🚨 CVE-2026-40753
Unauthenticated PHP Object Injection in EasyMeals <= 1.5.1 versions.
@cveNotify
Patchstack
PHP Object Injection in WordPress EasyMeals Theme
🚨 CVE-2026-41280
Incorrect Authorization vulnerability allows users with system login privileges to delete task definitions in unauthorized projects
This issue affects Apache DolphinScheduler versions prior to 3.4.2.
Users are recommended to upgrade to version 3.4.2, which fixes this issue.
🚨 CVE-2026-42357
Incorrect Authorization vulnerability allows users to access workflow instance information belonging to projects they do not have permission to access.
This issue affects Apache DolphinScheduler versions prior to 3.4.2.
Users are recommended to upgrade to version 3.4.2, which fixes this issue.
🚨 CVE-2026-42385
Unauthenticated Cross Site Scripting (XSS) in Profile Builder Pro <= 3.15.0 versions.
Patchstack
Cross Site Scripting (XSS) in WordPress Profile Builder Pro Plugin
🚨 CVE-2026-47277
Runtipi is a personal homeserver orchestrator. In versions 4.9.1 through 4.9.3, Runtipi serves marketplace app logos from files inside cloned app-store repositories through an unauthenticated endpoint, which leads to arbitrary file read through app-store logo symlinks. The path guard checks only the lexical path before Node reads the file, so a Git app store that contains metadata/logo.jpg as a symbolic link can cause Runtipi to read and return the symlink target. Because the endpoint is public and the symlink target may point outside the cloned repository, this can expose local files from the Runtipi container such as /data/.env, /data/state/seed, logs, or application files. This can disclose JWT secrets, service credentials, local configuration, and operational logs depending on the instance. The issue has been fixed in version 4.10.0.
GitHub
Release v4.10.0 · runtipi/runtipi
Release notes
New features
Start all and stop all apps CLI commands
Improvements
Tighten filesystem type checks to not follow symlinks when serving public data
How to update
From the root folde...
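The advisory's point is that the guard inspected the path string and then let the file read follow the symlink, which is what the 4.10.0 release note ("not follow symlinks when serving public data") closes. The following Python is an added example, not Runtipi's code (Runtipi is a Node.js application; `lexical_guard`, `hardened_guard`, `serve` and the constructed app-store checkout are this editor's own). It builds a clone whose metadata/logo.jpg links to a file outside the store, then shows the string-only check handing out the secret while the on-disk check refuses it and still serves an honest logo:

```python
import os
import stat
import tempfile
from pathlib import Path


def lexical_guard(store_root, logo_rel):
    """Guard of the kind the advisory describes: normalise the requested path
    and require that it still sits under the store root. Only the string is
    inspected, so a symlink inside the store passes and open() follows it."""
    candidate = os.path.normpath(os.path.join(store_root, logo_rel))
    if os.path.commonpath([store_root, candidate]) != store_root:
        return None
    return candidate


def hardened_guard(store_root, logo_rel):
    """Look at what is actually on disk: the entry must be a regular file
    (lstat, which does not follow links) and, after every parent directory
    has been resolved, must still lie under the real store root."""
    root_real = os.path.realpath(store_root)
    candidate = os.path.join(root_real, logo_rel)
    try:
        st = os.lstat(candidate)
    except OSError:
        return None
    if not stat.S_ISREG(st.st_mode):   # rejects symlinks, directories, devices
        return None
    resolved = os.path.realpath(candidate)
    if os.path.commonpath([root_real, resolved]) != root_real:
        return None                    # a parent component was a symlink out of the root
    return resolved


def serve(guard, store_root, logo_rel):
    """The unauthenticated logo endpoint reduced to its essentials."""
    path = guard(store_root, logo_rel)
    if path is None:
        return None
    with open(path, "rb") as fh:
        return fh.read()


def demo():
    """Constructed layout: a secret outside the store, a cloned app store whose
    logo is a symlink to that secret, and one honest logo for comparison."""
    base = Path(tempfile.mkdtemp())
    secret = base / "data" / ".env"
    secret.parent.mkdir()
    secret.write_text("JWT_SECRET=constructed-example-value\n")

    store = base / "repos" / "evil-store"
    (store / "metadata").mkdir(parents=True)
    os.symlink(secret, store / "metadata" / "logo.jpg")      # the malicious entry
    (store / "metadata" / "honest.png").write_bytes(b"\x89PNG")

    return {
        "lexical": serve(lexical_guard, str(store), "metadata/logo.jpg"),
        "hardened": serve(hardened_guard, str(store), "metadata/logo.jpg"),
        "hardened_honest": serve(hardened_guard, str(store), "metadata/honest.png"),
    }


if __name__ == "__main__":
    for name, body in demo().items():
        print(f"{name:16s} -> {body!r}")
```

Checking with lstat and then calling open() still leaves a small window in which the entry can be swapped for a link; on POSIX, opening with O_NOFOLLOW (or fstat on the opened descriptor and re-checking the type) closes it.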
🚨 CVE-2026-47340
Apache DolphinScheduler allows authenticated users to access alert instances associated with alert groups they do not have permission to access.
This issue affects Apache DolphinScheduler: before 3.4.2.
Users are recommended to upgrade to version 3.4.2, which fixes the issue.
🚨 CVE-2026-48782
Pydantic AI is a Python agent framework for building applications and workflows with Generative AI. In versions 1.56.0 through 1.101.0, 2.0.0b1, and 2.0.0b2, the cloud-metadata blocklist could be bypassed by encoding the metadata IP in an IPv6 transition form that the previous fix, CVE-2026-46678, did not decode, exposing cloud IAM short-term credentials. The previous remediation decoded only IPv4-mapped IPv6, 6to4, and the NAT64 well-known prefix, so the metadata guarantee did not hold for the remaining transition forms: IPv4-compatible IPv6 (::a.b.c.d), the NAT64 RFC 8215 local-use prefix (64:ff9b:1::/48), operator-chosen NAT64 prefixes, and ISATAP. The IPv6 wrapper is then delivered to the underlying IPv4 metadata endpoint. This occurs when an application using Pydantic AI opts a URL into force_download='allow-local' (which disables the default block on private/internal IPs) and runs on a network that actually routes the affected IPv6 transition forms: NAT64-configured networks (IPv6-only or dual-stack-with-NAT64 deployments, including some Kubernetes setups) for the NAT64 variants, or networks with an ISATAP tunnel for ISATAP. A standard dual-stack cloud VM or container does not route these forms and is not affected in practice. The IPv4-compatible and Teredo variants are deprecated and addressed as defense-in-depth. This is an incomplete fix of GHSA-cqp8-fcvh-x7r3 / CVE-2026-46678 (itself a follow-up to CVE-2026-25580). This issue has been fixed in version 2.0.0b3.
GitHub
fix: expand IPv6 transition-form handling in URL validation (#5596) · pydantic/pydantic-ai@1add061
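The advisory lists which transition forms the earlier fix decoded and which it missed. The Python below is an added example, not pydantic-ai's own validator: it decodes every form named above (IPv4-mapped, 6to4, Teredo, the NAT64 well-known and RFC 8215 local-use prefixes, operator-chosen NAT64 prefixes, IPv4-compatible and ISATAP) from an IPv6 literal and checks each embedded IPv4 address against the link-local metadata range. The function names, the constructed operator prefix `2001:db8:64::/96`, and the assumption that operator NAT64 prefixes are /96 (the RFC 6052 layout that carries the IPv4 address in the last 32 bits) are this editor's:

```python
import ipaddress

# Link-local block that hosts the instance metadata service (169.254.169.254).
METADATA_NET = ipaddress.ip_network("169.254.0.0/16")
NAT64_WELL_KNOWN = ipaddress.ip_network("64:ff9b::/96")    # RFC 6052
NAT64_LOCAL_USE = ipaddress.ip_network("64:ff9b:1::/48")   # RFC 8215


def _low32(addr):
    """IPv4 address carried in the last 32 bits of an IPv6 address."""
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)


def embedded_ipv4(addr, nat64_prefixes=()):
    """Every IPv4 address this IPv6 address could be translated to, keyed by
    the transition form that produced it. nat64_prefixes holds operator-chosen
    NAT64 networks; this example assumes the /96 embedding (assumption)."""
    found = {}
    if addr.ipv4_mapped is not None:                 # ::ffff:a.b.c.d
        found["ipv4-mapped"] = addr.ipv4_mapped
    if addr.sixtofour is not None:                   # 2002:aabb:ccdd::/48
        found["6to4"] = addr.sixtofour
    if addr.teredo is not None:                      # 2001::/32: server, inverted client
        found["teredo-server"], found["teredo-client"] = addr.teredo
    if addr in NAT64_WELL_KNOWN:
        found["nat64-wkp"] = _low32(addr)
    if addr in NAT64_LOCAL_USE:
        found["nat64-local-use"] = _low32(addr)
    for prefix in nat64_prefixes:
        if addr in prefix:
            found[f"nat64-{prefix}"] = _low32(addr)
    # IPv4-compatible ::a.b.c.d (deprecated): upper 96 bits zero, excluding :: and ::1
    if int(addr) >> 32 == 0 and int(addr) > 1:
        found["ipv4-compatible"] = _low32(addr)
    # ISATAP (RFC 5214): interface identifier 0000:5efe:a.b.c.d or 0200:5efe:a.b.c.d
    iid = int(addr) & ((1 << 64) - 1)
    if iid >> 32 in (0x00005EFE, 0x02005EFE):
        found["isatap"] = _low32(addr)
    return found


def metadata_verdict(host, nat64_prefixes=()):
    """(blocked, reason) for a URL host literal. Hostnames are not resolved
    here; a real guard must run this again on every address DNS returns."""
    try:
        addr = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False, "hostname"
    if addr.version == 4:
        return (addr in METADATA_NET), "ipv4"
    prefixes = [ipaddress.ip_network(p) for p in nat64_prefixes]
    for form, v4 in embedded_ipv4(addr, prefixes).items():
        if v4 in METADATA_NET:
            return True, form
    return False, "no metadata address embedded"


if __name__ == "__main__":
    corp_nat64 = ["2001:db8:64::/96"]                # constructed operator prefix
    for h in ("169.254.169.254", "[::ffff:169.254.169.254]", "::169.254.169.254",
              "64:ff9b::169.254.169.254", "64:ff9b:1::169.254.169.254",
              "2001:db8:64::169.254.169.254", "fe80::200:5efe:169.254.169.254",
              "2001::5601:5601", "2002:a9fe:a9fe::1", "2606:4700::1111"):
        print(f"{h:36s} {metadata_verdict(h, corp_nat64)}")
```

Two points carry over to any SSRF guard: the check must run on the addresses a name actually resolves to, not on the literal in the URL, and an operator-chosen NAT64 prefix is not discoverable from the address alone, so it has to be configured in (here via `nat64_prefixes`) or the local-use and custom variants slip through exactly as the advisory describes.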
🚨 CVE-2026-49071
Unauthenticated Broken Authentication in WooCommerce Dropshipping <= 5.2.4 versions.
Patchstack
Broken Authentication in WordPress WooCommerce Dropshipping Plugin
🚨 CVE-2026-49081
Unauthenticated Broken Access Control in User Registration Stripe <= 1.3.12 versions.
Patchstack
Broken Access Control in WordPress User Registration Stripe Plugin
🚨 CVE-2026-50203
A path traversal in the SFTP provider (`SFTPHook.retrieve_directory` / `SFTPOperator(operation=get)`) let a malicious or compromised remote SFTP server write files outside the configured local destination directory via crafted directory-entry names. No Airflow account is required; the attack surface is any deployment downloading directories from an untrusted SFTP server. Upgrade `apache-airflow-providers-sftp` to 5.8.1 or later.
GitHub
Validate downloaded paths stay within the destination directory in SFTPHook.retrieve_directory by potiuk · Pull Request #67985…
SFTPHook.retrieve_directory and retrieve_directory_concurrently build each
local destination path by joining the local directory with a path derived from
directory-entry names returned by the remot...
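The PR text above names the flaw: each local destination is built by joining the local directory with a path derived from names the remote server reported. The following Python is an added example of the validation the PR title describes, not the provider's own code: `safe_local_path`, the `retrieve_directory` stand-in and the hostile listing are constructed by this editor, and the listing replaces a real SFTP connection. The honest entry is written; the absolute name, the `..` entries and the `ok/../../` variant are refused before anything touches the filesystem:

```python
import tempfile
from pathlib import Path, PurePosixPath


def safe_local_path(local_dir, remote_name):
    """Map a remote directory-entry name onto local_dir, refusing anything the
    server could use to escape it: absolute names, '..' components, and as a
    second line of defence a resolved path that lands outside local_dir."""
    remote = PurePosixPath(remote_name)           # SFTP entry names are POSIX paths
    if remote.is_absolute() or ".." in remote.parts:
        raise ValueError(f"refusing remote entry name {remote_name!r}")
    base = Path(local_dir).resolve()
    target = (base / Path(*remote.parts)).resolve()
    if target != base and base not in target.parents:
        raise ValueError(f"{remote_name!r} resolves outside {local_dir}")
    return target


def retrieve_directory(listing, local_dir):
    """Constructed stand-in for a recursive SFTP get: `listing` maps the
    relative names a remote server reported to the bytes it would send."""
    written, rejected = [], []
    base = Path(local_dir).resolve()
    for name, payload in listing.items():
        try:
            dest = safe_local_path(local_dir, name)
        except ValueError:
            rejected.append(name)
            continue
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_bytes(payload)
        written.append(dest.relative_to(base).as_posix())
    return written, rejected


def demo():
    """A hostile listing: one honest file and three entry names that would
    land outside the destination if joined without validation."""
    hostile_listing = {
        "reports/2026-05.csv": b"id,amount\n1,10\n",
        "../../.ssh/authorized_keys": b"constructed attacker key line\n",
        "/etc/cron.d/backdoor": b"constructed cron line\n",
        "ok/../../escape.txt": b"x",
    }
    return retrieve_directory(hostile_listing, tempfile.mkdtemp())


if __name__ == "__main__":
    written, rejected = demo()
    print("written :", written)
    print("rejected:", rejected)
```

Rejecting `..` outright rather than normalising it is deliberate: a name a server sends for a directory entry has no legitimate reason to contain parent references, and the resolved-path check behind it only has to catch what the component check did not anticipate.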
🚨 CVE-2026-52698
Subscriber Sensitive Data Exposure in PushEngage – Web Push Notifications, eCommerce Automation & Chat Widget <= 4.2.3 versions.
Patchstack
Sensitive Data Exposure in WordPress PushEngage – Web Push Notifications, eCommerce Automation & Chat Widget Plugin
🚨 CVE-2026-53876
RadiX AX6600 WiFi 6 Tri-Band Gaming Router contains an OS command injection vulnerability, which may lead to arbitrary command execution with the root privilege by a user who logs in to the web console as an administrator.
jvn.jp
JVN#20769211: OS command injection in RadiX AX6600 WiFi 6 Tri-Band Gaming Router
Japan Vulnerability Notes
🚨 CVE-2026-54802
Unauthenticated Broken Authentication in SMS Alert Order Notifications <= 3.9.3 versions.
Patchstack
Broken Authentication in WordPress SMS Alert Order Notifications Plugin
🚨 CVE-2026-54803
Subscriber Privilege Escalation in SMS Alert Order Notifications <= 3.9.4 versions.
Patchstack
Privilege Escalation in WordPress SMS Alert Order Notifications Plugin
🚨 CVE-2026-55706
sppp_pap_input in sys/net/if_spppsubr.c in OpenBSD before 076e2b1 allows authentication bypass via certain zero values for lengths.
🚨 CVE-2025-15657
Unauthenticated Insecure Direct Object References (IDOR) in School Management <= 93.1.0 versions.
Patchstack
Insecure Direct Object References (IDOR) in WordPress School Management Plugin
🚨 CVE-2025-60231
Deserialization of Untrusted Data vulnerability in EMV The Hospital nrghospital allows Object Injection.
This issue affects The Hospital: from n/a through 1.8.1.
Patchstack
PHP Object Injection in WordPress The Hospital Theme
🚨 CVE-2025-60236
Deserialization of Untrusted Data vulnerability in EMV Creatify allows Object Injection.
This issue affects Creatify: from n/a through 1.5.
Patchstack
PHP Object Injection in WordPress Creatify Theme
🚨 CVE-2025-66391
In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write operations, e.g., the system will send a one-time password to an attacker-controlled email address when the attacker attempts to reset the password of a user account.