π¨ CVE-2026-56367
ImageMagick before 7.1.2-15 and 6.9.x before 6.9.13-40 contains an integer overflow in the PSB (PSD v2) RLE decoding path (ReadPSDChannelRLE in coders/psd.c) that causes a heap out-of-bounds read on 32-bit builds. Processing a crafted PSB file can lead to information disclosure or a crash.
π@cveNotify
ImageMagick before 7.1.2-15 and 6.9.x before 6.9.13-40 contains an integer overflow in the PSB (PSD v2) RLE decoding path (ReadPSDChannelRLE in coders/psd.c) that causes a heap out-of-bounds read on 32-bit builds. Processing a crafted PSB file can lead to information disclosure or a crash.
π@cveNotify
GitHub
PSB RLE sizes OOB read on 32-bit
An integer overflow in the PSB (PSD v2) RLE decoding path causes a heap out-of-bounds read on 32-bit builds. This can lead to information disclosure or a crash when processing crafted PSB files.
...
...
π¨ CVE-2026-56378
ImageMagick before 7.1.2-15 (and 6.x before 6.9.13-40) contains a heap out-of-bounds read in the PCD coder's DecodeImage loop. A crafted PCD file can trigger a one-byte heap out-of-bounds read during image decoding, resulting in denial of service and potential disclosure of an adjacent heap byte.
π@cveNotify
ImageMagick before 7.1.2-15 (and 6.x before 6.9.13-40) contains a heap out-of-bounds read in the PCD coder's DecodeImage loop. A crafted PCD file can trigger a one-byte heap out-of-bounds read during image decoding, resulting in denial of service and potential disclosure of an adjacent heap byte.
π@cveNotify
GitHub
PCD one byte heap out-of-bounds read
The PCD coderβs DecodeImage loop allows a crafted PCD file to trigger a 1βbyte heap out-of-bounds read when decoding an image (Denial of service) and potential disclosure of adjacent heap byte.
π¨ CVE-2026-56381
Craft CMS from version 5.0.0-RC1 contains a stored cross-site scripting vulnerability in the User Permissions page where user group names are rendered without proper HTML escaping. Attackers with admin access can inject arbitrary JavaScript via the user group name field that executes when other users view or edit permissions.
π@cveNotify
Craft CMS from version 5.0.0-RC1 contains a stored cross-site scripting vulnerability in the User Permissions page where user group names are rendered without proper HTML escaping. Attackers with admin access can inject arbitrary JavaScript via the user group name field that executes when other users view or edit permissions.
π@cveNotify
GitHub
Stored XSS via User Group Name in User Permissions Page
## Summary
A stored XSS vulnerability exists in the User Permissions page. The User Group name is rendered without proper HTML escaping in the permissions section, allowing an attacker to execute ...
A stored XSS vulnerability exists in the User Permissions page. The User Group name is rendered without proper HTML escaping in the permissions section, allowing an attacker to execute ...
π¨ CVE-2026-56382
Craft CMS (composer package craftcms/cms) versions >= 5.5.0 and <= 5.9.13 contain a remote code execution vulnerability in the FieldsController::actionRenderCardPreview() method, which passes the fieldLayoutConfig POST parameter directly to Fields::createLayout() without calling Component::cleanseConfig(). An authenticated admin user can inject Yii2 event handlers (e.g., 'on init' keys) via the fieldLayoutConfig parameter to execute arbitrary PHP code and disclose sensitive information (such as environment variables containing database credentials and CRAFT_SECURITY_KEY). The issue is fixed in version 5.9.14.
π@cveNotify
Craft CMS (composer package craftcms/cms) versions >= 5.5.0 and <= 5.9.13 contain a remote code execution vulnerability in the FieldsController::actionRenderCardPreview() method, which passes the fieldLayoutConfig POST parameter directly to Fields::createLayout() without calling Component::cleanseConfig(). An authenticated admin user can inject Yii2 event handlers (e.g., 'on init' keys) via the fieldLayoutConfig parameter to execute arbitrary PHP code and disclose sensitive information (such as environment variables containing database credentials and CRAFT_SECURITY_KEY). The issue is fixed in version 5.9.14.
π@cveNotify
GitHub
RCE via missing cleanseConfig in FieldsController::actionRenderCardPreview
The `actionRenderCardPreview()` method in `FieldsController` passes the `fieldLayoutConfig` POST parameter directly to `Fields::createLayout()` without calling `Component::cleanseConfig()`. This al...
π¨ CVE-2026-56383
Craft CMS contains a stored cross-site scripting (XSS) vulnerability in the editableTable.twig component when using the 'Row Heading' column type. The application fails to sanitize input within row heading default values, allowing an attacker with an administrator account (with allowAdminChanges enabled) to inject arbitrary JavaScript that executes when another user views a page containing the affected table field. Affected versions are >= 4.5.0-beta.1 through 4.16.18 and >= 5.0.0-RC1 through 5.8.22; fixed in 4.16.19 and 5.8.23.
π@cveNotify
Craft CMS contains a stored cross-site scripting (XSS) vulnerability in the editableTable.twig component when using the 'Row Heading' column type. The application fails to sanitize input within row heading default values, allowing an attacker with an administrator account (with allowAdminChanges enabled) to inject arbitrary JavaScript that executes when another user views a page containing the affected table field. Affected versions are >= 4.5.0-beta.1 through 4.16.18 and >= 5.0.0-RC1 through 5.8.22; fixed in 4.16.19 and 5.8.23.
π@cveNotify
GitHub
Encode from _getInputHtml() Β· craftcms/cms@7b372de
Build bespoke content experiences with Craft. Contribute to craftcms/cms development by creating an account on GitHub.
π¨ CVE-2026-56384
Craft CMS contains a missing authorization vulnerability in the assets/preview-thumb endpoint. A Control Panel user without permission to view a target private asset can call the endpoint with an attacker-controlled assetId and receive preview HTML containing a signed fallback transform preview link for that private asset, because no asset-view permission check is performed before preview generation. This affects versions >= 4.0.0-RC1, <= 4.17.7 and >= 5.0.0-RC1, <= 5.9.13, and is fixed in 4.17.8 and 5.9.14.
π@cveNotify
Craft CMS contains a missing authorization vulnerability in the assets/preview-thumb endpoint. A Control Panel user without permission to view a target private asset can call the endpoint with an attacker-controlled assetId and receive preview HTML containing a signed fallback transform preview link for that private asset, because no asset-view permission check is performed before preview generation. This affects versions >= 4.0.0-RC1, <= 4.17.7 and >= 5.0.0-RC1, <= 5.9.13, and is fixed in 4.17.8 and 5.9.14.
π@cveNotify
GitHub
Fixed GHSA-5pgf-h923-m958 Β· craftcms/cms@d30df31
Build bespoke content experiences with Craft. Contribute to craftcms/cms development by creating an account on GitHub.
π¨ CVE-2026-56393
Craft CMS 4.x (>= 4.0.0-RC1, < 4.17.0-beta.1) and 5.x (>= 5.0.0-RC1, < 5.9.0-beta.1) contain multiple stored cross-site scripting vulnerabilities where settings names and field option labels are rendered without sanitization (e.g., via the checkbox.twig template, which used {{ label|raw }}). An authenticated administrator (with allowAdminChanges enabled) can inject malicious payloads into section names, volume names, user group names, global set names, generated field names, checkbox/radio option labels, and custom source labels, causing arbitrary JavaScript to execute in other users' control-panel sessions. Fixed in 4.17.0-beta.1 and 5.9.0-beta.1.
π@cveNotify
Craft CMS 4.x (>= 4.0.0-RC1, < 4.17.0-beta.1) and 5.x (>= 5.0.0-RC1, < 5.9.0-beta.1) contain multiple stored cross-site scripting vulnerabilities where settings names and field option labels are rendered without sanitization (e.g., via the checkbox.twig template, which used {{ label|raw }}). An authenticated administrator (with allowAdminChanges enabled) can inject malicious payloads into section names, volume names, user group names, global set names, generated field names, checkbox/radio option labels, and custom source labels, causing arbitrary JavaScript to execute in other users' control-panel sessions. Fixed in 4.17.0-beta.1 and 5.9.0-beta.1.
π@cveNotify
GitHub
Merge commit from fork Β· craftcms/cms@67780a7
Advisory fix 1
π¨ CVE-2026-56394
Craft CMS from 4.0.0-RC1 contains an authenticated path traversal vulnerability in the assets/icon endpoint where the extension parameter is not validated before file existence checks. Attackers can bypass extension validation by passing traversal sequences that resolve to existing SVG files, allowing local file read access.
π@cveNotify
Craft CMS from 4.0.0-RC1 contains an authenticated path traversal vulnerability in the assets/icon endpoint where the extension parameter is not validated before file existence checks. Attackers can bypass extension validation by passing traversal sequences that resolve to existing SVG files, allowing local file read access.
π@cveNotify
GitHub
Fixed GHSA-472v-j2g4-g9h2 Β· craftcms/cms@30f5f1a
Build bespoke content experiences with Craft. Contribute to craftcms/cms development by creating an account on GitHub.
π¨ CVE-2026-56395
SiYuan before v3.6.1 fails to sanitize package metadata and README content in the Bazaar marketplace, allowing malicious package authors to inject arbitrary HTML and JavaScript. Attackers can achieve remote code execution on any user browsing the Bazaar by embedding XSS payloads in package displayName, description, or README fields, exploiting Electron's nodeIntegration setting to execute OS commands.
π@cveNotify
SiYuan before v3.6.1 fails to sanitize package metadata and README content in the Bazaar marketplace, allowing malicious package authors to inject arbitrary HTML and JavaScript. Attackers can achieve remote code execution on any user browsing the Bazaar by embedding XSS payloads in package displayName, description, or README fields, exploiting Electron's nodeIntegration setting to execute OS commands.
π@cveNotify
GitHub
Remote Code Execution via Malicious Bazaar Package β Marketplace XSS
# Remote Code Execution via Malicious Bazaar Package β Marketplace XSS
## Summary
SiYuan's Bazaar (community marketplace) renders plugin/theme/template metadata and README content without...
## Summary
SiYuan's Bazaar (community marketplace) renders plugin/theme/template metadata and README content without...
π¨ CVE-2026-56396
phpMyFAQ before 4.1.4 contains missing authorization vulnerabilities in editUser() and updateUserRights() endpoints that allow authenticated administrators to escalate privileges. Non-SuperAdmin users with edit_user permission can set is_superadmin flag or grant arbitrary rights to escalate to SuperAdmin access.
π@cveNotify
phpMyFAQ before 4.1.4 contains missing authorization vulnerabilities in editUser() and updateUserRights() endpoints that allow authenticated administrators to escalate privileges. Non-SuperAdmin users with edit_user permission can set is_superadmin flag or grant arbitrary rights to escalate to SuperAdmin access.
π@cveNotify
GitHub
phpMyFAQ 4.1.3: incomplete fix for GHSA-xvp4-phqj-cjr3 β editUser() and updateUserRights() lack authorization guards
## Advisory / Disclosure
# phpMyFAQ 4.1.3 β incomplete fix for the admin-API IDOR/privilege-escalation class
**Target:** thorsten/phpMyFAQ (composer: `thorsten/phpmyfaq`, `phpmyfaq/phpmyfaq`)...
# phpMyFAQ 4.1.3 β incomplete fix for the admin-API IDOR/privilege-escalation class
**Target:** thorsten/phpMyFAQ (composer: `thorsten/phpmyfaq`, `phpmyfaq/phpmyfaq`)...
π¨ CVE-2026-56397
SiYuan before v3.6.1 fails to sanitize package metadata and README content in the Bazaar marketplace, allowing malicious package authors to inject arbitrary HTML and JavaScript. Attackers can achieve remote code execution on any user browsing the Bazaar by embedding XSS payloads in package displayName, description, or README fields, exploiting Electron's nodeIntegration setting to execute OS commands.
π@cveNotify
SiYuan before v3.6.1 fails to sanitize package metadata and README content in the Bazaar marketplace, allowing malicious package authors to inject arbitrary HTML and JavaScript. Attackers can achieve remote code execution on any user browsing the Bazaar by embedding XSS payloads in package displayName, description, or README fields, exploiting Electron's nodeIntegration setting to execute OS commands.
π@cveNotify
GitHub
Remote Code Execution via Malicious Bazaar Package β Marketplace XSS
# Remote Code Execution via Malicious Bazaar Package β Marketplace XSS
## Summary
SiYuan's Bazaar (community marketplace) renders plugin/theme/template metadata and README content without...
## Summary
SiYuan's Bazaar (community marketplace) renders plugin/theme/template metadata and README content without...
π¨ CVE-2026-56406
libexpat before 2.8.2 has an integer overflow in XML_ParseBuffer because it lacked a check that was present in XML_Parse.
π@cveNotify
libexpat before 2.8.2 has an integer overflow in XML_ParseBuffer because it lacked a check that was present in XML_Parse.
π@cveNotify
GitHub
lib: Copy overflow check from `XML_Parse` to `XML_ParseBuffer` by hartwork Β· Pull Request #1255 Β· libexpat/libexpat
CC @Phlegmelm @Smattr
π¨ CVE-2026-56407
libexpat before 2.8.2 has an integer overflow in doProlog that is related to storeEntityValue and entity textLen.
π@cveNotify
libexpat before 2.8.2 has an integer overflow in doProlog that is related to storeEntityValue and entity textLen.
π@cveNotify
GitHub
Cap entity textLen against signed integer overflow by netliomax25-code Β· Pull Request #1262 Β· libexpat/libexpat
Hit this while fuzzing internal entity declarations. storeEntityValue stashes
the replacement text length with (int)poolLength(...), but the entity value
pool can grow past INT_MAX, so a huge &...
the replacement text length with (int)poolLength(...), but the entity value
pool can grow past INT_MAX, so a huge &...
π¨ CVE-2026-56409
xmlwf in libexpat before 2.8.2 has an integer overflow for the output filename when -d outputDir is used.
π@cveNotify
xmlwf in libexpat before 2.8.2 has an integer overflow for the output filename when -d outputDir is used.
π@cveNotify
GitHub
xmlwf: Protect output path join from integer overflow by netliomax25-code Β· Pull Request #1259 Β· libexpat/libexpat
Noticed the -d outputDir branch in main() sizes the output filename with (tcslen(outputDir) + tcslen(file) + 2) * sizeof(XML_Char) and then tcscpy/tcscat the parts in, with neither the addition nor...
π¨ CVE-2026-56410
xmlwf in libexpat before 2.8.2 has an integer overflow in resolveSystemId.
π@cveNotify
xmlwf in libexpat before 2.8.2 has an integer overflow in resolveSystemId.
π@cveNotify
GitHub
xmlwf: protect resolveSystemId from integer overflow by netliomax25-code Β· Pull Request #1252 Β· libexpat/libexpat
resolveSystemId builds an absolute path by allocating (tcslen(base) + tcslen(systemId) + 2) * sizeof(XML_Char), then copies base and systemId in. systemId comes from an external entity SYSTEM ident...
π¨ CVE-2026-56411
xmlwf in libexpat before 2.8.2 has an integer overflow in endDoctypeDecl via NOTATION declarations.
π@cveNotify
xmlwf in libexpat before 2.8.2 has an integer overflow in endDoctypeDecl via NOTATION declarations.
π@cveNotify
GitHub
xmlwf: protect notation list allocation from integer overflow by netliomax25-code Β· Pull Request #1263 Β· libexpat/libexpat
endDoctypeDecl() counts NOTATION declarations from the DTD into a plain int and then mallocs notationCount * sizeof(NotationList *) with no overflow guard, so on 32-bit the multiply can wrap and un...
π¨ CVE-2026-56412
libexpat before 2.8.2 does not consider XML_TOK_DATA_CHARS in doCdataSection and thus lacks handler call depth tracking for various calls from within handlers in cases of a policy violation. Thus, a use-after-free can occur. NOTE: this issue exists because of an incomplete fix for CVE-2026-50219.
π@cveNotify
libexpat before 2.8.2 does not consider XML_TOK_DATA_CHARS in doCdataSection and thus lacks handler call depth tracking for various calls from within handlers in cases of a policy violation. Thus, a use-after-free can occur. NOTE: this issue exists because of an incomplete fix for CVE-2026-50219.
π@cveNotify
GitHub
[CVE-REQUESTED] lib: Guard `XML_TOK_DATA_CHARS` handler calls in `doCdataSection` by hextheshadow Β· Pull Request #1278 Β· libexpat/libexpat
Self-Diagnosis
This pull request fixes #ISSUE_NUMBER.
This pull request is related to [CVE-2026-50219] Introduce handler call depth tracking #1246.
This pull request is small, uncontroversial,...
This pull request fixes #ISSUE_NUMBER.
This pull request is related to [CVE-2026-50219] Introduce handler call depth tracking #1246.
This pull request is small, uncontroversial,...