π¨ CVE-2026-24695
An OS command injection
vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an
authenticated attacker to achieve remote code execution on the system by
injecting malicious input into OpenSSL argument fields within requests
sent to the utility route, leading to remote code execution.
π@cveNotify
An OS command injection
vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an
authenticated attacker to achieve remote code execution on the system by
injecting malicious input into OpenSSL argument fields within requests
sent to the utility route, leading to remote code execution.
π@cveNotify
GitHub
CSAF/csaf_files/OT/white/2026/icsa-26-057-10.json at develop Β· cisagov/CSAF
CISA CSAF Security Advisories. Contribute to cisagov/CSAF development by creating an account on GitHub.
π¨ CVE-2026-25085
A vulnerability exists in Copeland XWEB Pro version 1.12.1 and prior, in
which an unexpected return value from the authentication routine is
later on processed as a legitimate value, resulting in an authentication
bypass.
π@cveNotify
A vulnerability exists in Copeland XWEB Pro version 1.12.1 and prior, in
which an unexpected return value from the authentication routine is
later on processed as a legitimate value, resulting in an authentication
bypass.
π@cveNotify
GitHub
CSAF/csaf_files/OT/white/2026/icsa-26-057-10.json at develop Β· cisagov/CSAF
CISA CSAF Security Advisories. Contribute to cisagov/CSAF development by creating an account on GitHub.
π¨ CVE-2026-25109
An OS command injection
vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an
authenticated attacker to achieve remote code execution on the system by
injecting malicious input into the devices field when accessing the get
setup route, leading to remote code execution.
π@cveNotify
An OS command injection
vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an
authenticated attacker to achieve remote code execution on the system by
injecting malicious input into the devices field when accessing the get
setup route, leading to remote code execution.
π@cveNotify
GitHub
CSAF/csaf_files/OT/white/2026/icsa-26-057-10.json at develop Β· cisagov/CSAF
CISA CSAF Security Advisories. Contribute to cisagov/CSAF development by creating an account on GitHub.
π¨ CVE-2026-25111
An OS command injection
vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an
authenticated attacker to achieve remote code execution on the system by
injecting malicious input into requests sent to the restore route.
π@cveNotify
An OS command injection
vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an
authenticated attacker to achieve remote code execution on the system by
injecting malicious input into requests sent to the restore route.
π@cveNotify
GitHub
CSAF/csaf_files/OT/white/2026/icsa-26-057-10.json at develop Β· cisagov/CSAF
CISA CSAF Security Advisories. Contribute to cisagov/CSAF development by creating an account on GitHub.
π¨ CVE-2026-25195
An OS command injection
vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an
authenticated attacker to achieve remote code execution on the system by
supplying a crafted firmware update file via the firmware update route.
π@cveNotify
An OS command injection
vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an
authenticated attacker to achieve remote code execution on the system by
supplying a crafted firmware update file via the firmware update route.
π@cveNotify
GitHub
CSAF/csaf_files/OT/white/2026/icsa-26-057-10.json at develop Β· cisagov/CSAF
CISA CSAF Security Advisories. Contribute to cisagov/CSAF development by creating an account on GitHub.
π¨ CVE-2025-59903
Stored Cross-Site Scripting (XSS) vulnerability in Kubysoft, where uploaded SVG images are not properly sanitized. This allows attackers to embed malicious scripts within SVG files as visual content, which are then stored on the server and executed in the context of any user accessing the compromised resource.
π@cveNotify
Stored Cross-Site Scripting (XSS) vulnerability in Kubysoft, where uploaded SVG images are not properly sanitized. This allows attackers to embed malicious scripts within SVG files as visual content, which are then stored on the server and executed in the context of any user accessing the compromised resource.
π@cveNotify
www.incibe.es
Multiple vulnerabilities in Kubysoft
INCIBE has coordinated the publication of three medium-severity vulnerabilities affecting Kubysoft, a
π¨ CVE-2026-24517
An OS command injection
vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an
authenticated attacker to achieve remote code execution on the system by
injecting malicious input into requests sent to the firmware update
route.
π@cveNotify
An OS command injection
vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an
authenticated attacker to achieve remote code execution on the system by
injecting malicious input into requests sent to the firmware update
route.
π@cveNotify
GitHub
CSAF/csaf_files/OT/white/2026/icsa-26-057-10.json at develop Β· cisagov/CSAF
CISA CSAF Security Advisories. Contribute to cisagov/CSAF development by creating an account on GitHub.
π¨ CVE-2026-24663
An OS command injection vulnerability exists in XWEB Pro version 1.12.1
and prior, enabling an unauthenticated attacker to achieve remote code
execution on the system by sending a crafted request to the libraries
installation route and injecting malicious input into the request body.
π@cveNotify
An OS command injection vulnerability exists in XWEB Pro version 1.12.1
and prior, enabling an unauthenticated attacker to achieve remote code
execution on the system by sending a crafted request to the libraries
installation route and injecting malicious input into the request body.
π@cveNotify
GitHub
CSAF/csaf_files/OT/white/2026/icsa-26-057-10.json at develop Β· cisagov/CSAF
CISA CSAF Security Advisories. Contribute to cisagov/CSAF development by creating an account on GitHub.
π¨ CVE-2026-24689
An OS command injection
vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an
authenticated attacker to achieve remote code execution on the system by
injecting malicious input into the devices field of the firmware update
apply action.
π@cveNotify
An OS command injection
vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an
authenticated attacker to achieve remote code execution on the system by
injecting malicious input into the devices field of the firmware update
apply action.
π@cveNotify
GitHub
CSAF/csaf_files/OT/white/2026/icsa-26-057-10.json at develop Β· cisagov/CSAF
CISA CSAF Security Advisories. Contribute to cisagov/CSAF development by creating an account on GitHub.
π¨ CVE-2026-28288
Dify is an open-source LLM app development platform. Prior to 1.9.0, responses from the Dify API to existing and non-existent accounts differ, allowing an attacker to enumerate email addresses registered with Dify. Version 1.9.0 fixes the issue.
π@cveNotify
Dify is an open-source LLM app development platform. Prior to 1.9.0, responses from the Dify API to existing and non-existent accounts differ, allowing an attacker to enumerate email addresses registered with Dify. Version 1.9.0 fixes the issue.
π@cveNotify
GitHub
[Chore/Refactor] Standardize authentication error messages to prevent user enumeration Β· Issue #24323 Β· langgenius/dify
Self Checks I have read the Contributing Guide and Language Policy. This is only for refactoring, if you would like to ask a question, please head to Discussions. I have searched for existing issue...
π¨ CVE-2025-70237
Stack buffer overflow vulnerability in D-Link DIR-513 v1.10 via the curTime parameter to goform/formSetPortTr.
π@cveNotify
Stack buffer overflow vulnerability in D-Link DIR-513 v1.10 via the curTime parameter to goform/formSetPortTr.
π@cveNotify
GitHub
CVEreport/D-link/CVE-2025-70237 at main Β· akuma-QAQ/CVEreport
Contribute to akuma-QAQ/CVEreport development by creating an account on GitHub.
π¨ CVE-2025-70241
Stack buffer overflow vulnerability in D-Link DIR-513 v1.10 via the curTime parameter to goform/formSetWANType_Wizard5.
π@cveNotify
Stack buffer overflow vulnerability in D-Link DIR-513 v1.10 via the curTime parameter to goform/formSetWANType_Wizard5.
π@cveNotify
GitHub
CVEreport/D-link/CVE-2025-70241 at main Β· akuma-QAQ/CVEreport
Contribute to akuma-QAQ/CVEreport development by creating an account on GitHub.
π¨ CVE-2025-70234
Stack buffer overflow vulnerability in D-Link DIR-513 v1.10 via the curTime parameter to goform/formSetQoS.
π@cveNotify
Stack buffer overflow vulnerability in D-Link DIR-513 v1.10 via the curTime parameter to goform/formSetQoS.
π@cveNotify
GitHub
CVEreport/D-link/CVE-2025-70234 at main Β· akuma-QAQ/CVEreport
Contribute to akuma-QAQ/CVEreport development by creating an account on GitHub.
π¨ CVE-2025-70239
Stack buffer overflow vulnerability in D-Link DIR-513 v1.10 via the curTime parameter to goform/formSetWAN_Wizard55.
π@cveNotify
Stack buffer overflow vulnerability in D-Link DIR-513 v1.10 via the curTime parameter to goform/formSetWAN_Wizard55.
π@cveNotify
GitHub
CVEreport/D-link/CVE-2025-70239 at main Β· akuma-QAQ/CVEreport
Contribute to akuma-QAQ/CVEreport development by creating an account on GitHub.
π¨ CVE-2025-70240
Stack buffer overflow vulnerability in D-Link DIR-513 v1.10 via the curTime parameter to goform/formSetWAN_Wizard51.
π@cveNotify
Stack buffer overflow vulnerability in D-Link DIR-513 v1.10 via the curTime parameter to goform/formSetWAN_Wizard51.
π@cveNotify
GitHub
CVEreport/D-link/CVE-2025-70240 at main Β· akuma-QAQ/CVEreport
Contribute to akuma-QAQ/CVEreport development by creating an account on GitHub.
π¨ CVE-2025-59904
Stored Cross-Site Scripting (XSS) vulnerability in Kubysoft, which is triggered through multiple parameters in the '/kForms/app' endpoint. This issue allows malicious scripts to be injected and executed persistently in the context of users accessing the affected resource.
π@cveNotify
Stored Cross-Site Scripting (XSS) vulnerability in Kubysoft, which is triggered through multiple parameters in the '/kForms/app' endpoint. This issue allows malicious scripts to be injected and executed persistently in the context of users accessing the affected resource.
π@cveNotify
www.incibe.es
Multiple vulnerabilities in Kubysoft
INCIBE has coordinated the publication of three medium-severity vulnerabilities affecting Kubysoft, a
π¨ CVE-2025-59905
Cross-Site Scripting (XSS) vulnerability reflected in Kubysoft, which occurs through multiple parameters within the endpoint β/node/kudaby/nodeFN/procedureβ. This flaw allows the injection of arbitrary client-side scripts, which are immediately reflected in the HTTP response and executed in the victim's browser.
π@cveNotify
Cross-Site Scripting (XSS) vulnerability reflected in Kubysoft, which occurs through multiple parameters within the endpoint β/node/kudaby/nodeFN/procedureβ. This flaw allows the injection of arbitrary client-side scripts, which are immediately reflected in the HTTP response and executed in the victim's browser.
π@cveNotify
π¨ CVE-2026-27829
Astro is a web framework. In versions 9.0.0 through 9.5.3, a bug in Astro's image pipeline allows bypassing `image.domains` / `image.remotePatterns` restrictions, enabling the server to fetch content from unauthorized remote hosts. Astro provides an `inferSize` option that fetches remote images at render time to determine their dimensions. Remote image fetches are intended to be restricted to domains the site developer has manually authorized (using the `image.domains` or `image.remotePatterns` options). However, when `inferSize` is used, no domain validation is performed β the image is fetched from any host regardless of the configured restrictions. An attacker who can influence the image URL (e.g., via CMS content or user-supplied data) can cause the server to fetch from arbitrary hosts. This allows bypassing `image.domains` / `image.remotePatterns` restrictions to make server-side requests to unauthorized hosts. This includes the risk of server-side request forgery (SSRF) against internal network services and cloud metadata endpoints. Version 9.5.4 fixes the issue.
π@cveNotify
Astro is a web framework. In versions 9.0.0 through 9.5.3, a bug in Astro's image pipeline allows bypassing `image.domains` / `image.remotePatterns` restrictions, enabling the server to fetch content from unauthorized remote hosts. Astro provides an `inferSize` option that fetches remote images at render time to determine their dimensions. Remote image fetches are intended to be restricted to domains the site developer has manually authorized (using the `image.domains` or `image.remotePatterns` options). However, when `inferSize` is used, no domain validation is performed β the image is fetched from any host regardless of the configured restrictions. An attacker who can influence the image URL (e.g., via CMS content or user-supplied data) can cause the server to fetch from arbitrary hosts. This allows bypassing `image.domains` / `image.remotePatterns` restrictions to make server-side requests to unauthorized hosts. This includes the risk of server-side request forgery (SSRF) against internal network services and cloud metadata endpoints. Version 9.5.4 fixes the issue.
π@cveNotify
GitHub
Respect remote image allowlists (#15569) Β· withastro/astro@e01e98b
* Respect remote image allowlists
* Fix inferRemoteSize virtual module import
* Fix inferRemoteSize virtual module import
π¨ CVE-2026-2751
Blind SQL Injection via unsanitized array keys in Service Dependencies deletion. Vulnerability in Centreon Centreon Web on Central Server on Linux (Service Dependencies modules) allows Blind SQL Injection.This issue affects Centreon Web on Central Server before 25.10.8, 24.10.20, 24.04.24.
π@cveNotify
Blind SQL Injection via unsanitized array keys in Service Dependencies deletion. Vulnerability in Centreon Centreon Web on Central Server on Linux (Service Dependencies modules) allows Blind SQL Injection.This issue affects Centreon Web on Central Server before 25.10.8, 24.10.20, 24.04.24.
π@cveNotify
π¨ CVE-2026-28222
Wagtail is an open source content management system built on Django. Prior to versions 6.3.8, 7.0.6, 7.2.3, and 7.3.1, a stored cross-site scripting (XSS) vulnerability exists on rendering TableBlock blocks within a StreamField. A user with access to create or edit pages containing TableBlock StreamField blocks is able to set specially-crafted class attributes on the block which run arbitrary JavaScript code when the page is viewed. When viewed by a user with higher privileges, this could lead to performing actions with that user's credentials. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin, and only affects sites using TableBlock. This issue has been patched in versions 6.3.8, 7.0.6, 7.2.3, and 7.3.1.
π@cveNotify
Wagtail is an open source content management system built on Django. Prior to versions 6.3.8, 7.0.6, 7.2.3, and 7.3.1, a stored cross-site scripting (XSS) vulnerability exists on rendering TableBlock blocks within a StreamField. A user with access to create or edit pages containing TableBlock StreamField blocks is able to set specially-crafted class attributes on the block which run arbitrary JavaScript code when the page is viewed. When viewed by a user with higher privileges, this could lead to performing actions with that user's credentials. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin, and only affects sites using TableBlock. This issue has been patched in versions 6.3.8, 7.0.6, 7.2.3, and 7.3.1.
π@cveNotify
GitHub
Correctly escape `class`, `rowspan` and `colspan` attributes in Table⦠· wagtail/wagtail@0375094
β¦Block HTML output
Fixes GHSA-p5cm-246w-84jm
Fixes GHSA-p5cm-246w-84jm
π¨ CVE-2026-28223
Wagtail is an open source content management system built on Django. Prior to versions 6.3.8, 7.0.6, 7.2.3, and 7.3.1, a stored cross-site scripting (XSS) vulnerability exists on confirmation messages within the wagtail.contrib.simple_translation module. A user with access to the Wagtail admin area may create a page with a specially-crafted title which, when another user performs the "Translate" action, causes arbitrary JavaScript code to run. This could lead to performing actions with that user's credentials. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. This issue has been patched in versions 6.3.8, 7.0.6, 7.2.3, and 7.3.1.
π@cveNotify
Wagtail is an open source content management system built on Django. Prior to versions 6.3.8, 7.0.6, 7.2.3, and 7.3.1, a stored cross-site scripting (XSS) vulnerability exists on confirmation messages within the wagtail.contrib.simple_translation module. A user with access to the Wagtail admin area may create a page with a specially-crafted title which, when another user performs the "Translate" action, causes arbitrary JavaScript code to run. This could lead to performing actions with that user's credentials. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. This issue has been patched in versions 6.3.8, 7.0.6, 7.2.3, and 7.3.1.
π@cveNotify
GitHub
Enforce HTML escaping of all confirmation / warning / error messages Β· wagtail/wagtail@1c6f2ef
Fixes GHSA-p4v8-rw59-93cq
Ensure that all messages are handled through `wagtail.admin.messages` (which uses a template that correctly escapes messages and outputs a safe string) rather than `djang...
Ensure that all messages are handled through `wagtail.admin.messages` (which uses a template that correctly escapes messages and outputs a safe string) rather than `djang...