๐จ CVE-2026-25181
Out-of-bounds read in Windows GDI+ allows an unauthorized attacker to disclose information over a network.
๐@cveNotify
Out-of-bounds read in Windows GDI+ allows an unauthorized attacker to disclose information over a network.
๐@cveNotify
๐จ CVE-2026-31877
Frappe is a full-stack web application framework. Prior to 15.84.0 and 14.99.0, a specially crafted request made to a certain endpoint could result in SQL injection, allowing an attacker to extract information they wouldn't otherwise be able to. This vulnerability is fixed in 15.84.0 and 14.99.0.
๐@cveNotify
Frappe is a full-stack web application framework. Prior to 15.84.0 and 14.99.0, a specially crafted request made to a certain endpoint could result in SQL injection, allowing an attacker to extract information they wouldn't otherwise be able to. This vulnerability is fixed in 15.84.0 and 14.99.0.
๐@cveNotify
GitHub
Possibility of SQL Injection due to improper field sanitization
### Impact
A specially crafted request made to a certain endpoint could result in SQL injection, allowing an attacker to extract information they wouldn't otherwise be able to.
### Workarou...
A specially crafted request made to a certain endpoint could result in SQL injection, allowing an attacker to extract information they wouldn't otherwise be able to.
### Workarou...
๐จ CVE-2026-31878
Frappe is a full-stack web application framework. Prior to 14.100.1, 15.100.0, and 16.6.0, a malicious user could send a crafted request to an endpoint which would lead to the server making an HTTP call to a service of the user's choice. This vulnerability is fixed in 14.100.1, 15.100.0, and 16.6.0.
๐@cveNotify
Frappe is a full-stack web application framework. Prior to 14.100.1, 15.100.0, and 16.6.0, a malicious user could send a crafted request to an endpoint which would lead to the server making an HTTP call to a service of the user's choice. This vulnerability is fixed in 14.100.1, 15.100.0, and 16.6.0.
๐@cveNotify
GitHub
Possible SSRF by any authenticated user
### Impact
A malicious user could send a crafted request to an endpoint which would lead to the server making an HTTP call to a service of the user's choice.
### Workarounds
Upgrading is...
A malicious user could send a crafted request to an endpoint which would lead to the server making an HTTP call to a service of the user's choice.
### Workarounds
Upgrading is...
๐จ CVE-2026-31879
Frappe is a full-stack web application framework. Prior to 14.100.2, 15.101.0, and 16.10.0, due to a lack of validation and improper permission checks, users could modify other user's private workspaces. Specially crafted requests could lead to stored XSS here. This vulnerability is fixed in 14.100.2, 15.101.0, and 16.10.0.
๐@cveNotify
Frappe is a full-stack web application framework. Prior to 14.100.2, 15.101.0, and 16.10.0, due to a lack of validation and improper permission checks, users could modify other user's private workspaces. Specially crafted requests could lead to stored XSS here. This vulnerability is fixed in 14.100.2, 15.101.0, and 16.10.0.
๐@cveNotify
GitHub
Workspace modification and stored XSS due to improper resource ownership checks
### Impact
Due to a lack of validation and improper permission checks, users could modify other user's private workspaces. Specially crafted requests could lead to stored XSS here.
### Work...
Due to a lack of validation and improper permission checks, users could modify other user's private workspaces. Specially crafted requests could lead to stored XSS here.
### Work...
๐จ CVE-2025-64166
Mercurius is a GraphQL adapter for Fastify. Prior to version 16.4.0, a cross-site request forgery (CSRF) vulnerability was identified. The issue arises from incorrect parsing of the Content-Type header in requests. Specifically, requests with Content-Type values such as application/x-www-form-urlencoded, multipart/form-data, or text/plain could be misinterpreted as application/json. This misinterpretation bypasses the preflight checks performed by the fetch() API, potentially allowing unauthorized actions to be performed on behalf of an authenticated user. This issue has been patched in version 16.4.0.
๐@cveNotify
Mercurius is a GraphQL adapter for Fastify. Prior to version 16.4.0, a cross-site request forgery (CSRF) vulnerability was identified. The issue arises from incorrect parsing of the Content-Type header in requests. Specifically, requests with Content-Type values such as application/x-www-form-urlencoded, multipart/form-data, or text/plain could be misinterpreted as application/json. This misinterpretation bypasses the preflight checks performed by the fetch() API, potentially allowing unauthorized actions to be performed on behalf of an authenticated user. This issue has been patched in version 16.4.0.
๐@cveNotify
GitHub
feat: csrf prevention (#1187) ยท mercurius-js/mercurius@962d402
* feat: csrf prevention
* test: coverage
* doc: csrf update
* chore: types
* chore: cleanup
* test: coverage
* doc: csrf update
* chore: types
* chore: cleanup
๐จ CVE-2026-25048
xgrammar is an open-source library for efficient, flexible, and portable structured generation. Prior to version 0.1.32, the multi-level nested syntax caused a segmentation fault (core dumped). This issue has been patched in version 0.1.32.
๐@cveNotify
xgrammar is an open-source library for efficient, flexible, and portable structured generation. Prior to version 0.1.32, the multi-level nested syntax caused a segmentation fault (core dumped). This issue has been patched in version 0.1.32.
๐@cveNotify
GitHub
Release v0.1.32 ยท mlc-ai/xgrammar
What's Changed
Third-party rust support integration by @eugenebokhan in #531
feat: support crossing-grammar cache. by @Seven-Streams in #526
refactor: refactor the structure of structural_tag...
Third-party rust support integration by @eugenebokhan in #531
feat: support crossing-grammar cache. by @Seven-Streams in #526
refactor: refactor the structure of structural_tag...
๐จ CVE-2026-25174
Out-of-bounds read in Windows Extensible File Allocation allows an authorized attacker to elevate privileges locally.
๐@cveNotify
Out-of-bounds read in Windows Extensible File Allocation allows an authorized attacker to elevate privileges locally.
๐@cveNotify
๐จ CVE-2026-25175
Out-of-bounds read in Windows NTFS allows an authorized attacker to elevate privileges locally.
๐@cveNotify
Out-of-bounds read in Windows NTFS allows an authorized attacker to elevate privileges locally.
๐@cveNotify
๐จ CVE-2026-25176
Improper access control in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.
๐@cveNotify
Improper access control in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.
๐@cveNotify
๐จ CVE-2026-25177
Improper restriction of names for files and other resources in Active Directory Domain Services allows an authorized attacker to elevate privileges over a network.
๐@cveNotify
Improper restriction of names for files and other resources in Active Directory Domain Services allows an authorized attacker to elevate privileges over a network.
๐@cveNotify
๐จ CVE-2026-30831
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0, authentication vulnerabilities exist in Rocket.Chat's enterprise DDP Streamer service. The Account.login method exposed through the DDP Streamer does not enforce Two-Factor Authentication (2FA) or validate user account status (deactivated users can still login), despite these checks being mandatory in the standard Meteor login flow. This issue has been patched in versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0.
๐@cveNotify
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0, authentication vulnerabilities exist in Rocket.Chat's enterprise DDP Streamer service. The Account.login method exposed through the DDP Streamer does not enforce Two-Factor Authentication (2FA) or validate user account status (deactivated users can still login), despite these checks being mandatory in the standard Meteor login flow. This issue has been patched in versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0.
๐@cveNotify
GitHub
2FA bypass and login of deactivated users via EE ddp-streamer
### 2FA bypass and login of deactivated users via EE ddp-streamer (`GHSL-2026-008`)
Authentication vulnerabilities exist in Rocket.Chat's enterprise DDP Streamer service. The `Account.login`...
Authentication vulnerabilities exist in Rocket.Chat's enterprise DDP Streamer service. The `Account.login`...
๐จ CVE-2026-30833
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0, a NoSQL injection vulnerability exists in Rocket.Chat's account service used in the ddp-streamer micro service that allows unauthenticated attackers to manipulate MongoDB queries during authentication. The vulnerability is located in the username-based login flow where user-supplied input is directly embedded into a MongoDB query selector without validation. An attacker can inject MongoDB operator expressions (e.g., { $regex: '.*' }) in place of a username string, causing the database query to match unintended user records. This issue has been patched in versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0.
๐@cveNotify
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0, a NoSQL injection vulnerability exists in Rocket.Chat's account service used in the ddp-streamer micro service that allows unauthenticated attackers to manipulate MongoDB queries during authentication. The vulnerability is located in the username-based login flow where user-supplied input is directly embedded into a MongoDB query selector without validation. An attacker can inject MongoDB operator expressions (e.g., { $regex: '.*' }) in place of a username string, causing the database query to match unintended user records. This issue has been patched in versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0.
๐@cveNotify
GitHub
NoSQL injection in the EE ddp-streamer-service
### Issue 2: NoSQL injection in the EE ddp-streamer-service (`GHSL-2026-005`)
A NoSQL injection vulnerability exists in Rocket.Chat's account service used in the `ddp-streamer` micro servic...
A NoSQL injection vulnerability exists in Rocket.Chat's account service used in the `ddp-streamer` micro servic...
๐จ CVE-2026-29789
Vito is a self-hosted web application that helps manage servers and deploy PHP applications into production servers. Prior to version 3.20.3, a missing authorization check in workflow site-creation actions allows an authenticated attacker with workflow write access in one project to create/manage sites on servers belonging to other projects by supplying a foreign server_id. This issue has been patched in version 3.20.3.
๐@cveNotify
Vito is a self-hosted web application that helps manage servers and deploy PHP applications into production servers. Prior to version 3.20.3, a missing authorization check in workflow site-creation actions allows an authenticated attacker with workflow write access in one project to create/manage sites on servers belonging to other projects by supplying a foreign server_id. This issue has been patched in version 3.20.3.
๐@cveNotify
GitHub
Fix missing authorization in workflow site creation (#1036) ยท vitodeploy/vito@0fdcfe5
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
๐จ CVE-2026-29790
dbt-common is the shared common utilities for dbt-core and adapter implementations use. Prior to versions 1.34.2 and 1.37.3, a path traversal vulnerability exists in dbt-common's safe_extract() function used when extracting tarball archives. The function uses os.path.commonprefix() to validate that extracted files remain within the intended destination directory. However, commonprefix() compares paths character-by-character rather than by path components, allowing a malicious tarball to write files to sibling directories with matching name prefixes. This issue has been patched in versions 1.34.2 and 1.37.3.
๐@cveNotify
dbt-common is the shared common utilities for dbt-core and adapter implementations use. Prior to versions 1.34.2 and 1.37.3, a path traversal vulnerability exists in dbt-common's safe_extract() function used when extracting tarball archives. The function uses os.path.commonprefix() to validate that extracted files remain within the intended destination directory. However, commonprefix() compares paths character-by-character rather than by path components, allowing a malicious tarball to write files to sibling directories with matching name prefixes. This issue has been patched in versions 1.34.2 and 1.37.3.
๐@cveNotify
GitHub
Fix tar path traversal using commonpath instead of commonprefix (#353) ยท dbt-labs/dbt-common@e547954
* Fix tar path traversal using commonpath instead of commonprefix
* lint
* fix test
* lint
* fix test
๐จ CVE-2026-23673
Out-of-bounds read in Windows Resilient File System (ReFS) allows an authorized attacker to elevate privileges locally.
๐@cveNotify
Out-of-bounds read in Windows Resilient File System (ReFS) allows an authorized attacker to elevate privileges locally.
๐@cveNotify
๐จ CVE-2026-23674
Improper resolution of path equivalence in Windows MapUrlToZone allows an unauthorized attacker to bypass a security feature over a network.
๐@cveNotify
Improper resolution of path equivalence in Windows MapUrlToZone allows an unauthorized attacker to bypass a security feature over a network.
๐@cveNotify
๐จ CVE-2023-0410
Cross-site Scripting (XSS) - Generic in GitHub repository builderio/qwik prior to 0.1.0-beta5.
๐@cveNotify
Cross-site Scripting (XSS) - Generic in GitHub repository builderio/qwik prior to 0.1.0-beta5.
๐@cveNotify
GitHub
fix: cleanse ssr attribute name and class value (#2475) ยท QwikDev/qwik@4b2f89d
Co-Authored-By: OhB00 <43827372+ohb00@users.noreply.github.com>
๐จ CVE-2023-27651
An issue found in Ego Studio SuperClean v.1.1.9 and v.1.1.5 allows an attacker to gain privileges via the update_info field of the _default_.xml file.
๐@cveNotify
An issue found in Ego Studio SuperClean v.1.1.9 and v.1.1.5 allows an attacker to gain privileges via the update_info field of the _default_.xml file.
๐@cveNotify
๐จ CVE-2023-2307
Cross-Site Request Forgery (CSRF) in GitHub repository builderio/qwik prior to 0.104.0.
๐@cveNotify
Cross-Site Request Forgery (CSRF) in GitHub repository builderio/qwik prior to 0.104.0.
๐@cveNotify
GitHub
fix: relative protocol urls by adamdbradley ยท Pull Request #3862 ยท QwikDev/qwik
Instant-loading web apps, without effort. Contribute to QwikDev/qwik development by creating an account on GitHub.
๐จ CVE-2025-54236
Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Improper Input Validation vulnerability. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality, and integrity impact to high. Exploitation of this issue does not require user interaction.
๐@cveNotify
Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Improper Input Validation vulnerability. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality, and integrity impact to high. Exploitation of this issue does not require user interaction.
๐@cveNotify
Adobe
Adobe Security Bulletin
Security Updates Available for Adobe Commerce | APSB25-88