๐จ CVE-2026-3455
Versions of the package mailparser before 3.9.3 are vulnerable to Cross-site Scripting (XSS) via the textToHtml() function due to the improper sanitisation of URLs in the email content. An attacker can execute arbitrary scripts in victim browsers by adding extra quote " to the URL with embedded malicious JavaScript code.
๐@cveNotify
Versions of the package mailparser before 3.9.3 are vulnerable to Cross-site Scripting (XSS) via the textToHtml() function due to the improper sanitisation of URLs in the email content. An attacker can execute arbitrary scripts in victim browsers by adding extra quote " to the URL with embedded malicious JavaScript code.
๐@cveNotify
Gist
Cross-Site Scripting (XSS) in mailparser
Cross-Site Scripting (XSS) in mailparser. GitHub Gist: instantly share code, notes, and snippets.
๐จ CVE-2025-15595
Privilege escalation via dll hijacking in Inno Setup 6.2.1 and ealier versions.
๐@cveNotify
Privilege escalation via dll hijacking in Inno Setup 6.2.1 and ealier versions.
๐@cveNotify
๐จ CVE-2026-30240
Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.31.5 and earlier, a path traversal vulnerability in the PWA (Progressive Web App) ZIP processing endpoint (POST /api/pwa/process-zip) allows an authenticated user with builder privileges to read arbitrary files from the server filesystem, including /proc/1/environ which contains all environment variables โ JWT secrets, database credentials, encryption keys, and API tokens. The server reads attacker-specified files via unsanitized path.join() with user-controlled input from icons.json inside the uploaded ZIP, then uploads the file contents to the object store (MinIO/S3) where they can be retrieved through signed URLs. This results in complete platform compromise as all cryptographic secrets and service credentials are exfiltrated in a single request.
๐@cveNotify
Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.31.5 and earlier, a path traversal vulnerability in the PWA (Progressive Web App) ZIP processing endpoint (POST /api/pwa/process-zip) allows an authenticated user with builder privileges to read arbitrary files from the server filesystem, including /proc/1/environ which contains all environment variables โ JWT secrets, database credentials, encryption keys, and API tokens. The server reads attacker-specified files via unsanitized path.join() with user-controlled input from icons.json inside the uploaded ZIP, then uploads the file contents to the object store (MinIO/S3) where they can be retrieved through signed URLs. This results in complete platform compromise as all cryptographic secrets and service credentials are exfiltrated in a single request.
๐@cveNotify
GitHub
PWA ZIP Upload Path Traversal Allows Reading Arbitrary Server Files Including All Environment Secrets
### Summary
A path traversal vulnerability in the PWA (Progressive Web App) ZIP processing endpoint (`POST /api/pwa/process-zip`) allows an authenticated user with builder privileges to read arbit...
A path traversal vulnerability in the PWA (Progressive Web App) ZIP processing endpoint (`POST /api/pwa/process-zip`) allows an authenticated user with builder privileges to read arbit...
๐จ CVE-2026-31816
Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.31.4 and earlier, the Budibase server's authorized() middleware that protects every server-side API endpoint can be completely bypassed by appending a webhook path pattern to the query string of any request. The isWebhookEndpoint() function uses an unanchored regex that tests against ctx.request.url, which in Koa includes the full URL with query parameters. When the regex matches, the authorized() middleware immediately calls return next(), skipping all authentication, authorization, role checks, and CSRF protection. This means a completely unauthenticated, remote attacker can access any server-side API endpoint by simply appending ?/webhooks/trigger (or any webhook pattern variant) to the URL.
๐@cveNotify
Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.31.4 and earlier, the Budibase server's authorized() middleware that protects every server-side API endpoint can be completely bypassed by appending a webhook path pattern to the query string of any request. The isWebhookEndpoint() function uses an unanchored regex that tests against ctx.request.url, which in Koa includes the full URL with query parameters. When the regex matches, the authorized() middleware immediately calls return next(), skipping all authentication, authorization, role checks, and CSRF protection. This means a completely unauthenticated, remote attacker can access any server-side API endpoint by simply appending ?/webhooks/trigger (or any webhook pattern variant) to the URL.
๐@cveNotify
GitHub
Universal Auth Bypass via Webhook Query Param Injection
### Summary
The Budibase server's authorized() middleware that protects every server-side API endpoint can be completely bypassed by appending a webhook path pattern to the query string of a...
The Budibase server's authorized() middleware that protects every server-side API endpoint can be completely bypassed by appending a webhook path pattern to the query string of a...
๐จ CVE-2026-26982
Ghostty is a cross-platform terminal emulator. Ghostty allows control characters such as 0x03 (Ctrl+C) in pasted and dropped text. These can be used to execute arbitrary commands in some shell environments. This attack requires an attacker to convince the user to copy and paste or drag and drop malicious text. The attack requires user interaction to be triggered, but the dangerous characters are invisible in most GUI environments so it isn't trivially detected, especially if the string contents are complex. Fixed in Ghostty v1.3.0.
๐@cveNotify
Ghostty is a cross-platform terminal emulator. Ghostty allows control characters such as 0x03 (Ctrl+C) in pasted and dropped text. These can be used to execute arbitrary commands in some shell environments. This attack requires an attacker to convince the user to copy and paste or drag and drop malicious text. The attack requires user interaction to be triggered, but the dangerous characters are invisible in most GUI environments so it isn't trivially detected, especially if the string contents are complex. Fixed in Ghostty v1.3.0.
๐@cveNotify
GitHub
input: paste encoding replaces unsafe control characters with spaces โฆ ยท ghostty-org/ghostty@fe7427e
โฆ(#10746)
For a hardcoded set of control characters, replace them with spaces when
encoding pasted text. This is to prevent unsafe control characters from
being pasted which could trick a user int...
For a hardcoded set of control characters, replace them with spaces when
encoding pasted text. This is to prevent unsafe control characters from
being pasted which could trick a user int...
๐จ CVE-2026-25179
Improper validation of specified type of input in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.
๐@cveNotify
Improper validation of specified type of input in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.
๐@cveNotify
๐จ CVE-2026-25180
Out-of-bounds read in Microsoft Graphics Component allows an unauthorized attacker to disclose information locally.
๐@cveNotify
Out-of-bounds read in Microsoft Graphics Component allows an unauthorized attacker to disclose information locally.
๐@cveNotify
๐จ CVE-2026-25181
Out-of-bounds read in Windows GDI+ allows an unauthorized attacker to disclose information over a network.
๐@cveNotify
Out-of-bounds read in Windows GDI+ allows an unauthorized attacker to disclose information over a network.
๐@cveNotify
๐จ CVE-2026-31877
Frappe is a full-stack web application framework. Prior to 15.84.0 and 14.99.0, a specially crafted request made to a certain endpoint could result in SQL injection, allowing an attacker to extract information they wouldn't otherwise be able to. This vulnerability is fixed in 15.84.0 and 14.99.0.
๐@cveNotify
Frappe is a full-stack web application framework. Prior to 15.84.0 and 14.99.0, a specially crafted request made to a certain endpoint could result in SQL injection, allowing an attacker to extract information they wouldn't otherwise be able to. This vulnerability is fixed in 15.84.0 and 14.99.0.
๐@cveNotify
GitHub
Possibility of SQL Injection due to improper field sanitization
### Impact
A specially crafted request made to a certain endpoint could result in SQL injection, allowing an attacker to extract information they wouldn't otherwise be able to.
### Workarou...
A specially crafted request made to a certain endpoint could result in SQL injection, allowing an attacker to extract information they wouldn't otherwise be able to.
### Workarou...
๐จ CVE-2026-31878
Frappe is a full-stack web application framework. Prior to 14.100.1, 15.100.0, and 16.6.0, a malicious user could send a crafted request to an endpoint which would lead to the server making an HTTP call to a service of the user's choice. This vulnerability is fixed in 14.100.1, 15.100.0, and 16.6.0.
๐@cveNotify
Frappe is a full-stack web application framework. Prior to 14.100.1, 15.100.0, and 16.6.0, a malicious user could send a crafted request to an endpoint which would lead to the server making an HTTP call to a service of the user's choice. This vulnerability is fixed in 14.100.1, 15.100.0, and 16.6.0.
๐@cveNotify
GitHub
Possible SSRF by any authenticated user
### Impact
A malicious user could send a crafted request to an endpoint which would lead to the server making an HTTP call to a service of the user's choice.
### Workarounds
Upgrading is...
A malicious user could send a crafted request to an endpoint which would lead to the server making an HTTP call to a service of the user's choice.
### Workarounds
Upgrading is...
๐จ CVE-2026-31879
Frappe is a full-stack web application framework. Prior to 14.100.2, 15.101.0, and 16.10.0, due to a lack of validation and improper permission checks, users could modify other user's private workspaces. Specially crafted requests could lead to stored XSS here. This vulnerability is fixed in 14.100.2, 15.101.0, and 16.10.0.
๐@cveNotify
Frappe is a full-stack web application framework. Prior to 14.100.2, 15.101.0, and 16.10.0, due to a lack of validation and improper permission checks, users could modify other user's private workspaces. Specially crafted requests could lead to stored XSS here. This vulnerability is fixed in 14.100.2, 15.101.0, and 16.10.0.
๐@cveNotify
GitHub
Workspace modification and stored XSS due to improper resource ownership checks
### Impact
Due to a lack of validation and improper permission checks, users could modify other user's private workspaces. Specially crafted requests could lead to stored XSS here.
### Work...
Due to a lack of validation and improper permission checks, users could modify other user's private workspaces. Specially crafted requests could lead to stored XSS here.
### Work...
๐จ CVE-2025-64166
Mercurius is a GraphQL adapter for Fastify. Prior to version 16.4.0, a cross-site request forgery (CSRF) vulnerability was identified. The issue arises from incorrect parsing of the Content-Type header in requests. Specifically, requests with Content-Type values such as application/x-www-form-urlencoded, multipart/form-data, or text/plain could be misinterpreted as application/json. This misinterpretation bypasses the preflight checks performed by the fetch() API, potentially allowing unauthorized actions to be performed on behalf of an authenticated user. This issue has been patched in version 16.4.0.
๐@cveNotify
Mercurius is a GraphQL adapter for Fastify. Prior to version 16.4.0, a cross-site request forgery (CSRF) vulnerability was identified. The issue arises from incorrect parsing of the Content-Type header in requests. Specifically, requests with Content-Type values such as application/x-www-form-urlencoded, multipart/form-data, or text/plain could be misinterpreted as application/json. This misinterpretation bypasses the preflight checks performed by the fetch() API, potentially allowing unauthorized actions to be performed on behalf of an authenticated user. This issue has been patched in version 16.4.0.
๐@cveNotify
GitHub
feat: csrf prevention (#1187) ยท mercurius-js/mercurius@962d402
* feat: csrf prevention
* test: coverage
* doc: csrf update
* chore: types
* chore: cleanup
* test: coverage
* doc: csrf update
* chore: types
* chore: cleanup
๐จ CVE-2026-25048
xgrammar is an open-source library for efficient, flexible, and portable structured generation. Prior to version 0.1.32, the multi-level nested syntax caused a segmentation fault (core dumped). This issue has been patched in version 0.1.32.
๐@cveNotify
xgrammar is an open-source library for efficient, flexible, and portable structured generation. Prior to version 0.1.32, the multi-level nested syntax caused a segmentation fault (core dumped). This issue has been patched in version 0.1.32.
๐@cveNotify
GitHub
Release v0.1.32 ยท mlc-ai/xgrammar
What's Changed
Third-party rust support integration by @eugenebokhan in #531
feat: support crossing-grammar cache. by @Seven-Streams in #526
refactor: refactor the structure of structural_tag...
Third-party rust support integration by @eugenebokhan in #531
feat: support crossing-grammar cache. by @Seven-Streams in #526
refactor: refactor the structure of structural_tag...
๐จ CVE-2026-25174
Out-of-bounds read in Windows Extensible File Allocation allows an authorized attacker to elevate privileges locally.
๐@cveNotify
Out-of-bounds read in Windows Extensible File Allocation allows an authorized attacker to elevate privileges locally.
๐@cveNotify
๐จ CVE-2026-25175
Out-of-bounds read in Windows NTFS allows an authorized attacker to elevate privileges locally.
๐@cveNotify
Out-of-bounds read in Windows NTFS allows an authorized attacker to elevate privileges locally.
๐@cveNotify
๐จ CVE-2026-25176
Improper access control in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.
๐@cveNotify
Improper access control in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.
๐@cveNotify
๐จ CVE-2026-25177
Improper restriction of names for files and other resources in Active Directory Domain Services allows an authorized attacker to elevate privileges over a network.
๐@cveNotify
Improper restriction of names for files and other resources in Active Directory Domain Services allows an authorized attacker to elevate privileges over a network.
๐@cveNotify
๐จ CVE-2026-30831
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0, authentication vulnerabilities exist in Rocket.Chat's enterprise DDP Streamer service. The Account.login method exposed through the DDP Streamer does not enforce Two-Factor Authentication (2FA) or validate user account status (deactivated users can still login), despite these checks being mandatory in the standard Meteor login flow. This issue has been patched in versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0.
๐@cveNotify
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0, authentication vulnerabilities exist in Rocket.Chat's enterprise DDP Streamer service. The Account.login method exposed through the DDP Streamer does not enforce Two-Factor Authentication (2FA) or validate user account status (deactivated users can still login), despite these checks being mandatory in the standard Meteor login flow. This issue has been patched in versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0.
๐@cveNotify
GitHub
2FA bypass and login of deactivated users via EE ddp-streamer
### 2FA bypass and login of deactivated users via EE ddp-streamer (`GHSL-2026-008`)
Authentication vulnerabilities exist in Rocket.Chat's enterprise DDP Streamer service. The `Account.login`...
Authentication vulnerabilities exist in Rocket.Chat's enterprise DDP Streamer service. The `Account.login`...
๐จ CVE-2026-30833
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0, a NoSQL injection vulnerability exists in Rocket.Chat's account service used in the ddp-streamer micro service that allows unauthenticated attackers to manipulate MongoDB queries during authentication. The vulnerability is located in the username-based login flow where user-supplied input is directly embedded into a MongoDB query selector without validation. An attacker can inject MongoDB operator expressions (e.g., { $regex: '.*' }) in place of a username string, causing the database query to match unintended user records. This issue has been patched in versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0.
๐@cveNotify
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0, a NoSQL injection vulnerability exists in Rocket.Chat's account service used in the ddp-streamer micro service that allows unauthenticated attackers to manipulate MongoDB queries during authentication. The vulnerability is located in the username-based login flow where user-supplied input is directly embedded into a MongoDB query selector without validation. An attacker can inject MongoDB operator expressions (e.g., { $regex: '.*' }) in place of a username string, causing the database query to match unintended user records. This issue has been patched in versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0.
๐@cveNotify
GitHub
NoSQL injection in the EE ddp-streamer-service
### Issue 2: NoSQL injection in the EE ddp-streamer-service (`GHSL-2026-005`)
A NoSQL injection vulnerability exists in Rocket.Chat's account service used in the `ddp-streamer` micro servic...
A NoSQL injection vulnerability exists in Rocket.Chat's account service used in the `ddp-streamer` micro servic...
๐จ CVE-2026-29789
Vito is a self-hosted web application that helps manage servers and deploy PHP applications into production servers. Prior to version 3.20.3, a missing authorization check in workflow site-creation actions allows an authenticated attacker with workflow write access in one project to create/manage sites on servers belonging to other projects by supplying a foreign server_id. This issue has been patched in version 3.20.3.
๐@cveNotify
Vito is a self-hosted web application that helps manage servers and deploy PHP applications into production servers. Prior to version 3.20.3, a missing authorization check in workflow site-creation actions allows an authenticated attacker with workflow write access in one project to create/manage sites on servers belonging to other projects by supplying a foreign server_id. This issue has been patched in version 3.20.3.
๐@cveNotify
GitHub
Fix missing authorization in workflow site creation (#1036) ยท vitodeploy/vito@0fdcfe5
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
๐จ CVE-2026-29790
dbt-common is the shared common utilities for dbt-core and adapter implementations use. Prior to versions 1.34.2 and 1.37.3, a path traversal vulnerability exists in dbt-common's safe_extract() function used when extracting tarball archives. The function uses os.path.commonprefix() to validate that extracted files remain within the intended destination directory. However, commonprefix() compares paths character-by-character rather than by path components, allowing a malicious tarball to write files to sibling directories with matching name prefixes. This issue has been patched in versions 1.34.2 and 1.37.3.
๐@cveNotify
dbt-common is the shared common utilities for dbt-core and adapter implementations use. Prior to versions 1.34.2 and 1.37.3, a path traversal vulnerability exists in dbt-common's safe_extract() function used when extracting tarball archives. The function uses os.path.commonprefix() to validate that extracted files remain within the intended destination directory. However, commonprefix() compares paths character-by-character rather than by path components, allowing a malicious tarball to write files to sibling directories with matching name prefixes. This issue has been patched in versions 1.34.2 and 1.37.3.
๐@cveNotify
GitHub
Fix tar path traversal using commonpath instead of commonprefix (#353) ยท dbt-labs/dbt-common@e547954
* Fix tar path traversal using commonpath instead of commonprefix
* lint
* fix test
* lint
* fix test