update cross site scripting in Yifang CMS. CVSS 5.1 Medium. Patch commands, mitigations, and
CVE-2026-3742 is a yifang cms d_singlepage.php update cross site scripting in Yifang CMS. CVSS 5.1 Medium. Patch commands, mitigations, and
CVE-2026-3743: YiFang CMS D_singlePageGroup.php update cross site scripting in CMS. Patch commands and verification.
CVE-2026-3744: code-projects Student Web Portal signup.php valreg_passwdation sql injection in Student Web Portal. Patch commands and verifi
CVE-2026-3745: code-projects Student Web Portal profile.php sql injection in Student Web Portal. Patch commands and verification.
CVE-2026-37458 is an improper input validation in the affected product. Patched version, runnable upgrade commands, and how to verify the fix
CVE-2026-3746: SourceCodester Simple Responsive Tourism Website Login Login.php sql injection in Simple Responsive Tourism Website. Patch co
CVE-2026-3747: itsourcecode University Management System add_result.php sql injection in University Management System. Patch commands and ve
CVE-2026-3748: Bytedesk SVG File UploadRestController.java uploadFile unrestricted upload in Bytedesk. Patch commands and verification.
CVE-2026-3749: Bytedesk SVG File UploadRestService.java handleFileUpload unrestricted upload in Bytedesk. Patch commands and verification.
CVE-2026-3750 is a server-side request forgery in the vendor ContiNew Admin. CVSS 5.1 Medium. Patch commands, mitigations, and verification.
CVE-2026-37503 - n/a in n/a. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-37504 - n/a in n/a. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-37505 - n/a in n/a. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-3751 is a sql injection in Sourcecodester Employee Task Management System. CVSS 5.1 Medium. Patch commands, mitigations, and verifi
CVE-2026-3752 is a sql injection in Sourcecodester Employee Task Management System. CVSS 5.1 Medium. Patch commands, mitigations, and verifi
CVE-2026-3753: SourceCodester Sales and Inventory System add_sales_print.php sql injection in Sales and Inventory System. Patch commands and
CVE-2026-3754: SourceCodester Sales and Inventory System add_stock.php sql injection in Sales and Inventory System. Patch commands and verif
CVE-2026-3755 is a sql injection in Sourcecodester Sales and Inventory System. CVSS 5.3 Medium. Patch commands, mitigations, and verificatio
CVE-2026-3756: SourceCodester Sales and Inventory System check_item_details.php sql injection in Sales and Inventory System. Patch commands
CVE-2026-3757: projectworlds Online Art Gallery Shop pass sql injection in Online Art Gallery Shop. Patch commands and verification.
CVE-2026-3758: projectworlds Online Art Gallery Shop adminHome.php sql injection in Online Art Gallery Shop. Patch commands and verification
CVE-2026-3759: projectworlds Online Art Gallery Shop adminHome.php sql injection in Online Art Gallery Shop. Patch commands and verification
CVE-2026-3760: itsourcecode University Management System view_result.php sql injection in University Management System. Patch commands and v
CVE-2026-3761: Improper Authorization in Client Database Management System. Patch commands and verification.
CVE-2026-3762: Improper Authorization in Client Database Management System. Patch commands and verification.
CVE-2026-3763: Cross Site Scripting in Simple Flight Ticket Booking System. Patch commands and verification.
CVE-2026-3764: Improper Authorization in Client Database Management System. Patch commands and verification.
CVE-2026-3765: itsourcecode University Management System att_single_view.php sql injection in University Management System. Patch commands a
CVE-2026-3766: Cross Site Scripting in Web-based Pharmacy Product Management System. Patch commands and verification.
CVE-2026-3767 is a sql injection in Itsourcecode sanitize or validate this input. CVSS 5.3 Medium. Patch commands, mitigations, and verifica
CVE-2026-3770: SourceCodester Computer Laboratory Management System cross-site request forgery in Computer Laboratory Management System. Pat
CVE-2026-3771: SourceCodester/janobe Resort Reservation System accomodation.php sql injection in Resort Reservation System. Patch commands a
CVE-2026-3773 is a SQL injection in Accessibility Suite by Ability, Inc. This page lists verified fix commands and short-term mitigations yo
CVE-2026-3774: Self-Modifications Affecting Altered Printing and Redaction in Foxit PDF Editor in Foxit PDF Editor. Patch commands and verif
CVE-2026-37750 - n/a in n/a. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-3776: bundle sibling of CVE-2026-3774. Same patched build closes both.
CVE-2026-3777: bundle sibling of CVE-2026-3774. Same patched build closes both.
CVE-2026-3778: bundle sibling of CVE-2026-3774. Same patched build closes both.
CVE-2026-3781: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Attendance Manager. Patch commands an
CVE-2026-3783 is a token leak with redirect and netrc in curl. CVSS 5.3 Medium. Patch commands, mitigations, and verification.
CVE-2026-3784 is a wrong proxy connection reuse with credentials in curl. CVSS 6.5 Medium. Patch commands, mitigations, and verification.
CVE-2026-3785: EasyCMS Request Parameter RbacnodeAction.class.php sql injection in EasyCMS. Patch commands and verification.
CVE-2026-3786: EasyCMS Request Parameter RbacuserAction.class.php sql injection in EasyCMS. Patch commands and verification.
CVE-2026-3788 is a server-side request forgery in the vendor Bytedesk. CVSS 5.3 Medium. Patch commands, mitigations, and verification.
CVE-2026-3789 is a server-side request forgery in the vendor Bytedesk. CVSS 5.3 Medium. Patch commands, mitigations, and verification.
CVE-2026-3790 is a sql injection in Sourcecodester Sales and Inventory System. CVSS 5.3 Medium. Patch commands, mitigations, and verificatio
CVE-2026-3791: SourceCodester Sales and Inventory System Search dashboard.php sql injection in Sales and Inventory System. Patch commands an
CVE-2026-3792 is a sql injection in Sourcecodester Sales and Inventory System. CVSS 5.3 Medium. Patch commands, mitigations, and verificatio
CVE-2026-3793 is a sql injection in Sourcecodester Sales and Inventory System. CVSS 5.3 Medium. Patch commands, mitigations, and verificatio
CVE-2026-3794: doramart DoraCMS Email API send improper authentication in DoraCMS. Patch commands and verification.
CVE-2026-3795: doramart DoraCMS v1.js createFileBypath path traversal in DoraCMS. Patch commands and verification.
CVE-2026-3796 is an improper access controls in Qi-anxin QAX Virus Removal. CVSS 4.8 Medium. Patch commands, mitigations, and verification.
CVE-2026-3797 is an unrestricted upload in Tiandy Video Surveillance System 视频监控平台. CVSS 5.3 Medium. Patch commands, mitigations, and verific
CVE-2026-37978: an insecure direct object reference (IDOR) in Red Hat build of Keycloak 26.4. Patched version and vendor advisory inside.
CVE-2026-37979 is a vulnerability in Red Hat build of Keycloak 26.4. Verified patched version, official vendor advisory, and how to confirm
CVE-2026-3798: Comfast CF-AC100 Request Path mbox-config sub_44AC14 command injection in CF-AC100. Patch commands and verification.
CVE-2026-37980 is a cross-site scripting in Red Hat Build of Keycloak. This page lists verified fix commands and short-term mitigations you
CVE-2026-37981: a path traversal in Red Hat build of Keycloak 26.4. Patched version and vendor advisory inside.
CVE-2026-37982 is a vulnerability in Red Hat build of Keycloak 26.4. Verified patched version, official vendor advisory, and how to confirm
CVE-2026-3800 is an unrestricted upload in Sourcecodester Resort Reservation System. CVSS 5.3 Medium. Patch commands, mitigations, and verifi
CVE-2026-3806: SourceCodester/janobe Resort Reservation System room_rates.php sql injection in Resort Reservation System. Patch commands and
CVE-2026-3812 is a cross site scripting in Itsourcecode Payroll Management System. CVSS 5.3 Medium. Patch commands, mitigations, and verific
CVE-2026-3813 is an opencc jflow wf_ccform.java calculate injection in Opencc JFlow. CVSS 5.3 Medium. Patch commands, mitigations, and verifi
CVE-2026-3816 is a denial of service in Owasp DefectDojo. CVSS 5.3 Medium. Patch commands, mitigations, and verification.
CVE-2026-3817: Improper Authorization in Patients Waiting Area Queue Management System. Patch commands and verification.
CVE-2026-3818: Tiandy Easy7 CMS Windows GetDBData.jsp sql injection in Easy7 CMS Windows. Patch commands and verification.
CVE-2026-3819 is a cross site scripting in Sourcecodester Resort Reservation System. CVSS 5.1 Medium. Patch commands, mitigations, and verif
CVE-2026-3824 is a wellchoose|iftop - open redirect in Wellchoose IFTOP. CVSS 5.1 Medium. Patch commands, mitigations, and verification.
CVE-2026-3825 is a wellchoose|iftop - reflected cross-site scripting in Wellchoose IFTOP. CVSS 5.1 Medium. Patch commands, mitigations, and
CVE-2026-3829: a missing authorization in WP Encryption – One Click Free SSL Certi. Patched version and vendor advisory inside.
CVE-2026-3831: Missing Authorization in Database for Contact Form 7, WPforms, Elementor forms. Patch commands and verification.
CVE-2026-3833 - Improper Handling of Case Sensitivity in the affected product. Runnable patch commands, mitigation, and verification on this
CVE-2026-3837 - CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Frappe. Runnable patch
CVE-2026-38432 improper neutralization of input during web page generation ('cross-site scripti in the affected product. Runnable upgrade co
CVE-2026-3846: Same-origin policy bypass in the CSS Parsing and Computation component in Firefox. Patch commands and verification.
CVE-2026-3848: Improper Neutralization of CRLF Sequences ('CRLF Injection') in GitLab in GitLab. Patch commands and verification.
CVE-2026-3849: Buffer Overflow in HPKE via Oversized ECH Config in wolfSSL. Patch commands and verification.
CVE-2026-38533 is an improper authorization in An. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-3856: IBM Db2 Recovery Expert Missing Integrity Check in Db2 Recovery Expert. Patch commands and verification.
CVE-2026-38569 improper neutralization of input during web page generation ('cross-site scripti in the affected product. Runnable upgrade co
CVE-2026-3862: Cross-Site Scripting Vulnerability in SiteMinder Administrative UI in SiteMinder. Patch commands and verification.
CVE-2026-3864 is a cwe-22 path traversal in Kubernetes CSI Driver for NFS. CVSS 6.5 Medium. Patch commands, mitigations, and verification.
CVE-2026-38669 improper neutralization of input during web page generation ('cross-site scripti in the affected product. Runnable upgrade co
CVE-2026-3867 - CWE-282: Improper Ownership Management in EDR-8010 Series. Runnable patch commands, mitigation, and verification on this pag
CVE-2026-38743 - CWE-1220: Insufficient Granularity of Access Control in Apache Airflow. Runnable patch commands, mitigation, and verificati
CVE-2026-3875 is a cross-site scripting in BetterDocs – Knowledge Base Docs & FAQ Solution for Elementor & Block Editor. This page lists ver
CVE-2026-3878 is a cross-site scripting in WP Docs. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-3881: Performance Monitor <= 1.0.6 - Unauthenticated Blind SSRF in Performance Monitor. Patch commands and verification.
CVE-2026-3884 is a cross-site scripting (xss) in the vendor spin.js. CVSS 6.1 Medium. Patch commands, mitigations, and verification.
CVE-2026-3885 is a cross-site scripting in WP Shortcodes Plugin, Shortcodes Ultimate. This page lists verified fix commands and short-term m
CVE-2026-38935 - n/a in n/a. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-38936 - n/a in n/a. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-38939 - n/a in n/a. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-38940 - n/a in n/a. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-38947 improper neutralization of input during web page generation ('cross-site scripti in the affected product. Runnable upgrade co
CVE-2026-38948 - n/a in n/a. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-38993 - n/a in n/a. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-3903: Modular Connector <= 2.5.1 - Cross-Site Request Forgery via postConfirmOauth in Modular DS: Monitor, update, and backup multi
CVE-2026-3904 is a cwe-366 race condition within a thread in the Gnu C Library glibc. CVSS 6.2 Medium. Patch commands, mitigations, and veri
CVE-2026-3906 is a cwe-862 missing authorization in Wordpress Foundation WordPress. CVSS 4.3 Medium. Patch commands, mitigations, and verifi
CVE-2026-39103 is a heap-based buffer overflow in the affected product. Patched version, runnable upgrade commands, and how to verify the fi
CVE-2026-39112 is a cross-site scripting in Java. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-3925 is an incorrect security ui in Google Chrome. CVSS 4.3 Medium. Patch commands, mitigations, and verification.
CVE-2026-3927 is an incorrect security ui in Google Chrome. CVSS 4.3 Medium. Patch commands, mitigations, and verification.
CVE-2026-3928 is an insufficient policy enforcement in Google Chrome. CVSS 4.3 Medium. Patch commands, mitigations, and verification.
CVE-2026-3930 is an unsafe navigation in Google Chrome. CVSS 6.5 Medium. Patch commands, mitigations, and verification.
CVE-2026-39309 is a vulnerability in Trilium. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-39311 is a cross-site scripting (XSS) in Trilium. Verified patched version, official vendor advisory, and how to confirm the fix la
CVE-2026-39314 is a cwe-191: integer underflow (wrap or wraparound) in Openprinting cups, fixed by the same patch as CVE-2026-27447.
CVE-2026-39315 is a cwe-184: incomplete list of disallowed inputs in unhead. This page lists verified fix commands and short-term mitigation
CVE-2026-39316 is a cwe-416: use after free in Openprinting cups, fixed by the same patch as CVE-2026-27447.
CVE-2026-3932 is an insufficient policy enforcement in Google Chrome. CVSS 6.5 Medium. Patch commands, mitigations, and verification.
CVE-2026-39321: bundle sibling of CVE-2026-34215. Same patched build closes both.
CVE-2026-39335: bundle sibling of CVE-2026-35534. Same patched build closes both.
CVE-2026-39336 is a churchcrm has stored xss from unescaped config values in html attributes in Churchcrm CRM, fixed by the same patch as CV
CVE-2026-3934 is an insufficient policy enforcement in Google Chrome. CVSS 6.5 Medium. Patch commands, mitigations, and verification.
CVE-2026-39345: OrangeHRM Affected by Arbitrary File Read via Path Traversal in Email Template Loader in orangehrm. Patch commands and verif
CVE-2026-39346 is a cwe-284: improper access control in orangehrm, fixed by the same patch as CVE-2026-39345.
CVE-2026-39347: bundle sibling of CVE-2026-39345. Same patched build closes both.
CVE-2026-39348 is a cwe-862: missing authorization in orangehrm, fixed by the same patch as CVE-2026-39345.
CVE-2026-3935 is an incorrect security ui in Google Chrome. CVSS 4.3 Medium. Patch commands, mitigations, and verification.
CVE-2026-39350 is a cwe-185: incorrect regular expression in istio. This page lists verified fix commands and short-term mitigations you can
CVE-2026-39351 is a frappe allows unrestricted doctype access via api exploit in frappe. CVSS 6.9 Medium. Patch commands, mitigations, and v
CVE-2026-39354: CWE-639: Authorization Bypass Through User-Controlled Key in scoold. Patch commands and verification.
CVE-2026-39360 is a cwe-862: missing authorization in rustfs. CVSS 5.3 Medium. Patch commands, mitigations, and verification.
CVE-2026-39362 is a cwe-918: server-side request forgery (ssrf) in InvenTree, fixed by the same patch as CVE-2026-35476.
CVE-2026-39365 is a vite has a path traversal in optimized deps `.map` handling in Vitejs vite, fixed by the same patch as CVE-2026-39363.
CVE-2026-39366 is a cwe-345: insufficient verification of data authenticity in Wwbn AVideo, fixed by the same patch as CVE-2026-34394.
CVE-2026-39367: bundle sibling of CVE-2026-34394. Same patched build closes both.
CVE-2026-39368 is a cwe-918: server-side request forgery (ssrf) in Wwbn AVideo, fixed by the same patch as CVE-2026-34394.
CVE-2026-3937 is an incorrect security ui in Google Chrome. CVSS 6.5 Medium. Patch commands, mitigations, and verification.
CVE-2026-39373 is a jwcrypto: jwe zip decompression bomb in Latchset jwcrypto. CVSS 5.3 Medium. Patch commands, mitigations, and verificatio
CVE-2026-39374: Plane IDOR: Cross-Project Issue Date Modification via Bulk Update Endpoint in plane. Patch commands and verification.
CVE-2026-39377 is a path traversal in nbconvert. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-39378 is a path traversal in nbconvert. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-3938 is an insufficient policy enforcement in Google Chrome. CVSS 6.5 Medium. Patch commands, mitigations, and verification.
CVE-2026-39380: Open Source Point of Sale has Stored XSS in Stock Location (Configuration) in opensourcepos. Patch commands and verification
CVE-2026-39381: bundle sibling of CVE-2026-34215. Same patched build closes both.
CVE-2026-39383 is a server-side request forgery (ssrf) in gotenberg. Patched version, runnable upgrade commands, and how to verify the fix l
CVE-2026-39389 is a cwe-285: improper authorization in Ci4-cms-erp ci4ms, fixed by the same patch as CVE-2026-34559.
CVE-2026-3939 is an insufficient policy enforcement in Google Chrome. CVSS 6.5 Medium. Patch commands, mitigations, and verification.
CVE-2026-39390: bundle sibling of CVE-2026-34559. Same patched build closes both.
CVE-2026-39391 is a ci4ms has stored xss via unescaped blacklist note in admin user list in Ci4-cms-erp ci4ms, fixed by the same patch as CV
CVE-2026-39392: bundle sibling of CVE-2026-34559. Same patched build closes both.
CVE-2026-39395: Cosign's verify-blob-attestation reports false positive when payload parsing fails in cosign. Patch commands and verificatio
CVE-2026-3940 is an insufficient policy enforcement in Google Chrome. CVSS 4.3 Medium. Patch commands, mitigations, and verification.
CVE-2026-39400 is a stored xss via job html/table output in cronicle in Jhuckaby Cronicle. CVSS 5.3 Medium. Patch commands, mitigations, and
CVE-2026-39401: Privilege Escalation via update_event Job Output in Cronicle in Cronicle. Patch commands and verification.
CVE-2026-39402 is an incorrect authorization in lxc. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-39406: @hono/node-server has a middleware bypass via repeated slashes in serveStatic in node-server. Patch commands and verificatio
CVE-2026-39407: Hono has a middleware bypass via repeated slashes in serveStatic in hono. Patch commands and verification.
CVE-2026-39408: bundle sibling of CVE-2026-39407. Same patched build closes both.
CVE-2026-39409: bundle sibling of CVE-2026-39407. Same patched build closes both.
CVE-2026-3941 is an insufficient policy enforcement in Google Chrome. CVSS 4.3 Medium. Patch commands, mitigations, and verification.
CVE-2026-39410: bundle sibling of CVE-2026-39407. Same patched build closes both.
CVE-2026-39411 is a cwe-287: improper authentication in lobehub. CVSS 5 Medium. Patch commands, mitigations, and verification.
CVE-2026-39412 is a cwe-200: exposure of sensitive information to an unauthorized actor in Harttle liquidjs, fixed by the same patch as CVE-
CVE-2026-39413: LightRAG has a JWT Algorithm Confusion Vulnerability in LightRAG API in LightRAG. Patch commands and verification.
CVE-2026-39415: Frappe Learning Management System has Client-Side Manipulation of Quiz Scores in lms. Patch commands and verification.
CVE-2026-39417 is an OS command injection in MaxKB. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-39418 is a server-side request forgery in MaxKB. This page lists verified fix commands and short-term mitigations you can run today
CVE-2026-3942 is an incorrect security ui in Google Chrome. CVSS 4.3 Medium. Patch commands, mitigations, and verification.
CVE-2026-39420 is a protection mechanism failure in MaxKB. This page lists verified fix commands and short-term mitigations you can run toda
CVE-2026-39421 is a protection mechanism failure in MaxKB. This page lists verified fix commands and short-term mitigations you can run toda
CVE-2026-39422 is a cross-site scripting in MaxKB. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-39423 is a cross-site scripting in MaxKB. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-39424 is a vulnerability in MaxKB. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-39425 is a vulnerability in MaxKB. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-39426 is a cross-site scripting in MaxKB. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-39428 is a cross-site scripting (XSS) in v6. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-3943: H3C ACG1000-AK230 aaa_portal_auth_local_submit command injection in ACG1000-AK230. Patch commands and verification.
CVE-2026-3944: itsourcecode University Management System att_add.php sql injection in University Management System. Patch commands and verif
CVE-2026-3946 is a phpems index.php cross site scripting in the vendor PHPEMS. CVSS 5.1 Medium. Patch commands, mitigations, and verificatio
CVE-2026-39464: Server-Side Request Forgery (SSRF) in Coming Soon Page, Under Construction & Maintenance Mode by SeedProd. Patch commands an
CVE-2026-39469: WordPress PageLayer plugin <= 2.0.8 - Sensitive Data Exposure in PageLayer. Patch commands and verification.
CVE-2026-39473: WordPress Simple History plugin <= 5.24.0 - Sensitive Data Exposure in Simple History. Patch commands and verification.
CVE-2026-39476: WordPress User Feedback plugin <= 1.10.1 - Broken Access Control in User Feedback. Patch commands and verification.
CVE-2026-39477: WordPress CartFlows plugin <= 2.2.3 - Broken Access Control in CartFlows. Patch commands and verification.
CVE-2026-39482: WordPress Post Expirator plugin <= 4.9.4 - Cross Site Scripting (XSS) in Post Expirator. Patch commands and verification.
CVE-2026-39483: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in VK All in One Expansion Unit. Patch
CVE-2026-39484: WordPress Hide My WP Ghost plugin < 7.0.00 - Open Redirection in Hide My WP Ghost. Patch commands and verification.
CVE-2026-39485: WordPress Youtube Embed Plus plugin <= 14.2.4 - Broken Access Control in Youtube Embed Plus. Patch commands and verification
CVE-2026-39488 is a wordpress surecart plugin <= 4.0.2 - broken access control in SureCart. CVSS 6.5 Medium. Patch commands, mitigations, an
CVE-2026-3949: strukturag libheif HEIF File decoder_vvdec.cc vvdec_push_data2 out-of-bounds in libheif. Patch commands and verification.
CVE-2026-3950: strukturag libheif stsz/stts track.cc load out-of-bounds in libheif. Patch commands and verification.
CVE-2026-39500: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in themesflat-addons-for-elementor. Pat
CVE-2026-39501: WordPress FOX plugin <= 1.4.5 - Broken Access Control in FOX. Patch commands and verification.
CVE-2026-39504: WordPress InstaWP Connect plugin <= 0.1.2.5 - Broken Access Control in InstaWP Connect. Patch commands and verification.
CVE-2026-39505 is a missing authorization in Craig Hewitt Seriously Simple Podcasting. CVSS 5.3 Medium. Patch commands, mitigations, and ver
CVE-2026-39506: WordPress AI Engine (Pro) plugin < 3.4.2 - Broken Access Control in AI Engine (Pro). Patch commands and verification.
CVE-2026-39508: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Advanced Coupons for WooCommerce Cou
CVE-2026-39509: WordPress Directorist plugin <= 8.5.10 - Broken Access Control in Directorist. Patch commands and verification.
CVE-2026-3951 is a cross site scripting in Lockerproject Locker. CVSS 5.3 Medium. Patch commands, mitigations, and verification.
CVE-2026-39516: WordPress Nexter Blocks plugin <= 4.7.0 - Sensitive Data Exposure in Nexter Blocks. Patch commands and verification.
CVE-2026-39517: WordPress Blog Filter plugin <= 1.7.6 - Cross Site Scripting (XSS) in Blog Filter. Patch commands and verification.
CVE-2026-39520: WordPress weDocs plugin <= 2.1.18 - Broken Access Control in weDocs. Patch commands and verification.
CVE-2026-39521 is a server-side request forgery (ssrf) in Nelio Software Nelio Content. CVSS 4.9 Medium. Patch commands, mitigations, and ve
CVE-2026-39526 is an authorization bypass through user-controlled key in WpStream. CVSS 5.4 Medium. Patch commands, mitigations, and verifica
CVE-2026-39528: WordPress WP Delicious plugin <= 1.9.5 - Broken Access Control in WP Delicious. Patch commands and verification.
CVE-2026-39535: WordPress Display Eventbrite Events plugin <= 6.5.6 - Broken Access Control in Display Eventbrite Events. Patch commands and
CVE-2026-39536: Exposure of Sensitive System Information to an Unauthorized Control Sphere in RSVP and Event Management. Patch commands and
CVE-2026-3954 is an openbmb xagent workspace.py workspace path traversal in Openbmb XAgent. CVSS 6.9 Medium. Patch commands, mitigations, and
CVE-2026-39541: WordPress Hydra Booking plugin <= 1.1.38 - Cross Site Scripting (XSS) in Hydra Booking. Patch commands and verification.
CVE-2026-39542: Insertion of Sensitive Information Into Sent Data in Doofinder for WooCommerce. Patch commands and verification.
CVE-2026-39543: WordPress Tourfic plugin <= 2.21.4 - Broken Access Control in Tourfic. Patch commands and verification.
CVE-2026-3955: elecV2P jsfile Endpoint wbjs.js runJSFile code injection in elecV2P. Patch commands and verification.
CVE-2026-3956 is a sql injection in Xierongwkhd weimai-wetapp. CVSS 5.1 Medium. Patch commands, mitigations, and verification.
CVE-2026-39561: WordPress Revive.so plugin <= 2.0.7 - Broken Access Control in Revive.so. Patch commands and verification.
CVE-2026-39562 is a missing authorization in Boldgrid Client Invoicing by Sprout Invoices. CVSS 5.3 Medium. Patch commands, mitigations, and
CVE-2026-39563: WordPress Share This Image plugin <= 2.12 - Broken Access Control in Share This Image. Patch commands and verification.
CVE-2026-39564: WordPress Sunshine Photo Cart plugin < 3.6.2 - Sensitive Data Exposure in Sunshine Photo Cart. Patch commands and verificati
CVE-2026-39565: WordPress WpTravelly plugin <= 2.1.7 - Broken Access Control in WpTravelly. Patch commands and verification.
CVE-2026-39566: WordPress DirectoryPress plugin <= 3.6.26 - Sensitive Data Exposure in DirectoryPress. Patch commands and verification.
CVE-2026-39569: WordPress 12 Step Meeting List plugin <= 3.19.9 - Broken Access Control in 12 Step Meeting List. Patch commands and verifica
CVE-2026-3957 is a sql injection in Xierongwkhd weimai-wetapp. CVSS 5.1 Medium. Patch commands, mitigations, and verification.
CVE-2026-39570: WordPress 12 Step Meeting List plugin <= 3.19.9 - Sensitive Data Exposure in 12 Step Meeting List. Patch commands and verifi
CVE-2026-39571: WordPress Instantio plugin <= 3.3.30 - Sensitive Data Exposure in Instantio. Patch commands and verification.
CVE-2026-39572: Exposure of Sensitive System Information to an Unauthorized Control Sphere in Bus Ticket Booking with Seat Reservation. Patc
CVE-2026-39575: WordPress Custom Query Blocks plugin <= 5.5.0 - Cross Site Scripting (XSS) in Custom Query Blocks. Patch commands and verifi
CVE-2026-3958: Woahai321 ListSync JSON api_server.py requests.post server-side request forgery in ListSync. Patch commands and verification.
CVE-2026-39585: WordPress Booktics plugin <= 1.0.16 - Broken Access Control in Booktics. Patch commands and verification.
CVE-2026-39586: WordPress RepairBuddy plugin <= 4.1132 - Sensitive Data Exposure in RepairBuddy. Patch commands and verification.
CVE-2026-39588 is a missing authorization in Nmerii NM Gift Registry and Wishlist Lite. CVSS 5.3 Medium. Patch commands, mitigations, and ve
CVE-2026-3959: 0xKoda WireMCP Tshark CLI index.js server.tool os command injection in WireMCP. Patch commands and verification.
CVE-2026-39592: WordPress DEPART plugin <= 1.0.7 - Broken Access Control in DEPART. Patch commands and verification.
CVE-2026-39593 is a missing authorization in HAPPY. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-3960 - CWE-94 Improper Control of Generation of Code in h2oai/h2o-3. Runnable patch commands, mitigation, and verification on this
CVE-2026-39602: WordPress Order Tracking plugin <= 3.4.3 - Broken Access Control in Order Tracking. Patch commands and verification.
CVE-2026-39603 is a cross-site request forgery (csrf) in Themegoods Grand Photography. CVSS 5.4 Medium. Patch commands, mitigations, and ver
CVE-2026-39604: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in MyBookTable Bookstore. Patch command
CVE-2026-39605: WordPress Super Custom Login plugin <= 1.1 - Broken Access Control in Super Custom Login. Patch commands and verification.
CVE-2026-39606: WordPress BizReview plugin <= 1.5.13 - Broken Access Control in BizReview. Patch commands and verification.
CVE-2026-39607: WordPress Filter Plus plugin <= 1.1.17 - Broken Access Control in Filter Plus. Patch commands and verification.
CVE-2026-39608: WordPress iPOSpays Gateways WC plugin <= 1.3.7 - Broken Access Control in iPOSpays Gateways WC. Patch commands and verificat
CVE-2026-39609: WordPress Wava Payment plugin <= 0.3.7 - Broken Access Control in Wava Payment. Patch commands and verification.
CVE-2026-3961 is a server-side request forgery in Zyddnys manga-image-translator. CVSS 5.3 Medium. Patch commands, mitigations, and verifica
CVE-2026-39610: WordPress WpXmas-Snow plugin <= 1.1 - Broken Access Control in WpXmas-Snow. Patch commands and verification.
CVE-2026-39612: WordPress KuteShop theme <= 4.2.9 - Arbitrary Shortcode Execution in KuteShop. Patch commands and verification.
CVE-2026-39614: WordPress JW Player for WordPress plugin <= 2.3.6 - Broken Access Control in JW Player for WordPress. Patch commands and ver
CVE-2026-39615: WordPress Download Manager plugin <= 3.3.53 - Cross Site Scripting (XSS) in Download Manager. Patch commands and verificatio
CVE-2026-39616: Authorization Bypass Through User-Controlled Key in Download Attachments. Patch commands and verification.
CVE-2026-39618: WordPress NewsExo theme <= 7.1 - Cross Site Request Forgery (CSRF) in NewsExo. Patch commands and verification.
CVE-2026-3962 is a cross site scripting in Jcharis Machine-Learning-Web-Apps. CVSS 5.3 Medium. Patch commands, mitigations, and verification
CVE-2026-39622: WordPress Education Base theme <= 3.0.8 - Broken Access Control in Education Base. Patch commands and verification.
CVE-2026-39624: WordPress Biolife theme <= 3.2.3 - Arbitrary Shortcode Execution in Biolife. Patch commands and verification.
CVE-2026-39625: WordPress TechOne theme <= 3.0.3 - Arbitrary Shortcode Execution in TechOne. Patch commands and verification.
CVE-2026-39626: WordPress Armania theme <= 1.4.8 - Arbitrary Shortcode Execution in Armania. Patch commands and verification.
CVE-2026-39627 is a wordpress ashe theme <= 2.266 - broken access control in Wproyal Ashe. CVSS 4.3 Medium. Patch commands, mitigations, and
CVE-2026-39628: WordPress DukaMarket theme <= 1.3.0 - Arbitrary Shortcode Execution in DukaMarket. Patch commands and verification.
CVE-2026-39629: WordPress Uminex theme <= 1.0.9 - Arbitrary Shortcode Execution in Uminex. Patch commands and verification.
CVE-2026-3963 is a use of hard-coded cryptographic key in Perfree go-fastdfs-web. CVSS 6.3 Medium. Patch commands, mitigations, and verifica
CVE-2026-39630: WordPress Getty Images plugin <= 4.1.0 - Server Side Request Forgery (SSRF) in Getty Images. Patch commands and verification
CVE-2026-39631: WordPress WPSchoolPress plugin <= 2.2.35 - Broken Access Control in WPSchoolPress. Patch commands and verification.
CVE-2026-39632: WordPress Grand Blog theme <= 3.1 - Cross Site Request Forgery (CSRF) in Grand Blog. Patch commands and verification.
CVE-2026-39633 is a cross-site request forgery (csrf) in Themegoods Grand Car Rental. CVSS 6.5 Medium. Patch commands, mitigations, and veri
CVE-2026-39634: WordPress Grand Portfolio theme <= 3.3 - Cross Site Request Forgery (CSRF) in Grand Portfolio. Patch commands and verificati
CVE-2026-39635: WordPress Grand Magazine theme <= 3.5.5 - Cross Site Request Forgery (CSRF) in Grand Magazine. Patch commands and verificati
CVE-2026-39636: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Livemesh Addons for Elementor. Patch
CVE-2026-39637: WordPress Mogi theme <= 1.2.3 - Arbitrary Shortcode Execution in Mogi. Patch commands and verification.
CVE-2026-39638: WordPress Qubely plugin <= 1.8.14 - Cross Site Scripting (XSS) in Qubely. Patch commands and verification.
CVE-2026-39639: WordPress RPS Include Content plugin <= 1.2.2 - Broken Access Control in RPS Include Content. Patch commands and verificatio
CVE-2026-3964: OpenAkita Chat API Endpoint shell.py run os command injection in OpenAkita. Patch commands and verification.
CVE-2026-39641: WordPress Blackfyre theme <= 2.5.4 - Cross Site Request Forgery (CSRF) in Blackfyre. Patch commands and verification.
CVE-2026-39643 is a missing authorization in Payment Plugins for PayPal WooCommerce. CVSS 5.3 Medium. Patch commands, mitigations, and verif
CVE-2026-39644: WordPress Wp Ultimate Review plugin <= 2.3.8 - Broken Access Control in Wp Ultimate Review. Patch commands and verification.
CVE-2026-39645: Server-Side Request Forgery (SSRF) in GlobalPayments WooCommerce. Patch commands and verification.
CVE-2026-39646: WordPress Leaflet Map plugin <= 3.4.4 - Cross Site Scripting (XSS) in Leaflet Map. Patch commands and verification.
CVE-2026-39647: Server-Side Request Forgery (SSRF) in MP3 Audio Player for Music, Radio & Podcast by Sonaar. Patch commands and verification
CVE-2026-39648: WordPress Cream Blog theme <= 2.1.7 - Broken Access Control in Cream Blog. Patch commands and verification.
CVE-2026-39649: WordPress Royale News theme <= 2.2.4 - Broken Access Control in Royale News. Patch commands and verification.
CVE-2026-3965 is a whyour qinglong api express.ts protection mechanism in Whyour qinglong. CVSS 5.3 Medium. Patch commands, mitigations, and
CVE-2026-39650: WordPress UnitechPay plugin <= 1.0.2 - Broken Access Control in UnitechPay. Patch commands and verification.
CVE-2026-39651: WordPress Total Poll Lite plugin <= 4.12.0 - Broken Access Control in Total Poll Lite. Patch commands and verification.
CVE-2026-39652: WordPress iGMS Direct Booking plugin <= 1.3 - Broken Access Control in iGMS Direct Booking. Patch commands and verification.
CVE-2026-39653: Missing Authorization in Video Conferencing with Zoom. Patch commands and verification.
CVE-2026-39654: WordPress WP Simple HTML Sitemap plugin <= 3.8 - Cross Site Scripting (XSS) in WP Simple HTML Sitemap. Patch commands and ve
CVE-2026-39656: WordPress Razorpay for WooCommerce plugin <= 4.8.2 - Broken Access Control in Razorpay for WooCommerce. Patch commands and v
CVE-2026-39657: WordPress leadlovers forms plugin <= 1.0.2 - Broken Access Control in leadlovers forms. Patch commands and verification.
CVE-2026-39658 is a missing authorization in Coding Panda Panda Pods Repeater Field. CVSS 5.3 Medium. Patch commands, mitigations, and verif
CVE-2026-3966 is a server-side request forgery in 648540858 wvp-GB28181-pro. CVSS 5.3 Medium. Patch commands, mitigations, and verification.
CVE-2026-39662: Missing Authorization in Product Price by Formula for WooCommerce. Patch commands and verification.
CVE-2026-39663: WordPress TrueBooker plugin <= 1.1.5 - Broken Access Control in TrueBooker. Patch commands and verification.
CVE-2026-39664: WordPress Leadrebel plugin <= 1.0.2 - Broken Access Control in Leadrebel. Patch commands and verification.
CVE-2026-39665: WordPress SEO Friendly Images plugin <= 3.0.5 - Cross Site Scripting (XSS) in SEO Friendly Images. Patch commands and verifi
CVE-2026-39666: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Hello Bar Popup Builder. Patch comma
CVE-2026-39667: WordPress Korea SNS plugin <= 1.7.0 - Cross Site Scripting (XSS) in Korea SNS. Patch commands and verification.
CVE-2026-39668 is a missing authorization in G5theme Book Previewer for Woocommerce. CVSS 5.3 Medium. Patch commands, mitigations, and verif
CVE-2026-39669: WordPress NitroPack plugin <= 1.19.3 - Broken Access Control in NitroPack. Patch commands and verification.
CVE-2026-3967 is a deserialization in Alfresco Activiti. CVSS 5.3 Medium. Patch commands, mitigations, and verification.
CVE-2026-39670 is a server-side request forgery (ssrf) in Brecht Visual Link Preview. CVSS 6 Medium. Patch commands, mitigations, and verifi
CVE-2026-39672 is a missing authorization in ShipTime: Discounted Shipping Rates. CVSS 5.3 Medium. Patch commands, mitigations, and verifica
CVE-2026-39673: WordPress iZooto plugin <= 3.7.20 - Broken Access Control in iZooto. Patch commands and verification.
CVE-2026-39674: WordPress MK Google Directions plugin <= 3.1.1 - Cross Site Scripting (XSS) in MK Google Directions. Patch commands and veri
CVE-2026-39675: WordPress Court Reservation plugin <= 1.10.11 - Broken Access Control in Court Reservation. Patch commands and verification.
CVE-2026-39676: WordPress Download Manager plugin <= 3.3.52 - Broken Access Control in Download Manager. Patch commands and verification.
CVE-2026-39678 is a missing authorization in Dotonpaper Pinpoint Booking System. CVSS 5.3 Medium. Patch commands, mitigations, and verificat
CVE-2026-3968 is a code injection in Autohomecorp frostmourne. CVSS 5.3 Medium. Patch commands, mitigations, and verification.
CVE-2026-39680: WordPress Diet Calorie Calculator plugin <= 1.1.1 - Broken Access Control in Diet Calorie Calculator. Patch commands and ver
CVE-2026-39682: WordPress linkPizza-Manager plugin <= 5.5.5 - Broken Access Control in linkPizza-Manager. Patch commands and verification.
CVE-2026-39683: WordPress Garden Gnome Package plugin <= 2.4.1 - Cross Site Scripting (XSS) in Garden Gnome Package. Patch commands and veri
CVE-2026-39685: WordPress The Moneytizer plugin <= 10.0.10 - Broken Access Control in The Moneytizer. Patch commands and verification.
CVE-2026-39686: WordPress BSK PDF Manager plugin <= 3.7.2 - Sensitive Data Exposure in BSK PDF Manager. Patch commands and verification.
CVE-2026-39687 is a missing authorization in Rapid Car Check Vehicle Data. CVSS 5.3 Medium. Patch commands, mitigations, and verification.
CVE-2026-39688: WordPress WP Frontend Profile plugin <= 1.3.9 - Broken Access Control in WP Frontend Profile. Patch commands and verificatio
CVE-2026-39689: WordPress eShipper Commerce plugin <= 2.16.12 - Broken Access Control in eShipper Commerce. Patch commands and verification.
CVE-2026-3969: FeMiner wms Basic Organizational Structure depart_add_bg.php sql injection in wms. Patch commands and verification.
CVE-2026-39690 is a missing authorization in Paul Bearne Author Avatars List/Block. CVSS 5.3 Medium. Patch commands, mitigations, and verifi
CVE-2026-39691: Missing Authorization in Cryptocurrency Donation Box – Bitcoin & Crypto Donations. Patch commands and verification.
CVE-2026-39692: WordPress tagDiv Composer plugin <= 5.4.3 - Cross Site Scripting (XSS) in tagDiv Composer. Patch commands and verification.
CVE-2026-39693: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in FSM Custom Featured Image Caption. P
CVE-2026-39694 is a missing authorization in Nsquared Simply Schedule Appointments. CVSS 5.3 Medium. Patch commands, mitigations, and verifi
CVE-2026-39695: WordPress Podigee plugin <= 1.4.0 - Server Side Request Forgery (SSRF) in Podigee. Patch commands and verification.
CVE-2026-39696: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Elfsight WhatsApp Chat CC. Patch com
CVE-2026-39697: Missing Authorization in MAIO – The new AI GEO / SEO tool. Patch commands and verification.
CVE-2026-39698 is a missing authorization in Publisherdesk The Publisher Desk ads.txt. CVSS 5.3 Medium. Patch commands, mitigations, and ver
CVE-2026-39699: WordPress AI Workflow Automation plugin <= 1.4.2 - Broken Access Control in AI Workflow Automation. Patch commands and verif
CVE-2026-39700: WordPress WowOptin plugin <= 1.4.32 - Broken Access Control in WowOptin. Patch commands and verification.
CVE-2026-39701: WordPress ShopWP plugin <= 5.2.4 - Broken Access Control in ShopWP. Patch commands and verification.
CVE-2026-39702: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Animation Addons for Elementor. Patc
CVE-2026-39703: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in WPBITS Addons For Elementor Page Bui
CVE-2026-39704: Missing Authorization in Precious Metals Automated Product Pricing – Pro. Patch commands and verification.
CVE-2026-39705: WordPress MIPL WC Multisite Sync plugin <= 1.4.4 - Broken Access Control in MIPL WC Multisite Sync. Patch commands and verif
CVE-2026-39706: WordPress Make My Trivia plugin <= 1.1.0 - Broken Access Control in Make My Trivia. Patch commands and verification.
CVE-2026-39707: Missing Authorization in Accept PayPal Payments using Contact Form 7. Patch commands and verification.
CVE-2026-39708: WordPress UiCore Elements plugin <= 1.3.14 - Cross Site Scripting (XSS) in UiCore Elements. Patch commands and verification.
CVE-2026-39709: WordPress The Tribal plugin <= 1.3.4 - Sensitive Data Exposure in The Tribal. Patch commands and verification.
CVE-2026-39710 is a cross-site request forgery (csrf) in Stmcan RT-Theme 18 | Extensions. CVSS 5.4 Medium. Patch commands, mitigations, and
CVE-2026-39711: WordPress RT-Theme 18 | Extensions plugin <= 2.5 - Sensitive Data Exposure in RT-Theme 18 | Extensions. Patch commands and v
CVE-2026-39712: WordPress tagDiv Composer plugin <= 5.4.3 - Arbitrary Shortcode Execution in tagDiv Composer. Patch commands and verificatio
CVE-2026-39713: Missing Authorization in Mailercloud – Integrate webforms and synchronize website contacts. Patch commands and verification.
CVE-2026-39714: WordPress G5Plus April theme <= 6.8 - Broken Access Control in G5Plus April. Patch commands and verification.
CVE-2026-39715 is a missing authorization in AnyTrack Affiliate Link Manager. CVSS 5.3 Medium. Patch commands, mitigations, and verification
CVE-2026-39716: WordPress Flipmart theme <= 2.8 - Broken Access Control in Flipmart. Patch commands and verification.
CVE-2026-3977 is a projectsend ajax endpoints authorization in the vendor projectsend. CVSS 5.3 Medium. Patch commands, mitigations, and ver
CVE-2026-3979: quickjs-ng quickjs quickjs.c js_iterator_concat_return use after free in quickjs. Patch commands and verification.
CVE-2026-3980: itsourcecode Online Doctor Appointment System patient_action.php sql injection in Online Doctor Appointment System. Patch com
CVE-2026-39805 - CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') in bandit. Runnable patch commands
CVE-2026-39807 - CWE-807 Reliance on Untrusted Inputs in a Security Decision in bandit. Runnable patch commands, mitigation, and verificatio
CVE-2026-39809 is a SQL injection in FortiClientEMS. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-3981: itsourcecode Online Doctor Appointment System doctor_action.php sql injection in Online Doctor Appointment System. Patch comm
CVE-2026-39810 is an information disclosure in FortiClientEMS. This page lists verified fix commands and short-term mitigations you can run
CVE-2026-39811 is an integer overflow in FortiWeb. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-39812 is a cross-site scripting in FortiSandbox. This page lists verified fix commands and short-term mitigations you can run today
CVE-2026-39814 is an execute unauthorized code or commands in FortiWeb. This page lists verified fix commands and short-term mitigations you
CVE-2026-39817 improper limitation of a pathname to a restricted directory ('path traversal') in cmd/go. Runnable upgrade commands and verif
CVE-2026-39819 is an insecure temporary file in cmd/go. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-3982: itsourcecode University Management System view_result.php cross site scripting in University Management System. Patch command
CVE-2026-39823 improper neutralization of input during web page generation ('cross-site scripti in html/template. Runnable upgrade commands
CVE-2026-39825 inconsistent interpretation of http requests ('http request/response smuggling') in net/http/httputil. Runnable upgrade comma
CVE-2026-39826 improper neutralization of input during web page generation ('cross-site scripti in html/template. Runnable upgrade commands
CVE-2026-3983: Cross Site Scripting in Division Regional Athletic Meet Game Result Matrix System. Patch commands and verification.
CVE-2026-39837: Stored XSS through the dynamic table format in Cargo in Mediawiki - Cargo Extension. Patch commands and verification.
CVE-2026-39838: ProofreadPage improperly sanitizes multiline styles using Sanitizer::checkCSS in MediaWiki - ProofreadPage Extension. Patch
CVE-2026-39839: bundle sibling of CVE-2026-39837. Same patched build closes both.
CVE-2026-3984: Cross Site Scripting in Division Regional Athletic Meet Game Result Matrix System. Patch commands and verification.
CVE-2026-39840: bundle sibling of CVE-2026-39837. Same patched build closes both.
CVE-2026-39841: bundle sibling of CVE-2026-39837. Same patched build closes both.
CVE-2026-39844: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in nicegui. Patch commands and verifi
CVE-2026-39845 is a server-side request forgery in weblate. This page lists verified fix commands and short-term mitigations you can run tod
CVE-2026-39848 is a missing authentication in dockyard. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-39851 is a user enumeration vulnerability due to different error messages in saleor, fixed by the same patch as CVE-20
CVE-2026-39855 is an out-of-bounds read in osslsigncode. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-39856 is an out-of-bounds read in osslsigncode. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-39857 is an information disclosure in apostrophe. This page lists verified fix commands and short-term mitigations you can run toda
CVE-2026-39859: bundle sibling of CVE-2026-34166. Same patched build closes both.
CVE-2026-3986: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Calculated Fields Form. Patch
CVE-2026-39862: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in tophat. Patch commands
CVE-2026-39864: Kamailio Auth: Processing Vulnerability For Additional Authenticated User Identity Checks in kamailio. Patch commands and ve
CVE-2026-39865 is an axios HTTP/2 session cleanup state corruption in axios. CVSS 5.9 Medium. Patch commands, mitigations, and verification.
CVE-2026-39869 buffer copy without checking size of input ('classic buffer overflow') in iOS and iPadOS. Runnable upgrade commands and verif
CVE-2026-39880: Remnawave Backend has a race condition in HWID device limit allows bypassing max devices in backend. Patch commands and veri
CVE-2026-39881 is a Vim Ex command injection in Vim's NetBeans integration in vim, fixed by the same patch as CVE-2026-34982.
CVE-2026-39882: bundle sibling of CVE-2026-29181. Same patched build closes both.
CVE-2026-39886 is an integer overflow in openexr. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-39892: cryptography has a buffer overflow if non-contiguous buffers were passed to APIs in cryptography. Patch commands and verific
CVE-2026-3990: CesiumGS CesiumJS standalone.html cross site scripting in CesiumJS. Patch commands and verification.
CVE-2026-39901 is a monetr: protected transactions deletable via put in monetr. CVSS 5.7 Medium. Patch commands, mitigations, and verificati
CVE-2026-3992: CodeGenieApp serverless-express Users Endpoint dynamodb.ts injection in serverless-express. Patch commands and verification.
CVE-2026-39921 is a server-side request forgery in GeoNode. This page lists verified fix commands and short-term mitigations you can run tod
CVE-2026-39922 is a server-side request forgery in GeoNode. This page lists verified fix commands and short-term mitigations you can run tod
CVE-2026-3993 is a cross site scripting in Itsourcecode Payroll Management System. CVSS 5.3 Medium. Patch commands, mitigations, and verific
CVE-2026-39933: Multiple XSS vulnerabilities in GlobalWatchlist in Mediawiki - GlobalWatchlist Extension. Patch commands and verification.
CVE-2026-39934: Growth Experiments ReassignMenteesJob runs as an infinite loop in Mediawiki - GrowthExperiments Extension. Patch commands an
CVE-2026-39935: XSS-via-i18n in localised wiki names in Mediawiki - CampaignEvents Extension. Patch commands and verification.
CVE-2026-39936: Stored XSS in Score due to usage of non-reserved data attributes in Mediawiki - Score Extension. Patch commands and verifica
CVE-2026-3994: rui314 mold Object File input-files.cc initialize_sections heap-based overflow in mold. Patch commands and verification.
CVE-2026-39940 is a cwe-601: url redirection to untrusted site in CRM. This page lists verified fix commands and short-term mitigations you
CVE-2026-39941 is a cross-site scripting in CRM. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-39943 is an information disclosure in directus. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-39946 is a SQL injection in openbao. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-3995 is a cross-site scripting in OPEN-BRAIN. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-39956 is an out-of-bounds read in jq. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-39958 is a cwe-93: improper neutralization of crlf sequences in oma. This page lists verified fix commands and short-term mitigatio
CVE-2026-3996 is a vulnerability in WP Games Embed. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-39960 is a cross-site scripting (XSS) in mantisbt. Verified patched version, official vendor advisory, and how to confirm the fix l
CVE-2026-39961 is an improper privilege management in aiven-operator. This page lists verified fix commands and short-term mitigations you c
CVE-2026-39963 is a cwe-565: reliance on cookies without validation in Serendipity. This page lists verified fix commands and short-term mit
CVE-2026-39964 is a cross-site scripting (XSS) in typebot.io. Verified patched version, official vendor advisory, and how to confirm the fix
CVE-2026-39966 is an access control bypass in typebot.io. Verified patched version, official vendor advisory, and how to confirm the fix lan
CVE-2026-39969 is an authentication bypass in typebot.io. Verified patched version, official vendor advisory, and how to confirm the fix lan
CVE-2026-3997 is a vulnerability in Text Toggle. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-39979 is an out-of-bounds read in jq. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-3998 is a cross-site scripting in WM JqMath. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-39984 is a cwe-295: improper certificate validation in timestamp-authority. This page lists verified fix commands and short-term mi
CVE-2026-39985 is a cwe-601: url redirection to untrusted site in Loris. This page lists verified fix commands and short-term mitigations yo
CVE-2026-40001 improper privilege management in ZTE PROCESS Guard service. Runnable upgrade commands and verification steps for sysadmins.
CVE-2026-40002 is an improper privilege management in Red Magic 11 Pro (NX809J). This page lists verified fix commands and short-term mitiga
CVE-2026-40003 is an out-of-bounds write in ZX297520V3 BootROM. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-40004 is an uncontrolled search path element in ZXCLOUD iRAI. Patched version, runnable upgrade commands, and how to verify the fix
CVE-2026-40016 is a vulnerability in OX Dovecot Pro. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4002 is a cross-site request forgery in Petje.af. This page lists verified fix commands and short-term mitigations you can run toda
CVE-2026-40021 is an encoding or escaping of output in Apache Log4net. This page lists verified fix commands and short-term mitigations you
CVE-2026-40023 is an encoding or escaping of output in Apache Log4cxx. This page lists verified fix commands and short-term mitigations you
CVE-2026-40025 is a sleuth kit apfs keybag parser out-of-bounds read in sleuthkit, fixed by the same patch as CVE-2026-40024.
CVE-2026-40026 is a sleuth kit iso9660 susp extension reference out-of-bounds read in sleuthkit, fixed by the same patch as CVE-2026-40024.
CVE-2026-40028 is a hayabusa < 3.8.0 xss via json log import in Yamato-security hayabusa. CVSS 5.1 Medium. Patch commands, mitigations, and
CVE-2026-40038 is a cross-site scripting in Pachno. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-4004 is a code injection in Task Manager. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-40041 is a cross-site request forgery in Pachno. This page lists verified fix commands and short-term mitigations you can run today
CVE-2026-40045 is a vulnerability in OpenClaw. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-4005 is a cross-site scripting in Coachific Shortcode. This page lists verified fix commands and short-term mitigations you can run
CVE-2026-4006: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Draft List. Patch commands and
CVE-2026-40061 is an OS command injection in BIG-IP. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-40071 is an incorrect authorization in pyload. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-40074 is a vulnerability in kit. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-40086 is a path traversal in rembg. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-40087 is a vulnerability in langchain. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-4009 is an out-of-bounds read in Jarikomppa soloud. CVSS 4.8 Medium. Patch commands, mitigations, and verification.
CVE-2026-40091 is a cwe-532: insertion of sensitive information into in spicedb. This page lists verified fix commands and short-term mitiga
CVE-2026-40094 is a denial of service in core-rs-albatross. Verified patched version, official vendor advisory, and how to confirm the fix l
CVE-2026-40096 is a cross-site scripting in immich. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-40098 is a missing authorization in magento-lts. This page lists verified fix commands and short-term mitigations you can run today
CVE-2026-40099 - CWE-863: Incorrect Authorization in kirby. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-4010: ThakeeNathees pocketlang pkByteBufferAddString memory corruption in pocketlang. Patch commands and verification.
CVE-2026-40100 is a server-side request forgery in FastGPT. This page lists verified fix commands and short-term mitigations you can run tod
CVE-2026-40102 is a code injection in plane. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-40103 is a cwe-836: use of password hash instead in vikunja. This page lists verified fix commands and short-term mitigations you c
CVE-2026-40104 is an allocation of resources without limits in org.xwiki.platform:xwiki-platform-legacy-oldcore. This page lists verified fi
CVE-2026-40105 is a vulnerability in xwiki-platform. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-4011 is a cross-site scripting in Power Charts – Responsive Beautiful Charts & Graphs. This page lists verified fix commands and sh
CVE-2026-40112 is a cross-site scripting in PraisonAI. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-40115 is an allocation of resources without limits in PraisonAI. This page lists verified fix commands and short-term mitigations y
CVE-2026-40117 is a missing authorization in PraisonAIAgents. This page lists verified fix commands and short-term mitigations you can run t
CVE-2026-40118 is a vulnerability in UDP Console. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-4012 is a rxi fe fe.c read_ out-of-bounds in Rxi fe. CVSS 4.8 Medium. Patch commands, mitigations, and verification.
CVE-2026-40129: a code injection in SAP Application Server ABAP for SAP NetW. Patched version and vendor advisory inside.
CVE-2026-4013: Improper Authorization in Web-based Pharmacy Product Management System. Patch commands and verification.
CVE-2026-40132: a missing authorization in SAP Strategic Enterprise Management (BSP. Patched version and vendor advisory inside.
CVE-2026-40133: a missing authorization in SAP S/4HANA Condition Maintenance. Patched version and vendor advisory inside.
CVE-2026-40134: a missing authorization in SAP Incentive and Commission Management. Patched version and vendor advisory inside.
CVE-2026-40135: an OS command injection in SAP NetWeaver Application Server for ABA. Patched version and vendor advisory inside.
CVE-2026-40136 is a vulnerability in SAP Financial Consolidation. Verified patched version, official vendor advisory, and how to confirm the
CVE-2026-40137: a cross-site scripting (XSS) in Business Server Pages Application (TAF_A. Patched version and vendor advisory inside.
CVE-2026-4014: itsourcecode Cafe Reservation System Registration signup.php sql injection in Cafe Reservation System. Patch commands and ver
CVE-2026-40148 is a cwe-409: improper handling of highly compressed in PraisonAI. This page lists verified fix commands and short-term mitig
CVE-2026-4015: GPAC TeXML File load_text.c txtin_process_texml stack-based overflow in GPAC. Patch commands and verification.
CVE-2026-40151 is an information disclosure in PraisonAI. This page lists verified fix commands and short-term mitigations you can run today
CVE-2026-40152 is a path traversal in PraisonAIAgents. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-40155 is an incorrect authorization in nextjs-auth0. This page lists verified fix commands and short-term mitigations you can run t
CVE-2026-40159 is an information disclosure in PraisonAI. This page lists verified fix commands and short-term mitigations you can run today
CVE-2026-4016: GPAC SVG Parser load_svg.c svgin_process out-of-bounds write in GPAC. Patch commands and verification.
CVE-2026-40169 is a heap buffer overflow in ImageMagick. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-40175 is a cwe-113: improper neutralization of crlf sequences in axios. This page lists verified fix commands and short-term mitiga
CVE-2026-40178 is an authentication bypass in ajenti. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-40179 is a cross-site scripting in prometheus. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-40182 - CWE-789: Memory Allocation with Excessive Size Value in opentelemetry-dotnet. Runnable patch commands, mitigation, and veri
CVE-2026-40183 is a heap buffer overflow in ImageMagick. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-40186 is a cross-site scripting in apostrophe. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-4019 - CWE-862 Missing Authorization in Complianz – GDPR/CCPA Cookie Consent. Runnable patch commands, mitigation, and verification
CVE-2026-40190 is a vulnerability in langsmith-sdk. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-40191 is an incorrect authorization in clearancekit. This page lists verified fix commands and short-term mitigations you can run t
CVE-2026-40199 is a handling of length parameter inconsistency in Net::CIDR::Lite. This page lists verified fix commands and short-term miti
CVE-2026-40201 - CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in @diplodoc/search-extension.
CVE-2026-40212 is a cross-site scripting in Skyline. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-40214 is an improper ownership management in Cyborg. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-4022 is a vulnerability in Show Posts list – Easy designs. Verified patched version, official vendor advisory, and how to confirm t
CVE-2026-40223 is a behavior order in systemd. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-40224 is an incorrect authorization in systemd. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-40225 is a resource transfer between spheres in systemd. This page lists verified fix commands and short-term mitigations you can r
CVE-2026-40226 is a use of less trusted source in systemd. This page lists verified fix commands and short-term mitigations you can run tod
CVE-2026-40227 is a comparison using wrong factors in systemd. This page lists verified fix commands and short-term mitigations you can run
CVE-2026-40229 - CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in helpy. Runnable patch
CVE-2026-40230 - CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in helpy. Runnable patch
CVE-2026-4024 - CWE-862 Missing Authorization in Royal Addons for Elementor – Addons and Templates Kit for Elementor. Runnable patch command
CVE-2026-40249 is a CWE-754: improper check for unusual or in free5gc. This page lists verified fix commands and short-term mitigations you
CVE-2026-4025: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in PrivateContent Free. Patch commands a
CVE-2026-40252 is a CWE-284: improper access control in FastGPT. This page lists verified fix commands and short-term mitigations you can ru
CVE-2026-40253 is an out-of-bounds read in opencryptoki. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-40254 - CWE-193: Off-by-one Error in FreeRDP. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-40255 is a CWE-601: URL redirection to untrusted site in http-core. This page lists verified fix commands and short-term mitigation
CVE-2026-40256 is a path traversal in weblate. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-40260 is a CWE-776: improper restriction of recursive entity in pypdf. This page lists verified fix commands and short-term mitigat
CVE-2026-40265 is a missing authorization in note-mark. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-40282 is a cross-site scripting in WeGIA. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-40283 is a cross-site scripting in WeGIA. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-40284 is a cross-site scripting in WeGIA. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-40293 is an information disclosure in openfga. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-40295 is an open redirect in devise. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-40296 improper neutralization of input during web page generation ('cross-site scripti in PhpSpreadsheet. Runnable upgrade commands
CVE-2026-40299 is a CWE-601: URL redirection to untrusted site in next-intl. This page lists verified fix commands and short-term mitigation
CVE-2026-40300 is an access control bypass in zulip. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-40301 is a cross-site scripting in dom-sanitizer. This page lists verified fix commands and short-term mitigations you can run toda
CVE-2026-40302 is a cross-site scripting in zrok. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-40304 is a CWE-284: improper access control in zrok. This page lists verified fix commands and short-term mitigations you can run t
CVE-2026-40305 is an improper authorization in Dnn.Platform. This page lists verified fix commands and short-term mitigations you can run to
CVE-2026-40306 is a CWE-330: use of insufficiently random values in Dnn.Platform. This page lists verified fix commands and short-term mitig
CVE-2026-40310 is a heap buffer overflow in ImageMagick. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-40311 is a use-after-free in ImageMagick. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-40312 is a CWE-193: off-by-one error in ImageMagick. This page lists verified fix commands and short-term mitigations you can run t
CVE-2026-4032 is a cross-site scripting in CodeColorer. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-40320 is a vulnerability in giskard-oss. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-40332 url redirection to untrusted site ('open redirect') in MasaCMS. Runnable upgrade commands and verification steps for sysadmin
CVE-2026-40333 is an out-of-bounds read in libgphoto2. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-40335 is an out-of-bounds read in libgphoto2. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-40337 is a CWE-283: unverified ownership in sentry-kernel. This page lists verified fix commands and short-term mitigations you can
CVE-2026-40338 is an out-of-bounds read in libgphoto2. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-40339 is an out-of-bounds read in libgphoto2. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-40340 is an out-of-bounds read in libgphoto2. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-40343 is a CWE-754: improper check for unusual or in udr. This page lists verified fix commands and short-term mitigations you can
CVE-2026-40346 is a server-side request forgery in @nocobase/plugin-workflow-request. This page lists verified fix commands and short-term m
CVE-2026-40347 is a denial of service in python-multipart. This page lists verified fix commands and short-term mitigations you can run toda
CVE-2026-40353 is a cross-site scripting in wger. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-40355 - CWE-476 NULL Pointer Dereference in Kerberos 5. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-40356 - CWE-191 Integer Underflow (Wrap or Wraparound) in Kerberos 5. Runnable patch commands, mitigation, and verification on this
CVE-2026-40374: an information disclosure in Power Automate for Desktop. Patched version and vendor advisory inside.
CVE-2026-40380 is a path traversal in Windows 10 Version 1607. Verified patched version, official vendor advisory, and how to confirm the fi
CVE-2026-40385 is an integer overflow in libexif. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-40386 is an integer underflow (wrap or wraparound) in libexif. This page lists verified fix commands and short-term mitigations you
CVE-2026-4039: OpenClaw Skill Env applySkillConfigenvOverrides code injection in OpenClaw. Patch commands and verification.
CVE-2026-40394 is an always-incorrect control flow implementation in Varnish Cache. This page lists verified fix commands and short-term mit
CVE-2026-40395 is an allocation of resources without limits in Varnish Enterprise. This page lists verified fix commands and short-term miti
CVE-2026-40396 is an always-incorrect control flow implementation in Varnish Cache. This page lists verified fix commands and short-term mit
CVE-2026-4040: OpenClaw File Existence tools.exec.safeBins information exposure in OpenClaw. Patch commands and verification.
CVE-2026-40416: a vulnerability in Microsoft Edge (Chromium-based). Patched version and vendor advisory inside.
CVE-2026-40421: an arbitrary file read in Microsoft 365 Apps for Enterprise. Patched version and vendor advisory inside.
CVE-2026-40431 - CWE-319 Cleartext transmission of sensitive information in X3050. Runnable patch commands, mitigation, and verification on
CVE-2026-40435 is a vulnerability in BIG-IP. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4044: projectsend Delete import-orphans.php realpath path traversal in projectsend. Patch commands and verification.
CVE-2026-40446 is an access of resource using incompatible type in Escargot. This page lists verified fix commands and short-term mitigation
CVE-2026-40447 is an integer overflow in Escargot. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-40448 - CWE-190 Integer overflow or wraparound in ONE. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-40449 - CWE-190 Integer overflow or wraparound in ONE. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-4045 is a projectsend auth.php response discrepancy in the vendor projectsend. CVSS 6.3 Medium. Patch commands, mitigations, and ve
CVE-2026-40450 - CWE-190 Integer overflow or wraparound in ONE. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-40451 - Cross-site scripting (XSS) in Chrome browser extension. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-40460 is an authentication bypass in NGINX Plus. Verified patched version, official vendor advisory, and how to confirm the fix lan
CVE-2026-40462 is an arbitrary file read in BIG-IP. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-40476 is a CWE-407: inefficient algorithmic complexity in graphql-php. This page lists verified fix commands and short-term mitigat
CVE-2026-40479 is a cross-site scripting in kimai. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-40483 is a cross-site scripting in CRM. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-40485 is a vulnerability in CRM. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-40486 is a vulnerability in kimai. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-40490 is an information disclosure in async-http-client. This page lists verified fix commands and short-term mitigations you can r
CVE-2026-40491 is a path traversal in gdown. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-40500 is a server-side request forgery in processwire. This page lists verified fix commands and short-term mitigations you can run
CVE-2026-40505 is a neutralization of escape, meta, or control in MuPDF. This page lists verified fix commands and short-term mitigations yo
CVE-2026-40529 - Improper neutralization of special elements used in an SQL command ('SQL Injection') in CMS ALAYA. Runnable patch commands,
CVE-2026-4054 is a denial of service in Mattermost. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4055 is an access control bypass in Mattermost. Verified patched version, official vendor advisory, and how to confirm the fix land
CVE-2026-40550 - CWE-250: Execution with Unnecessary Privileges in mpGabinet. Runnable patch commands, mitigation, and verification on this
CVE-2026-40552 - CWE-669: Incorrect Resource Transfer Between Spheres in mpGabinet. Runnable patch commands, mitigation, and verification on
CVE-2026-40557 - CWE-295 Improper Certificate Validation in Apache Storm Prometheus Reporter. Runnable patch commands, mitigation, and verif
CVE-2026-4056: a vulnerability in User Registration & Membership – Free & . Patched version and vendor advisory inside.
CVE-2026-40561 inconsistent interpretation of http requests ('http request/response smuggling') in Starlet. Runnable upgrade commands and ve
CVE-2026-40565 is a cross-site scripting in freescout. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-40566 is a server-side request forgery in freescout. This page lists verified fix commands and short-term mitigations you can run t
CVE-2026-40567 is a CWE-116: improper encoding or escaping of in freescout. This page lists verified fix commands and short-term mitigations
CVE-2026-4057 is a missing authorization in Download Manager. This page lists verified fix commands and short-term mitigations you can run t
CVE-2026-40570 is a vulnerability in freescout. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-40574 is an incorrect authorization in oauth2-proxy. This page lists verified fix commands and short-term mitigations you can run t
CVE-2026-40584 is an information disclosure in RansomLook. This page lists verified fix commands and short-term mitigations you can run toda
CVE-2026-40587 is a CWE-613: insufficient session expiration in blueprintue-self-hosted-edition. This page lists verified fix commands and s
CVE-2026-4059 is a cross-site scripting in ShopLentor – All-in-One WooCommerce Growth & Store Enhancement Plugin. This page lists verified f
CVE-2026-40590 is a vulnerability in freescout. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-40592 is a missing authorization in freescout. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-40593 is a cross-site scripting in CRM. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-40594 is a CWE-346: origin validation error in pyload. This page lists verified fix commands and short-term mitigations you can run
CVE-2026-40598 is a cross-site scripting (XSS) in mantisbt. Verified patched version, official vendor advisory, and how to confirm the fix l
CVE-2026-40602 is a code injection in home-assistant-cli. This page lists verified fix commands and short-term mitigations you can run today
CVE-2026-40603 - CWE-284: Improper Access Control in chartbrew. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-40606 is a vulnerability in mitmproxy. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-40608 is an allocation of resources without limits in next-ai-draw-io. This page lists verified fix commands and short-term mitigat
CVE-2026-40610 is a vulnerability in BentoML. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-40612 is an uncontrolled recursion in jq. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-40622 is a vulnerability in Unbound. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4063: CWE-862 Missing Authorization in Social Icons Widget & Block – Social Media Icons & Share Buttons. Patch commands and verific
CVE-2026-40638 is a path traversal in PowerScale InsightIQ. Verified patched version, official vendor advisory, and how to confirm the fix l
CVE-2026-4065 is a missing authorization in Nextendweb Smart Slider 3. CVSS 5.4 Medium. Patch commands, mitigations, and verification.
CVE-2026-4066 is a vulnerability in Smart Custom Fields. Verified patched version, official vendor advisory, and how to confirm the fix land
CVE-2026-4067 is a vulnerability in Ad Short. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4068: CWE-352 Cross-Site Request Forgery (CSRF) in Add Custom Fields to Media. Patch commands and verification.
CVE-2026-40684 - CWE-684 Incorrect Provision of Specified Functionality in Exim. Runnable patch commands, mitigation, and verification on th
CVE-2026-40685 - CWE-684 Incorrect Provision of Specified Functionality in Exim. Runnable patch commands, mitigation, and verification on th
CVE-2026-40687 - CWE-909 Missing Initialization of Resource in Exim. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-40688 is an out-of-bounds write in FortiWeb. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-4069 is a vulnerability in Alfie – Feed Plugin. Verified patched version, official vendor advisory, and how to confirm the fix land
CVE-2026-40690 - CWE-1220: Insufficient Granularity of Access Control in Apache Airflow. Runnable patch commands, mitigation, and verificati
CVE-2026-40699 is a vulnerability in BIG-IP. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4070: a cross-site request forgery (CSRF) in Alfie – Feed Plugin. Patched version and vendor advisory inside.
CVE-2026-40701 is a use-after-free in NGINX Plus. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-40703 is a cross-site request forgery (CSRF) in BIG-IP. Verified patched version, official vendor advisory, and how to confirm the
CVE-2026-4072 is a vulnerability in WordPress PayPal Donation. Verified patched version, official vendor advisory, and how to confirm the fi
CVE-2026-40728 is a missing authorization in Magazine Blocks. This page lists verified fix commands and short-term mitigations you can run t
CVE-2026-40729 is a missing authorization in 3D viewer – Embed 3D Models. This page lists verified fix commands and short-term mitigations y
CVE-2026-4073: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in pdfl.io. Patch commands and verificat
CVE-2026-40730 is a missing authorization in ThemeGrill Demo Importer. This page lists verified fix commands and short-term mitigations you
CVE-2026-40734 is a cross-site scripting in Categories Images. This page lists verified fix commands and short-term mitigations you can run
CVE-2026-40737 is an authorization bypass through user-controlled key in COMPE. This page lists verified fix commands and short-term mitigat
CVE-2026-4074 - CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Quran Live Multilanguage. Run
CVE-2026-40740 is a missing authorization in Tutor LMS. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-40742 is a missing authorization in Nelio AB Testing. This page lists verified fix commands and short-term mitigations you can run
CVE-2026-4075 is a vulnerability in BWL Advanced FAQ Manager Lite. Verified patched version, official vendor advisory, and how to confirm th
CVE-2026-4076 - CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Slider Bootstrap Carousel. Ru
CVE-2026-40763 is a missing authorization in Royal Elementor Addons. This page lists verified fix commands and short-term mitigations you ca
CVE-2026-4077 is a vulnerability in Ecover Builder For Dummies. Verified patched version, official vendor advisory, and how to confirm the f
CVE-2026-40778 is a missing authorization in Majestic Support. This page lists verified fix commands and short-term mitigations you can run
CVE-2026-4078 - CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in ITERAS. Runnable patch comman
CVE-2026-40786 is a missing authorization in MyRewards. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-4079: SQL Chart Builder < 2.3.8 - Unauthenticated SQL Injection in SQL Chart Builder. Patch commands and verification.
CVE-2026-4082 - CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in ER Swiffy Insert. Runnable pa
CVE-2026-4083: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Scoreboard for HTML5 Games Lit
CVE-2026-4084 is a vulnerability in fyyd podcast shortcodes. Verified patched version, official vendor advisory, and how to confirm the fix
CVE-2026-4085 - CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Easy Social Photos Gallery –
CVE-2026-4086 is a vulnerability in WP Random Button. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-40864 is a cross-site request forgery (CSRF) in jupyterhub. Verified patched version, official vendor advisory, and how to confirm
CVE-2026-4087 is a SQL injection in Pre* Party Resource Hints. Verified patched version, official vendor advisory, and how to confirm the fi
CVE-2026-40874 is a CWE-284: improper access control in mailcow-dockerized. This page lists verified fix commands and short-term mitigations
CVE-2026-4088 - CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Switch CTA Box. Runnable patc
CVE-2026-40881 is an allocation of resources without limits in zebra-network. This page lists verified fix commands and short-term mitigatio
CVE-2026-40883 is a cross-site request forgery in goshs. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-40888 is a CWE-284: improper access control in hrms. This page lists verified fix commands and short-term mitigations you can run t
CVE-2026-40889 is a CWE-284: improper access control in hrms. This page lists verified fix commands and short-term mitigations you can run t
CVE-2026-4089 - CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Twittee Text Tweet. Runnable
CVE-2026-40891 - CWE-789: Memory Allocation with Excessive Size Value in opentelemetry-dotnet. Runnable patch commands, mitigation, and veri
CVE-2026-40894 - CWE-789: Memory Allocation with Excessive Size Value in opentelemetry-dotnet. Runnable patch commands, mitigation, and veri
CVE-2026-40895 is an information disclosure in follow-redirects. This page lists verified fix commands and short-term mitigations you can ru
CVE-2026-40896 is a vulnerability in openproject. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-4090 - CWE-352 Cross-Site Request Forgery (CSRF) in Inquiry cart. Runnable patch commands, mitigation, and verification on this pag
CVE-2026-40907 is a vulnerability in AVideo. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-40908 is an information disclosure in AVideo. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-4091 is a cross-site request forgery in OPEN-BRAIN. This page lists verified fix commands and short-term mitigations you can run to
CVE-2026-40910 is an authentication bypass in frp. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-40915 is an integer overflow in Red Hat Enterprise Linux 6. This page lists verified fix commands and short-term mitigations you ca
CVE-2026-40916 is an out-of-bounds write in Red Hat Enterprise Linux 6. This page lists verified fix commands and short-term mitigations you
CVE-2026-40917 is an out-of-bounds read in Red Hat Enterprise Linux 6. This page lists verified fix commands and short-term mitigations you
CVE-2026-40918 is a calculation of buffer size in Red Hat Enterprise Linux 6. This page lists verified fix commands and short-term mitigatio
CVE-2026-40919 is an out-of-bounds write in Red Hat Enterprise Linux 6. This page lists verified fix commands and short-term mitigations you
CVE-2026-40922 is a cross-site scripting in siyuan. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-40923 is a path traversal in pipeline. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-40924 is a denial of service in pipeline. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-40927 is a cross-site scripting in docmost. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-40928 is a cross-site request forgery in AVideo. This page lists verified fix commands and short-term mitigations you can run today
CVE-2026-40929 is a cross-site request forgery in AVideo. This page lists verified fix commands and short-term mitigations you can run today
CVE-2026-4093: a cross-site scripting (XSS) in Term Reference Tree. Patched version and vendor advisory inside.
CVE-2026-40935 is a CWE-804: guessable CAPTCHA in AVideo. This page lists verified fix commands and short-term mitigations you can run today
CVE-2026-40939 is a CWE-613: insufficient session expiration in dsf. This page lists verified fix commands and short-term mitigations you ca
CVE-2026-40942 is a vulnerability in dsf. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-40944 is a CWE-295: improper certificate validation in oxia. This page lists verified fix commands and short-term mitigations you c
CVE-2026-40948 is a cross-site request forgery in Apache Airflow Providers Keycloak. This page lists verified fix commands and short-term mi
CVE-2026-40949 - Buffer overflow in Secure Access. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-40951 - Memory corruption in Secure Access. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-40962 is an integer overflow in FFmpeg. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-40966 - CWE-284 Improper Access Control in Spring AI. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-40968 - CWE-653: Improper Isolation or Compartmentalization in Spring gRPC. Runnable patch commands, mitigation, and verification o
CVE-2026-40970 - CWE-295: Improper Certificate Validation in Spring Boot. Runnable patch commands, mitigation, and verification on this page
CVE-2026-40971 - CWE-295: Improper Certificate Validation in Spring Boot. Runnable patch commands, mitigation, and verification on this page
CVE-2026-40974 - CWE-295: Improper Certificate Validation in Spring Boot. Runnable patch commands, mitigation, and verification on this page
CVE-2026-40975 - CWE-330: Use of Insufficiently Random Values in Spring Boot. Runnable patch commands, mitigation, and verification on this
CVE-2026-40977 - CWE-59: Improper Link Resolution Before File Access in Spring Boot. Runnable patch commands, mitigation, and verification o
CVE-2026-40979 - CWE-377: Insecure Temporary File in Spring AI. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-40980 - CWE-400: Uncontrolled Resource Consumption in Spring AI. Runnable patch commands, mitigation, and verification on this page
CVE-2026-41004 insertion of sensitive information into log file in Spring Cloud Config. Runnable upgrade commands and verification steps for
CVE-2026-41016 - CWE-295: Improper Certificate Validation in Apache Airflow Providers SMTP. Runnable patch commands, mitigation, and verific
CVE-2026-41018 insertion of sensitive information into log file in Apache Airflow Providers Elasticsearch. Runnable upgrade commands and ver
CVE-2026-41030 is a resource transfer between spheres in ONLYOFFICE DesktopEditors. This page lists verified fix commands and short-term mit
CVE-2026-41034 is an out-of-bounds read in ONLYOFFICE DocumentServer. This page lists verified fix commands and short-term mitigations you c
CVE-2026-41043 - CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Apache ActiveMQ. Runnable pa
CVE-2026-4105 is an improper access control in Red Hat Hardened Images. CVSS 6.7 Medium. Patch commands, mitigations, and verification.
CVE-2026-41051 is a vulnerability in openSUSE Tumbleweed. Verified patched version, official vendor advisory, and how to confirm the fix lan
CVE-2026-4106 - CWE-200 Information Exposure in HT Mega Addons for Elementor. Runnable patch commands, mitigation, and verification on this
CVE-2026-41061 is a cross-site scripting in AVideo. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-41062 is a path traversal in AVideo. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-41063 is a cross-site scripting in AVideo. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-41067 - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in astro. Runnable patch comma
CVE-2026-41069 is an out-of-bounds read in libheif. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-41071 is an out-of-bounds read in libheif. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-41073 is a path traversal in rt. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-41078 - CWE-770: Allocation of Resources Without Limits or Throttling in opentelemetry-dotnet. Runnable patch commands, mitigation,
CVE-2026-41079 - CWE-125: Out-of-bounds Read in cups. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-41081 - CWE-287 Improper Authentication in Apache Storm Client. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-4109 is a missing authorization in Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered). This page lists ve
CVE-2026-41097 is a vulnerability in Windows 10 Version 1809. Verified patched version, official vendor advisory, and how to confirm the fix
CVE-2026-41100: an access control bypass in Microsoft 365 Copilot for Android. Patched version and vendor advisory inside.
CVE-2026-41119 is an authentication bypass in Live Optics. Verified patched version, official vendor advisory, and how to confirm the fix la
CVE-2026-41125 is a SQL injection in blueplanet 100 NX3 M8. Verified patched version, official vendor advisory, and how to confirm the fix l
CVE-2026-41126 is a CWE-601: URL redirection to untrusted site in bigbluebutton. This page lists verified fix commands and short-term mitiga
CVE-2026-41127 is a vulnerability in bigbluebutton. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-41128 is a missing authorization in cms. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-41129 is a server-side request forgery in cms. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-41130 is a server-side request forgery in cms. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-41131 is an incorrect authorization in openfga. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-41132 is an authentication bypass in ckan. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-41136 is a CWE-440: expected behavior violation in amf. This page lists verified fix commands and short-term mitigations you can ru
CVE-2026-4114 is a handling of unicode encoding in SMA1000. This page lists verified fix commands and short-term mitigations you can run tod
CVE-2026-41148 is a code injection in mermaid. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-41149 is a cross-site scripting (XSS) in mermaid. Verified patched version, official vendor advisory, and how to confirm the fix la
CVE-2026-4115 is an authentication bypass in PuTTY. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-41153 is a command injection in Junie. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-41161 is an observable timing discrepancy in server. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-41168 - CWE-834: Excessive Iteration in pypdf. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-4117 - CWE-862 Missing Authorization in CalJ Shabbat Times. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-41173 - CWE-770: Allocation of Resources Without Limits or Throttling in opentelemetry-dotnet-contrib. Runnable patch commands, mit
CVE-2026-41174 - CWE-863: Incorrect Authorization in traefik. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-41177 - CWE-73: External Control of File Name or Path in squidex. Runnable patch commands, mitigation, and verification on this pag
CVE-2026-4118 - CWE-352 Cross-Site Request Forgery (CSRF) in Call To Action Plugin. Runnable patch commands, mitigation, and verification on
CVE-2026-41181 is a vulnerability in traefik. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-41182 - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in langsmith-sdk. Runnable patch commands, mitigation,
CVE-2026-41183 is an information disclosure in freescout. This page lists verified fix commands and short-term mitigations you can run today
CVE-2026-41194 is a cross-site request forgery in freescout. This page lists verified fix commands and short-term mitigations you can run to
CVE-2026-41195 is a server-side request forgery (SSRF) in mosparo. Verified patched version, official vendor advisory, and how to confirm th
CVE-2026-4120: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Info Cards – Add Text and Medi
CVE-2026-41206 - CWE-184: Incomplete List of Disallowed Inputs in PySpector. Runnable patch commands, mitigation, and verification on this p
CVE-2026-4121 - CWE-352 Cross-Site Request Forgery (CSRF) in Kcaptcha. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-41213 - CWE-307: Improper Restriction of Excessive Authentication Attempts in node-oauth2-server. Runnable patch commands, mitigati
CVE-2026-41217 is an arbitrary file read in BIG-IP. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-41219 is an information disclosure in BIG-IP. Verified patched version, official vendor advisory, and how to confirm the fix landed
CVE-2026-41226 - URL redirection to untrusted site ('Open Redirect') in Multiple laser printers and MFPs which implement Web Image Monitor.
CVE-2026-41232 - CWE-863: Incorrect Authorization in froxlor. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-41233 - CWE-863: Incorrect Authorization in froxlor. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-41238 - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in DOMPurify. Runnable patch c
CVE-2026-41239 - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in DOMPurify. Runnable patch c
CVE-2026-4124 is a missing authorization in Ziggeo. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-41240 - CWE-183: Permissive List of Allowed Inputs in DOMPurify. Runnable patch commands, mitigation, and verification on this page
CVE-2026-41243 - CWE-284: Improper Access Control in OpenLearn. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-41244 - CWE-208: Observable Timing Discrepancy in mojic. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-41245 is a path traversal in junrar. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-4125 - CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in WPMK Block. Runnable patch co
CVE-2026-41250 improper neutralization of input during web page generation ('cross-site scripti in taiga-front. Runnable upgrade commands an
CVE-2026-41253 is an inclusion of functionality from untrusted control in iTerm2. This page lists verified fix commands and short-term mitig
CVE-2026-41254 is a behavior order in little cms color engine. This page lists verified fix commands and short-term mitigations you can run
CVE-2026-41255 is a cross-site request forgery (CSRF) in ckan. Verified patched version, official vendor advisory, and how to confirm the fi
CVE-2026-41256 improper neutralization of null byte or nul character in jq. Runnable upgrade commands and verification steps for sysadmins.
CVE-2026-41257 is an integer overflow or wraparound in jq. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-4126 - CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in Table Manager. Runnable patch commands, mitigation, an
CVE-2026-41263 - CWE-208: Observable Timing Discrepancy in traefik. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-4127 is a vulnerability in Speedup Optimization. Verified patched version, official vendor advisory, and how to confirm the fix lan
CVE-2026-4128 - CWE-862 Missing Authorization in TP Restore Categories And Taxonomies. Runnable patch commands, mitigation, and verification
CVE-2026-41281 is an information disclosure in あんしんフィルター for au. Verified patched version, official vendor advisory, and how to confirm the
CVE-2026-41282 is a code injection in Nuclei. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-41285 is a validation of specified quantity in input in OpenBSD. This page lists verified fix commands and short-term mitigations y
CVE-2026-41292 is a vulnerability in Unbound. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-41297 is a server-side request forgery in OpenClaw. This page lists verified fix commands and short-term mitigations you can run to
CVE-2026-41298 is a missing authorization in OpenClaw. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-41300 is a cwe-372: incomplete internal state distinction in OpenClaw. This page lists verified fix commands and short-term mitigat
CVE-2026-41301 is a vulnerability in OpenClaw. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-41302 is a server-side request forgery in OpenClaw. This page lists verified fix commands and short-term mitigations you can run to
CVE-2026-41305 - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in postcss. Runnable patch com
CVE-2026-41308 authentication bypass using an alternate path or channel in PasswordPusher. Runnable upgrade commands and verification steps
CVE-2026-4131 - CWE-352 Cross-Site Request Forgery (CSRF) in WP Responsive Popup + Optin. Runnable patch commands, mitigation, and verificat
CVE-2026-41310 allocation of resources without limits or throttling in opentelemetry-dotnet. Runnable upgrade commands and verification step
CVE-2026-41312 - CWE-789: Memory Allocation with Excessive Size Value in pypdf. Runnable patch commands, mitigation, and verification on thi
CVE-2026-41313 - CWE-834: Excessive Iteration in pypdf. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-41314 - CWE-789: Memory Allocation with Excessive Size Value in pypdf. Runnable patch commands, mitigation, and verification on thi
CVE-2026-41317 - CWE-352: Cross-Site Request Forgery (CSRF) in press. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-41318 - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in anything-llm. Runnable patc
CVE-2026-41319 - CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') in MailKit. Runn
CVE-2026-41320 is a SQL injection in hrms. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-41322 - CWE-525: Use of Web Browser Cache Containing Sensitive Information in astro. Runnable patch commands, mitigation, and verif
CVE-2026-4133 - CWE-352 Cross-Site Request Forgery (CSRF) in TextP2P Texting Widget. Runnable patch commands, mitigation, and verification o
CVE-2026-41331 is a vulnerability in OpenClaw. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-41332 - CWE-184: Incomplete List of Disallowed Inputs in OpenClaw. Runnable patch commands, mitigation, and verification on this pa
CVE-2026-41333 - Improper Control of Interaction Frequency in OpenClaw. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-41335 - CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere in OpenClaw. Runnable patch commands, m
CVE-2026-41337 - CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition in OpenClaw. Runnable patch commands, mitigation, and verificati
CVE-2026-41338 - CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition in OpenClaw. Runnable patch commands, mitigation, and verificati
CVE-2026-41339 - CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere in OpenClaw. Runnable patch commands, m
CVE-2026-41340 - CWE-372: Incomplete Internal State Distinction in OpenClaw. Runnable patch commands, mitigation, and verification on this p
CVE-2026-41343 - Improper Control of Interaction Frequency in OpenClaw. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-41344 - CWE-863: Incorrect Authorization in OpenClaw. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-41345 - CWE-522 Insufficiently Protected Credentials in OpenClaw. Runnable patch commands, mitigation, and verification on this pag
CVE-2026-41346 - Improper Control of Interaction Frequency in OpenClaw. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-4135 is a cwe-59: improper link resolution before file in Software Fix. This page lists verified fix commands and short-term mitiga
CVE-2026-41350 - CWE-863: Incorrect Authorization in OpenClaw. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-41351 - CWE-294 Authentication Bypass by Capture-replay in OpenClaw. Runnable patch commands, mitigation, and verification on this
CVE-2026-41354 - CWE-706: Use of Incorrectly-Resolved Name or Reference in OpenClaw. Runnable patch commands, mitigation, and verification o
CVE-2026-41355 - CWE-829: Inclusion of Functionality from Untrusted Control Sphere in OpenClaw. Runnable patch commands, mitigation, and ver
CVE-2026-4136: CWE-640 Weak Password Recovery Mechanism for Forgotten Password in Membership Plugin – Restrict Content. Patch commands and v
CVE-2026-41360 - CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition in OpenClaw. Runnable patch commands, mitigation, and verificati
CVE-2026-41361 - CWE-184: Incomplete List of Disallowed Inputs in OpenClaw. Runnable patch commands, mitigation, and verification on this pa
CVE-2026-41363 - CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in OpenClaw. Runnable patch commands,
CVE-2026-41365 - CWE-441: Unintended Proxy or Intermediary ('Confused Deputy') in OpenClaw. Runnable patch commands, mitigation, and verific
CVE-2026-41366 - CWE-732: Incorrect Permission Assignment for Critical Resource in OpenClaw. Runnable patch commands, mitigation, and verifi
CVE-2026-41367 - CWE-863: Incorrect Authorization in OpenClaw. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-41372 - CWE-639 Authorization Bypass Through User-Controlled Key in OpenClaw. Runnable patch commands, mitigation, and verification
CVE-2026-41373 - CWE-427 Uncontrolled Search Path Element in OpenClaw. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-41374 - CWE-408: Incorrect Behavior Order: Early Amplification in OpenClaw. Runnable patch commands, mitigation, and verification o
CVE-2026-41377 - CWE-636: Not Failing Securely (Failing Open) in OpenClaw. Runnable patch commands, mitigation, and verification on this pag
CVE-2026-4138 - CWE-352 Cross-Site Request Forgery (CSRF) in DX Unanswered Comments. Runnable patch commands, mitigation, and verification o
CVE-2026-41383 - CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in OpenClaw. Runnable patch commands,
CVE-2026-41388 - CWE-372: Incomplete Internal State Distinction in OpenClaw. Runnable patch commands, mitigation, and verification on this p
CVE-2026-41389 is a cwe-73: external control of file name in OpenClaw. This page lists verified fix commands and short-term mitigations you
CVE-2026-4139 - CWE-352 Cross-Site Request Forgery (CSRF) in mCatFilter. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-41391 - CWE-184: Incomplete List of Disallowed Inputs in OpenClaw. Runnable patch commands, mitigation, and verification on this pa
CVE-2026-41392 - CWE-184: Incomplete List of Disallowed Inputs in OpenClaw. Runnable patch commands, mitigation, and verification on this pa
CVE-2026-41393 - CWE-346: Origin Validation Error in OpenClaw. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-4140 - CWE-352 Cross-Site Request Forgery (CSRF) in Ni WooCommerce Order Export. Runnable patch commands, mitigation, and verificat
CVE-2026-41400 - CWE-770: Allocation of Resources Without Limits or Throttling in OpenClaw. Runnable patch commands, mitigation, and verific
CVE-2026-41403 - CWE-807 Reliance on Untrusted Inputs in a Security Decision in OpenClaw. Runnable patch commands, mitigation, and verificat
CVE-2026-41407 - CWE-208 Observable Timing Discrepancy in OpenClaw. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-4141: Quran Translations <= 1.7 - Cross-Site Request Forgery to Playlist Settings Form in Quran Translations. Patch commands and ve
CVE-2026-41411 - CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in vim. Runnable patch c
CVE-2026-41413 is a server-side request forgery (ssrf) in istio. Patched version, runnable upgrade commands, and how to verify the fix lande
CVE-2026-41415 - CWE-125: Out-of-bounds Read in pjproject. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-41417 improper neutralization of crlf sequences ('crlf injection') in netty. Runnable upgrade commands and verification steps for s
CVE-2026-41418 - CWE-208: Observable Timing Discrepancy in 4gaBoards. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-4142 - CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Sentence To SEO (keywords, de
CVE-2026-41425 - CWE-352: Cross-Site Request Forgery (CSRF) in authlib. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-41426 - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in pretalx. Runnable patch com
CVE-2026-4143 is a vulnerability in Neos Connector for Fakturama. Verified patched version, official vendor advisory, and how to confirm the
CVE-2026-41455 - CWE-918 Server-Side Request Forgery (SSRF) in wekan. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-41456 is a cross-site scripting in bludit. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-41457 - CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in owntone-server. Runnable pat
CVE-2026-41459 - CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere in xerteonlinetoolkits. Runnable patch c
CVE-2026-4146: Loco Translate <= 2.8.2 - Reflected Cross-Site Scripting via 'update_href' Parameter in Loco Translate. Patch commands and ve
CVE-2026-41461 - CWE-918 Server-Side Request Forgery (SSRF) in SocialEngine. Runnable patch commands, mitigation, and verification on this p
CVE-2026-41466 - CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in ProjeQtor. Runnable patch co
CVE-2026-41467 - CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in ProjeQtor. Runnable patch co
CVE-2026-41469 - CWE-693 Protection Mechanism Failure in SicuroWeb (Sicuro24). Runnable patch commands, mitigation, and verification on this
CVE-2026-41472 - CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in cyberpanel. Runnable patch c
CVE-2026-41481 - CWE-918: Server-Side Request Forgery (SSRF) in langchain-text-splitters. Runnable patch commands, mitigation, and verificat
CVE-2026-41483 allocation of resources without limits or throttling in opentelemetry-dotnet-contrib. Runnable upgrade commands and verificat
CVE-2026-41484 allocation of resources without limits or throttling in opentelemetry-dotnet-contrib. Runnable upgrade commands and verificat
CVE-2026-41487 is an improper access control in langfuse. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-41493 improper limitation of a pathname to a restricted directory ('path traversal') in yard. Runnable upgrade commands and verific
CVE-2026-41495 insertion of sensitive information into log file in n8n-mcp. Runnable upgrade commands and verification steps for sysadmins.
CVE-2026-41499 - CWE-124: Buffer Underwrite ('Buffer Underflow') in wazuh. Runnable patch commands, mitigation, and verification on this pag
CVE-2026-41506 is an insufficiently protected credentials in go-git. Patched version, runnable upgrade commands, and how to verify the fix la
CVE-2026-41509 is a stack-based buffer overflow in CROSS-implementation. Patched version, runnable upgrade commands, and how to verify the f
CVE-2026-41511 loop with unreachable exit condition ('infinite loop') in openmcdf. Runnable upgrade commands and verification steps for sysa
CVE-2026-41513 is an open redirect in horilla-hr. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-41519 is an insufficient session expiration in weblate. Patched version, runnable upgrade commands, and how to verify the fix landed
CVE-2026-41525 - CWE-669 Incorrect Resource Transfer Between Spheres in Dolphin. Runnable patch commands, mitigation, and verification on th
CVE-2026-41526 - CWE-150 Improper Neutralization of Escape, Meta, or Control Sequences in KCoreAddons. Runnable patch commands, mitigation,
CVE-2026-41527 is an always-incorrect control flow implementation in Kleopatra. This page lists verified fix commands and short-term mitigat
CVE-2026-41572 is an improper authorization in note-mark. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-41575 improper neutralization of input during web page generation ('cross-site scripti in IP. Runnable upgrade commands and verific
CVE-2026-41585 is an uncaught exception in zebra. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-41591 improper neutralization of input during web page generation ('cross-site scripti in marko. Runnable upgrade commands and veri
CVE-2026-4160 is an authorization bypass through user-controlled key in Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversat
CVE-2026-41606 - CWE-674 Uncontrolled Recursion in Apache Thrift. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-41607 - CWE-125 Out-of-bounds Read in Apache Thrift. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-4161 is a vulnerability in Review Map by RevuKangaroo. Verified patched version, official vendor advisory, and how to confirm the f
CVE-2026-41610: a cross-site scripting (XSS) in Visual Studio Code. Patched version and vendor advisory inside.
CVE-2026-41612: a path traversal in Visual Studio Code - Live Preview extens. Patched version and vendor advisory inside.
CVE-2026-41614: an access control bypass in M365 Copilot for Desktop. Patched version and vendor advisory inside.
CVE-2026-41645 improper control of generation of code ('code injection') in nuclei. Runnable upgrade commands and verification steps for sys
CVE-2026-41646 is an improper access control in nuclei. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-41647 is a null pointer dereference in incus. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-41648 allocation of resources without limits or throttling in incus. Runnable upgrade commands and verification steps for sysadmins
CVE-2026-4165: Worksuite HR, CRM and Project Management create cross site scripting in HR, CRM and Project Management. Patch commands and ve
CVE-2026-41650 xml injection (aka blind xpath injection) in fast-xml-parser. Runnable upgrade commands and verification steps for sysadmins.
CVE-2026-41654 is an improper input validation in weblate. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-41655 improper limitation of a pathname to a restricted directory ('path traversal') in admidio. Runnable upgrade commands and veri
CVE-2026-41656 improper limitation of a pathname to a restricted directory ('path traversal') in admidio. Runnable upgrade commands and veri
CVE-2026-41657 is an incorrect authorization in admidio. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-41658 is a missing authorization in admidio. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-4166: Wavlink WL-NU516U1 login.cgi sub_404F68 cross site scripting in WL-NU516U1. Patch commands and verification.
CVE-2026-41661 improper neutralization of input during web page generation ('cross-site scripti in admidio. Runnable upgrade commands and ve
CVE-2026-41662 improper check for unusual or exceptional conditions in admidio. Runnable upgrade commands and verification steps for sysadmi
CVE-2026-41664 - CWE-190 Integer overflow or wraparound in ONE. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-41665 - CWE-190 Integer overflow or wraparound in ONE. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-41666 - CWE-190 Integer overflow or wraparound in ONE. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-41667 - CWE-190 Integer overflow or wraparound in ONE. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-41671 is an improper authentication in admidio. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-4168: Tecnick TCExam Group tce_edit_group.php cross site scripting in TCExam. Patch commands and verification.
CVE-2026-41682 is a signed to unsigned conversion error in pupnp. Patched version, runnable upgrade commands, and how to verify the fix land
CVE-2026-41684 is a null pointer dereference in incus. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-41685 allocation of resources without limits or throttling in incus. Runnable upgrade commands and verification steps for sysadmins
CVE-2026-41686 incorrect permission assignment for critical resource in anthropic-sdk-typescript. Runnable upgrade commands and verification
CVE-2026-41687 is a server-side request forgery (ssrf) in Wallos. Patched version, runnable upgrade commands, and how to verify the fix land
CVE-2026-41689 is an incorrect authorization in Wallos. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-4169 is a cross site scripting in Tecnick TCExam. CVSS 4.8 Medium. Patch commands, mitigations, and verification.
CVE-2026-41691 improper limitation of a pathname to a restricted directory ('path traversal') in i18next-http-backend. Runnable upgrade comm
CVE-2026-41692 improper neutralization of input during web page generation ('cross-site scripti in i18nextify. Runnable upgrade commands and
CVE-2026-4171: CodeGenieApp serverless-express API Endpoint TodoList.ts authorization in serverless-express. Patch commands and verification
CVE-2026-4173 is a sql injection in Codephiliax Chat2DB. CVSS 5.3 Medium. Patch commands, mitigations, and verification.
CVE-2026-4174: Radare2 Mach-O File mach0.c walk_exports_trie resource consumption in Radare2. Patch commands and verification.
CVE-2026-4175: Aureus ERP Chatter Message content-text-entry.blade.php cross site scripting in ERP. Patch commands and verification.
CVE-2026-4179: stm32: usb: Infinite while loop in Interrupt Handler in Zephyr. Patch commands and verification.
CVE-2026-4180 is a d-link dir-816 goahead redirect.asp access control in D-link DIR-816. CVSS 6.9 Medium. Patch commands, mitigations, and v
CVE-2026-4185: GPAC MP4Box swf_parse.c swf_def_bits_jpeg stack-based overflow in GPAC. Patch commands and verification.
CVE-2026-4186: UEditor JSONP Callback controller.php cross site scripting in UEditor. Patch commands and verification.
CVE-2026-4187 is a missing authentication in Tiandy Easy7 Integrated Management Platform. CVSS 6.9 Medium. Patch commands, mitigations, and
CVE-2026-41885 improper limitation of a pathname to a restricted directory ('path traversal') in i18next-locize-backend. Runnable upgrade co
CVE-2026-41887 improper limitation of a pathname to a restricted directory ('path traversal') in framework. Runnable upgrade commands and ve
CVE-2026-41888 is an access control bypass in distribution. Verified patched version, official vendor advisory, and how to confirm the fix l
CVE-2026-4189 is a phpipam section edit-result.php sql injection in the vendor phpipam. CVSS 5.1 Medium. Patch commands, mitigations, and ve
CVE-2026-41890 is an improper input validation in ci4ms. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-41891 is an insufficient session expiration in ci4ms. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-4190: JawherKl node-api-postgres user.js User.getAll sql injection in node-api-postgres. Patch commands and verification.
CVE-2026-41903 is an incorrect authorization in freescout. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-41909 - CWE-863 Incorrect Authorization in OpenClaw. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-4191 is an unrestricted upload in Jawherkl node-api-postgres. CVSS 6.9 Medium. Patch commands, mitigations, and verification.
CVE-2026-41911 - CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in OpenClaw. Runnable patch commands,
CVE-2026-41912 - CWE-918 Server-Side Request Forgery (SSRF) in OpenClaw. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-41913 - CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') in OpenClaw. Runnable
CVE-2026-41914 - CWE-918 Server-Side Request Forgery (SSRF) in OpenClaw. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-41915 - CWE-184: Incomplete List of Disallowed Inputs in OpenClaw. Runnable patch commands, mitigation, and verification on this pa
CVE-2026-4192: AvinashBole quip-mcp-server index.ts setupToolHandlers command injection in quip-mcp-server. Patch commands and verification.
CVE-2026-41928 exposure of sensitive system information to an unauthorized control sphere in Vvveb. Runnable upgrade commands and verificati
CVE-2026-41929 improper neutralization of input during web page generation ('cross-site scripti in Vvveb. Runnable upgrade commands and veri
CVE-2026-4193: D-Link DIR-823G goahead UpdateClientInfo access control in DIR-823G. Patch commands and verification.
CVE-2026-41931 initialization of a resource with an insecure default in Vvveb. Runnable upgrade commands and verification steps for sysadmin
CVE-2026-41932 is a cross-site scripting (XSS) in Vvveb. Verified patched version, official vendor advisory, and how to confirm the fix land
CVE-2026-41933 is a vulnerability in Vvveb. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4194: D-Link DNS-1550-04 system_mgr.cgi cgi_set_wto access control in DNS-120. Patch commands and verification.
CVE-2026-4195 is a d-link dns-1550-04 wizard_mgr.cgi command injection in D-link DNS-120. CVSS 5.3 Medium. Patch commands, mitigations, and
CVE-2026-41950 is an authorization bypass through user-controlled key in dify. Patched version, runnable upgrade commands, and how to verify
CVE-2026-41954 is an information disclosure in BIG-IP. Verified patched version, official vendor advisory, and how to confirm the fix landed
CVE-2026-41959 is an arbitrary file read in BIG-IP. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4196: D-Link DNS-1550-04 remote_backup.cgi cgi_set_rsync_server command injection in DNS-120. Patch commands and verification.
CVE-2026-41960 is an information disclosure in HarmonyOS. Verified patched version, official vendor advisory, and how to confirm the fix lan
CVE-2026-41961 is a vulnerability in HarmonyOS. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-41965 is a vulnerability in HarmonyOS. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-41966 is a vulnerability in HarmonyOS. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-41967 is a vulnerability in HarmonyOS. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-41968 is a vulnerability in HarmonyOS. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-41969 is a vulnerability in HarmonyOS. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4197: D-Link DNS-1550-04 download_mgr.cgi RSS_Item_List command injection in DNS-120. Patch commands and verification.
CVE-2026-41970 is an OS command injection in HarmonyOS. Verified patched version, official vendor advisory, and how to confirm the fix lande
CVE-2026-41971 is a vulnerability in HarmonyOS. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4198: hypermodel-labs mcp-server-auto-commit index.ts getGitChanges command injection in mcp-server-auto-commit. Patch commands and
CVE-2026-41989 - CWE-787 Out-of-bounds Write in Libgcrypt. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-4199: bazinga012 mcp_code_executor index.ts installDependencies command injection in mcp_code_executor. Patch commands and verifica
CVE-2026-41990 - CWE-787 Out-of-bounds Write in Libgcrypt. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-41999 is an access control bypass in Authoritative. Verified patched version, official vendor advisory, and how to confirm the fix
CVE-2026-4200 is a server-side request forgery in glowxq-oj. CVSS 6.9 Medium. Patch commands, mitigations, and verification.
CVE-2026-42000 is an OS command injection in Authoritative. Verified patched version, official vendor advisory, and how to confirm the fix l
CVE-2026-42002 is a race condition in Authoritative. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-42006 is a vulnerability in OX Dovecot Pro. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4201: glowxq glowxq-oj SysFileController.java upload unrestricted upload in glowxq-oj. Patch commands and verification.
CVE-2026-42028 improper limitation of a pathname to a restricted directory ('path traversal') in novagallery. Runnable upgrade commands and
CVE-2026-4203: D-Link DNS-1550-04 network_mgr.cgi cgi_dhcpd command injection in DNS-120. Patch commands and verification.
CVE-2026-42030 improper neutralization of script-related html tags in a web page (basic xss) in MapServer. Runnable upgrade commands and ver
CVE-2026-42032 is an access control bypass in ckan. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-42034 - CWE-770: Allocation of Resources Without Limits or Throttling in axios. Runnable patch commands, mitigation, and verificati
CVE-2026-42036 - CWE-770: Allocation of Resources Without Limits or Throttling in axios. Runnable patch commands, mitigation, and verificati
CVE-2026-42037 - CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection') in axios. Runnable patch commands, mitigation, and ver
CVE-2026-42038 - CWE-918: Server-Side Request Forgery (SSRF) in axios. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-42039 - CWE-674: Uncontrolled Recursion in axios. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-4204: D-Link DNS-1550-04 gui_mgr.cgi cgi_mycloud_auto_downlaod command injection in DNS-120. Patch commands and verification.
CVE-2026-42041 - CWE-287: Improper Authentication in axios. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-42042 - CWE-183: Permissive List of Allowed Inputs in axios. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-42044 - CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes in axios. Runnable patch commands,
CVE-2026-42045 is a cross-site scripting (XSS) in lobehub. Verified patched version, official vendor advisory, and how to confirm the fix la
CVE-2026-4205: D-Link DNS-1550-04 app_mgr.cgi FTP_Server_BlockIP_Del command injection in DNS-120. Patch commands and verification.
CVE-2026-42050 is a stack-based buffer overflow in ImageMagick. Patched version, runnable upgrade commands, and how to verify the fix landed
CVE-2026-42051 is a missing authorization in kirby. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-42052 improper neutralization of input during web page generation ('cross-site scripti in beets. Runnable upgrade commands and veri
CVE-2026-42058 is an arbitrary file read in BIG-IP. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4206: D-Link DNS-1550-04 dsk_mgr.cgi ScanDisk_run_e2fsck command injection in DNS-120. Patch commands and verification.
CVE-2026-42063 is a vulnerability in BIG-IP. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4207: D-Link DNS-1550-04 system_mgr.cgi cgi_ntp_time command injection in DNS-120. Patch commands and verification.
CVE-2026-42077 improperly controlled modification of object prototype attributes ('prototype po in evolver. Runnable upgrade commands and ve
CVE-2026-42078 improper limitation of a pathname to a restricted directory ('path traversal') in PPTAgent. Runnable upgrade commands and ver
CVE-2026-42080 improper limitation of a pathname to a restricted directory ('path traversal') in PPTAgent. Runnable upgrade commands and ver
CVE-2026-42085 is a relative path traversal in cosmos. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-42086 improper neutralization of input during web page generation ('cross-site scripti in cosmos. Runnable upgrade commands and ver
CVE-2026-4209: D-Link DNS-1550-04 account_mgr.cgi cgi_chg_admin_pw command injection in DNS-120. Patch commands and verification.
CVE-2026-42091 is a cross-site request forgery (csrf) in goshs. Patched version, runnable upgrade commands, and how to verify the fix landed
CVE-2026-42092 exposure of sensitive information to an unauthorized actor in titra. Runnable upgrade commands and verification steps for sys
CVE-2026-42095 - CWE-306 Missing Authentication for Critical Function in Arianna. Runnable patch commands, mitigation, and verification on t
CVE-2026-4210: D-Link DNS-1550-04 time_machine.cgi cgi_tm_set_share command injection in DNS-120. Patch commands and verification.
CVE-2026-42138 improper neutralization of input during web page generation ('cross-site scripti in dify. Runnable upgrade commands and verif
CVE-2026-42140 is a server-side request forgery (ssrf) in macro-plantuml. Patched version, runnable upgrade commands, and how to verify the
CVE-2026-42144 is an integer overflow or wraparound in CImg. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-42146 is a memory allocation with excessive size value in CImg. Patched version, runnable upgrade commands, and how to verify the f
CVE-2026-4215 is a server-side request forgery in Flowci flow-core-x. CVSS 5.3 Medium. Patch commands, mitigations, and verification.
CVE-2026-42150 improper neutralization of input during web page generation ('cross-site scripti in wlc. Runnable upgrade commands and verifi
CVE-2026-42157 is a cross-site scripting (XSS) in flowsint. Verified patched version, official vendor advisory, and how to confirm the fix l
CVE-2026-42159 is a cross-site scripting (XSS) in flowsint. Verified patched version, official vendor advisory, and how to confirm the fix l
CVE-2026-4216: i-SENS SmartLog App air.SmartLog.android hard-coded credentials in SmartLog App. Patch commands and verification.
CVE-2026-42174 is a missing authorization in kirby. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-42175: a server-side request forgery (SSRF) in requests-hardened. Patched version and vendor advisory inside.
CVE-2026-42176 is a missing authentication for critical function in scoold. Patched version, runnable upgrade commands, and how to verify th
CVE-2026-42177 is an access control bypass in linux-entra-sso. Verified patched version, official vendor advisory, and how to confirm the fi
CVE-2026-42180 is a server-side request forgery (ssrf) in lemmy. Patched version, runnable upgrade commands, and how to verify the fix lande
CVE-2026-42181 is a server-side request forgery (ssrf) in lemmy. Patched version, runnable upgrade commands, and how to verify the fix lande
CVE-2026-42185 is an improper privilege management in people. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-4219: Hard-coded Credentials in YWF BPOF APGCS App. Patch commands and verification.
CVE-2026-42190 is a cross-site request forgery (csrf) in sdk. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-42191: a cross-site scripting (XSS) in opentelemetry-dotnet. Patched version and vendor advisory inside.
CVE-2026-42192 improper neutralization of input during web page generation ('cross-site scripti in plunk. Runnable upgrade commands and veri
CVE-2026-42194 is a server-side request forgery (ssrf) in admidio. Patched version, runnable upgrade commands, and how to verify the fix lan
CVE-2026-42199 is an integer overflow or wraparound in grid. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-4220 is an unrestricted upload in Technologies Integrated Management Platform. CVSS 6.9 Medium. Patch commands, mitigations, and ver
CVE-2026-42202 is an improper authorization in nova-toggle-5. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-42206 insufficient verification of data authenticity in core-bundle-dev-app. Runnable upgrade commands and verification steps for s
CVE-2026-42207 is an open redirect in magento-lts. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-42209 is a divide by zero in FlashMQ. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-4221 is an unrestricted upload in Tiandy Easy7 Integrated Management Platform. CVSS 6.9 Medium. Patch commands, mitigations, and ver
CVE-2026-42213 improper limitation of a pathname to a restricted directory ('path traversal') in SolidCAM-GPPL-IDE. Runnable upgrade command
CVE-2026-42217 is an integer overflow or wraparound in openexr. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-4222: SSCMS download PathUtils.RemoveParentPath path traversal in SSCMS. Patch commands and verification.
CVE-2026-42220 exposure of sensitive information to an unauthorized actor in nginx-ui. Runnable upgrade commands and verification steps for
CVE-2026-42223 exposure of sensitive information to an unauthorized actor in nginx-ui. Runnable upgrade commands and verification steps for
CVE-2026-42227 is an authorization bypass through user-controlled key in n8n. Patched version, runnable upgrade commands, and how to verify t
CVE-2026-42228 is a missing authorization in n8n. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-42229 improper neutralization of special elements used in an sql command ('sql injecti in n8n. Runnable upgrade commands and verifi
CVE-2026-4223: itsourcecode Payroll Management System manage_employee.php sql injection in Payroll Management System. Patch commands and ver
CVE-2026-42230 url redirection to untrusted site ('open redirect') in n8n. Runnable upgrade commands and verification steps for sysadmins.
CVE-2026-42233 improper neutralization of special elements used in an sql command ('sql injecti in n8n. Runnable upgrade commands and verifi
CVE-2026-42237 improper neutralization of special elements used in an sql command ('sql injecti in n8n. Runnable upgrade commands and verifi
CVE-2026-4224: Stack overflow parsing XML with deeply nested DTD content models in CPython. Patch commands and verification.
CVE-2026-42241 memory allocation with excessive size value in ParquetSharp. Runnable upgrade commands and verification steps for sysadmins.
CVE-2026-4225: CMS Made Simple User Management listusers.php cross site scripting in CMS Made Simple. Patch commands and verification.
CVE-2026-42254 - CWE-706 Use of Incorrectly-Resolved Name or Reference in Hickory DNS. Runnable patch commands, mitigation, and verification
CVE-2026-42256 use of blocking code in single-threaded, non-blocking context in net-imap. Runnable upgrade commands and verification steps f
CVE-2026-42257 improper neutralization of crlf sequences ('crlf injection') in net-imap. Runnable upgrade commands and verification steps fo
CVE-2026-42258 improper neutralization of special elements used in a command ('command injectio in net-imap. Runnable upgrade commands and v
CVE-2026-42259 url redirection to untrusted site ('open redirect') in saltcorn. Runnable upgrade commands and verification steps for sysadmi
CVE-2026-42267 improper neutralization of formula elements in a csv file in kimai. Runnable upgrade commands and verification steps for sysa
CVE-2026-42276 is an authorization bypass through user-controlled key in onyx. Patched version, runnable upgrade commands, and how to verify
CVE-2026-42277 is an authorization bypass through user-controlled key in onyx. Patched version, runnable upgrade commands, and how to verify
CVE-2026-42279 authorization bypass through user-controlled key in solidtime. Runnable upgrade commands and verification steps for sysadmins
CVE-2026-4228: LB-LINK BL-WR9000 set_wifi sub_458754 command injection in BL-WR9000. Patch commands and verification.
CVE-2026-42282 insertion of sensitive information into log file in n8n-mcp. Runnable upgrade commands and verification steps for sysadmins.
CVE-2026-4229: vanna-ai vanna bigquery_vector.py remove_training_data sql injection in vanna. Patch commands and verification.
CVE-2026-42291 authorization bypass through user-controlled key in sysreptor. Runnable upgrade commands and verification steps for sysadmins
CVE-2026-4230: vanna-ai vanna Endpoint __init__.py update_sql sql injection in vanna. Patch commands and verification.
CVE-2026-42303 is an authentication bypass in fides. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-42307 improper neutralization of special elements used in an os command ('os command i in vim. Runnable upgrade commands and verifi
CVE-2026-42308 is a integer overflow or wraparound in Pillow. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-42309 is a heap-based buffer overflow in Pillow. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-4231: vanna-ai vanna Endpoint __init__.py run_sql server-side request forgery in vanna. Patch commands and verification.
CVE-2026-42310 loop with unreachable exit condition ('infinite loop') in Pillow. Runnable upgrade commands and verification steps for sysadm
CVE-2026-42312 is an improper certificate validation in pyload. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-42314 improper limitation of a pathname to a restricted directory ('path traversal') in pyload. Runnable upgrade commands and verif
CVE-2026-42316 improper neutralization of special elements in data query logic in kafka-sink-azure-kusto. Runnable upgrade commands and veri
CVE-2026-4232: Tiandy Integrated Management Platform getAuthorityByUserId sql injection in Integrated Management Platform. Patch commands an
CVE-2026-4233 is a thingsgateway download path traversal in the vendor ThingsGateway. CVSS 5.3 Medium. Patch commands, mitigations, and veri
CVE-2026-42333 exposure of sensitive information to an unauthorized actor in quarkus-openapi-generator. Runnable upgrade commands and verifi
CVE-2026-42338 is a cross-site scripting (XSS) in ip-address. Verified patched version, official vendor advisory, and how to confirm the fix
CVE-2026-4234: SSCMS DDL SitesAddController.Submit.cs sql injection in SSCMS. Patch commands and verification.
CVE-2026-42343 is an uncontrolled resource consumption in FastGPT. Patched version, runnable upgrade commands, and how to verify the fix land
CVE-2026-42344 time-of-check time-of-use (toctou) race condition in FastGPT. Runnable upgrade commands and verification steps for sysadmins.
CVE-2026-42346 is a server-side request forgery (ssrf) in postiz-app. Patched version, runnable upgrade commands, and how to verify the fix
CVE-2026-42348: an OS command injection in opentelemetry-dotnet-contrib. Patched version and vendor advisory inside.
CVE-2026-4235: itsourcecode Online Enrollment System login.php sql injection in Online Enrollment System. Patch commands and verification.
CVE-2026-42350 url redirection to untrusted site ('open redirect') in kargo. Runnable upgrade commands and verification steps for sysadmins.
CVE-2026-4236: itsourcecode Online Enrollment System index.php sql injection in Online Enrollment System. Patch commands and verification.
CVE-2026-42367 - insufficiently protected credentials in Gv-Lpc2011/Lpc2211. Runnable upgrade commands and verification steps for sysadmins.
CVE-2026-4237: itsourcecode Free Hotel Reservation System index.php sql injection in Free Hotel Reservation System. Patch commands and verif
CVE-2026-42371 - CWE-197 Numeric Truncation Error in uriparser. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-4238: itsourcecode College Management System courses.php sql injection in College Management System. Patch commands and verificatio
CVE-2026-4239: Lagom WHMCS Template Datatables prototype pollution in WHMCS Template. Patch commands and verification.
CVE-2026-42396 is a code injection in Authoritative. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4240 is an open5gs cca smf_s6b_sta_cb denial of service in the vendor Open5GS. CVSS 6.9 Medium. Patch commands, mitigations, and ver
CVE-2026-42404 - CWE-918 Server-Side Request Forgery (SSRF) in Apache Neethi. Runnable patch commands, mitigation, and verification on this
CVE-2026-42408 is an information disclosure in BIG-IP. Verified patched version, official vendor advisory, and how to confirm the fix landed
CVE-2026-4241: itsourcecode College Management System time-table.php sql injection in College Management System. Patch commands and verifica
CVE-2026-42410 - CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in TheGem Theme Elements (for E
CVE-2026-42412 - CWE-862 Missing Authorization in WP User Frontend. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-42420 - CWE-770: Allocation of Resources Without Limits or Throttling in OpenClaw. Runnable patch commands, mitigation, and verific
CVE-2026-42424 - CWE-73: External Control of File Name or Path in OpenClaw. Runnable patch commands, mitigation, and verification on this pa
CVE-2026-42427 - CWE-184: Incomplete List of Disallowed Inputs in OpenClaw. Runnable patch commands, mitigation, and verification on this pa
CVE-2026-42429 - CWE-863: Incorrect Authorization in OpenClaw. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-42430 - CWE-918 Server-Side Request Forgery (SSRF) in OpenClaw. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-42436 is a missing authorization in OpenClaw. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-42438 is an incorrect authorization in OpenClaw. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-42439 is a missing authorization in OpenClaw. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-42446 is an out-of-bounds read in NanaZip. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-42451 improper neutralization of input during web page generation ('cross-site scripti in grimmory. Runnable upgrade commands and v
CVE-2026-42456 exposure of sensitive information to an unauthorized actor in anything-llm. Runnable upgrade commands and verification steps
CVE-2026-42458 is a cross-site scripting (XSS) in magento-lts. Verified patched version, official vendor advisory, and how to confirm the fi
CVE-2026-42474 - n/a in n/a. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-42475 - n/a in n/a. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-42476 - n/a in n/a. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-42477 - n/a in n/a. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-42478 - n/a in n/a. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-42479 - n/a in n/a. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-42480 - n/a in n/a. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-42481 - n/a in n/a. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-42509 improper neutralization of input during web page generation ('cross-site scripti in Apache Wicket. Runnable upgrade commands
CVE-2026-42510 - CWE-829 Inclusion of Functionality from Untrusted Control Sphere in Ironic. Runnable patch commands, mitigation, and verifi
CVE-2026-42519 - Security Vulnerability in Jenkins Script Security Plugin. Runnable patch commands, mitigation, and verification on this pag
CVE-2026-42521 - Security Vulnerability in Jenkins Matrix Authorization Strategy Plugin. Runnable patch commands, mitigation, and verificati
CVE-2026-42522 - Security Vulnerability in Jenkins GitHub Branch Source Plugin. Runnable patch commands, mitigation, and verification on thi
CVE-2026-42525 - Security Vulnerability in Jenkins Microsoft Entra ID (previously Azure AD) Plugin. Runnable patch commands, mitigation, and
CVE-2026-4253: Tenda AC8 Web UploadCfg route_set_user_policy_rule os command injection in AC8. Patch commands and verification.
CVE-2026-42534 is a vulnerability in Unbound. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-42541 is a missing authorization in kubewarden-controller. Verified patched version, official vendor advisory, and how to confirm t
CVE-2026-42545 is a denial of service in granian. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-42549 is a path traversal in core. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-42554 improper neutralization of input during web page generation ('cross-site scripti in fiber. Runnable upgrade commands and veri
CVE-2026-42565 url redirection to untrusted site ('open redirect') in authkit-session. Runnable upgrade commands and verification steps for
CVE-2026-42572: an insecure direct object reference (IDOR) in hatchet. Patched version and vendor advisory inside.
CVE-2026-42576 is an incorrect type conversion or cast in apko. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-42580 is a vulnerability in netty. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-42581 is a vulnerability in netty. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-42585 is a vulnerability in netty. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-42586 is a vulnerability in netty. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-42592 is a race condition in gotenberg. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-42593 is a path traversal in gotenberg. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-42597 is an arbitrary file read in gotenberg. Verified patched version, official vendor advisory, and how to confirm the fix landed
CVE-2026-42598 is a path traversal in Pode. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-42600 improper limitation of a pathname to a restricted directory ('path traversal') in minio. Runnable upgrade commands and verifi
CVE-2026-42610 is an incorrect authorization in grav. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-4262 is an access control bypass in HiJiffy Chatbot. Verified patched version, official vendor advisory, and how to confirm the fix
CVE-2026-4263 is an access control bypass in HiJiffy Chatbot. Verified patched version, official vendor advisory, and how to confirm the fix
CVE-2026-42641 - Server-Side Request Forgery (SSRF) in Share This Image. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-42642 - Missing Authorization in GiveWP. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-42643 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Image Widget. Runnable patch comman
CVE-2026-42644 - Exposure of Sensitive System Information to an Unauthorized Control Sphere in BetterDocs. Runnable patch commands, mitigati
CVE-2026-42645 - Cross-Site Request Forgery (CSRF) in Barcode Scanner with Inventory & Order Manager. Runnable patch commands, mitigation, a
CVE-2026-42648 - Missing Authorization in Spectra. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-4265: Guest user can upload files without permission across teams in Mattermost. Patch commands and verification.
CVE-2026-4268: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in WP Go Maps (formerly WP Google
CVE-2026-4270 is an aws api mcp file access restriction bypass in AWS API MCP Server. CVSS 5.5 Medium. Patch commands, mitigations, and verif
CVE-2026-4271: Libsoup: libsoup: denial of service via use-after-free in http/2 server in Red Hat Enterprise Linux 10. Patch commands and ve
CVE-2026-4274 is an access control bypass in Mattermost. Verified patched version, official vendor advisory, and how to confirm the fix land
CVE-2026-4278 is a vulnerability in Simple Download Counter. Verified patched version, official vendor advisory, and how to confirm the fix
CVE-2026-42780 is a path traversal in BIG-IP. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-42781 is a denial of service in BIG-IP. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-42788 - CWE-770 Allocation of Resources Without Limits or Throttling in bandit. Runnable patch commands, mitigation, and verificati
CVE-2026-4279 - CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Bread & Butter: AI-Powered Le
CVE-2026-42798 - CWE-190 Integer Overflow or Wraparound in little cms color engine. Runnable patch commands, mitigation, and verification on
CVE-2026-4280 - CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Breaking News WP. Runnable patch co
CVE-2026-4281: a vulnerability in FormLift for Infusionsoft Web Forms. Patched version and vendor advisory inside.
CVE-2026-42827 is an OS command injection in Microsoft 365 Copilot. Verified patched version, official vendor advisory, and how to confirm t
CVE-2026-42830: a vulnerability in Azure Monitor Agent Metrics Extension. Patched version and vendor advisory inside.
CVE-2026-42838: a vulnerability in Microsoft Edge (Chromium-based). Patched version and vendor advisory inside.
CVE-2026-4284 is a server-side request forgery in Taoofagi easegen-admin. CVSS 5.1 Medium. Patch commands, mitigations, and verification.
CVE-2026-42841 improper neutralization of input during web page generation ('cross-site scripti in grav. Runnable upgrade commands and verif
CVE-2026-42842 improper neutralization of input during web page generation ('cross-site scripti in grav. Runnable upgrade commands and verif
CVE-2026-4285: taoofagi easegen-admin Pdf2MdUtil.java recognizeMarkdown path traversal in easegen-admin. Patch commands and verification.
CVE-2026-42857 improper neutralization of input during web page generation ('cross-site scripti in openedx-platform. Runnable upgrade comman
CVE-2026-42866 improper limitation of a pathname to a restricted directory ('path traversal') in tookie-osint. Runnable upgrade commands and
CVE-2026-4287 is a sql injection in Tiandy Easy7 Integrated Management Platform. CVSS 6.9 Medium. Patch commands, mitigations, and verificat
CVE-2026-42870 improper neutralization of input during web page generation ('cross-site scripti in WeGIA. Runnable upgrade commands and veri
CVE-2026-42871 exposure of sensitive information to an unauthorized actor in WeGIA. Runnable upgrade commands and verification steps for sys
CVE-2026-42872 improper neutralization of input during web page generation ('cross-site scripti in WeGIA. Runnable upgrade commands and veri
CVE-2026-42875 is an improper authorization in external-secrets. Patched version, runnable upgrade commands, and how to verify the fix landed
CVE-2026-42876 is an improper authorization in external-secrets. Patched version, runnable upgrade commands, and how to verify the fix landed
CVE-2026-4288 is a sql injection in Tiandy Easy7 Integrated Management Platform. CVSS 6.9 Medium. Patch commands, mitigations, and verificat
CVE-2026-42883 is an incorrect authorization in audiobookshelf. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-42884 is an incorrect authorization in audiobookshelf. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-42885 improper limitation of a pathname to a restricted directory ('path traversal') in audiobookshelf. Runnable upgrade commands a
CVE-2026-42886 improper handling of highly compressed data (data amplification) in audiobookshelf. Runnable upgrade commands and verificatio
CVE-2026-42887 improper neutralization of input during web page generation ('cross-site scripti in audiobookshelf. Runnable upgrade commands
CVE-2026-42888 improper limitation of a pathname to a restricted directory ('path traversal') in audiobookshelf. Runnable upgrade commands a
CVE-2026-4289: Tiandy Easy7 Integrated Management Platform getRecByTemplateId sql injection in Easy7 Integrated Management Platform. Patch c
CVE-2026-42891 is a vulnerability in Microsoft Edge for Android. Verified patched version, official vendor advisory, and how to confirm the
CVE-2026-42919 is a stack-based buffer overflow in BIG-IP. Verified patched version, official vendor advisory, and how to confirm the fix la
CVE-2026-42923 is a vulnerability in Unbound. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-42926 is a vulnerability in NGINX Open Source. Verified patched version, official vendor advisory, and how to confirm the fix lande
CVE-2026-4293 is a cross-site scripting (XSS) in DDC4002. Verified patched version, official vendor advisory, and how to confirm the fix lan
CVE-2026-42934 is an out-of-bounds read in NGINX Plus. Verified patched version, official vendor advisory, and how to confirm the fix landed
CVE-2026-42937 is an arbitrary file read in BIG-IP. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-42946 is an OS command injection in NGINX Plus. Verified patched version, official vendor advisory, and how to confirm the fix land
CVE-2026-42948 is a cross-site scripting (XSS) in WAB-BE187-M. Verified patched version, official vendor advisory, and how to confirm the fi
CVE-2026-42950 is a denial of service in WAB-BE187-M. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-42960 is a vulnerability in Unbound. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-42961 is a vulnerability in WAB-BE187-M. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4299 is a missing authorization in MainWP Child Reports. CVSS 5.3 Medium. Patch commands, mitigations, and verification.
CVE-2026-4300: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Robo Gallery – Photo & Image Slider.
CVE-2026-43002 is an incorrect behavior order in Horizon. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-4301 missing authorization in Rate Star Review Vote – AJAX Reviews, Votes, Star Ratings. Runnable upgrade commands and verification
CVE-2026-4303: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in WP Visitor Statistics (Real Time Traf
CVE-2026-4305 is a cross-site scripting in Royal WordPress Backup, Restore & Migration Plugin – Backup WordPress Sites Safely. This page lis
CVE-2026-4307: frdel/agent0ai agent-zero files.py get_abs_path path traversal in agent-zero. Patch commands and verification.
CVE-2026-4308 is a server-side request forgery in Frdel agent-zero. CVSS 5.3 Medium. Patch commands, mitigations, and verification.
CVE-2026-4309 is a vulnerability in Aterm W1200EX(-MS). Verified patched version, official vendor advisory, and how to confirm the fix lande
CVE-2026-4319: code-projects Simple Food Order System add-item.php sql injection in Simple Food Order System. Patch commands and verificatio
CVE-2026-4324: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Red Hat Satellite 6.17 for RHEL 9. Pa
CVE-2026-4325: bundle sibling of CVE-2026-3872. Same patched build closes both.
CVE-2026-4330: Authorization Bypass Through User-Controlled Key in Blog2Social: Social Media Auto Post & Scheduler. Patch commands and verif
CVE-2026-4331: a vulnerability in Blog2Social: Social Media Auto Post & Sc. Patched version and vendor advisory inside.
CVE-2026-4332: bundle sibling of CVE-2026-1092. Same patched build closes both.
CVE-2026-4333: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in LearnPress – WordPress LMS Plugin for
CVE-2026-4335: a vulnerability in ShortPixel Image Optimizer – Optimize Im. Patched version and vendor advisory inside.
CVE-2026-4336 is a cross-site scripting in Ultimate FAQ Accordion Plugin. This page lists verified fix commands and short-term mitigations y
CVE-2026-4341: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Prime Slider – Addons for Elementor.
CVE-2026-4346 is a vulnerability in TL-WR850N v3. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4349: Duende IdentityServer4 Token Renewal Endpoint authorize improper authentication in IdentityServer4. Patch commands and verifi
CVE-2026-43504 - CWE-863 Incorrect Authorization in Prosody. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-43505 - CWE-420 Unprotected Alternate Channel in Prosody. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-43506 - CWE-401 Missing Release of Memory after Effective Lifetime in Prosody. Runnable patch commands, mitigation, and verificatio
CVE-2026-43507 - CWE-770 Allocation of Resources Without Limits or Throttling in Prosody. Runnable patch commands, mitigation, and verificat
CVE-2026-43527 is a server-side request forgery (ssrf) in OpenClaw. Patched version, runnable upgrade commands, and how to verify the fix la
CVE-2026-4353 - CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in CI HUB Connector. Runnable pa
CVE-2026-43532 is an incomplete list of disallowed inputs in OpenClaw. Patched version, runnable upgrade commands, and how to verify the fix
CVE-2026-4354: TRENDnet TEW-824DRU Web apply_sec.cgi sub_420A78 cross site scripting in TEW-824DRU. Patch commands and verification.
CVE-2026-4355: Portabilis i-Educar Endpoint educar_servidor_curso_lst.php cross site scripting in i-Educar. Patch commands and verification.
CVE-2026-4356: itsourcecode University Management System add_result.php cross site scripting in University Management System. Patch commands
CVE-2026-43570 is a unix symbolic link (symlink) following in OpenClaw. Patched version, runnable upgrade commands, and how to verify the fi
CVE-2026-43572 is a missing authorization in OpenClaw. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-43573 is a missing authorization in OpenClaw. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-43574 is a permissive list of allowed inputs in OpenClaw. Patched version, runnable upgrade commands, and how to verify the fix lan
CVE-2026-43576 url redirection to untrusted site ('open redirect') in OpenClaw. Runnable upgrade commands and verification steps for sysadmi
CVE-2026-43579 is a missing authorization in OpenClaw. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-4358: Memory safety issues in slot-based execution hash table spill in MongoDB Server. Patch commands and verification.
CVE-2026-43580 is a missing authorization in OpenClaw. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-43582 time-of-check time-of-use (toctou) race condition in OpenClaw. Runnable upgrade commands and verification steps for sysadmins
CVE-2026-43583 is a missing authorization in OpenClaw. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-43616 is a relative path traversal in DIE-engine. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-43617 is a vulnerability in rsync. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-43618 is a vulnerability in rsync. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4362 missing authorization in ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor. Runnable upgrade co
CVE-2026-43620 is an out-of-bounds read in rsync. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-43638 is a missing authorization in server. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-4364: bundle sibling of CVE-2026-1342. Same patched build closes both.
CVE-2026-43644 is a cross-site scripting (XSS) in podinfo. Verified patched version, official vendor advisory, and how to confirm the fix la
CVE-2026-43653 is an uncontrolled resource consumption in iOS and iPadOS. Patched version, runnable upgrade commands, and how to verify the f
CVE-2026-43659 concurrent execution using shared resource with improper synchronization ('race in iOS and iPadOS. Runnable upgrade commands
CVE-2026-4366 is a server-side request forgery (ssrf) in Red Hat Build of Keycloak. CVSS 5.8 Medium. Patch commands, mitigations, and verifi
CVE-2026-43666 is an out-of-bounds write in iOS and iPadOS. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-4379: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in LightPress Lightbox. Patch commands a
CVE-2026-43826 insertion of sensitive information into log file in Apache Airflow Providers OpenSearch. Runnable upgrade commands and verifi
CVE-2026-43868 memory allocation with excessive size value in Apache Thrift. Runnable upgrade commands and verification steps for sysadmins.
CVE-2026-43875 use of get request method with sensitive query strings in AVideo. Runnable upgrade commands and verification steps for sysadm
CVE-2026-43876 improper neutralization of input during web page generation ('cross-site scripti in AVideo. Runnable upgrade commands and ver
CVE-2026-43877 is a cross-site request forgery (csrf) in AVideo. Patched version, runnable upgrade commands, and how to verify the fix lande
CVE-2026-43878 improper neutralization of input during web page generation ('cross-site scripti in AVideo. Runnable upgrade commands and ver
CVE-2026-43879 is a server-side request forgery (ssrf) in AVideo. Patched version, runnable upgrade commands, and how to verify the fix land
CVE-2026-43880 improper verification of source of a communication channel in AVideo. Runnable upgrade commands and verification steps for sy
CVE-2026-43881 is a missing authentication for critical function in AVideo. Patched version, runnable upgrade commands, and how to verify th
CVE-2026-43882 improper neutralization of crlf sequences ('crlf injection') in AVideo. Runnable upgrade commands and verification steps for
CVE-2026-43883 authorization bypass through user-controlled key in AVideo. Runnable upgrade commands and verification steps for sysadmins.
CVE-2026-43889 is an incorrect authorization in outline. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-4389: a vulnerability in DSGVO snippet for Leaflet Map and its Ex. Patched version and vendor advisory inside.
CVE-2026-43894 is an integer overflow or wraparound in jq. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-43895 is an improper input validation in jq. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-43896 is an uncontrolled recursion in jq. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-43901 improper limitation of a pathname to a restricted directory ('path traversal') in Wireshark-MCP. Runnable upgrade commands an
CVE-2026-43911 is a insufficient session expiration in vaultwarden. Patched version, runnable upgrade commands, and how to verify the fix la
CVE-2026-4394: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Gravity Forms. Patch commands and ver
CVE-2026-43942 exposure of sensitive information to an unauthorized actor in electerm. Runnable upgrade commands and verification steps for
CVE-2026-43968 improper neutralization of crlf sequences ('crlf injection') in cowlib. Runnable upgrade commands and verification steps for
CVE-2026-43975 improper limitation of a pathname to a restricted directory ('path traversal') in Apache Wicket. Runnable upgrade commands an
CVE-2026-43995 is a server-side request forgery (ssrf) in Flowise. Patched version, runnable upgrade commands, and how to verify the fix lan
CVE-2026-43996 is an out-of-bounds read in OpenImageIO. Verified patched version, official vendor advisory, and how to confirm the fix lande
CVE-2026-44000 is an authentication bypass in vm2. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-44002 is a vulnerability in vm2. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-44003 is an authentication bypass in vm2. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4401 is a cross-site request forgery (csrf) in Wpchill Download Monitor. CVSS 5.4 Medium. Patch commands, mitigations, and verifica
CVE-2026-44029 is an absolute path traversal in Nix. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-44054 is a vulnerability in Netatalk. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-44056 is a stack-based buffer overflow in Netatalk. Verified patched version, official vendor advisory, and how to confirm the fix
CVE-2026-44058 is an authentication bypass in Netatalk. Verified patched version, official vendor advisory, and how to confirm the fix lande
CVE-2026-4406: Gravity Forms <= 2.9.30 - Reflected Cross-Site Scripting via 'form_ids' Parameter in Gravity Forms. Patch commands and verifi
CVE-2026-44061 is a vulnerability in Netatalk. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-44063 is a vulnerability in Netatalk. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-44073 is an arbitrary file read in Netatalk. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-44076 is an OS command injection in Netatalk. Verified patched version, official vendor advisory, and how to confirm the fix landed
CVE-2026-4409 exposure of sensitive information to an unauthorized actor in Subscribe To Comments Reloaded. Runnable upgrade commands and ve
CVE-2026-44116 is a server-side request forgery (ssrf) in OpenClaw. Patched version, runnable upgrade commands, and how to verify the fix la
CVE-2026-44117 is a server-side request forgery (ssrf) in OpenClaw. Patched version, runnable upgrade commands, and how to verify the fix la
CVE-2026-44166 is an authentication bypass in pocketbase. Verified patched version, official vendor advisory, and how to confirm the fix lan
CVE-2026-44195 is a vulnerability in core. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-44197 improper handling of insufficient permissions or privileges in wagtail. Runnable upgrade commands and verification steps for
CVE-2026-44198 improper handling of insufficient permissions or privileges in wagtail. Runnable upgrade commands and verification steps for
CVE-2026-44199 improper handling of insufficient permissions or privileges in wagtail. Runnable upgrade commands and verification steps for
CVE-2026-4420 is a stored xss via page creating functionality in bludit in Bludit. CVSS 5.1 Medium. Patch commands, mitigations, and verific
CVE-2026-44200 improper handling of insufficient permissions or privileges in wagtail. Runnable upgrade commands and verification steps for
CVE-2026-44201 improper handling of insufficient permissions or privileges in wagtail. Runnable upgrade commands and verification steps for
CVE-2026-44204 is an improper input validation in shelf.nu. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-44215 is an out-of-bounds write in NanaZip. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-44216 is a denial of service in wasmtime. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-44217 improper neutralization of crlf sequences ('crlf injection') in sse-channel. Runnable upgrade commands and verification steps
CVE-2026-44222 is an improper validation of array index in vllm. Patched version, runnable upgrade commands, and how to verify the fix landed
CVE-2026-44223 is an incorrect calculation of buffer size in vllm. Patched version, runnable upgrade commands, and how to verify the fix land
CVE-2026-44226 generation of error message containing sensitive information in pyload. Runnable upgrade commands and verification steps for
CVE-2026-44245 improper neutralization of input during web page generation ('cross-site scripti in kyverno. Runnable upgrade commands and ve
CVE-2026-44248 is a vulnerability in netty. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-44259 improper neutralization of script-related html tags in a web page (basic xss) in efw4.X. Runnable upgrade commands and verifi
CVE-2026-4426: Libarchive: libarchive: denial of service via malformed iso file processing in Red Hat Hardened Images. Patch commands and ve
CVE-2026-44263 is an observable discrepancy in weblate. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-44264 improper neutralization of script-related html tags in a web page (basic xss) in weblate. Runnable upgrade commands and verif
CVE-2026-44279 is an improper access control in FortiTokenAndroid. Patched version, runnable upgrade commands, and how to verify the fix land
CVE-2026-44284 is a server-side request forgery (ssrf) in FastGPT. Patched version, runnable upgrade commands, and how to verify the fix lan
CVE-2026-44288 is a vulnerability in protobuf.js. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4429 is a cross-site scripting in OSM – OpenStreetMap. This page lists verified fix commands and short-term mitigations you can run
CVE-2026-44292 is a vulnerability in protobuf.js. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-44294 is an improper input validation in protobuf.js. Verified patched version, official vendor advisory, and how to confirm the fi
CVE-2026-44298 improper limitation of a pathname to a restricted directory ('path traversal') in kimai. Runnable upgrade commands and verifi
CVE-2026-4430 is an out-of-bounds write in LibreOffice. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-44301 improper limitation of a pathname to a restricted directory ('path traversal') in hugo. Runnable upgrade commands and verific
CVE-2026-44305 is an improper certificate validation in lemur. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-44306 is an observable response discrepancy in cms. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-44308 is a vulnerability in spring-cloud-aws. Verified patched version, official vendor advisory, and how to confirm the fix landed
CVE-2026-44309 is an authentication bypass in gitsign. Verified patched version, official vendor advisory, and how to confirm the fix landed
CVE-2026-44310 is a vulnerability in gitsign. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-44312 is a local privilege escalation in css_parser. Verified patched version, official vendor advisory, and how to confirm the fix
CVE-2026-4432 is a missing authorization in YITH WooCommerce Wishlist. This page lists verified fix commands and short-term mitigations you
CVE-2026-44337 is an improper input validation in PraisonAI. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-44341 is an improper access control in gojobs. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-44347 is a cross-site request forgery (csrf) in warpgate. Patched version, runnable upgrade commands, and how to verify the fix lan
CVE-2026-44352 is an improper access control in flowsint. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-44363 is an authentication bypass in misp-modules. Verified patched version, official vendor advisory, and how to confirm the fix l
CVE-2026-44366 is a cross-site scripting (XSS) in Vvveb. Verified patched version, official vendor advisory, and how to confirm the fix land
CVE-2026-44368 is a vulnerability in pyquorum. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-44371 is a cross-site scripting (XSS) in ondemand. Verified patched version, official vendor advisory, and how to confirm the fix l
CVE-2026-44372 is an open redirect in nitro. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-44373 is a path traversal in nitro. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-44374: an access control bypass in plugin-catalog-backend-module-unprocesse. Patched version and vendor advisory inside.
CVE-2026-44376 is a cross-site scripting (XSS) in v6. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-44379 is an improper input validation in MISP. Verified patched version, official vendor advisory, and how to confirm the fix lande
CVE-2026-4438: gethostbyaddr and gethostbyaddr_r return invalid DNS hostnames in glibc. Patch commands and verification.
CVE-2026-44390 is a vulnerability in Unbound. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-44392 is a missing authorization in Movable Type. Verified patched version, official vendor advisory, and how to confirm the fix la
CVE-2026-44406 is an uncontrolled search path element in ZXCLOUD iRAI. Patched version, runnable upgrade commands, and how to verify the fix
CVE-2026-44407 use of externally-controlled format string in ZXCLOUD iRAI. Runnable upgrade commands and verification steps for sysadmins.
CVE-2026-44408 is an information disclosure in MU5250. Verified patched version, official vendor advisory, and how to confirm the fix landed
CVE-2026-44409 is an information disclosure in MU5250. Verified patched version, official vendor advisory, and how to confirm the fix landed
CVE-2026-44423: an insecure direct object reference (IDOR) in shellhub. Patched version and vendor advisory inside.
CVE-2026-44424: an insecure direct object reference (IDOR) in shellhub. Patched version and vendor advisory inside.
CVE-2026-44425 is an improper input validation in shellhub. Verified patched version, official vendor advisory, and how to confirm the fix l
CVE-2026-44426: an insecure direct object reference (IDOR) in shellhub. Patched version and vendor advisory inside.
CVE-2026-44429 is a cross-site scripting (XSS) in registry. Verified patched version, official vendor advisory, and how to confirm the fix l
CVE-2026-44430 is a server-side request forgery (SSRF) in registry. Verified patched version, official vendor advisory, and how to confirm t
CVE-2026-44437 is a path traversal in angular-cli. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-44439: a server-side request forgery (SSRF) in PlaywrightCapture. Patched version and vendor advisory inside.
CVE-2026-44440 is a path traversal in erpnext. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-44441 is a server-side request forgery (SSRF) in erpnext. Verified patched version, official vendor advisory, and how to confirm th
CVE-2026-44445 is an XML external entity (XXE) in erpnext. Verified patched version, official vendor advisory, and how to confirm the fix lan
CVE-2026-44448 is a missing authorization in erpnext. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-44455 is a vulnerability in hono. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-44456 is a vulnerability in hono. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-44457 is a vulnerability in hono. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-44458 is a vulnerability in hono. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-44479 is an information disclosure in vercel. Verified patched version, official vendor advisory, and how to confirm the fix landed
CVE-2026-44500 allocation of resources without limits or throttling in zebra. Runnable upgrade commands and verification steps for sysadmins
CVE-2026-44501 is an unsafe deserialization in datahub. Verified patched version, official vendor advisory, and how to confirm the fix lande
CVE-2026-44514 is a vulnerability in kubetail. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-44520 is an open redirect in docling-graph. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4453 is an integer overflow in Google Chrome. CVSS 4.3 Medium. Patch commands, mitigations, and verification.
CVE-2026-44544: an insecure direct object reference (IDOR) in gittuf. Patched version and vendor advisory inside.
CVE-2026-44550 is a missing authorization in open-webui. Verified patched version, official vendor advisory, and how to confirm the fix land
CVE-2026-44557 is an access control bypass in open-webui. Verified patched version, official vendor advisory, and how to confirm the fix lan
CVE-2026-44558 is a missing authorization in open-webui. Verified patched version, official vendor advisory, and how to confirm the fix land
CVE-2026-44559 is a missing authorization in open-webui. Verified patched version, official vendor advisory, and how to confirm the fix land
CVE-2026-44560 is a missing authorization in open-webui. Verified patched version, official vendor advisory, and how to confirm the fix land
CVE-2026-44561 is an access control bypass in open-webui. Verified patched version, official vendor advisory, and how to confirm the fix lan
CVE-2026-44562 is a missing authorization in open-webui. Verified patched version, official vendor advisory, and how to confirm the fix land
CVE-2026-44563 is a missing authorization in open-webui. Verified patched version, official vendor advisory, and how to confirm the fix land
CVE-2026-44564 is an access control bypass in open-webui. Verified patched version, official vendor advisory, and how to confirm the fix lan
CVE-2026-44568 is a cross-site scripting (XSS) in open-webui. Verified patched version, official vendor advisory, and how to confirm the fix
CVE-2026-44571 is a missing authorization in open-webui. Verified patched version, official vendor advisory, and how to confirm the fix land
CVE-2026-44576 is an interpretation conflict in next.js. Verified patched version, official vendor advisory, and how to confirm the fix land
CVE-2026-44577 is a denial of service in next.js. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-44580 is a cross-site scripting (XSS) in next.js. Verified patched version, official vendor advisory, and how to confirm the fix la
CVE-2026-44581 is a cross-site scripting (XSS) in next.js. Verified patched version, official vendor advisory, and how to confirm the fix la
CVE-2026-44608 is a vulnerability in Unbound. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4465 is a d-link dir-513 formsyscmd os command injection in D-link DIR-513. CVSS 5.3 Medium. Patch commands, mitigations, and verif
CVE-2026-44656 improper neutralization of special elements used in an os command ('os command i in vim. Runnable upgrade commands and verifi
CVE-2026-44659 user interface (ui) misrepresentation of critical information in desktop. Runnable upgrade commands and verification steps fo
CVE-2026-4466 is a comfast cf-ac100 mbox-config command injection in Comfast CF-AC100. CVSS 5.1 Medium. Patch commands, mitigations, and ver
CVE-2026-44661: a server-side request forgery (SSRF) in python-utcp. Patched version and vendor advisory inside.
CVE-2026-44662 is a path traversal in rust-openssl. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-44664 is a vulnerability in fast-xml-builder. Verified patched version, official vendor advisory, and how to confirm the fix landed
CVE-2026-44665 is a vulnerability in fast-xml-builder. Verified patched version, official vendor advisory, and how to confirm the fix landed
CVE-2026-4467 is a comfast cf-ac100 mbox-config command injection in Comfast CF-AC100. CVSS 5.1 Medium. Patch commands, mitigations, and ver
CVE-2026-44679 is a denial of service in tuist. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4468 is a comfast cf-ac100 mbox-config command injection in Comfast CF-AC100. CVSS 5.1 Medium. Patch commands, mitigations, and ver
CVE-2026-4469 is a sql injection in Itsourcecode Online Frozen Foods Ordering System. CVSS 5.1 Medium. Patch commands, mitigations, and veri
CVE-2026-44695 is a cross-site request forgery (csrf) in outline. Patched version, runnable upgrade commands, and how to verify the fix land
CVE-2026-4470 is a sql injection in Itsourcecode Online Frozen Foods Ordering System. CVSS 5.1 Medium. Patch commands, mitigations, and veri
CVE-2026-4471 is a sql injection in Itsourcecode Online Frozen Foods Ordering System. CVSS 5.1 Medium. Patch commands, mitigations, and veri
CVE-2026-44718: an insecure direct object reference (IDOR) in mathesar. Patched version and vendor advisory inside.
CVE-2026-44719 is a missing authorization in mathesar. Verified patched version, official vendor advisory, and how to confirm the fix landed
CVE-2026-4472 is a sql injection in Itsourcecode Online Frozen Foods Ordering System. CVSS 5.3 Medium. Patch commands, mitigations, and veri
CVE-2026-4473 is a sql injection in Itsourcecode Online Doctor Appointment System. CVSS 5.1 Medium. Patch commands, mitigations, and verific
CVE-2026-44737 improper neutralization of input during web page generation ('cross-site scripti in grav-plugin-admin. Runnable upgrade comma
CVE-2026-4474 is a cross site scripting in Itsourcecode University Management System. CVSS 4.8 Medium. Patch commands, mitigations, and veri
CVE-2026-4476: Yi Technology YI Home Camera CGI Endpoint ipc missing authentication in YI Home Camera. Patch commands and verification.
CVE-2026-44774 is an access control bypass in traefik. Verified patched version, official vendor advisory, and how to confirm the fix landed
CVE-2026-44777 is an uncontrolled recursion in jq. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-4479 is a cross-site scripting in WholeSale Products Dynamic Pricing Management WooCommerce. This page lists verified fix commands
CVE-2026-4482 is an incorrect permission assignment in Insight Agent. This page lists verified fix commands and short-term mitigations you c
CVE-2026-4485: itsourcecode College Management System search_student.php sql injection in College Management System. Patch commands and veri
CVE-2026-44873 insufficient session expiration in HPE Aruba Networking Wireless Operating System (AOS). Runnable upgrade commands and verifi
CVE-2026-44874 improper access control in HPE Aruba Networking Wireless Operating System (AOS). Runnable upgrade commands and verification s
CVE-2026-44919 is a vulnerability in Ironic. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-44931 is a denial of service in malcontent. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4494: atjiu pybbs TopicApiController.java create cross site scripting in pybbs. Patch commands and verification.
CVE-2026-4495: atjiu pybbs CommentApiController.java create cross site scripting in pybbs. Patch commands and verification.
CVE-2026-4496: sigmade Git-MCP-Server gitUtils.ts child_process.exec os command injection in Git-MCP-Server. Patch commands and verification
CVE-2026-4497: Totolink WA300 cstecgi.cgi recvUpgradeNewFw os command injection in WA300. Patch commands and verification.
CVE-2026-4499: D-Link DIR-820LW SSDP ssdpcgi_main os command injection in DIR-820LW. Patch commands and verification.
CVE-2026-44992 unintended proxy or intermediary ('confused deputy') in OpenClaw. Runnable upgrade commands and verification steps for sysadm
CVE-2026-44994 is a missing authorization in OpenClaw. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-44995 inclusion of functionality from untrusted control sphere in OpenClaw. Runnable upgrade commands and verification steps for sy
CVE-2026-44996 improper limitation of a pathname to a restricted directory ('path traversal') in OpenClaw. Runnable upgrade commands and ver
CVE-2026-44999 insufficient verification of data authenticity in OpenClaw. Runnable upgrade commands and verification steps for sysadmins.
CVE-2026-4500: bagofwords1 bagofwords code_execution.py generate_df injection in bagofwords. Patch commands and verification.
CVE-2026-45001 is a missing authorization in OpenClaw. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-45002 is an incorrect authorization in OpenClaw. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-45003 unintended proxy or intermediary ('confused deputy') in OpenClaw. Runnable upgrade commands and verification steps for sysadm
CVE-2026-45005 operation on a resource after expiration or release in OpenClaw. Runnable upgrade commands and verification steps for sysadmi
CVE-2026-45007 is a missing authorization in phpmyfaq. Verified patched version, official vendor advisory, and how to confirm the fix landed
CVE-2026-45008 is a path traversal in phpmyfaq. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-45009 is an access control bypass in phpmyfaq. Verified patched version, official vendor advisory, and how to confirm the fix lande
CVE-2026-4502 - CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Langflow Desktop. Runnable patch co
CVE-2026-45025 improper neutralization of input during web page generation ('cross-site scripti in WeGIA. Runnable upgrade commands and veri
CVE-2026-45026 improper neutralization of input during web page generation ('cross-site scripti in WeGIA. Runnable upgrade commands and veri
CVE-2026-4504: eosphoros-ai db-gpt Incomplete Fix editor sql injection in db-gpt. Patch commands and verification.
CVE-2026-4505 is an unrestricted upload in Eosphoros-ai DB-GPT. CVSS 5.3 Medium. Patch commands, mitigations, and verification.
CVE-2026-45054 is a SQL injection in v6. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4506: Mindinventory MindSQL mindsql_core.py ask_db code injection in MindSQL. Patch commands and verification.
CVE-2026-4507: Mindinventory MindSQL mindsql_core.py ask_db sql injection in MindSQL. Patch commands and verification.
CVE-2026-4508: PbootCMS Member Login MemberController.php checkUsername sql injection in PbootCMS. Patch commands and verification.
CVE-2026-4509 is a vulnerability in PbootCMS. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4510 is a vulnerability in PbootCMS. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4511 is a vulnerability in vanna. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4513 is a SQL injection in vanna. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-45130 is a heap-based buffer overflow in vim. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-4514 is an access control bypass in PbootCMS. Verified patched version, official vendor advisory, and how to confirm the fix landed
CVE-2026-45147 is an access control bypass in siyuan. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-45148 is an access control bypass in siyuan. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4515 is a code injection in MetaGPT. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4516 is a vulnerability in MetaGPT. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-45179 cleartext transmission of sensitive information in Plack::Middleware::Statsd. Runnable upgrade commands and verification step
CVE-2026-45181 improper neutralization of argument delimiters in a command ('argument injection in IDA. Runnable upgrade commands and verifi
CVE-2026-45184 inclusion of functionality from untrusted control sphere in Kdenlive. Runnable upgrade commands and verification steps for sy
CVE-2026-45190 improper validation of unsafe equivalence in input in Net::CIDR::Lite. Runnable upgrade commands and verification steps for s
CVE-2026-45191 improper validation of unsafe equivalence in input in Net::CIDR::Lite. Runnable upgrade commands and verification steps for s
CVE-2026-45210 is a missing authorization in Broadstreet Ads. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-45212 missing authorization in Asset CleanUp: Page Speed Booster. Runnable upgrade commands and verification steps for sysadmins.
CVE-2026-45215 insertion of sensitive information into sent data in WP EasyPay. Runnable upgrade commands and verification steps for sysadmi
CVE-2026-45222 incorrect permission assignment for critical resource in summarize. Runnable upgrade commands and verification steps for sysa
CVE-2026-45224 improper limitation of a pathname to a restricted directory ('path traversal') in crabbox. Runnable upgrade commands and veri
CVE-2026-45228 is a cross-site scripting (XSS) in quark-auto-save. Verified patched version, official vendor advisory, and how to confirm th
CVE-2026-45231 is a cross-site scripting (XSS) in DumbAssets. Verified patched version, official vendor advisory, and how to confirm the fix
CVE-2026-4524 is an authentication bypass in GitLab. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-45243 is a missing authorization in summarize. Verified patched version, official vendor advisory, and how to confirm the fix lande
CVE-2026-45245 is a server-side request forgery (SSRF) in summarize. Verified patched version, official vendor advisory, and how to confirm
CVE-2026-45246 is an arbitrary file read in summarize. Verified patched version, official vendor advisory, and how to confirm the fix landed
CVE-2026-45248 is an authentication bypass in guardian. Verified patched version, official vendor advisory, and how to confirm the fix lande
CVE-2026-4527 is a cross-site request forgery (CSRF) in GitLab. Verified patched version, official vendor advisory, and how to confirm the f
CVE-2026-4528 is a vulnerability in ApiFlow. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-45299 is a cross-site scripting (XSS) in open-webui. Verified patched version, official vendor advisory, and how to confirm the fix
CVE-2026-4530 is a SQL injection in Aix-DB. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4531 is a vulnerability in Free5GC. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-45317 is an improper input validation in open-webui. Verified patched version, official vendor advisory, and how to confirm the fix
CVE-2026-45318 is a cross-site scripting (XSS) in open-webui. Verified patched version, official vendor advisory, and how to confirm the fix
CVE-2026-4532 is a vulnerability in Simple Food Ordering System. Verified patched version, official vendor advisory, and how to confirm the
CVE-2026-4533 is a SQL injection in Simple Food Ordering System. Verified patched version, official vendor advisory, and how to confirm the
CVE-2026-45339 is an access control bypass in open-webui. Verified patched version, official vendor advisory, and how to confirm the fix lan
CVE-2026-45345 is an access control bypass in open-webui. Verified patched version, official vendor advisory, and how to confirm the fix lan
CVE-2026-45346 is a cross-site scripting (XSS) in open-webui. Verified patched version, official vendor advisory, and how to confirm the fix
CVE-2026-45347: a server-side request forgery (SSRF) in open-webui. Patched version and vendor advisory inside.
CVE-2026-45351 is an information disclosure in open-webui. Verified patched version, official vendor advisory, and how to confirm the fix la
CVE-2026-4536: an unrestricted file upload in Environmental Monitoring Cloud Platform. Patched version and vendor advisory inside.
CVE-2026-45365 is an access control bypass in open-webui. Verified patched version, official vendor advisory, and how to confirm the fix lan
CVE-2026-4537 is an OS command injection in TR1200. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4538 is an unsafe deserialization in PyTorch. Verified patched version, official vendor advisory, and how to confirm the fix landed
CVE-2026-45385: an insecure direct object reference (IDOR) in open-webui. Patched version and vendor advisory inside.
CVE-2026-45386: an insecure direct object reference (IDOR) in open-webui. Patched version and vendor advisory inside.
CVE-2026-45387 is an information disclosure in open-webui. Verified patched version, official vendor advisory, and how to confirm the fix la
CVE-2026-4539 is a vulnerability in pygments. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-45396 is a vulnerability in open-webui. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-45397 is an authentication bypass in open-webui. Verified patched version, official vendor advisory, and how to confirm the fix lan
CVE-2026-4540 is a SQL injection in Online Notes Sharing System. Verified patched version, official vendor advisory, and how to confirm the
CVE-2026-4542 is a path traversal in SSCMS. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4543 is an OS command injection in WL-WN578W2. Verified patched version, official vendor advisory, and how to confirm the fix lande
CVE-2026-4544 is a vulnerability in WL-WN578W2. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-45442 is a missing authorization in Presto Player. Verified patched version, official vendor advisory, and how to confirm the fix l
CVE-2026-45443: a missing authorization in PDF for Elementor Forms + Drag And Drop. Patched version and vendor advisory inside.
CVE-2026-45448 is an open redirect in ntopng. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4547 is a vulnerability in next-saas-stripe-starter. Verified patched version, official vendor advisory, and how to confirm the fix
CVE-2026-4548: an access control bypass in next-saas-stripe-starter. Patched version and vendor advisory inside.
CVE-2026-45492: an improper input validation in Microsoft Edge (Chromium-based). Patched version and vendor advisory inside.
CVE-2026-45494: a cross-site scripting (XSS) in Microsoft Edge (Chromium-based). Patched version and vendor advisory inside.
CVE-2026-4550 is a SQL injection in Simple Gym Management System. Verified patched version, official vendor advisory, and how to confirm the
CVE-2026-4554 is an OS command injection in F453. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-45557 is a vulnerability in DNS Server. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4557 is a vulnerability in Exam Form Submission. Verified patched version, official vendor advisory, and how to confirm the fix lan
CVE-2026-45585: an OS command injection in Windows 11 Version 24H2. Patched version and vendor advisory inside.
CVE-2026-45616 is a cross-site scripting (XSS) in Vvveb. Verified patched version, official vendor advisory, and how to confirm the fix land
CVE-2026-4562 is an authentication bypass in MacCMS. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-45622 is a cross-site scripting (XSS) in Vvveb. Verified patched version, official vendor advisory, and how to confirm the fix land
CVE-2026-4563 is a vulnerability in MacCMS. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4564 is a code injection in RuoYi. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-45666: an insecure direct object reference (IDOR) in open-webui. Patched version and vendor advisory inside.
CVE-2026-45667 is a missing authorization in open-webui. Verified patched version, official vendor advisory, and how to confirm the fix land
CVE-2026-4568 is a SQL injection in Sales and Inventory System. Verified patched version, official vendor advisory, and how to confirm the f
CVE-2026-4569 is a SQL injection in Sales and Inventory System. Verified patched version, official vendor advisory, and how to confirm the f
CVE-2026-4570 is a SQL injection in Sales and Inventory System. Verified patched version, official vendor advisory, and how to confirm the f
CVE-2026-4571 is a SQL injection in Sales and Inventory System. Verified patched version, official vendor advisory, and how to confirm the f
CVE-2026-4572 is a SQL injection in Sales and Inventory System. Verified patched version, official vendor advisory, and how to confirm the f
CVE-2026-4573 is a SQL injection in Simple E-learning System. Verified patched version, official vendor advisory, and how to confirm the fix
CVE-2026-45736 is a vulnerability in ws. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4574 is a SQL injection in Simple E-learning System. Verified patched version, official vendor advisory, and how to confirm the fix
CVE-2026-45740 is a vulnerability in protobuf.js. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4575 is a vulnerability in Exam Form Submission. Verified patched version, official vendor advisory, and how to confirm the fix lan
CVE-2026-4576 is a vulnerability in Exam Form Submission. Verified patched version, official vendor advisory, and how to confirm the fix lan
CVE-2026-4577 is a vulnerability in Exam Form Submission. Verified patched version, official vendor advisory, and how to confirm the fix lan
CVE-2026-45773 is a cross-site request forgery (CSRF) in turborepo. Verified patched version, official vendor advisory, and how to confirm t
CVE-2026-4578 is a vulnerability in Exam Form Submission. Verified patched version, official vendor advisory, and how to confirm the fix lan
CVE-2026-4579 is a SQL injection in Simple Laundry System. Verified patched version, official vendor advisory, and how to confirm the fix la
CVE-2026-4580 is a SQL injection in Simple Laundry System. Verified patched version, official vendor advisory, and how to confirm the fix la
CVE-2026-4581 is a SQL injection in Simple Laundry System. Verified patched version, official vendor advisory, and how to confirm the fix la
CVE-2026-4586 is an unrestricted file upload in Chat2DB. Verified patched version, official vendor advisory, and how to confirm the fix land
CVE-2026-4587 is a code injection in HybridAuth. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4588 is a hard-coded credentials vulnerability in kodbox. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4589 is a vulnerability in kodbox. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4591 is an OS command injection in kodbox. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4592 is an authentication bypass in kodbox. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4593 is a vulnerability in erupt. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4594 is a vulnerability in erupt. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4595 is a vulnerability in Exam Form Submission. Verified patched version, official vendor advisory, and how to confirm the fix lan
CVE-2026-4596 is a vulnerability in Lawyer Management System. Verified patched version, official vendor advisory, and how to confirm the fix
CVE-2026-4597 is a SQL injection in wvp-GB28181-pro. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4603 is a vulnerability in jsrsasign. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4607: a missing authorization in ProfileGrid – User Profiles. Patched version and vendor advisory inside.
CVE-2026-4608 is a SQL injection in ProfileGrid – User Profiles. Verified patched version, official vendor advisory, and how to confirm the
CVE-2026-4612 is a SQL injection in Free Hotel Reservation System. Verified patched version, official vendor advisory, and how to confirm th
CVE-2026-4613 is a SQL injection in E-Commerce Site. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4614 is a SQL injection in sanitize or validate this input. Verified patched version, official vendor advisory, and how to confirm
CVE-2026-4615 is a SQL injection in Online Catering Reservation. Verified patched version, official vendor advisory, and how to confirm the
CVE-2026-4616 is a vulnerability in bolo-blog. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4617: an access control bypass in Patients Waiting Area Queue Management S. Patched version and vendor advisory inside.
CVE-2026-4619 is a path traversal in Aterm WX3600HP. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4621 is a vulnerability in Aterm W1200EX(-MS). Verified patched version, official vendor advisory, and how to confirm the fix lande
CVE-2026-4623: a vulnerability in Jeson-Customer-Relationship-Management-S. Patched version and vendor advisory inside.
CVE-2026-4624: a SQL injection in Online Library Management System. Patched version and vendor advisory inside.
CVE-2026-4625 is a SQL injection in Online Admission System. Verified patched version, official vendor advisory, and how to confirm the fix
CVE-2026-4626 is a vulnerability in Lawyer Management System. Verified patched version, official vendor advisory, and how to confirm the fix
CVE-2026-4628: an access control bypass in Red Hat Build of Keycloak. Patched version and vendor advisory inside.
CVE-2026-4630: an insecure direct object reference (IDOR) in Red Hat build of Keycloak 26.4. Patched version and vendor advisory inside.
CVE-2026-4632 is a SQL injection in Online Enrollment System. Verified patched version, official vendor advisory, and how to confirm the fix
CVE-2026-4635 is a race condition in Mattermost. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-46356 is an authentication bypass in fleet. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-46360 is a cross-site scripting (XSS) in phpmyfaq. Verified patched version, official vendor advisory, and how to confirm the fix l
CVE-2026-46361 is a cross-site scripting (XSS) in phpmyfaq. Verified patched version, official vendor advisory, and how to confirm the fix l
CVE-2026-46362 is an access control bypass in phpmyfaq. Verified patched version, official vendor advisory, and how to confirm the fix lande
CVE-2026-46363 is a cross-site scripting (XSS) in phpmyfaq. Verified patched version, official vendor advisory, and how to confirm the fix l
CVE-2026-46365 is a missing authorization in phpmyfaq. Verified patched version, official vendor advisory, and how to confirm the fix landed
CVE-2026-46383 is a path traversal in apm. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4646 is an authentication bypass in Mattermost. Verified patched version, official vendor advisory, and how to confirm the fix land
CVE-2026-46469 is a vulnerability in Good Plug-ins. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4647 is a path traversal in Red Hat Enterprise Linux 10. Verified patched version, official vendor advisory, and how to confirm the
CVE-2026-46470 is a vulnerability in Good Plug-ins. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4649 is an authentication bypass in KNIME Business Hub. Verified patched version, official vendor advisory, and how to confirm the
CVE-2026-4650 - CWE-862 Missing Authorization in FundPress – WordPress Donation Plugin. Runnable patch commands, mitigation, and verificatio
CVE-2026-4654: Authorization Bypass Through User-Controlled Key in Awesome Support – WordPress HelpDesk & Support Plugin. Patch commands and
CVE-2026-4655: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Element Pack – Widgets, Templates & A
CVE-2026-4658 - CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Gutenberg Essential Blocks –
CVE-2026-4664 is an authentication bypass in Customer Reviews for WooCommerce. This page lists verified fix commands and short-term mitigati
CVE-2026-4665 improper neutralization of input during web page generation ('cross-site scripti in Carousel, Slider, Photo Gallery with Light
CVE-2026-4666 is a missing authorization in wpForo Forum. This page lists verified fix commands and short-term mitigations you can run today
CVE-2026-4668: Amelia <= 2.1.2 - Authenticated (Manager+) SQL Injection via 'sort' Parameter in Booking for Appointments and Events Calendar
CVE-2026-46721: a vulnerability in Extension "Frontend User Registration". Patched version and vendor advisory inside.
CVE-2026-46722: an XML external entity (XXE) in Extension "Faceted Search". Patched version and vendor advisory inside.
CVE-2026-46723 is a vulnerability in Extension "Faceted Search". Verified patched version, official vendor advisory, and how to confirm the
CVE-2026-46724 is a path traversal in Extension "Faceted Search". Verified patched version, official vendor advisory, and how to confirm the
CVE-2026-4683: a missing authorization in Smartcat Translator for WPML. Patched version and vendor advisory inside.
CVE-2026-47091 is a path traversal in claude-hud. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4730 improper neutralization of input during web page generation ('cross-site scripti in Charts Ninja: Create Beautiful Graphs & Ch
CVE-2026-47307 is a denial of service in Walrus. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-47308 is a denial of service in Walrus. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-47309 is a vulnerability in Escargot. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-47312 is a vulnerability in Escargot. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-47313 is an OS command injection in Escargot. Verified patched version, official vendor advisory, and how to confirm the fix landed
CVE-2026-47315 is a denial of service in Escargot. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-47316 is a vulnerability in Escargot. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-47317 is a vulnerability in Escargot. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4733 is an information disclosure in ixray-1.6-stcop. Verified patched version, official vendor advisory, and how to confirm the fi
CVE-2026-4743 is a vulnerability in ncmdump. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4749 is a vulnerability in miraclecast. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4751 is a vulnerability in tmate. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4752 is a use-after-free in Echo-Mate. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4754 is a vulnerability in Android-ImageMagick7. Verified patched version, official vendor advisory, and how to confirm the fix lan
CVE-2026-4766 is a vulnerability in Easy Image Gallery. Verified patched version, official vendor advisory, and how to confirm the fix lande
CVE-2026-4777 is a SQL injection in Sales and Inventory System. Verified patched version, official vendor advisory, and how to confirm the f
CVE-2026-4778 is a SQL injection in Sales and Inventory System. Verified patched version, official vendor advisory, and how to confirm the f
CVE-2026-4779 is a SQL injection in Sales and Inventory System. Verified patched version, official vendor advisory, and how to confirm the f
CVE-2026-4780 is a SQL injection in Sales and Inventory System. Verified patched version, official vendor advisory, and how to confirm the f
CVE-2026-4781 is a SQL injection in Sales and Inventory System. Verified patched version, official vendor advisory, and how to confirm the f
CVE-2026-4782 is a path traversal in Avada (Fusion) Builder. Verified patched version, official vendor advisory, and how to confirm the fix
CVE-2026-4783 is a SQL injection in College Management System. Verified patched version, official vendor advisory, and how to confirm the fi
CVE-2026-4784 is a SQL injection in Simple Laundry System. Verified patched version, official vendor advisory, and how to confirm the fix la
CVE-2026-4785: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in LatePoint – Calendar Booking Plugin f
CVE-2026-4790 - CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Premium Addons for Elementor
CVE-2026-4799: Open redirect vulnerability in Search Guard Kibana Plugin via manipulated requests in Search Guard FLX. Patch commands and ve
CVE-2026-4801 is a cross-site scripting in Page Builder Gutenberg Blocks – CoBlocks. This page lists verified fix commands and short-term mi
CVE-2026-4805 - CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Woostify. Runnable patch comm
CVE-2026-4807 missing authorization in Appointment Booking Calendar, Simply Schedule Appointments Booking Plugin. Runnable upgrade commands
CVE-2026-4811: a cross-site scripting (XSS) in WPB Floating Menu or Categories – Sticky. Patched version and vendor advisory inside.
CVE-2026-4812 is a missing authorization in Advanced Custom Fields (ACF®). This page lists verified fix commands and short-term mitigations
CVE-2026-4816 is a vulnerability in Support Board. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4817 is a SQL injection in MasterStudy LMS WordPress Plugin – for Online Courses and Education. This page lists verified fix comman
CVE-2026-4818 is a CWE-285 in Floragunn Search Guard FLX, fixed by the same patch as CVE-2026-4799.
CVE-2026-4819: bundle sibling of CVE-2026-4799. Same patched build closes both.
CVE-2026-4820: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in Maximo Application Suite. Patch commands and verification.
CVE-2026-48213 is a cross-site scripting (XSS) in Tickets. Verified patched version, official vendor advisory, and how to confirm the fix la
CVE-2026-48214 is a cross-site scripting (XSS) in Tickets. Verified patched version, official vendor advisory, and how to confirm the fix la
CVE-2026-48215 is a cross-site scripting (XSS) in Tickets. Verified patched version, official vendor advisory, and how to confirm the fix la
CVE-2026-48216 is a cross-site scripting (XSS) in Tickets. Verified patched version, official vendor advisory, and how to confirm the fix la
CVE-2026-48217 is a cross-site scripting (XSS) in Tickets. Verified patched version, official vendor advisory, and how to confirm the fix la
CVE-2026-48218 is a cross-site scripting (XSS) in Tickets. Verified patched version, official vendor advisory, and how to confirm the fix la
CVE-2026-48219 is a cross-site scripting (XSS) in Tickets. Verified patched version, official vendor advisory, and how to confirm the fix la
CVE-2026-48220 is a cross-site scripting (XSS) in Tickets. Verified patched version, official vendor advisory, and how to confirm the fix la
CVE-2026-48221 is a cross-site scripting (XSS) in Tickets. Verified patched version, official vendor advisory, and how to confirm the fix la
CVE-2026-48222 is a cross-site scripting (XSS) in Tickets. Verified patched version, official vendor advisory, and how to confirm the fix la
CVE-2026-48223 is a cross-site scripting (XSS) in Tickets. Verified patched version, official vendor advisory, and how to confirm the fix la
CVE-2026-48224 is a cross-site scripting (XSS) in Tickets. Verified patched version, official vendor advisory, and how to confirm the fix la
CVE-2026-48225 is a cross-site scripting (XSS) in Tickets. Verified patched version, official vendor advisory, and how to confirm the fix la
CVE-2026-48226 is a cross-site scripting (XSS) in Tickets. Verified patched version, official vendor advisory, and how to confirm the fix la
CVE-2026-48227 is a cross-site scripting (XSS) in Tickets. Verified patched version, official vendor advisory, and how to confirm the fix la
CVE-2026-48228 is a cross-site scripting (XSS) in Tickets. Verified patched version, official vendor advisory, and how to confirm the fix la
CVE-2026-48229 is a cross-site scripting (XSS) in Tickets. Verified patched version, official vendor advisory, and how to confirm the fix la
CVE-2026-48230 is a cross-site scripting (XSS) in Tickets. Verified patched version, official vendor advisory, and how to confirm the fix la
CVE-2026-48243 is a cross-site scripting (XSS) in Tickets. Verified patched version, official vendor advisory, and how to confirm the fix la
CVE-2026-48244 is a cross-site scripting (XSS) in Tickets. Verified patched version, official vendor advisory, and how to confirm the fix la
CVE-2026-48245 is a cross-site scripting (XSS) in Tickets. Verified patched version, official vendor advisory, and how to confirm the fix la
CVE-2026-4825 is a SQL injection in Sales and Inventory System. Verified patched version, official vendor advisory, and how to confirm the f
CVE-2026-4826 is a SQL injection in Sales and Inventory System. Verified patched version, official vendor advisory, and how to confirm the f
CVE-2026-4829 is an improper authentication in Devolutions Server, fixed by the same patch as CVE-2026-4828.
CVE-2026-4830 is an unrestricted file upload in kodbox. Verified patched version, official vendor advisory, and how to confirm the fix lande
CVE-2026-4831 is an authentication bypass in kodbox. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4832 is a hard-coded credentials vulnerability in Easergy MiCOM P14x. This page lists verified fix commands and short-term mitigations you can ru
CVE-2026-4833 is a vulnerability in discount. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4835 is a vulnerability in Accounting System. Verified patched version, official vendor advisory, and how to confirm the fix landed
CVE-2026-4836 is a SQL injection in Accounting System. Verified patched version, official vendor advisory, and how to confirm the fix landed
CVE-2026-4837 is an eval injection in rapid7 insight agent in Rapid7 Insight Agent. CVSS 6.6 Medium. Patch commands, mitigations, and verific
CVE-2026-4838 is a SQL injection in Malawi Online Market. Verified patched version, official vendor advisory, and how to confirm the fix lan
CVE-2026-4839 is a SQL injection in Food Ordering System. Verified patched version, official vendor advisory, and how to confirm the fix lan
CVE-2026-4841 is a SQL injection in Online Food Ordering System. Verified patched version, official vendor advisory, and how to confirm the
CVE-2026-4842 is a SQL injection in Online Enrollment System. Verified patched version, official vendor advisory, and how to confirm the fix
CVE-2026-4843 is a missing authorization in GSheet For Woo Importer. Verified patched version, official vendor advisory, and how to confirm
CVE-2026-4844 is a SQL injection in Online Food Ordering System. Verified patched version, official vendor advisory, and how to confirm the
CVE-2026-4845 is a vulnerability in muucmf. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4846 is a vulnerability in muucmf. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4847 is a vulnerability in muucmf. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4848 is a vulnerability in muucmf. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4849 is a vulnerability in Simple Laundry System. Verified patched version, official vendor advisory, and how to confirm the fix la
CVE-2026-4850 is a SQL injection in Simple Laundry System. Verified patched version, official vendor advisory, and how to confirm the fix la
CVE-2026-4852 is a cross-site scripting in Image Source Control Lite – Show Image Credits and Captions. This page lists verified fix command
CVE-2026-4853 is a path traversal in JetBackup – Backup, Restore & Migrate. This page lists verified fix commands and short-term mitigations
CVE-2026-4859 improper neutralization of input during web page generation ('cross-site scripti in SP Blog Designer. Runnable upgrade command
CVE-2026-4860 is an unsafe deserialization in wvp-GB28181-pro. Verified patched version, official vendor advisory, and how to confirm the fi
CVE-2026-4871: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Sports Club Management. Patch command
CVE-2026-4875: an unrestricted file upload in Free Hotel Reservation System. Patched version and vendor advisory inside.
CVE-2026-4876 is a SQL injection in Free Hotel Reservation System. Verified patched version, official vendor advisory, and how to confirm th
CVE-2026-4877 is a vulnerability in Payroll Management System. Verified patched version, official vendor advisory, and how to confirm the fi
CVE-2026-4878 is a time-of-check time-of-use (TOCTOU) race condition in Red Hat Discovery 2. This page lists verified fix commands and short
CVE-2026-4887 is a vulnerability in Red Hat Enterprise Linux 8. Verified patched version, official vendor advisory, and how to confirm the f
CVE-2026-4891 is an out-of-bounds read in dnsmasq. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-4893 is an improper authentication in dnsmasq. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-4895 is a cross-site scripting in Greenshift – animation and page builder blocks. This page lists verified fix commands and short-t
CVE-2026-4897: an OS command injection in Red Hat Enterprise Linux 10. Patched version and vendor advisory inside.
CVE-2026-4898 is a vulnerability in Online Food Ordering System. Verified patched version, official vendor advisory, and how to confirm the
CVE-2026-4899 is a vulnerability in Online Food Ordering System. Verified patched version, official vendor advisory, and how to confirm the
CVE-2026-4900 is a vulnerability in Online Food Ordering System. Verified patched version, official vendor advisory, and how to confirm the
CVE-2026-4901 is a CWE-532: insertion of sensitive information into in Control System. This page lists verified fix commands and short-term
CVE-2026-4907 is a vulnerability in Page Replica. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4908 is a SQL injection in Simple Laundry System. Verified patched version, official vendor advisory, and how to confirm the fix la
CVE-2026-4909 is a vulnerability in Exam Form Submission. Verified patched version, official vendor advisory, and how to confirm the fix lan
CVE-2026-4910 is a SQL injection in Streamax Crocus. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4911 - CWE-472 External Control of Assumed-Immutable Web Parameter in Booking Package. Runnable patch commands, mitigation, and ver
CVE-2026-4913 is a CWE-424: improper protection of alternate path in Neurons for ITSM (Cloud). This page lists verified fix commands and sho
CVE-2026-4914 is a cross-site scripting in Neurons for ITSM (Cloud). This page lists verified fix commands and short-term mitigations you ca
CVE-2026-4917 - CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Guardium Data Protection. Runnable
CVE-2026-4918 - CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Guardium Data Protection. Run
CVE-2026-4919 - CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Guardium Data Protection. Run
CVE-2026-4920 improper neutralization of input during web page generation ('cross-site scripti in Next Date. Runnable upgrade commands and v
CVE-2026-4923 is a vulnerability in path-to-regexp. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4925 is a missing authorization in Devolutions Server, fixed by the same patch as CVE-2026-4828.
CVE-2026-4927 is an insertion of sensitive information into sent data in Devolutions Server, fixed by the same patch as CVE-2026-4828.
CVE-2026-4929: a cross-site scripting (XSS) in Simple Hierarchical Select (shs). Patched version and vendor advisory inside.
CVE-2026-4931 is a vulnerability in Marginal Smart Contract. CVSS 6.8 Medium. Patch commands, mitigations, and verification.
CVE-2026-4948 is a vulnerability in Red Hat Enterprise Linux 10. Verified patched version, official vendor advisory, and how to confirm the
CVE-2026-4949 is a missing authorization in Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict C
CVE-2026-4953 is a vulnerability in MCMS. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4954 is a SQL injection in MCMS. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4955 is a SQL injection in Streamax Crocus. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4956 is a SQL injection in Streamax Crocus. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4957 is a vulnerability in XAgent. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4959 is an authentication bypass in XAgent. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4963 is a code injection in smolagents. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4964 is a vulnerability in letta. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4965 is a code injection in letta. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4966 is a SQL injection in Free Hotel Reservation System. Verified patched version, official vendor advisory, and how to confirm th
CVE-2026-4968 is a vulnerability in Diary App. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4969 is a vulnerability in Social Networking Site. Verified patched version, official vendor advisory, and how to confirm the fix l
CVE-2026-4970 is a SQL injection in Social Networking Site. Verified patched version, official vendor advisory, and how to confirm the fix l
CVE-2026-4971 is a vulnerability in Note Taking App. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4972 is a vulnerability in Online Reviewer System. Verified patched version, official vendor advisory, and how to confirm the fix l
CVE-2026-4973 is a vulnerability in Online Quiz System. Verified patched version, official vendor advisory, and how to confirm the fix lande
CVE-2026-4977 is a missing authorization in UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for W
CVE-2026-4979 is a server-side request forgery in UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin
CVE-2026-4980 is an XML external entity (XXE) in Inkscape. Verified patched version, official vendor advisory, and how to confirm the fix lan
CVE-2026-4985 is a vulnerability in CGIF. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4988 is a vulnerability in Open5GS. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4989 is a server-side request forgery (SSRF) in Devolutions Server, fixed by the same patch as CVE-2026-4828.
CVE-2026-4990 is an access control bypass in chatwoot. Verified patched version, official vendor advisory, and how to confirm the fix landed
CVE-2026-4991 is a vulnerability in Smart School Management System. Verified patched version, official vendor advisory, and how to confirm t
CVE-2026-4992 is a vulnerability in OpenUI. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4993 is a hard-coded credentials issue in OpenUI. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4994 is a vulnerability in OpenUI. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4995 is a vulnerability in OpenUI. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4996 is a SQL injection in PandasAI. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4997 is a path traversal in PandasAI. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4998 is a code injection in PandasAI. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-4999 is a path traversal in admin. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-5000 is an authentication bypass in localGPT. Verified patched version, official vendor advisory, and how to confirm the fix landed
CVE-2026-5001 is an unrestricted file upload in localGPT. Verified patched version, official vendor advisory, and how to confirm the fix lan
CVE-2026-5002 is a vulnerability in localGPT. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-5003 is an information disclosure in localGPT. Verified patched version, official vendor advisory, and how to confirm the fix lande
CVE-2026-5007 is an OS command injection in mcp-docs-rag. Verified patched version, official vendor advisory, and how to confirm the fix lan
CVE-2026-5010 is a vulnerability in Clickedu. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-5011 is a code injection in elecV2P. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-5012 is an OS command injection in elecV2P. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-5013 is a path traversal in elecV2P. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-5014 is a path traversal in elecV2P. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-5015 is a vulnerability in elecV2P. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-5016 is a vulnerability in elecV2P. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-5017 is a SQL injection in Simple Food Order System. Verified patched version, official vendor advisory, and how to confirm the fix
CVE-2026-5018 is a SQL injection in Simple Food Order System. Verified patched version, official vendor advisory, and how to confirm the fix
CVE-2026-5019 is a SQL injection in Simple Food Order System. Verified patched version, official vendor advisory, and how to confirm the fix
CVE-2026-5020 is an OS command injection in A3600R. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-5022 is a vulnerability in langflow. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-5023 is an OS command injection in codebase-mcp. Verified patched version, official vendor advisory, and how to confirm the fix lan
CVE-2026-5025 is a vulnerability in langflow. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-5028 improper neutralization of special elements used in an sql command ('sql injecti in Eight Day Week Print Workflow. Runnable up
CVE-2026-5030 is an OS command injection in NR1800X. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-5031 is a vulnerability in ISP Billing Software. Verified patched version, official vendor advisory, and how to confirm the fix lan
CVE-2026-5033 is a SQL injection in Accounting System. Verified patched version, official vendor advisory, and how to confirm the fix landed
CVE-2026-5034 is a SQL injection in Accounting System. Verified patched version, official vendor advisory, and how to confirm the fix landed
CVE-2026-5035 is a SQL injection in Accounting System. Verified patched version, official vendor advisory, and how to confirm the fix landed
CVE-2026-5037 is a stack-based buffer overflow in mxml. Verified patched version, official vendor advisory, and how to confirm the fix lande
CVE-2026-5039 - CWE-1394 Use of default cryptographic key in TL-WL841N v13. Runnable patch commands, mitigation, and verification on this pa
CVE-2026-5041: an OS command injection in Chamber of Commerce Membership Managemen. Patched version and vendor advisory inside.
CVE-2026-5052 is a server-side request forgery in Vault. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-5061 improper link resolution before file access (link following) in Tooling. Runnable upgrade commands and verification steps for
CVE-2026-5070 is a cross-site scripting in Vantage. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-5075: an information disclosure in All in One SEO – Powerful SEO Plugin to . Patched version and vendor advisory inside.
CVE-2026-5077 - CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Total. Runnable patch command
CVE-2026-5080 - CWE-340 Generation of Predictable Numbers or Identifiers in Dancer::Session::Abstract. Runnable patch commands, mitigation,
CVE-2026-5082: Generation of Predictable Numbers or Identifiers in Amon2::Plugin::Web::CSRFDefender. Patch commands and verification.
CVE-2026-5083: Ado::Sessions versions through 0.935 for Perl generates insecure session ids in Ado::Sessions. Patch commands and verificatio
CVE-2026-5084 generation of predictable numbers or identifiers in WebDyne::Session. Runnable upgrade commands and verification steps for sys
CVE-2026-5101 is an OS command injection in A3300R. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-5102 is an OS command injection in A3300R. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-5103 is an OS command injection in A3300R. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-5104 is an OS command injection in A3300R. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-5105 is an OS command injection in A3300R. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-5106 is a vulnerability in Exam Form Submission. Verified patched version, official vendor advisory, and how to confirm the fix lan
CVE-2026-5119 is a vulnerability in Red Hat Enterprise Linux 10. Verified patched version, official vendor advisory, and how to confirm the
CVE-2026-5122 is an access control bypass in GoBGP. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-5123 is a vulnerability in GoBGP. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-5124 is an access control bypass in GoBGP. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-5125 is an OS command injection in consult-llm-mcp. Verified patched version, official vendor advisory, and how to confirm the fix
CVE-2026-5126 is a vulnerability in RSS Feed Parser. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-5131 is a server-side request forgery in GREENmod. This page lists verified fix commands and short-term mitigations you can run tod
CVE-2026-5146 is a missing authorization in Server. Patched version, runnable upgrade commands, and how to verify the fix landed.
CVE-2026-5147 is a SQL injection in yudao-cloud. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-5148 is a SQL injection in yudao-cloud. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-5150 is a SQL injection in Accounting System. Verified patched version, official vendor advisory, and how to confirm the fix landed
CVE-2026-5153 is an OS command injection in CH22. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-5157 is a vulnerability in Online Food Ordering System. Verified patched version, official vendor advisory, and how to confirm the
CVE-2026-5159 improper neutralization of input during web page generation ('cross-site scripti in Royal Addons for Elementor – Addons and Te
CVE-2026-5160 is a cross-site scripting in github.com/yuin/goldmark/renderer/html. This page lists verified fix commands and short-term miti
CVE-2026-5162 is a cross-site scripting in Royal Addons for Elementor – Addons and Templates Kit for Elementor. This page lists verified fix
CVE-2026-5163 is a missing authorization in Mattermost. Verified patched version, official vendor advisory, and how to confirm the fix lande
CVE-2026-5164 is a vulnerability in Red Hat Enterprise Linux 10. Verified patched version, official vendor advisory, and how to confirm the
CVE-2026-5165 is a path traversal in Red Hat Enterprise Linux 10. Verified patched version, official vendor advisory, and how to confirm the
CVE-2026-5167: Authorization Bypass Through User-Controlled Key in Masteriyo LMS – Online Course Builder for eLearning, LMS & Education. Pat
CVE-2026-5169: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Inquiry form to posts or pages. Patch
CVE-2026-5170 is a vulnerability in MongoDB Server. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-5175 is a missing authorization in Devolutions Server, fixed by the same patch as CVE-2026-4828.
CVE-2026-5176: Totolink A3300R cstecgi.cgi setSyslogCfg command injection in A3300R. Patch commands and verification.
CVE-2026-5177 is a totolink a3300r cstecgi.cgi setwifibasiccfg command injection in Totolink A3300R, fixed by the same patch as CVE-2026-517
CVE-2026-5178 is a totolink a3300r cstecgi.cgi setiptvcfg command injection in Totolink A3300R, fixed by the same patch as CVE-2026-5176.
CVE-2026-5179: SourceCodester Simple Doctors Appointment System login.php sql injection in Simple Doctors Appointment System. Patch commands
CVE-2026-5180: bundle sibling of CVE-2026-5179. Same patched build closes both.
CVE-2026-5181: bundle sibling of CVE-2026-5179. Same patched build closes both.
CVE-2026-5182: SourceCodester Teacher Record System Parameter sql injection in Teacher Record System. Patch commands and verification.
CVE-2026-5183: TRENDnet TEW-713RE addRouting sub_421494 command injection in TEW-713RE. Patch commands and verification.
CVE-2026-5184 is a trendnet tew-713re setsysadm command injection in Trendnet TEW-713RE. CVSS 5.3 Medium. Patch commands, mitigations, and v
CVE-2026-5185 is a heap-based buffer overflow in Nothings stb_image. CVSS 4.8 Medium. Patch commands, mitigations, and verification.
CVE-2026-5186: Nothings stb Multi-frame GIF File stb_image.h stbi__load_gif_main double free in stb. Patch commands and verification.
CVE-2026-5193: a local privilege escalation in Essential Addons for Elementor – Popular. Patched version and vendor advisory inside.
CVE-2026-5195: code-projects Student Membership System User Registration sql injection in Student Membership System. Patch commands and veri
CVE-2026-5196: bundle sibling of CVE-2026-5195. Same patched build closes both.
CVE-2026-5197: bundle sibling of CVE-2026-5195. Same patched build closes both.
CVE-2026-5198 is a SQL injection in Student Membership System. Verified patched version, official vendor advisory, and how to confirm the fi
CVE-2026-5203 is a path traversal in CMS Made Simple. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-5205 is a vulnerability in chatwoot. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-5206 is a SQL injection in Simple Gym Management System. Verified patched version, official vendor advisory, and how to confirm the
CVE-2026-5207 is a SQL injection in LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes. This page lists verified fix commands and s
CVE-2026-5209 is a vulnerability in Leave Application System. Verified patched version, official vendor advisory, and how to confirm the fix
CVE-2026-5210 is an arbitrary file read in Leave Application System. Verified patched version, official vendor advisory, and how to confirm
CVE-2026-5215 is an access control bypass in DNS-120. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-5226 is a cross-site scripting in Optimole – Optimize Images in Real Time. This page lists verified fix commands and short-term mit
CVE-2026-5234 is an authorization bypass through user-controlled key in LatePoint – Calendar Booking Plugin for Appointments and Events. Thi
CVE-2026-5235 is a path traversal in Bento4. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-5236 is a path traversal in Bento4. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-5237 is a SQL injection in Payroll Management System. Verified patched version, official vendor advisory, and how to confirm the fi
CVE-2026-5238 is a SQL injection in Payroll Management System. Verified patched version, official vendor advisory, and how to confirm the fi
CVE-2026-5240 is a vulnerability in BloodBank Managing System. Verified patched version, official vendor advisory, and how to confirm the fi
CVE-2026-5243: a cross-site scripting (XSS) in The Plus Addons for Elementor – Addons f. Patched version and vendor advisory inside.
CVE-2026-5244: Cesanta Mongoose TLS 1.3 mongoose.c mg_tls_recv_cert heap-based overflow in Mongoose. Patch commands and verification.
CVE-2026-5245: bundle sibling of CVE-2026-5244. Same patched build closes both.
CVE-2026-5246: bundle sibling of CVE-2026-5244. Same patched build closes both.
CVE-2026-5247 improper neutralization of input during web page generation ('cross-site scripti in Schedule Post Changes With PublishPress Fu
CVE-2026-5248: gougucms User Registration Login.php reg_submit dynamically-determined object attributes in gougucms. Patch commands and veri
CVE-2026-5249: gougucms Record Endpoint record.html cross site scripting in gougucms. Patch commands and verification.
CVE-2026-5251: z-9527 admin User Update Endpoint user.js dynamically-determined object attributes in admin. Patch commands and verification.
CVE-2026-5252: z-9527 admin Message Create Endpoint message.js cross site scripting in admin. Patch commands and verification.
CVE-2026-5253: bufanyun HotGo editNotice Endpoint MessageList.vue cross site scripting in HotGo. Patch commands and verification.
CVE-2026-5254: welovemedia FFmate Webhook AppJsonTreeView.vue cross site scripting in FFmate. Patch commands and verification.
CVE-2026-5255: code-projects Simple Laundry System Parameter delstaffinfo.php cross site scripting in Simple Laundry System. Patch commands
CVE-2026-5256: bundle sibling of CVE-2026-5255. Same patched build closes both.
CVE-2026-5257: bundle sibling of CVE-2026-5255. Same patched build closes both.
CVE-2026-5258: Sanster IOPaint File Manager file_manager.py _get_file path traversal in IOPaint. Patch commands and verification.
CVE-2026-5259: AutohomeCorp frostmourne Alarm Preview AlarmController.java server-side request forgery in frostmourne. Patch commands and ve
CVE-2026-5261: Shandong Hoteam InforCenter PLM BaseHandler.ashx uploadFileToIIS unrestricted upload in InforCenter PLM. Patch commands and v
CVE-2026-5265 - Improper Handling of Length Parameter Inconsistency in Fast Datapath for Red Hat Enterprise Linux 8. Runnable patch commands
CVE-2026-5271: Possible to hijack modules in current working directory in pymanager. Patch commands and verification.
CVE-2026-5273 is a use after free in Google Chrome, fixed by the same patch as CVE-2026-5272.
CVE-2026-5276 is an insufficient policy enforcement in Google Chrome, fixed by the same patch as CVE-2026-5272.
CVE-2026-5283 is an inappropriate implementation in Google Chrome, fixed by the same patch as CVE-2026-5272.
CVE-2026-5291 is an inappropriate implementation in Google Chrome, fixed by the same patch as CVE-2026-5272.
CVE-2026-5293 is a cross-site scripting (XSS) in 診断ジェネレータ作成プラグイン. Verified patched version, official vendor advisory, and how to confirm the
CVE-2026-5295 is a stack buffer overflow in wolfSSL. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-5299 - CWE-674: Uncontrolled Recursion in Wireshark. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-5300 is a missing authentication for critical function in coolercontrold in coolercontrold, fixed by the same patch as CVE-2026-520
CVE-2026-5302 is a permissive cross-domain policy with untrusted domains in coolercontrold in coolercontrold, fixed by the same patch as CVE
CVE-2026-5306 - CWE-79 Cross-Site Scripting (XSS) in Check & Log Email. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-5308 is a vulnerability in Mattermost. Verified patched version, official vendor advisory, and how to confirm the fix landed.
CVE-2026-5311: D-Link DNS-1550-04 file_center.cgi Webdav_Access_List access control in DNS-120. Patch commands and verification.
CVE-2026-5312: D-Link DNS-1550-04 dsk_mgr.cgi Get_current_raidtype access control in DNS-120. Patch commands and verification.
CVE-2026-5313 is a nothings stb gif decoder stb_image.h stbi__gif_load_next denial of service in Nothings stb, fixed by the same patch as CV
CVE-2026-5314 is a nothings stb ttf file stb_truetype.h stbtt_initfont_internal out-of-bounds in Nothings stb, fixed by the same patch as CV
CVE-2026-5315 is a nothings stb ttf file stb_truetype.h stbtt__buf_get8 out-of-bounds in Nothings stb, fixed by the same patch as CVE-2026-5
CVE-2026-5316 is a nothings stb stb_vorbis.c setup_free allocation of resources in Nothings stb, fixed by the same patch as CVE-2026-5186.
CVE-2026-5317 is a nothings stb stb_vorbis.c start_decoder out-of-bounds write in Nothings stb, fixed by the same patch as CVE-2026-5186.
CVE-2026-5318: LibRaw JPEG DHT losslessjpeg.cpp initval out-of-bounds write in LibRaw. Patch commands and verification.
CVE-2026-5319: itsourcecode Payroll Management System navbar.php cross site scripting in Payroll Management System. Patch commands and verif
CVE-2026-5320: vanna-ai vanna Chat API Endpoint v2 missing authentication in vanna. Patch commands and verification.
CVE-2026-5321: vanna-ai vanna FastAPI/Flask Server cross-domain policy in vanna. Patch commands and verification.
CVE-2026-5322: AlejandroArciniegas mcp-data-vis MCP server.js request sql injection in mcp-data-vis. Patch commands and verification.
CVE-2026-5323: priyankark a11y-mcp index.js A11yServer server-side request forgery in a11y-mcp. Patch commands and verification.
CVE-2026-5325: Cross Site Scripting in Simple Customer Relationship Management System. Patch commands and verification.
CVE-2026-5326: SourceCodester Leave Application System User Information index.php authorization in Leave Application System. Patch commands
CVE-2026-5327: efforthye fast-filesystem-mcp index.ts handleGetDiskUsage command injection in fast-filesystem-mcp. Patch commands and verifi
CVE-2026-5328 is a sql injection in Shsuishang modulithshop. CVSS 5.3 Medium. Patch commands, mitigations, and verification.
CVE-2026-5330: Improper Access Controls in Best Courier Management System. Patch commands and verification.
CVE-2026-5331: OpenCart Extension Installer installer.php path traversal in OpenCart. Patch commands and verification.
CVE-2026-5332 is a xiaopi panel waf firewall demo.php cross site scripting in Xiaopi Panel. CVSS 5.1 Medium. Patch commands, mitigations, an
CVE-2026-5333: DefaultFuction Content-Management-System tools.php command injection in Content-Management-System. Patch commands and verific
CVE-2026-5334: itsourcecode Online Enrollment System Parameter index.php sql injection in Online Enrollment System. Patch commands and verif
CVE-2026-5335 files or directories accessible to external parties in Magic Export & Import. Runnable upgrade commands and verification steps
CVE-2026-5337 authorization bypass through user-controlled key in Frontend File Manager Plugin. Runnable upgrade commands and verification s
CVE-2026-5338: Tenda G103 Setting system.lua action_set_system_settings command injection in G103. Patch commands and verification.
CVE-2026-5339: Tenda G103 Setting gpon.lua action_set_net_settings command injection in G103. Patch commands and verification.
CVE-2026-5340 improper neutralization of input during web page generation ('cross-site scripti in Fancy Image Show. Runnable upgrade command
CVE-2026-5341 improper neutralization of input during web page generation ('cross-site scripti in NMR Strava activities. Runnable upgrade co
CVE-2026-5342: LibRaw TIFF/NEF decoders_libraw.cpp nikon_load_padded_packed_raw out-of-bounds in LibRaw. Patch commands and verification.
CVE-2026-5344: Textpattern XML-RPC TXP_RPCServer.php mt_uploadImage path traversal in Textpattern. Patch commands and verification.
CVE-2026-5346 is a server-side request forgery in Huimeicloud hm_editor. CVSS 6.9 Medium. Patch commands, mitigations, and verification.
CVE-2026-5347 - CWE-862 Missing Authorization in WP Books Gallery – Build Stunning Book shows & Libraries in Minutes. Runnable patch command
CVE-2026-5351 is a trendnet tew-657brm setup.cgi add_wps_client os command injection in Trendnet TEW-657BRM, fixed by the same patch as CVE-
CVE-2026-5352 is a trendnet tew-657brm setup.cgi edit os command injection in Trendnet TEW-657BRM, fixed by the same patch as CVE-2026-5349.
CVE-2026-5353 is a trendnet tew-657brm setup.cgi ping_test os command injection in Trendnet TEW-657BRM, fixed by the same patch as CVE-2026-
CVE-2026-5354 is a trendnet tew-657brm setup.cgi vpn_connect os command injection in Trendnet TEW-657BRM, fixed by the same patch as CVE-202
CVE-2026-5355 is a trendnet tew-657brm setup.cgi vpn_drop os command injection in Trendnet TEW-657BRM, fixed by the same patch as CVE-2026-5
CVE-2026-5357 is a cross-site scripting in Download Manager. This page lists verified fix commands and short-term mitigations you can run to
CVE-2026-5360 is a free5gc aper type confusion in the vendor Free5GC. CVSS 6.3 Medium. Patch commands, mitigations, and verification.
CVE-2026-5361: a cross-site scripting (XSS) in Envira Gallery – Image Photo Gallery. Patched version and vendor advisory inside.
CVE-2026-5362 - CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in pimcore. Runnable patc
CVE-2026-5363 is a CWE-326: inadequate encryption strength in Archer C7 v5 and v5.8. This page lists verified fix commands and short-term mi
CVE-2026-5365: a cross-site request forgery (CSRF) in LatePoint – Calendar Booking Plugin for . Patched version and vendor advisory inside.
CVE-2026-5368: projectworlds Car Rental Project Parameter login.php sql injection in Car Rental Project. Patch commands and verification.
CVE-2026-5370: krayin laravel-crm Activities Module/Notes inbox.spec.ts composeMail cross site scripting in laravel-crm. Patch commands and
CVE-2026-5372 is a runzero platform sql injection in saved queries in Runzero Platform. CVSS 6.4 Medium. Patch commands, mitigations, and ve
CVE-2026-5374 is a runzero platform mcp information leak in Runzero Platform, fixed by the same patch as CVE-2026-5372.
CVE-2026-5376 is a runzero platform session timeout failure in Runzero Platform, fixed by the same patch as CVE-2026-5372.
CVE-2026-5377 - CWE-863: Incorrect Authorization in GitLab. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-5378 is a runzero platform user creation leak in Runzero Platform, fixed by the same patch as CVE-2026-5372.
CVE-2026-5380 is a runzero platform cleartext secret exposure in Runzero Platform, fixed by the same patch as CVE-2026-5372.
CVE-2026-5383 is a runzero explorer missing authorization check in Runzero Explorer. CVSS 4.4 Medium. Patch commands, mitigations, and verif
CVE-2026-5384 is a runzero platform incorrect credential scope in Runzero Platform, fixed by the same patch as CVE-2026-5372.
CVE-2026-5393 is an out-of-bounds read in wolfSSL. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-5401 - CWE-674: Uncontrolled Recursion in Wireshark. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-5404 - CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') in Wireshark. Runnable patch commands, mitig
CVE-2026-5406 - CWE-674: Uncontrolled Recursion in Wireshark. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-5407 - CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') in Wireshark. Runnable patch commands, mitigation, and verif
CVE-2026-5408 - CWE-674: Uncontrolled Recursion in Wireshark. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-5409 - CWE-674: Uncontrolled Recursion in Wireshark. Runnable patch commands, mitigation, and verification on this page.
CVE-2026-5413: Newgen OmniDocs GetWebApiConfiguration information disclosure in OmniDocs. Patch commands and verification.
CVE-2026-5414: Newgen OmniDocs WebApiRequestRedirection resource injection in OmniDocs. Patch commands and verification.
CVE-2026-5417 is a server-side request forgery in Dataease SQLbot. CVSS 5.1 Medium. Patch commands, mitigations, and verification.
CVE-2026-5418 is a server-side request forgery in Appsmithorg appsmith. CVSS 6.9 Medium. Patch commands, mitigations, and verification.
CVE-2026-5427 is a missing authorization in Kubio AI Page Builder. This page lists verified fix commands and short-term mitigations you can
CVE-2026-5428 - CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Royal Addons for Elementor –
CVE-2026-5434 is a vulnerability in Control Network Module (CNM). Verified patched version, official vendor advisory, and how to confirm the
CVE-2026-5446 is a wolfssl aria-gcm tls 1.2/dtls 1.2 gcm nonce reuse in wolfSSL. CVSS 6 Medium. Patch commands, mitigations, and verificatio
CVE-2026-5447 is a heap buffer overflow in certfromx509() via authoritykeyidentifier in wolfSSL, fixed by the same patch as CVE-2026-5446.
CVE-2026-5451: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Extensions for Leaflet Map. Patch com
CVE-2026-5452: UCC CampusConnect App campusconnect.ucc BuildConfig.java hard-coded key in CampusConnect App. Patch commands and verification
CVE-2026-5453: Use of Hard-coded Cryptographic Key in só vantagem pra investir App. Patch commands and verification.
CVE-2026-5454: GRID Organiser App co.gridapp.organiser app.json hard-coded key in Organiser App. Patch commands and verification.
CVE-2026-5455: Dialogue App ca.diagram.dialogue config.json hard-coded key in Dialogue App. Patch commands and verification.
CVE-2026-5456: Use of Hard-coded Cryptographic Key in My Invisalign App. Patch commands and verification.
CVE-2026-5457: Use of Hard-coded Cryptographic Key in AgentNet Singapore App. Patch commands and verification.
CVE-2026-5458: Noelse Individuals & Pro App com.afone.noelse BuildConfig.java hard-coded key in Individuals & Pro App. Patch commands and ve
CVE-2026-5460 is a heap use-after-free in pqc hybrid keyshare error cleanup in wolfssl tls 1.3 in wolfSSL, fixed by the same patch as CVE-20
CVE-2026-5462: Wahoo Fitness SYSTM App com.WahooFitness.SYSTM BuildConfig.java hard-coded key in SYSTM App. Patch commands and verification.
CVE-2026-5467 is a casdoor oauth authorization request redirect in the vendor Casdoor. CVSS 5.3 Medium. Patch commands, mitigations, and ver
CVE-2026-5468 is a casdoor dangerouslysetinnerhtml cross site scripting in the vendor Casdoor, fixed by the same patch as CVE-2026-5467.
CVE-2026-5469 is a casdoor webhook url server-side request forgery in the vendor Casdoor, fixed by the same patch as CVE-2026-5467.
CVE-2026-5470 is a server-side request forgery in Mixelpixx Google-Research-MCP. CVSS 5.3 Medium. Patch commands, mitigations, and verificat
CVE-2026-5471 is a use of hard-coded cryptographic key in Investory Toy Planet Trouble App. CVSS 4.8 Medium. Patch commands, mitigations, an
CVE-2026-5472 is an unrestricted upload in Projectsandprograms School Management System. CVSS 5.3 Medium. Patch commands, mitigations, and ve
CVE-2026-5474: bundle sibling of CVE-2026-5473. Same patched build closes both.
CVE-2026-5475 is a nasa cfs ccsds header size cfe_sb_priv.c cfe_sb_transmitmsg memory corruption in Nasa cFS, fixed by the same patch as CVE
CVE-2026-5484 is an improper access controls in Bookstackapp BookStack. CVSS 6.9 Medium. Patch commands, mitigations, and verification.
CVE-2026-5486: a SQL injection in Unlimited Elements For Elementor. Patched version and vendor advisory inside.
CVE-2026-5488 - CWE-862 Missing Authorization in ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin). Runnable pa
CVE-2026-5502 is a missing authorization in Tutor LMS – eLearning and online course solution. This page lists verified fix commands and shor
CVE-2026-5503 is an out-of-bounds write in tlsx_echchangesni via attacker-controlled publicname in wolfSSL, fixed by the same patch as CVE-20
CVE-2026-5504 is a pkcs7 cbc padding oracle — plaintext recovery in wolfSSL, fixed by the same patch as CVE-2026-5446.
CVE-2026-5505 improper neutralization of input during web page generation ('cross-site scripti in WP-Clippy. Runnable upgrade commands and v
CVE-2026-5506: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Wavr. Patch commands and verification
CVE-2026-5507 is a session cache restore — arbitrary free via deserialized pointer in wolfSSL, fixed by the same patch as CVE-2026-5446.
CVE-2026-5508: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in WowPress. Patch commands and verifica
CVE-2026-5511 is a vulnerability in Archer AX72 (SG) v1.0. Verified patched version, official vendor advisory, and how to confirm the fix la
CVE-2026-5512 is an insertion of sensitive information into sent in Enterprise Server. This page lists verified fix commands and short-term
CVE-2026-5525 is a stack buffer overflow in Notepad++. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-5526 is a tenda 4g03 pro httpd access control in Tenda 4G03 Pro. CVSS 6.9 Medium. Patch commands, mitigations, and verification.
CVE-2026-5527: Tenda 4G03 Pro ECDSA P-256 Private Key server.key hard-coded key in 4G03 Pro. Patch commands and verification.
CVE-2026-5528: MoussaabBadla code-screenshot-mcp HTTP os command injection in code-screenshot-mcp. Patch commands and verification.
CVE-2026-5529: Dromara lamp-cloud DefUserController pageUser improper authorization in lamp-cloud. Patch commands and verification.
CVE-2026-5530: Ollama Model Pull API download.go server-side request forgery in Ollama. Patch commands and verification.
CVE-2026-5531: Cleartext Storage in a File or on Disk in Student Result Management System. Patch commands and verification.
CVE-2026-5532 is an OS command injection in Scrapegraphai scrapegraph-ai. CVSS 5.3 Medium. Patch commands, mitigations, and verification.
CVE-2026-5533: badlogic pi-mono SVG Artifact SvgArtifact.ts cross site scripting in pi-mono. Patch commands and verification.
CVE-2026-5534: itsourcecode Online Enrollment System Parameter index.php sql injection in Online Enrollment System. Patch commands and verif
CVE-2026-5535: FedML-AI FedML MQTT Message FileUtils.java path traversal in FedML. Patch commands and verification.
CVE-2026-5536: FedML-AI FedML gRPC server grpc_server.py sendMessage deserialization in FedML. Patch commands and verification.
CVE-2026-5537: halex CourseSEL HTTP GET Parameter IndexController.class.php check_sel sql injection in CourseSEL. Patch commands and verific
CVE-2026-5538 is a server-side request forgery in Qingdaou OnlineJudge. CVSS 5.3 Medium. Patch commands, mitigations, and verification.
CVE-2026-5539: bundle sibling of CVE-2026-5255. Same patched build closes both.
CVE-2026-5540: bundle sibling of CVE-2026-5255. Same patched build closes both.
CVE-2026-5541: bundle sibling of CVE-2026-5255. Same patched build closes both.
CVE-2026-5542: bundle sibling of CVE-2026-5255. Same patched build closes both.
CVE-2026-5543: SQL Injection in User Registration & Login and User Management System. Patch commands and verification.
CVE-2026-5546: Unrestricted Upload in Complete Online Learning Management System. Patch commands and verification.
CVE-2026-5547: Tenda AC10 httpd formAddMacfilterRule os command injection in AC10. Patch commands and verification.
CVE-2026-5549 is a tenda ac10 rsa 2048-bit private key privkeysrv.pem hard-coded key in Tenda AC10, fixed by the same patch as CVE-2026-5547
CVE-2026-5551: itsourcecode Free Hotel Reservation System Parameter login.php sql injection in Free Hotel Reservation System. Patch commands
CVE-2026-5552: PHPGurukul Online Shopping Portal Project Parameter sub-category.php sql injection in Online Shopping Portal Project. Patch c
CVE-2026-5553: itsourcecode Online Cellphone System Parameter available.php sql injection in Online Cellphone System. Patch commands and ver
CVE-2026-5554 is a sql injection in Code-projects Concert Ticket Reservation System. CVSS 6.9 Medium. Patch commands, mitigations, and verif
CVE-2026-5555: code-projects Concert Ticket Reservation System Parameter login.php sql injection in Concert Ticket Reservation System. Patch
CVE-2026-5556 is a badlogic pi-mono loader.ts discoverandloadextensions code injection in Badlogic pi-mono, fixed by the same patch as CVE-2
CVE-2026-5557 is a badlogic pi-mono pi-mom slack bot slack.ts authentication bypass in Badlogic pi-mono, fixed by the same patch as CVE-2026
CVE-2026-5558 is a sql injection in PHPGurukul Online Shopping Portal Project. CVSS 5.3 Medium. Patch commands, mitigations, and verificatio
CVE-2026-5559: Improper Neutralization of Special Elements Used in a Template Engine in PyBlade. Patch commands and verification.
CVE-2026-5560: bundle sibling of CVE-2026-5552. Same patched build closes both.
CVE-2026-5561 is an injection in Campcodes Complete POS Management and Inventory System. CVSS 5.3 Medium. Patch commands, mitigations, and ve
CVE-2026-5562: provectus kafka-ui Endpoint testexecutions validateAccess code injection in kafka-ui. Patch commands and verification.
CVE-2026-5563: AutohomeCorp frostmourne Alarm Preview previewData httpTest sql injection in frostmourne. Patch commands and verification.
CVE-2026-5564: bundle sibling of CVE-2026-5255. Same patched build closes both.
CVE-2026-5565: bundle sibling of CVE-2026-5255. Same patched build closes both.
CVE-2026-5568 is a akaunting invoice/billing cross site scripting in the vendor Akaunting. CVSS 5.1 Medium. Patch commands, mitigations, and
CVE-2026-5569: Technostrobe HI-LED-WR120-G2 Endpoint access control in HI-LED-WR120-G2. Patch commands and verification.
CVE-2026-5570: bundle sibling of CVE-2026-5569. Same patched build closes both.
CVE-2026-5571: bundle sibling of CVE-2026-5569. Same patched build closes both.
CVE-2026-5572 is a technostrobe hi-led-wr120-g2 cross-site request forgery in Technostrobe HI-LED-WR120-G2, fixed by the same patch as CVE-2
CVE-2026-5573 is a technostrobe hi-led-wr120-g2 fs unrestricted upload in Technostrobe HI-LED-WR120-G2, fixed by the same patch as CVE-2026-
CVE-2026-5574: bundle sibling of CVE-2026-5569. Same patched build closes both.
CVE-2026-5575: SourceCodester/jkev Record Management System Login index.php sql injection in Record Management System. Patch commands and ve
CVE-2026-5576 is an unrestricted upload in Sourcecodester Record Management System. CVSS 5.1 Medium. Patch commands, mitigations, and verific
CVE-2026-5577: Song-Li cross_browser details Endpoint uniquemachine_app.py sql injection in cross_browser. Patch commands and verification.
CVE-2026-5578: CodeAstro Online Classroom Parameter addassessment.php sql injection in Online Classroom. Patch commands and verification.
CVE-2026-5579: bundle sibling of CVE-2026-5578. Same patched build closes both.
CVE-2026-5580: bundle sibling of CVE-2026-5578. Same patched build closes both.
CVE-2026-5583: bundle sibling of CVE-2026-5552. Same patched build closes both.
CVE-2026-5584: Fosowl agenticSeek query Endpoint PyInterpreter.py PyInterpreter.execute code injection in agenticSeek. Patch commands and ve
CVE-2026-5585: Tencent AI-Infra-Guard Task Detail Endpoint task_manager.go information disclosure in AI-Infra-Guard. Patch commands and veri
CVE-2026-5586: zhongyu09 openchatbi Multi-stage Text2SQL Workflow sql injection in openchatbi. Patch commands and verification.
CVE-2026-5587: wbbeyourself MAC-SQL Refiner Agent agents.py _execute_sql sql injection in MAC-SQL. Patch commands and verification.
CVE-2026-5588 is a use of a broken or risky in BC-JAVA. This page lists verified fix commands and short-term mitigations you can run today.
CVE-2026-5590: net: ip/tcp: Null pointer dereference can be triggered by a race condition in Zephyr. Patch commands and verification.
CVE-2026-5594 is a premai-io premsql followup.py eval code injection in Premai-io premsql. CVSS 5.3 Medium. Patch commands, mitigations, and
CVE-2026-5595: griptape-ai griptape FileManagerTool save_memory_artifacts_to_disk path traversal in griptape. Patch commands and verificatio
CVE-2026-5596 is a griptape-ai griptape sqltool tool.py sql injection in Griptape-ai griptape, fixed by the same patch as CVE-2026-5595.
CVE-2026-5597 is a griptape-ai griptape computertool tool.py path traversal in Griptape-ai griptape, fixed by the same patch as CVE-2026-559
CVE-2026-5600 is an improper isolation or compartmentalization in pretix. CVSS 5.5 Medium. Patch commands, mitigations, and verification.
CVE-2026-5601: Acrel Electrical Prepaid Cloud Platform Backup File bin.rar information disclosure in Prepaid Cloud Platform. Patch commands
CVE-2026-5602: Nor2-io heim-mcp new_heim_application tools.ts registerTools os command injection in heim-mcp. Patch commands and verificatio
CVE-2026-5603: elgentos magento2-dev-mcp index.ts executeMagerun2Command os command injection in magento2-dev-mcp. Patch commands and verifi
CVE-2026-5606: bundle sibling of CVE-2026-5552. Same patched build closes both.
CVE-2026-5607 is a server-side request forgery in Imprvhub mcp-browser-agent. CVSS 5.3 Medium. Patch commands, mitigations, and verification
CVE-2026-5615: givanz Vvvebjs File Upload Endpoint upload.php cross site scripting in Vvvebjs. Patch commands and verification.
CVE-2026-5616: JeecgBoot AI Chat JeecgBizToolsProvider.java missing authentication in JeecgBoot. Patch commands and verification.
CVE-2026-5618: kalcaddle kodbox shareMake/shareCheck server-side request forgery in kodbox. Patch commands and verification.
CVE-2026-5619: Braffolk mcp-summarization-functions summarize_command mcp-server.ts os command injection in mcp-summarization-functions. Pat
CVE-2026-5620 is a sql injection in Itsourcecode Construction Management System. CVSS 5.3 Medium. Patch commands, mitigations, and verificat
CVE-2026-5621: ChrisChinchilla Vale-MCP HTTP index.ts os command injection in Vale-MCP. Patch commands and verification.
CVE-2026-5622: hcengineering Huly Platform JWT Token token.ts hard-coded key in Huly Platform. Patch commands and verification.
CVE-2026-5623: hcengineering Huly Platform Import Endpoint index.ts server-side request forgery in Huly Platform. Patch commands and verific
CVE-2026-5624: ProjectSend upload.php cross-site request forgery in ProjectSend. Patch commands and verification.
CVE-2026-5625: assafelovic gpt-researcher WebSocket researcher.py cross site scripting in gpt-researcher. Patch commands and verification.
CVE-2026-5630: bundle sibling of CVE-2026-5625. Same patched build closes both.
CVE-2026-5631 is a code injection in Assafelovic gpt-researcher, fixed by the same patch as CVE-2026-5625.
CVE-2026-5632: bundle sibling of CVE-2026-5625. Same patched build closes both.
CVE-2026-5633: bundle sibling of CVE-2026-5625. Same patched build closes both.
CVE-2026-5634: projectworlds Car Rental Project Parameter book_car.php sql injection in Car Rental Project. Patch commands and verification.
CVE-2026-5635 is a sql injection in Phpgurukul Online Shopping Portal Project, fixed by the same patch as CVE-2026-5552.
CVE-2026-5636: bundle sibling of CVE-2026-5552. Same patched build closes both.
CVE-2026-5637: projectworlds Car Rental System Parameter message_admin.php sql injection in Car Rental System. Patch commands and verificati
CVE-2026-5638 is a heriklyma cppwebframework path traversal in Heriklyma CPPWebFramework. CVSS 6.9 Medium. Patch commands, mitigations, and
CVE-2026-5639: bundle sibling of CVE-2026-5552. Same patched build closes both.
CVE-2026-5640: bundle sibling of CVE-2026-5552. Same patched build closes both.
CVE-2026-5641: bundle sibling of CVE-2026-5552. Same patched build closes both.
CVE-2026-5642: Cyber-III Student-Management-System HTTP POST Request update.php improper authorization in Student-Management-System. Patch c
CVE-2026-5643: bundle sibling of CVE-2026-5642. Same patched build closes both.
CVE-2026-5644: bundle sibling of CVE-2026-5642. Same patched build closes both.
CVE-2026-5645: projectworlds Car Rental System Parameter pay.php sql injection in Car Rental System. Patch commands and verification.