{
"Source": "CVE FEED",
"Title": "CVE-2026-41887 - Flarum: Path traversal in LESS parser via theme color settings (incomplete fix for CVE-2023-27577)",
"Content": "CVE ID :CVE-2026-41887
Published : May 8, 2026, 5:16 p.m. | 20 minutes ago
Description :Flarum is open-source forum software. Prior to versions 1.8.16 and 2.0.0-rc.1, Flarum's patch for CVE-2023-27577 restricted the @import and data-uri() LESS features in the custom_less setting, but the same restriction was never applied to other settings registered as LESS config variables (for example theme_primary_color and theme_secondary_color, as well as any key registered via Extend\Settings::registerLessConfigVar()). Those values are interpolated verbatim into the LESS source at compile time, allowing an authenticated administrator to craft a theme-color value that injects an arbitrary @import directive into the compiled forum.css. Because the underlying LESS parser honours @import (inline) '', an attacker can read arbitrary files reachable by the PHP process (local file inclusion) or trigger outbound HTTP(S) requests (server-side request forgery). This issue has been patched in versions 1.8.16 and 2.0.0-rc.1.
Severity: 4.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 May 2026",
"Type": "Vulnerability"
}
š¹ t.me/cvedetector š¹
"Source": "CVE FEED",
"Title": "CVE-2026-41887 - Flarum: Path traversal in LESS parser via theme color settings (incomplete fix for CVE-2023-27577)",
"Content": "CVE ID :CVE-2026-41887
Published : May 8, 2026, 5:16 p.m. | 20 minutes ago
Description :Flarum is open-source forum software. Prior to versions 1.8.16 and 2.0.0-rc.1, Flarum's patch for CVE-2023-27577 restricted the @import and data-uri() LESS features in the custom_less setting, but the same restriction was never applied to other settings registered as LESS config variables (for example theme_primary_color and theme_secondary_color, as well as any key registered via Extend\Settings::registerLessConfigVar()). Those values are interpolated verbatim into the LESS source at compile time, allowing an authenticated administrator to craft a theme-color value that injects an arbitrary @import directive into the compiled forum.css. Because the underlying LESS parser honours @import (inline) '', an attacker can read arbitrary files reachable by the PHP process (local file inclusion) or trigger outbound HTTP(S) requests (server-side request forgery). This issue has been patched in versions 1.8.16 and 2.0.0-rc.1.
Severity: 4.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 May 2026",
"Type": "Vulnerability"
}
š¹ t.me/cvedetector š¹
{
"Source": "CVE FEED",
"Title": "CVE-2026-44499 - ZEBRA: Permanent Block Discovery Halt via Gossip Queue Saturation and Syncer Poisoning",
"Content": "CVE ID :CVE-2026-44499
Published : May 8, 2026, 4:16 p.m. | 1 hour, 20 minutes ago
Description :ZEBRA is a Zcash node written entirely in Rust. Prior to version 4.4.0, a composite denial-of-service vulnerability in Zebra's block discovery pipeline allows an unauthenticated remote attacker to permanently halt all new block discovery on a targeted node. The attack exploits three independent weaknesses in the gossip, syncer, and download subsystems ā all exercisable from a single TCP connection ā to create a monotonically growing block deficit that never self-heals. This issue has been patched in version 4.4.0.
Severity: 8.7 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 May 2026",
"Type": "Vulnerability"
}
š¹ t.me/cvedetector š¹
"Source": "CVE FEED",
"Title": "CVE-2026-44499 - ZEBRA: Permanent Block Discovery Halt via Gossip Queue Saturation and Syncer Poisoning",
"Content": "CVE ID :CVE-2026-44499
Published : May 8, 2026, 4:16 p.m. | 1 hour, 20 minutes ago
Description :ZEBRA is a Zcash node written entirely in Rust. Prior to version 4.4.0, a composite denial-of-service vulnerability in Zebra's block discovery pipeline allows an unauthenticated remote attacker to permanently halt all new block discovery on a targeted node. The attack exploits three independent weaknesses in the gossip, syncer, and download subsystems ā all exercisable from a single TCP connection ā to create a monotonically growing block deficit that never self-heals. This issue has been patched in version 4.4.0.
Severity: 8.7 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 May 2026",
"Type": "Vulnerability"
}
š¹ t.me/cvedetector š¹
{
"Source": "CVE FEED",
"Title": "CVE-2026-42353 - Path traversal / SSRF in i18next-http-middleware via user-controlled language and namespace parameters",
"Content": "CVE ID :CVE-2026-42353
Published : May 8, 2026, 4:16 p.m. | 1 hour, 20 minutes ago
Description :i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Prior to version 3.9.3, i18next-http-middleware passes the user-controlled lng and ns values from getResourcesHandler directly into i18next.services.backendConnector.load(languages, namespaces, ā¦) without any sanitization. Depending on which backend is configured, the unvalidated path segments enable either path traversal or SSRF. This issue has been patched in version 3.9.3.
Severity: 8.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 May 2026",
"Type": "Vulnerability"
}
š¹ t.me/cvedetector š¹
"Source": "CVE FEED",
"Title": "CVE-2026-42353 - Path traversal / SSRF in i18next-http-middleware via user-controlled language and namespace parameters",
"Content": "CVE ID :CVE-2026-42353
Published : May 8, 2026, 4:16 p.m. | 1 hour, 20 minutes ago
Description :i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Prior to version 3.9.3, i18next-http-middleware passes the user-controlled lng and ns values from getResourcesHandler directly into i18next.services.backendConnector.load(languages, namespaces, ā¦) without any sanitization. Depending on which backend is configured, the unvalidated path segments enable either path traversal or SSRF. This issue has been patched in version 3.9.3.
Severity: 8.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 May 2026",
"Type": "Vulnerability"
}
š¹ t.me/cvedetector š¹
{
"Source": "CVE FEED",
"Title": "CVE-2026-42793 - Atom table exhaustion via attacker-controlled GraphQL SDL names in absinthe",
"Content": "CVE ID :CVE-2026-42793
Published : May 8, 2026, 4:16 p.m. | 1 hour, 20 minutes ago
Description :Allocation of Resources Without Limits or Throttling vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via atom table exhaustion when parsing attacker-controlled GraphQL SDL.
Multiple Blueprint.Draft.convert/2 implementations in Absinthe's SDL language modules call String.to_atom/1 on attacker-controlled names from parsed GraphQL SDL documents, including directive names, field names, type names, and argument names. Because atoms are never garbage-collected and the BEAM atom table has a fixed limit (default 1,048,576), each unique name permanently consumes one slot. An attacker can exhaust the atom table by submitting SDL documents containing enough unique names, causing the Erlang VM to abort with system_limit and taking down the entire node.
Any application that passes attacker-controlled GraphQL SDL through Absinthe's parser is exposed ā for example, a schema-upload endpoint, a federation gateway that ingests remote SDL, or any developer tool that runs the parser over user-supplied documents.
This issue affects absinthe: from 1.5.0 before 1.10.2.
Severity: 8.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 May 2026",
"Type": "Vulnerability"
}
š¹ t.me/cvedetector š¹
"Source": "CVE FEED",
"Title": "CVE-2026-42793 - Atom table exhaustion via attacker-controlled GraphQL SDL names in absinthe",
"Content": "CVE ID :CVE-2026-42793
Published : May 8, 2026, 4:16 p.m. | 1 hour, 20 minutes ago
Description :Allocation of Resources Without Limits or Throttling vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via atom table exhaustion when parsing attacker-controlled GraphQL SDL.
Multiple Blueprint.Draft.convert/2 implementations in Absinthe's SDL language modules call String.to_atom/1 on attacker-controlled names from parsed GraphQL SDL documents, including directive names, field names, type names, and argument names. Because atoms are never garbage-collected and the BEAM atom table has a fixed limit (default 1,048,576), each unique name permanently consumes one slot. An attacker can exhaust the atom table by submitting SDL documents containing enough unique names, causing the Erlang VM to abort with system_limit and taking down the entire node.
Any application that passes attacker-controlled GraphQL SDL through Absinthe's parser is exposed ā for example, a schema-upload endpoint, a federation gateway that ingests remote SDL, or any developer tool that runs the parser over user-supplied documents.
This issue affects absinthe: from 1.5.0 before 1.10.2.
Severity: 8.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 May 2026",
"Type": "Vulnerability"
}
š¹ t.me/cvedetector š¹
{
"Source": "CVE FEED",
"Title": "CVE-2026-42794 - Reflected XSS via backslash bypass in GraphiQL js_escape in absinthe_plug",
"Content": "CVE ID :CVE-2026-42794
Published : May 8, 2026, 4:16 p.m. | 1 hour, 20 minutes ago
Description :Improper Neutralization of Input During Web Page Generation (XSS) vulnerability in absinthe-graphql absinthe_plug allows reflected cross-site scripting via the GraphiQL interface.
'Elixir.Absinthe.Plug.GraphiQL':js_escape/1 in lib/absinthe/plug/graphiql.ex escapes single quotes and newlines in the query GET parameter before embedding it in an inline JavaScript string, but does not escape backslashes. An attacker can bypass the escaping by prefixing a quote with a backslash (e.g. \'), breaking out of the string context and executing arbitrary JavaScript in the victim's browser.
This issue affects absinthe_plug: from 1.2.0.
Severity: 2.3 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 May 2026",
"Type": "Vulnerability"
}
š¹ t.me/cvedetector š¹
"Source": "CVE FEED",
"Title": "CVE-2026-42794 - Reflected XSS via backslash bypass in GraphiQL js_escape in absinthe_plug",
"Content": "CVE ID :CVE-2026-42794
Published : May 8, 2026, 4:16 p.m. | 1 hour, 20 minutes ago
Description :Improper Neutralization of Input During Web Page Generation (XSS) vulnerability in absinthe-graphql absinthe_plug allows reflected cross-site scripting via the GraphiQL interface.
'Elixir.Absinthe.Plug.GraphiQL':js_escape/1 in lib/absinthe/plug/graphiql.ex escapes single quotes and newlines in the query GET parameter before embedding it in an inline JavaScript string, but does not escape backslashes. An attacker can bypass the escaping by prefixing a quote with a backslash (e.g. \'), breaking out of the string context and executing arbitrary JavaScript in the victim's browser.
This issue affects absinthe_plug: from 1.2.0.
Severity: 2.3 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 May 2026",
"Type": "Vulnerability"
}
š¹ t.me/cvedetector š¹
{
"Source": "CVE FEED",
"Title": "CVE-2026-43967 - Quadratic fragment-name uniqueness check causes denial of service in absinthe",
"Content": "CVE ID :CVE-2026-43967
Published : May 8, 2026, 4:16 p.m. | 1 hour, 20 minutes ago
Description :Inefficient Algorithmic Complexity vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via quadratic fragment-name uniqueness validation.
'Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames':run/2 iterates over all fragments and for each one calls duplicate?/2, which evaluates Enum.count(fragments, &(&1.name == name)) ā a full linear scan of the fragment list. The result is O(NĀ²) comparisons per document, where N is the number of fragment definitions supplied by the caller.
Because input.fragments is built directly from the GraphQL query body, N is fully attacker-controlled. A minimum-size fragment definition is roughly 16 bytes, so a ~1 MB document carries ~60,000 fragments and forces ~3.6 Ć 10ā¹ comparisons inside this single validation phase. No authentication, schema knowledge, or special configuration is required.
This issue affects absinthe: from 1.2.0 before 1.10.2.
Severity: 8.7 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 May 2026",
"Type": "Vulnerability"
}
š¹ t.me/cvedetector š¹
"Source": "CVE FEED",
"Title": "CVE-2026-43967 - Quadratic fragment-name uniqueness check causes denial of service in absinthe",
"Content": "CVE ID :CVE-2026-43967
Published : May 8, 2026, 4:16 p.m. | 1 hour, 20 minutes ago
Description :Inefficient Algorithmic Complexity vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via quadratic fragment-name uniqueness validation.
'Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames':run/2 iterates over all fragments and for each one calls duplicate?/2, which evaluates Enum.count(fragments, &(&1.name == name)) ā a full linear scan of the fragment list. The result is O(NĀ²) comparisons per document, where N is the number of fragment definitions supplied by the caller.
Because input.fragments is built directly from the GraphQL query body, N is fully attacker-controlled. A minimum-size fragment definition is roughly 16 bytes, so a ~1 MB document carries ~60,000 fragments and forces ~3.6 Ć 10ā¹ comparisons inside this single validation phase. No authentication, schema knowledge, or special configuration is required.
This issue affects absinthe: from 1.2.0 before 1.10.2.
Severity: 8.7 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 May 2026",
"Type": "Vulnerability"
}
š¹ t.me/cvedetector š¹
{
"Source": "CVE FEED",
"Title": "CVE-2026-41886 - locize Client SDK: Cross-origin DOM XSS & Handler Hijack Through Missing e.origin Validation in InContext Editor",
"Content": "CVE ID :CVE-2026-41886
Published : May 8, 2026, 4:16 p.m. | 1 hour, 20 minutes ago
Description :locize is a localization platform that connects code and i18n setup. Prior to version 4.0.21, the locize client SDK registers a window.addEventListener("message", ā¦) handler that dispatches to registered internal handlers (editKey, commitKey, commitKeys, isLocizeEnabled, requestInitialize, ā¦) without validating event.origin. The pre-patch listener in src/api/postMessage.js gates dispatch on event.data.sender === "i18next-editor-frame" ā that value sits inside the attacker-controlled message payload, not the browser-enforced origin. Any web page that could embed or be embedded by a locize-enabled host ā an iframe on a third-party page, a window.open-ed victim, a parent frame reaching down ā could send a crafted postMessage and trigger the internal handlers. This issue has been patched in version 4.0.21.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 May 2026",
"Type": "Vulnerability"
}
š¹ t.me/cvedetector š¹
"Source": "CVE FEED",
"Title": "CVE-2026-41886 - locize Client SDK: Cross-origin DOM XSS & Handler Hijack Through Missing e.origin Validation in InContext Editor",
"Content": "CVE ID :CVE-2026-41886
Published : May 8, 2026, 4:16 p.m. | 1 hour, 20 minutes ago
Description :locize is a localization platform that connects code and i18n setup. Prior to version 4.0.21, the locize client SDK registers a window.addEventListener("message", ā¦) handler that dispatches to registered internal handlers (editKey, commitKey, commitKeys, isLocizeEnabled, requestInitialize, ā¦) without validating event.origin. The pre-patch listener in src/api/postMessage.js gates dispatch on event.data.sender === "i18next-editor-frame" ā that value sits inside the attacker-controlled message payload, not the browser-enforced origin. Any web page that could embed or be embedded by a locize-enabled host ā an iframe on a third-party page, a window.open-ed victim, a parent frame reaching down ā could send a crafted postMessage and trigger the internal handlers. This issue has been patched in version 4.0.21.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 May 2026",
"Type": "Vulnerability"
}
š¹ t.me/cvedetector š¹
{
"Source": "CVE FEED",
"Title": "CVE-2026-41591 - Marko: XSS via case-insensitive script/style closing tag bypass in runtime HTML escaping",
"Content": "CVE ID :CVE-2026-41591
Published : May 8, 2026, 4:16 p.m. | 1 hour, 20 minutes ago
Description :Marko is a declarative, HTML-based language for building web apps. Prior to marko version 5.38.36 and prior to @marko/runtime-tags 6.0.164, when dynamic text is interpolated into a , , etc. and inject arbitrary HTML/JavaScript, resulting in cross-site scripting. This issue has been patched in marko version 5.38.36 and @marko/runtime-tags 6.0.164.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 May 2026",
"Type": "Vulnerability"
}
š¹ t.me/cvedetector š¹
"Source": "CVE FEED",
"Title": "CVE-2026-41591 - Marko: XSS via case-insensitive script/style closing tag bypass in runtime HTML escaping",
"Content": "CVE ID :CVE-2026-41591
Published : May 8, 2026, 4:16 p.m. | 1 hour, 20 minutes ago
Description :Marko is a declarative, HTML-based language for building web apps. Prior to marko version 5.38.36 and prior to @marko/runtime-tags 6.0.164, when dynamic text is interpolated into a , , etc. and inject arbitrary HTML/JavaScript, resulting in cross-site scripting. This issue has been patched in marko version 5.38.36 and @marko/runtime-tags 6.0.164.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 May 2026",
"Type": "Vulnerability"
}
š¹ t.me/cvedetector š¹
{
"Source": "CVE FEED",
"Title": "CVE-2026-41070 - openvpn-auth-oauth2 returns FUNC_SUCCESS on client-deny, allowing unauthenticated VPN access",
"Content": "CVE ID :CVE-2026-41070
Published : May 8, 2026, 4:16 p.m. | 1 hour, 20 minutes ago
Description :openvpn-auth-oauth2 is a plugin/management interface client for OpenVPN server to handle an OIDC based single sign-on (SSO) auth flows. From version 1.26.3 to before version 1.27.3, when openvpn-auth-oauth2 is deployed in the experimental plugin mode (shared library loaded by OpenVPN via the plugin directive), clients that do not support WebAuth/SSO (e.g., the openvpn CLI on Linux) are incorrectly admitted to the VPN despite being denied by the authentication logic. The default management-interface mode is not affected because it does not use the OpenVPN plugin return-code mechanism. This issue has been patched in version 1.27.3.
Severity: 10.0 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 May 2026",
"Type": "Vulnerability"
}
š¹ t.me/cvedetector š¹
"Source": "CVE FEED",
"Title": "CVE-2026-41070 - openvpn-auth-oauth2 returns FUNC_SUCCESS on client-deny, allowing unauthenticated VPN access",
"Content": "CVE ID :CVE-2026-41070
Published : May 8, 2026, 4:16 p.m. | 1 hour, 20 minutes ago
Description :openvpn-auth-oauth2 is a plugin/management interface client for OpenVPN server to handle an OIDC based single sign-on (SSO) auth flows. From version 1.26.3 to before version 1.27.3, when openvpn-auth-oauth2 is deployed in the experimental plugin mode (shared library loaded by OpenVPN via the plugin directive), clients that do not support WebAuth/SSO (e.g., the openvpn CLI on Linux) are incorrectly admitted to the VPN despite being denied by the authentication logic. The default management-interface mode is not affected because it does not use the OpenVPN plugin return-code mechanism. This issue has been patched in version 1.27.3.
Severity: 10.0 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 May 2026",
"Type": "Vulnerability"
}
š¹ t.me/cvedetector š¹
{
"Source": "CVE FEED",
"Title": "CVE-2026-41683 - HTTP response splitting and DoS in i18next-http-middleware via unsanitised Content-Language header",
"Content": "CVE ID :CVE-2026-41683
Published : May 8, 2026, 4:16 p.m. | 1 hour, 20 minutes ago
Description :i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Prior to version 3.9.3, i18next-http-middleware wrote user-controlled language values into the Content-Language response header after passing them through utils.escape(), which is an HTML-entity encoder that does not strip carriage return, line feed, or other control characters. When the application used an older i18next (< 19.5.0) that still exercised the backward-compatibility fallback at LanguageDetector.js:100 or otherwise produced a raw detected value, CRLF sequences in the attacker-controlled lng parameter reached res.setHeader('Content-Language', ...) verbatim. This issue has been patched in version 3.9.3.
Severity: 8.6 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 May 2026",
"Type": "Vulnerability"
}
š¹ t.me/cvedetector š¹
"Source": "CVE FEED",
"Title": "CVE-2026-41683 - HTTP response splitting and DoS in i18next-http-middleware via unsanitised Content-Language header",
"Content": "CVE ID :CVE-2026-41683
Published : May 8, 2026, 4:16 p.m. | 1 hour, 20 minutes ago
Description :i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Prior to version 3.9.3, i18next-http-middleware wrote user-controlled language values into the Content-Language response header after passing them through utils.escape(), which is an HTML-entity encoder that does not strip carriage return, line feed, or other control characters. When the application used an older i18next (< 19.5.0) that still exercised the backward-compatibility fallback at LanguageDetector.js:100 or otherwise produced a raw detected value, CRLF sequences in the attacker-controlled lng parameter reached res.setHeader('Content-Language', ...) verbatim. This issue has been patched in version 3.9.3.
Severity: 8.6 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 May 2026",
"Type": "Vulnerability"
}
š¹ t.me/cvedetector š¹
{
"Source": "CVE FEED",
"Title": "CVE-2026-41690 - Prototype pollution and path traversal in i18next-http-middleware via user-controlled language and namespace parameters",
"Content": "CVE ID :CVE-2026-41690
Published : May 8, 2026, 4:16 p.m. | 1 hour, 20 minutes ago
Description :18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Versions prior to 3.9.3 allow an unauthenticated HTTP client to pollute Object.prototype in the Node.js process hosting the middleware, via two unvalidated entry points that reach internal object-key writes: getResourcesHandler and missingKeyHandler. This can break authorisation checks (if (user.isAdmin) returning true for any user), cause type-confusion DoS, and depending on downstream code it can be chained into RCE.
Severity: 8.6 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 May 2026",
"Type": "Vulnerability"
}
š¹ t.me/cvedetector š¹
"Source": "CVE FEED",
"Title": "CVE-2026-41690 - Prototype pollution and path traversal in i18next-http-middleware via user-controlled language and namespace parameters",
"Content": "CVE ID :CVE-2026-41690
Published : May 8, 2026, 4:16 p.m. | 1 hour, 20 minutes ago
Description :18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Versions prior to 3.9.3 allow an unauthenticated HTTP client to pollute Object.prototype in the Node.js process hosting the middleware, via two unvalidated entry points that reach internal object-key writes: getResourcesHandler and missingKeyHandler. This can break authorisation checks (if (user.isAdmin) returning true for any user), cause type-confusion DoS, and depending on downstream code it can be chained into RCE.
Severity: 8.6 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 May 2026",
"Type": "Vulnerability"
}
š¹ t.me/cvedetector š¹
{
"Source": "CVE FEED",
"Title": "CVE-2026-41693 - i18next-fs-backend: Path traversal via unsanitised lng/ns allows arbitrary file read/overwrite",
"Content": "CVE ID :CVE-2026-41693
Published : May 8, 2026, 4:16 p.m. | 1 hour, 20 minutes ago
Description :i18next-fs-backend is a backend layer for i18next using in Node.js and for Deno to load translations from the filesystem. Prior to version 2.6.4, i18next-fs-backend substitutes the lng and ns options directly into the configured loadPath / addPath templates and then read / write the resulting file from disk. The interpolation is unencoded and unvalidated, so a crafted lng or ns value ā containing .., a path separator, a control character, a prototype key, or simply an unexpectedly long string ā allows an attacker who can influence either value to read or overwrite files outside the intended locale directory. When lng / ns are derived from untrusted input (request-scoped i18next instances behind an HTTP layer such as i18next-http-middleware, or any framework that lets the end user pick the language via query string, cookie, or header), a single request such as ?lng=../../../../etc/passwd causes the backend to attempt to read that path. This issue has been patched in version 2.6.4.
Severity: 8.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 May 2026",
"Type": "Vulnerability"
}
š¹ t.me/cvedetector š¹
"Source": "CVE FEED",
"Title": "CVE-2026-41693 - i18next-fs-backend: Path traversal via unsanitised lng/ns allows arbitrary file read/overwrite",
"Content": "CVE ID :CVE-2026-41693
Published : May 8, 2026, 4:16 p.m. | 1 hour, 20 minutes ago
Description :i18next-fs-backend is a backend layer for i18next using in Node.js and for Deno to load translations from the filesystem. Prior to version 2.6.4, i18next-fs-backend substitutes the lng and ns options directly into the configured loadPath / addPath templates and then read / write the resulting file from disk. The interpolation is unencoded and unvalidated, so a crafted lng or ns value ā containing .., a path separator, a control character, a prototype key, or simply an unexpectedly long string ā allows an attacker who can influence either value to read or overwrite files outside the intended locale directory. When lng / ns are derived from untrusted input (request-scoped i18next instances behind an HTTP layer such as i18next-http-middleware, or any framework that lets the end user pick the language via query string, cookie, or header), a single request such as ?lng=../../../../etc/passwd causes the backend to attempt to read that path. This issue has been patched in version 2.6.4.
Severity: 8.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 May 2026",
"Type": "Vulnerability"
}
š¹ t.me/cvedetector š¹
{
"Source": "CVE FEED",
"Title": "CVE-2026-41883 - OmniFaces: EL injection via crafted resource name in wildcard CDN mapping",
"Content": "CVE ID :CVE-2026-41883
Published : May 8, 2026, 4:16 p.m. | 1 hour, 20 minutes ago
Description :OmniFaces is a utility library for Faces. Prior to versions 1.14.2, 2.7.32, 3.14.16, 4.7.5, and 5.2.3, there is a server-side EL injection leading to Remote Code Execution (RCE). This affects applications that use CDNResourceHandler with a wildcard CDN mapping (e.g. libraryName:*=*). An attacker can craft a resource request URL containing an EL expression in the resource name, which is evaluated server-side. This issue has been patched in versions 1.14.2, 2.7.32, 3.14.16, 4.7.5, and 5.2.3.
Severity: 8.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 May 2026",
"Type": "Vulnerability"
}
š¹ t.me/cvedetector š¹
"Source": "CVE FEED",
"Title": "CVE-2026-41883 - OmniFaces: EL injection via crafted resource name in wildcard CDN mapping",
"Content": "CVE ID :CVE-2026-41883
Published : May 8, 2026, 4:16 p.m. | 1 hour, 20 minutes ago
Description :OmniFaces is a utility library for Faces. Prior to versions 1.14.2, 2.7.32, 3.14.16, 4.7.5, and 5.2.3, there is a server-side EL injection leading to Remote Code Execution (RCE). This affects applications that use CDNResourceHandler with a wildcard CDN mapping (e.g. libraryName:*=*). An attacker can craft a resource request URL containing an EL expression in the resource name, which is evaluated server-side. This issue has been patched in versions 1.14.2, 2.7.32, 3.14.16, 4.7.5, and 5.2.3.
Severity: 8.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 May 2026",
"Type": "Vulnerability"
}
š¹ t.me/cvedetector š¹
{
"Source": "CVE FEED",
"Title": "CVE-2026-41885 - Path traversal / URL injection via unsanitised lng/ns/projectId/version in i18next-locize-backend",
"Content": "CVE ID :CVE-2026-41885
Published : May 8, 2026, 4:16 p.m. | 1 hour, 20 minutes ago
Description :i18next-locize-backend is a simple i18next backend for locize.com which can be used in Node.js, in the browser and for Deno. Prior to version 9.0.2, i18next-locize-backend interpolates lng, ns, projectId, and version directly into the configured loadPath / privatePath / addPath / updatePath / getLanguagesPath URL templates with no path-component validation and no encoding. When an application exposes any of these values to user-controlled input (?lng= / ?ns= query parameters via i18next-browser-languagedetector, cookies, request headers, or a URL-derived projectId), a crafted value can change the structure of the outgoing request URL. Affected call sites in lib/index.js (pre-patch): the interpolate() helper is used at the five URL-build sites ā _readAny/read (line 415 for private, 426 for public), getLanguages (lines 271 and 296), and writePage (lines 616 and 622) for the missing-key and update POST paths. The helper interpolate in lib/utils.js substitutes raw values with no encoding. This issue has been patched in version 9.0.2.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 May 2026",
"Type": "Vulnerability"
}
š¹ t.me/cvedetector š¹
"Source": "CVE FEED",
"Title": "CVE-2026-41885 - Path traversal / URL injection via unsanitised lng/ns/projectId/version in i18next-locize-backend",
"Content": "CVE ID :CVE-2026-41885
Published : May 8, 2026, 4:16 p.m. | 1 hour, 20 minutes ago
Description :i18next-locize-backend is a simple i18next backend for locize.com which can be used in Node.js, in the browser and for Deno. Prior to version 9.0.2, i18next-locize-backend interpolates lng, ns, projectId, and version directly into the configured loadPath / privatePath / addPath / updatePath / getLanguagesPath URL templates with no path-component validation and no encoding. When an application exposes any of these values to user-controlled input (?lng= / ?ns= query parameters via i18next-browser-languagedetector, cookies, request headers, or a URL-derived projectId), a crafted value can change the structure of the outgoing request URL. Affected call sites in lib/index.js (pre-patch): the interpolate() helper is used at the five URL-build sites ā _readAny/read (line 415 for private, 426 for public), getLanguages (lines 271 and 296), and writePage (lines 616 and 622) for the missing-key and update POST paths. The helper interpolate in lib/utils.js substitutes raw values with no encoding. This issue has been patched in version 9.0.2.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 May 2026",
"Type": "Vulnerability"
}
š¹ t.me/cvedetector š¹
{
"Source": "CVE FEED",
"Title": "CVE-2026-42185 - People: Privilege Escalation via Missing Role Ceiling in Mail Domain Invitation",
"Content": "CVE ID :CVE-2026-42185
Published : May 8, 2026, 7:23 p.m. | 15 minutes ago
Description :People is an application to handle users and teams, and distribute permissions across La Suite. Prior to version 1.25.0, a user holding the Administrator role on a mail domain could send a crafted invitation request to promote any existing user (including users with no current domain access) to the Owner role. The exploit requires a single authenticated HTTP request and grants full domain ownership immediately, without any acceptance step from the target. This issue has been patched in version 1.25.0.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 May 2026",
"Type": "Vulnerability"
}
š¹ t.me/cvedetector š¹
"Source": "CVE FEED",
"Title": "CVE-2026-42185 - People: Privilege Escalation via Missing Role Ceiling in Mail Domain Invitation",
"Content": "CVE ID :CVE-2026-42185
Published : May 8, 2026, 7:23 p.m. | 15 minutes ago
Description :People is an application to handle users and teams, and distribute permissions across La Suite. Prior to version 1.25.0, a user holding the Administrator role on a mail domain could send a crafted invitation request to promote any existing user (including users with no current domain access) to the Owner role. The exploit requires a single authenticated HTTP request and grants full domain ownership immediately, without any acceptance step from the target. This issue has been patched in version 1.25.0.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 May 2026",
"Type": "Vulnerability"
}
š¹ t.me/cvedetector š¹
{
"Source": "CVE FEED",
"Title": "CVE-2026-42176 - Scoold: Persistent Admin Takeover by Overwriting the admins Configuration Setting via Forged JWT (missing `jti` validation)",
"Content": "CVE ID :CVE-2026-42176
Published : May 8, 2026, 7:16 p.m. | 21 minutes ago
Description :Scoold is a Q&A and a knowledge sharing platform for teams. Prior to version 1.67.0, Scoold allows the admins configuration value to be modified through /api/config/set/admins with a forged Bearer token that is accepted as an admin API token. Once that setting is changed, the target email address is written to the application configuration file. The change does not become active immediately in the current process, because the ADMINS set is loaded once at startup. After a Scoold restart, though, the selected user is recognized as an administrator and gains access to the admin panel. This issue gives an attacker a reliable persistence path: write their own email into scoold.admins, wait for a restart or trigger one operationally, and the account comes back as admin. This issue has been patched in version 1.67.0.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 May 2026",
"Type": "Vulnerability"
}
š¹ t.me/cvedetector š¹
"Source": "CVE FEED",
"Title": "CVE-2026-42176 - Scoold: Persistent Admin Takeover by Overwriting the admins Configuration Setting via Forged JWT (missing `jti` validation)",
"Content": "CVE ID :CVE-2026-42176
Published : May 8, 2026, 7:16 p.m. | 21 minutes ago
Description :Scoold is a Q&A and a knowledge sharing platform for teams. Prior to version 1.67.0, Scoold allows the admins configuration value to be modified through /api/config/set/admins with a forged Bearer token that is accepted as an admin API token. Once that setting is changed, the target email address is written to the application configuration file. The change does not become active immediately in the current process, because the ADMINS set is loaded once at startup. After a Scoold restart, though, the selected user is recognized as an administrator and gains access to the admin panel. This issue gives an attacker a reliable persistence path: write their own email into scoold.admins, wait for a restart or trigger one operationally, and the account comes back as admin. This issue has been patched in version 1.67.0.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 May 2026",
"Type": "Vulnerability"
}
š¹ t.me/cvedetector š¹
{
"Source": "CVE FEED",
"Title": "CVE-2026-41511 - OpenMcdf has an Infinite loop DoS via crafted CFB directory cycle",
"Content": "CVE ID :CVE-2026-41511
Published : May 8, 2026, 7:16 p.m. | 21 minutes ago
Description :OpenMcdf is a fully .NET / C# library to manipulate Compound File Binary File Format files, also known as Structured Storage. Prior to version 3.1.3, OpenMcdf does not detect cycles in the directory entry red-black tree of a Compound File Binary (CFB) document. A crafted CFB file with a cycle in the LeftSiblingID / RightSiblingID chain causes Storage.EnumerateEntries() and Storage.OpenStream() to loop indefinitely, consuming the calling thread with no possibility of recovery via try/catch. This issue has been patched in version 3.1.3.
Severity: 6.2 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 May 2026",
"Type": "Vulnerability"
}
š¹ t.me/cvedetector š¹
"Source": "CVE FEED",
"Title": "CVE-2026-41511 - OpenMcdf has an Infinite loop DoS via crafted CFB directory cycle",
"Content": "CVE ID :CVE-2026-41511
Published : May 8, 2026, 7:16 p.m. | 21 minutes ago
Description :OpenMcdf is a fully .NET / C# library to manipulate Compound File Binary File Format files, also known as Structured Storage. Prior to version 3.1.3, OpenMcdf does not detect cycles in the directory entry red-black tree of a Compound File Binary (CFB) document. A crafted CFB file with a cycle in the LeftSiblingID / RightSiblingID chain causes Storage.EnumerateEntries() and Storage.OpenStream() to loop indefinitely, consuming the calling thread with no possibility of recovery via try/catch. This issue has been patched in version 3.1.3.
Severity: 6.2 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 May 2026",
"Type": "Vulnerability"
}
š¹ t.me/cvedetector š¹
{
"Source": "CVE FEED",
"Title": "CVE-2026-8178 - Remote Code Execution via Unsafe Class Loading in Amazon Redshift JDBC Driver",
"Content": "CVE ID :CVE-2026-8178
Published : May 8, 2026, 7:16 p.m. | 21 minutes ago
Description :An issue exists in Amazon Redshift JDBC Driver versions prior to 2.2.2. Under certain conditions, the driver could load and execute arbitrary classes when processing JDBC connection URL parameters. An actor who can influence the connection URL could potentially execute code in the application context, provided a suitable class is available on the application's classpath.
To mitigate this issue, users should upgrade to version 2.2.2 or later.
Severity: 9.2 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 May 2026",
"Type": "Vulnerability"
}
š¹ t.me/cvedetector š¹
"Source": "CVE FEED",
"Title": "CVE-2026-8178 - Remote Code Execution via Unsafe Class Loading in Amazon Redshift JDBC Driver",
"Content": "CVE ID :CVE-2026-8178
Published : May 8, 2026, 7:16 p.m. | 21 minutes ago
Description :An issue exists in Amazon Redshift JDBC Driver versions prior to 2.2.2. Under certain conditions, the driver could load and execute arbitrary classes when processing JDBC connection URL parameters. An actor who can influence the connection URL could potentially execute code in the application context, provided a suitable class is available on the application's classpath.
To mitigate this issue, users should upgrade to version 2.2.2 or later.
Severity: 9.2 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 May 2026",
"Type": "Vulnerability"
}
š¹ t.me/cvedetector š¹
{
"Source": "CVE FEED",
"Title": "CVE-2026-29202 - Apache Struts Perl Code Execution Vulnerability",
"Content": "CVE ID :CVE-2026-29202
Published : May 8, 2026, 7:16 p.m. | 21 minutes ago
Description :Insufficient input validation of the `plugin` parameter of the `create_user` plugin allows arbitrary Perl code execution on behalf of the already authenticated account's system user.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 May 2026",
"Type": "Vulnerability"
}
š¹ t.me/cvedetector š¹
"Source": "CVE FEED",
"Title": "CVE-2026-29202 - Apache Struts Perl Code Execution Vulnerability",
"Content": "CVE ID :CVE-2026-29202
Published : May 8, 2026, 7:16 p.m. | 21 minutes ago
Description :Insufficient input validation of the `plugin` parameter of the `create_user` plugin allows arbitrary Perl code execution on behalf of the already authenticated account's system user.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 May 2026",
"Type": "Vulnerability"
}
š¹ t.me/cvedetector š¹
{
"Source": "CVE FEED",
"Title": "CVE-2026-29203 - cPanel Nova Symlink Privilege Escalation",
"Content": "CVE ID :CVE-2026-29203
Published : May 8, 2026, 7:16 p.m. | 21 minutes ago
Description :A chmod call in the cPanel Nova plugin's Cpanel::Nova::Connector follows symlinks, allowing setting root permissions on arbitrary system files or directories. That can cause DoS or local privilege escalation when an authenticated cPanel user places a symlink at a user-controlled legacy Nova path under their home directory.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 May 2026",
"Type": "Vulnerability"
}
š¹ t.me/cvedetector š¹
"Source": "CVE FEED",
"Title": "CVE-2026-29203 - cPanel Nova Symlink Privilege Escalation",
"Content": "CVE ID :CVE-2026-29203
Published : May 8, 2026, 7:16 p.m. | 21 minutes ago
Description :A chmod call in the cPanel Nova plugin's Cpanel::Nova::Connector follows symlinks, allowing setting root permissions on arbitrary system files or directories. That can cause DoS or local privilege escalation when an authenticated cPanel user places a symlink at a user-controlled legacy Nova path under their home directory.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 May 2026",
"Type": "Vulnerability"
}
š¹ t.me/cvedetector š¹
{
"Source": "CVE FEED",
"Title": "CVE-2026-29201 - Apache Feature File File Inclusion Vulnerability",
"Content": "CVE ID :CVE-2026-29201
Published : May 8, 2026, 7:16 p.m. | 21 minutes ago
Description :Insufficient input validation of the feature file name in `feature::LOADFEATUREFILE` adminbin call can cause arbitrary file read when a relative file path is passed.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 May 2026",
"Type": "Vulnerability"
}
š¹ t.me/cvedetector š¹
"Source": "CVE FEED",
"Title": "CVE-2026-29201 - Apache Feature File File Inclusion Vulnerability",
"Content": "CVE ID :CVE-2026-29201
Published : May 8, 2026, 7:16 p.m. | 21 minutes ago
Description :Insufficient input validation of the feature file name in `feature::LOADFEATUREFILE` adminbin call can cause arbitrary file read when a relative file path is passed.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 May 2026",
"Type": "Vulnerability"
}
š¹ t.me/cvedetector š¹