CVE-2025-69169 - WordPress Easy Media Download plugin <= 1.1.11 - CSS Injection vulnerability
CVE ID : CVE-2025-69169
Published : Jan. 8, 2026, 10:15 a.m. | 2 hours, 5 minutes ago
Description : Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Noor Alam Easy Media Download easy-media-download allows Reflection Injection.This issue affects Easy Media Download: from n/a through <= 1.1.11.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-69169
Published : Jan. 8, 2026, 10:15 a.m. | 2 hours, 5 minutes ago
Description : Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Noor Alam Easy Media Download easy-media-download allows Reflection Injection.This issue affects Easy Media Download: from n/a through <= 1.1.11.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-0674 - WordPress Campaign Monitor for WordPress plugin <= 2.9.0 - Broken Access Control vulnerability
CVE ID : CVE-2026-0674
Published : Jan. 8, 2026, 10:15 a.m. | 2 hours, 5 minutes ago
Description : Missing Authorization vulnerability in Campaign Monitor Campaign Monitor for WordPress forms-for-campaign-monitor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Campaign Monitor for WordPress: from n/a through <= 2.9.0.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-0674
Published : Jan. 8, 2026, 10:15 a.m. | 2 hours, 5 minutes ago
Description : Missing Authorization vulnerability in Campaign Monitor Campaign Monitor for WordPress forms-for-campaign-monitor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Campaign Monitor for WordPress: from n/a through <= 2.9.0.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-0675 - WordPress NextGEN Download Gallery plugin <= 1.6.2 - Sensitive Data Exposure vulnerability
CVE ID : CVE-2026-0675
Published : Jan. 8, 2026, 10:15 a.m. | 2 hours, 4 minutes ago
Description : Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in webaware NextGEN Download Gallery nextgen-download-gallery allows Retrieve Embedded Sensitive Data.This issue affects NextGEN Download Gallery: from n/a through <= 1.6.2.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-0675
Published : Jan. 8, 2026, 10:15 a.m. | 2 hours, 4 minutes ago
Description : Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in webaware NextGEN Download Gallery nextgen-download-gallery allows Retrieve Embedded Sensitive Data.This issue affects NextGEN Download Gallery: from n/a through <= 1.6.2.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-0676 - WordPress Zorka theme <= 1.5.7 - Broken Access Control vulnerability
CVE ID : CVE-2026-0676
Published : Jan. 8, 2026, 10:15 a.m. | 2 hours, 4 minutes ago
Description : Missing Authorization vulnerability in G5Theme Zorka zorka allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Zorka: from n/a through <= 1.5.7.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-0676
Published : Jan. 8, 2026, 10:15 a.m. | 2 hours, 4 minutes ago
Description : Missing Authorization vulnerability in G5Theme Zorka zorka allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Zorka: from n/a through <= 1.5.7.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-21871 - NiceGUI is vulnerable to XSS via Unescaped URL in ui.navigate.history.push() / replace()
CVE ID : CVE-2026-21871
Published : Jan. 8, 2026, 10:15 a.m. | 2 hours, 4 minutes ago
Description : NiceGUI is a Python-based UI framework. From versions 2.13.0 to 3.4.1, there is a XSS risk in NiceGUI when developers pass attacker-controlled strings into ui.navigate.history.push() or ui.navigate.history.replace(). These helpers are documented as History API wrappers for updating the browser URL without page reload. However, if the URL argument is embedded into generated JavaScript without proper escaping, a crafted payload can break out of the intended string context and execute arbitrary JavaScript in the victim’s browser. Applications that do not pass untrusted input into ui.navigate.history.push/replace are not affected. This issue has been patched in version 3.5.0.
Severity: 6.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-21871
Published : Jan. 8, 2026, 10:15 a.m. | 2 hours, 4 minutes ago
Description : NiceGUI is a Python-based UI framework. From versions 2.13.0 to 3.4.1, there is a XSS risk in NiceGUI when developers pass attacker-controlled strings into ui.navigate.history.push() or ui.navigate.history.replace(). These helpers are documented as History API wrappers for updating the browser URL without page reload. However, if the URL argument is embedded into generated JavaScript without proper escaping, a crafted payload can break out of the intended string context and execute arbitrary JavaScript in the victim’s browser. Applications that do not pass untrusted input into ui.navigate.history.push/replace are not affected. This issue has been patched in version 3.5.0.
Severity: 6.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-21872 - NiceGUI apps are vulnerable to XSS which uses `ui.sub_pages` and render arbitrary user-provided links
CVE ID : CVE-2026-21872
Published : Jan. 8, 2026, 10:15 a.m. | 2 hours, 4 minutes ago
Description : NiceGUI is a Python-based UI framework. From versions 2.22.0 to 3.4.1, an unsafe implementation in the click event listener used by ui.sub_pages, combined with attacker-controlled link rendering on the page, causes XSS when the user actively clicks on the link. This issue has been patched in version 3.5.0.
Severity: 6.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-21872
Published : Jan. 8, 2026, 10:15 a.m. | 2 hours, 4 minutes ago
Description : NiceGUI is a Python-based UI framework. From versions 2.22.0 to 3.4.1, an unsafe implementation in the click event listener used by ui.sub_pages, combined with attacker-controlled link rendering on the page, causes XSS when the user actively clicks on the link. This issue has been patched in version 3.5.0.
Severity: 6.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-21873 - Zero-click XSS in all NiceGUI apps which uses `ui.sub_pages`
CVE ID : CVE-2026-21873
Published : Jan. 8, 2026, 10:15 a.m. | 2 hours, 4 minutes ago
Description : NiceGUI is a Python-based UI framework. From versions 2.22.0 to 3.4.1, an unsafe implementation in the pushstate event listener used by ui.sub_pages allows an attacker to manipulate the fragment identifier of the URL, which they can do despite being cross-site, using an iframe. This issue has been patched in version 3.5.0.
Severity: 7.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-21873
Published : Jan. 8, 2026, 10:15 a.m. | 2 hours, 4 minutes ago
Description : NiceGUI is a Python-based UI framework. From versions 2.22.0 to 3.4.1, an unsafe implementation in the pushstate event listener used by ui.sub_pages allows an attacker to manipulate the fragment identifier of the URL, which they can do despite being cross-site, using an iframe. This issue has been patched in version 3.5.0.
Severity: 7.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-21874 - NiceGUI has Redis connection leak via tab storage causes service degradation
CVE ID : CVE-2026-21874
Published : Jan. 8, 2026, 10:15 a.m. | 2 hours, 4 minutes ago
Description : NiceGUI is a Python-based UI framework. From versions v2.10.0 to 3.4.1, an unauthenticated attacker can exhaust Redis connections by repeatedly opening and closing browser tabs on any NiceGUI application using Redis-backed storage. Connections are never released, leading to service degradation when Redis hits its connection limit. NiceGUI continues accepting new connections - errors are logged but the app stays up with broken storage functionality. This issue has been patched in version 3.5.0.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-21874
Published : Jan. 8, 2026, 10:15 a.m. | 2 hours, 4 minutes ago
Description : NiceGUI is a Python-based UI framework. From versions v2.10.0 to 3.4.1, an unauthenticated attacker can exhaust Redis connections by repeatedly opening and closing browser tabs on any NiceGUI application using Redis-backed storage. Connections are never released, leading to service degradation when Redis hits its connection limit. NiceGUI continues accepting new connections - errors are logged but the app stays up with broken storage functionality. This issue has been patched in version 3.5.0.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-21894 - n8n's Missing Stripe-Signature Verification Allows Unauthenticated Forged Webhooks
CVE ID : CVE-2026-21894
Published : Jan. 8, 2026, 10:15 a.m. | 2 hours, 4 minutes ago
Description : n8n is an open source workflow automation platform. In versions from 0.150.0 to before 2.2.2, an authentication bypass vulnerability in the Stripe Trigger node allows unauthenticated parties to trigger workflows by sending forged Stripe webhook events. The Stripe Trigger creates and stores a Stripe webhook signing secret when registering the webhook endpoint, but incoming webhook requests were not verified against this secret. As a result, any HTTP client that knows the webhook URL could send a POST request containing a matching event type, causing the workflow to execute as if a legitimate Stripe event had been received. This issue affects n8n users who have active workflows using the Stripe Trigger node. An attacker could potentially fake payment or subscription events and influence downstream workflow behavior. The practical risk is reduced by the fact that the webhook URL contains a high-entropy UUID; however, authenticated n8n users with access to the workflow can view this webhook ID. This issue has been patched in version 2.2.2. A temporary workaround for this issue involves users deactivating affected workflows or restricting access to workflows containing Stripe Trigger nodes to trusted users only.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-21894
Published : Jan. 8, 2026, 10:15 a.m. | 2 hours, 4 minutes ago
Description : n8n is an open source workflow automation platform. In versions from 0.150.0 to before 2.2.2, an authentication bypass vulnerability in the Stripe Trigger node allows unauthenticated parties to trigger workflows by sending forged Stripe webhook events. The Stripe Trigger creates and stores a Stripe webhook signing secret when registering the webhook endpoint, but incoming webhook requests were not verified against this secret. As a result, any HTTP client that knows the webhook URL could send a POST request containing a matching event type, causing the workflow to execute as if a legitimate Stripe event had been received. This issue affects n8n users who have active workflows using the Stripe Trigger node. An attacker could potentially fake payment or subscription events and influence downstream workflow behavior. The practical risk is reduced by the fact that the webhook URL contains a high-entropy UUID; however, authenticated n8n users with access to the workflow can view this webhook ID. This issue has been patched in version 2.2.2. A temporary workaround for this issue involves users deactivating affected workflows or restricting access to workflows containing Stripe Trigger nodes to trusted users only.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-22242 - CoreShop Vulnerable to SQL Injection via Admin Reports
CVE ID : CVE-2026-22242
Published : Jan. 8, 2026, 10:15 a.m. | 2 hours, 4 minutes ago
Description : CoreShop is a Pimcore enhanced eCommerce solution. Prior to version 4.1.8, a blind SQL injection vulnerability exists in the application that allows an authenticated administrator-level user to extract database contents using boolean-based or time-based techniques. The database account used by the application is read-only and non-DBA, limiting impact to confidential data disclosure only. No data modification or service disruption is possible. This issue has been patched in version 4.1.8.
Severity: 4.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-22242
Published : Jan. 8, 2026, 10:15 a.m. | 2 hours, 4 minutes ago
Description : CoreShop is a Pimcore enhanced eCommerce solution. Prior to version 4.1.8, a blind SQL injection vulnerability exists in the application that allows an authenticated administrator-level user to extract database contents using boolean-based or time-based techniques. The database account used by the application is read-only and non-DBA, limiting impact to confidential data disclosure only. No data modification or service disruption is possible. This issue has been patched in version 4.1.8.
Severity: 4.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-66001 - NeuVector OpenID Connect is vulnerable to man-in-the-middle (MITM)
CVE ID : CVE-2025-66001
Published : Jan. 8, 2026, 11:15 a.m. | 1 hour, 5 minutes ago
Description : NeuVector supports login authentication through OpenID Connect. However, the TLS verification (which verifies the remote server's authenticity and integrity) for OpenID Connect is not enforced by default. As a result this may expose the system to man-in-the-middle (MITM) attacks.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-66001
Published : Jan. 8, 2026, 11:15 a.m. | 1 hour, 5 minutes ago
Description : NeuVector supports login authentication through OpenID Connect. However, the TLS verification (which verifies the remote server's authenticity and integrity) for OpenID Connect is not enforced by default. As a result this may expose the system to man-in-the-middle (MITM) attacks.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-14025 - Ansible-automation-platform/aap-gateway: aap-gateway: read-only personal access token (pat) bypasses write restrictions
CVE ID : CVE-2025-14025
Published : Jan. 8, 2026, 2:15 p.m. | 2 hours, 5 minutes ago
Description : A flaw was found in Ansible Automation Platform (AAP). Read-only scoped OAuth2 API Tokens in AAP, are enforced at the Gateway level for Gateway-specific operations. However, this vulnerability allows read-only tokens to perform write operations on backend services (e.g., Controller, Hub, EDA). If this flaw were exploited, an attacker‘s capabilities would only be limited by role based access controls (RBAC).
Severity: 8.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-14025
Published : Jan. 8, 2026, 2:15 p.m. | 2 hours, 5 minutes ago
Description : A flaw was found in Ansible Automation Platform (AAP). Read-only scoped OAuth2 API Tokens in AAP, are enforced at the Gateway level for Gateway-specific operations. However, this vulnerability allows read-only tokens to perform write operations on backend services (e.g., Controller, Hub, EDA). If this flaw were exploited, an attacker‘s capabilities would only be limited by role based access controls (RBAC).
Severity: 8.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-8306 - Improper Access Control in Asseco Infomedica Plus
CVE ID : CVE-2025-8306
Published : Jan. 8, 2026, 2:15 p.m. | 2 hours, 5 minutes ago
Description : Asseco InfoMedica is a comprehensive solution used to manage both administrative and medical tasks in the healthcare sector. A low privileged user is able to obtain encoded passwords of all other accounts (including main administrator) due to lack of granularity in access control. Chained exploitation of this vulnerability and CVE-2025-8307 allows an attacker to escalate privileges. This vulnerability has been fixed in versions 4.50.1 and 5.38.0
Severity: 5.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-8306
Published : Jan. 8, 2026, 2:15 p.m. | 2 hours, 5 minutes ago
Description : Asseco InfoMedica is a comprehensive solution used to manage both administrative and medical tasks in the healthcare sector. A low privileged user is able to obtain encoded passwords of all other accounts (including main administrator) due to lack of granularity in access control. Chained exploitation of this vulnerability and CVE-2025-8307 allows an attacker to escalate privileges. This vulnerability has been fixed in versions 4.50.1 and 5.38.0
Severity: 5.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-8307 - Recoverable passwords in Asseco Infomedica Plus
CVE ID : CVE-2025-8307
Published : Jan. 8, 2026, 2:15 p.m. | 2 hours, 5 minutes ago
Description : Asseco InfoMedica is a comprehensive solution used to manage both administrative and medical tasks in the healthcare sector. Passwords of all users are stored in a database in an encoded format. An attacker in possession of these encoded passwords is able to decode them by using an algorithm embedded in the client-side part of the software. This vulnerability has been fixed in versions 4.50.1 and 5.38.0
Severity: 5.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-8307
Published : Jan. 8, 2026, 2:15 p.m. | 2 hours, 5 minutes ago
Description : Asseco InfoMedica is a comprehensive solution used to manage both administrative and medical tasks in the healthcare sector. Passwords of all users are stored in a database in an encoded format. An attacker in possession of these encoded passwords is able to decode them by using an algorithm embedded in the client-side part of the software. This vulnerability has been fixed in versions 4.50.1 and 5.38.0
Severity: 5.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-21876 - OWASP CRS has multipart bypass using multiple content-type parts
CVE ID : CVE-2026-21876
Published : Jan. 8, 2026, 2:15 p.m. | 2 hours, 5 minutes ago
Description : The OWASP core rule set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 4.22.0 and 3.3.8, the current rule 922110 has a bug when processing multipart requests with multiple parts. When the first rule in a chain iterates over a collection (like `MULTIPART_PART_HEADERS`), the capture variables (`TX:0`, `TX:1`) get overwritten with each iteration. Only the last captured value is available to the chained rule, which means malicious charsets in earlier parts can be missed if a later part has a legitimate charset. Versions 4.22.0 and 3.3.8 patch the issue.
Severity: 9.3 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-21876
Published : Jan. 8, 2026, 2:15 p.m. | 2 hours, 5 minutes ago
Description : The OWASP core rule set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 4.22.0 and 3.3.8, the current rule 922110 has a bug when processing multipart requests with multiple parts. When the first rule in a chain iterates over a collection (like `MULTIPART_PART_HEADERS`), the capture variables (`TX:0`, `TX:1`) get overwritten with each iteration. Only the last captured value is available to the chained rule, which means malicious charsets in earlier parts can be missed if a later part has a legitimate charset. Versions 4.22.0 and 3.3.8 patch the issue.
Severity: 9.3 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-21885 - Miniflux Media Proxy SSRF via /proxy endpoint allows access to internal network resources
CVE ID : CVE-2026-21885
Published : Jan. 8, 2026, 2:15 p.m. | 2 hours, 5 minutes ago
Description : Miniflux 2 is an open source feed reader. Prior to version 2.2.16, Miniflux's media proxy endpoint (`GET /proxy/{encodedDigest}/{encodedURL}`) can be abused to perform Server-Side Request Forgery (SSRF). An authenticated user can cause Miniflux to generate a signed proxy URL for attacker-chosen media URLs embedded in feed entry content, including internal addresses (e.g., localhost, private RFC1918 ranges, or link-local metadata endpoints). Requesting the resulting `/proxy/...` URL makes Miniflux fetch and return the internal response. Version 2.2.16 fixes the issue.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-21885
Published : Jan. 8, 2026, 2:15 p.m. | 2 hours, 5 minutes ago
Description : Miniflux 2 is an open source feed reader. Prior to version 2.2.16, Miniflux's media proxy endpoint (`GET /proxy/{encodedDigest}/{encodedURL}`) can be abused to perform Server-Side Request Forgery (SSRF). An authenticated user can cause Miniflux to generate a signed proxy URL for attacker-chosen media URLs embedded in feed entry content, including internal addresses (e.g., localhost, private RFC1918 ranges, or link-local metadata endpoints). Requesting the resulting `/proxy/...` URL makes Miniflux fetch and return the internal response. Version 2.2.16 fixes the issue.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-21891 - ZimaOS has Authentication Bypass via System-Level Username
CVE ID : CVE-2026-21891
Published : Jan. 8, 2026, 2:15 p.m. | 2 hours, 5 minutes ago
Description : ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In versions up to and including 1.5.0, the application checks the validity of the username but appears to skip, misinterpret, or incorrectly validate the password when the provided username matches a known system service account. The application's login function fails to properly handle the password validation result for these users, effectively granting authenticated access to anyone who knows one of these common usernames and provides any password. As of time of publication, no known patched versions are available.
Severity: 9.4 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-21891
Published : Jan. 8, 2026, 2:15 p.m. | 2 hours, 5 minutes ago
Description : ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In versions up to and including 1.5.0, the application checks the validity of the username but appears to skip, misinterpret, or incorrectly validate the password when the provided username matches a known system service account. The application's login function fails to properly handle the password validation result for these users, effectively granting authenticated access to anyone who knows one of these common usernames and provides any password. As of time of publication, no known patched versions are available.
Severity: 9.4 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-21892 - Parsl Monitoring Visualization Vulnerable to SQL Injection
CVE ID : CVE-2026-21892
Published : Jan. 8, 2026, 2:15 p.m. | 2 hours, 5 minutes ago
Description : Parsl is a Python parallel scripting library. A SQL Injection vulnerability exists in the parsl-visualize component of versions prior to 2026.01.05. The application constructs SQL queries using unsafe string formatting (Python % operator) with user-supplied input (workflow_id) directly from URL routes. This allows an unauthenticated attacker with access to the visualization dashboard to inject arbitrary SQL commands, potentially leading to data exfiltration or denial of service against the monitoring database. Version 2026.01.05 fixes the issue.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-21892
Published : Jan. 8, 2026, 2:15 p.m. | 2 hours, 5 minutes ago
Description : Parsl is a Python parallel scripting library. A SQL Injection vulnerability exists in the parsl-visualize component of versions prior to 2026.01.05. The application constructs SQL queries using unsafe string formatting (Python % operator) with user-supplied input (workflow_id) directly from URL routes. This allows an unauthenticated attacker with access to the visualization dashboard to inject arbitrary SQL commands, potentially leading to data exfiltration or denial of service against the monitoring database. Version 2026.01.05 fixes the issue.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-21895 - rsa crate has potential panic on a prime being equal to 1
CVE ID : CVE-2026-21895
Published : Jan. 8, 2026, 2:15 p.m. | 2 hours, 5 minutes ago
Description : The `rsa` crate is an RSA implementation written in rust. Prior to version 0.9.10, when creating a RSA private key from its components, the construction panics instead of returning an error when one of the primes is `1`. Version 0.9.10 fixes the issue.
Severity: 2.7 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-21895
Published : Jan. 8, 2026, 2:15 p.m. | 2 hours, 5 minutes ago
Description : The `rsa` crate is an RSA implementation written in rust. Prior to version 0.9.10, when creating a RSA private key from its components, the construction panics instead of returning an error when one of the primes is `1`. Version 0.9.10 fixes the issue.
Severity: 2.7 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-22244 - OpenMetadata Server-Side Template Injection (SSTI) in FreeMarker email templates that leads to RCE
CVE ID : CVE-2026-22244
Published : Jan. 8, 2026, 3:12 p.m. | 1 hour, 9 minutes ago
Description : OpenMetadata is a unified metadata platform. Versions prior to 1.11.4 are vulnerable to remote code execution via Server-Side Template Injection (SSTI) in FreeMarker email templates. An attacker must have administrative privileges to exploit the vulnerability. Version 1.11.4 contains a patch.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-22244
Published : Jan. 8, 2026, 3:12 p.m. | 1 hour, 9 minutes ago
Description : OpenMetadata is a unified metadata platform. Versions prior to 1.11.4 are vulnerable to remote code execution via Server-Side Template Injection (SSTI) in FreeMarker email templates. An attacker must have administrative privileges to exploit the vulnerability. Version 1.11.4 contains a patch.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-4596 - Information disclosure via IDOR in Asseco AMDX
CVE ID : CVE-2025-4596
Published : Jan. 8, 2026, 3:15 p.m. | 1 hour, 6 minutes ago
Description : Asseco ADMX system is used for processing medical records. It allows logged in users to access medical files belonging to other users through manipulation of GET arguments containing document IDs. This issue has been fixed in 6.09.01.62 version of ADMX.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-4596
Published : Jan. 8, 2026, 3:15 p.m. | 1 hour, 6 minutes ago
Description : Asseco ADMX system is used for processing medical records. It allows logged in users to access medical files belonging to other users through manipulation of GET arguments containing document IDs. This issue has been fixed in 6.09.01.62 version of ADMX.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...