π¨ CVE-2026-57532
Malicious HTML content contained in the layout specification of a PDF
ticket or badge layout was executed when the PDF editor is opened in the
browser. This could allow one backend user to inject JavaScript into
the browser context of another backend user. Due to requirements of the
PDF rendering and editing libraries used, this is one of the few pages
in our backend that do not have a strong Content-Security-Policy that
would render this capability useless for most scenarios.
π@cveNotify
Malicious HTML content contained in the layout specification of a PDF
ticket or badge layout was executed when the PDF editor is opened in the
browser. This could allow one backend user to inject JavaScript into
the browser context of another backend user. Due to requirements of the
PDF rendering and editing libraries used, this is one of the few pages
in our backend that do not have a strong Content-Security-Policy that
would render this capability useless for most scenarios.
π@cveNotify
pretix.eu
Security release 2026.5.2 of pretix and multiple plugins
Today, we are releasing pretix 2026.6.1 as well as updates for multiple plugins to fix security-relevant bugs, including ones with high severity.
Please make sure to update your pretix installation as soon as possible.
Please make sure to update your pretix installation as soon as possible.
π¨ CVE-2026-57533
Malicious HTML content could be injected into the page pretix shows when
redirection to an untrusted page occurs. Since this page has a
Content-Security-Policy, this can mainly be used for phishing purposes.
π@cveNotify
Malicious HTML content could be injected into the page pretix shows when
redirection to an untrusted page occurs. Since this page has a
Content-Security-Policy, this can mainly be used for phishing purposes.
π@cveNotify
pretix.eu
Security release 2026.5.2 of pretix and multiple plugins
Today, we are releasing pretix 2026.6.1 as well as updates for multiple plugins to fix security-relevant bugs, including ones with high severity.
Please make sure to update your pretix installation as soon as possible.
Please make sure to update your pretix installation as soon as possible.
π¨ CVE-2026-57534
Malicious HTML content could be injected into the content of a page in the pretix-pages plugin.
π@cveNotify
Malicious HTML content could be injected into the content of a page in the pretix-pages plugin.
π@cveNotify
pretix.eu
Security release 2026.5.2 of pretix and multiple plugins
Today, we are releasing pretix 2026.6.1 as well as updates for multiple plugins to fix security-relevant bugs, including ones with high severity.
Please make sure to update your pretix installation as soon as possible.
Please make sure to update your pretix installation as soon as possible.
π¨ CVE-2026-57535
Content injected to PDF rendering contexts could, in many places, include HTML content including <img> tags. If the src
attribute of these images pointed to an URL, the PDF rendering engine
would download the image from that place and display it, thereby leaking
information about the rendering server and possibly creating an SSRF
vector in the local network.
π@cveNotify
Content injected to PDF rendering contexts could, in many places, include HTML content including <img> tags. If the src
attribute of these images pointed to an URL, the PDF rendering engine
would download the image from that place and display it, thereby leaking
information about the rendering server and possibly creating an SSRF
vector in the local network.
π@cveNotify
pretix.eu
Security release 2026.5.2 of pretix and multiple plugins
Today, we are releasing pretix 2026.6.1 as well as updates for multiple plugins to fix security-relevant bugs, including ones with high severity.
Please make sure to update your pretix installation as soon as possible.
Please make sure to update your pretix installation as soon as possible.
π¨ CVE-2026-57536
Our payment integration with Mollie did not properly validate payment
status responses. An attacker could use a successful payment status
response from one payment and supply it to the system for a different
payment, gaining access to multiple valid tickets with only one payment.
π@cveNotify
Our payment integration with Mollie did not properly validate payment
status responses. An attacker could use a successful payment status
response from one payment and supply it to the system for a different
payment, gaining access to multiple valid tickets with only one payment.
π@cveNotify
pretix.eu
Security release 2026.5.2 of pretix and multiple plugins
Today, we are releasing pretix 2026.6.1 as well as updates for multiple plugins to fix security-relevant bugs, including ones with high severity.
Please make sure to update your pretix installation as soon as possible.
Please make sure to update your pretix installation as soon as possible.
π¨ CVE-2026-57587
A SQL injection vulnerability in Nessus allows a remote, unauthenticated attacker who controls reverse DNS records for a scanned host to inject malicious SQL into the scan results database, potentially enabling exfiltration of scan-result data.
π@cveNotify
A SQL injection vulnerability in Nessus allows a remote, unauthenticated attacker who controls reverse DNS records for a scanned host to inject malicious SQL into the scan results database, potentially enabling exfiltration of scan-result data.
π@cveNotify
π¨ CVE-2026-57588
A SQL injection vulnerability in Nessus allows an attacker to craft a malicious scan result file that, when imported by a privileged user, injects malicious SQL into the scan results database, potentially enabling exfiltration of scan-result data.
π@cveNotify
A SQL injection vulnerability in Nessus allows an attacker to craft a malicious scan result file that, when imported by a privileged user, injects malicious SQL into the scan results database, potentially enabling exfiltration of scan-result data.
π@cveNotify
π¨ CVE-2026-6432
Improper bounds validation in EmberZNet SDK versions 9.0.2 and earlier may result in crashes or dynamic memory leakage.
π@cveNotify
Improper bounds validation in EmberZNet SDK versions 9.0.2 and earlier may result in crashes or dynamic memory leakage.
π@cveNotify
GitHub
GitHub - SiliconLabsSoftware/sisdk-release: Simplicity GA release repo
Simplicity GA release repo. Contribute to SiliconLabsSoftware/sisdk-release development by creating an account on GitHub.
π¨ CVE-2026-12844
List::SomeUtils::XS versions before 0.59 for Perl have a heap buffer overflow in the pairwise function.
pairwise() collects the values returned by the block into a heap buffer sized to the longer input array, then grows the buffer before each copy with a single quadrupling (alloc <<= 2) instead of a loop. A block call that returns more than four times the current allocation in one invocation outgrows that one quadrupling, and the copy writes past the end of the buffer.
Any caller of pairwise() whose block returns, for a single pair, more than four times the longer input array's length writes past the buffer and corrupts the heap.
π@cveNotify
List::SomeUtils::XS versions before 0.59 for Perl have a heap buffer overflow in the pairwise function.
pairwise() collects the values returned by the block into a heap buffer sized to the longer input array, then grows the buffer before each copy with a single quadrupling (alloc <<= 2) instead of a loop. A block call that returns more than four times the current allocation in one invocation outgrows that one quadrupling, and the copy writes past the end of the buffer.
Any caller of pairwise() whose block returns, for a single pair, more than four times the longer input array's length writes past the buffer and corrupts the heap.
π@cveNotify
π¨ CVE-2026-48940
A Joomla user with K2 "create item" rights (Author tier by default) can submit an article whose `embedVideo` POST field contains a raw `<script>` tag; K2 stores it verbatim and renders it unescaped to any visitor of the article page.
π@cveNotify
A Joomla user with K2 "create item" rights (Author tier by default) can submit an article whose `embedVideo` POST field contains a raw `<script>` tag; K2 stores it verbatim and renders it unescaped to any visitor of the article page.
π@cveNotify
getk2.org
K2 | The powerful content extension for Joomla! developed by JoomlaWorks
K2 is the popular, powerful and awarded content extension for Joomla! with CCK-like features developed by JoomlaWorks, makers of fine Joomla! extensions since 2006. It provides an out-of-the box integrated solution featuring rich content forms for items (thinkβ¦
π¨ CVE-2026-48942
K2 β€ 2.26 renders the `#__k2_users.image` column directly into HTML `src` attributes via two distinct templates, in both cases without HTML escaping.
π@cveNotify
K2 β€ 2.26 renders the `#__k2_users.image` column directly into HTML `src` attributes via two distinct templates, in both cases without HTML escaping.
π@cveNotify
getk2.org
K2 | The powerful content extension for Joomla! developed by JoomlaWorks
K2 is the popular, powerful and awarded content extension for Joomla! with CCK-like features developed by JoomlaWorks, makers of fine Joomla! extensions since 2006. It provides an out-of-the box integrated solution featuring rich content forms for items (thinkβ¦
π¨ CVE-2026-48943
K2 β€ 2.24 contains a mass-assignment defect in the K2 system user plugin `plg_user_k2`. A Registered Joomla user, by including the field `K2UserForm=1` in a standard `com_users` `profile.save` POST, can write arbitrary values into the `notes`, `image`, and `plugins` columns of their own row in the `#__k2_users` table β none of which are exposed by the K2 frontend profile-edit form.
π@cveNotify
K2 β€ 2.24 contains a mass-assignment defect in the K2 system user plugin `plg_user_k2`. A Registered Joomla user, by including the field `K2UserForm=1` in a standard `com_users` `profile.save` POST, can write arbitrary values into the `notes`, `image`, and `plugins` columns of their own row in the `#__k2_users` table β none of which are exposed by the K2 frontend profile-edit form.
π@cveNotify
getk2.org
K2 | The powerful content extension for Joomla! developed by JoomlaWorks
K2 is the popular, powerful and awarded content extension for Joomla! with CCK-like features developed by JoomlaWorks, makers of fine Joomla! extensions since 2006. It provides an out-of-the box integrated solution featuring rich content forms for items (thinkβ¦
π¨ CVE-2026-48944
The K2 frontend article-save handler accepts an `attachment[N][existing]` POST field that is concatenated with `JPATH_SITE/` and passed to `JFile::copy()`. `JPath::clean` does NOT strip `..`, and there is no allow-list of source paths. An Author can therefore copy `configuration.php` (or any other file readable by the web user β including `../../../etc/passwd`) into `/media/k2/attachments/`, then retrieve the contents via the K2 attachment-download endpoint.
π@cveNotify
The K2 frontend article-save handler accepts an `attachment[N][existing]` POST field that is concatenated with `JPATH_SITE/` and passed to `JFile::copy()`. `JPath::clean` does NOT strip `..`, and there is no allow-list of source paths. An Author can therefore copy `configuration.php` (or any other file readable by the web user β including `../../../etc/passwd`) into `/media/k2/attachments/`, then retrieve the contents via the K2 attachment-download endpoint.
π@cveNotify
getk2.org
K2 | The powerful content extension for Joomla! developed by JoomlaWorks
K2 is the popular, powerful and awarded content extension for Joomla! with CCK-like features developed by JoomlaWorks, makers of fine Joomla! extensions since 2006. It provides an out-of-the box integrated solution featuring rich content forms for items (thinkβ¦
π¨ CVE-2026-48945
The K2 article gallery upload path accepts a zip/tar archive, extracts it under `/media/k2/galleries/<id>/`, and only renames image files (gif/jpg/jpeg/png/webp) to safe names β non-image files (including `.php`) are extracted as-is and remain executable via direct HTTP access.
π@cveNotify
The K2 article gallery upload path accepts a zip/tar archive, extracts it under `/media/k2/galleries/<id>/`, and only renames image files (gif/jpg/jpeg/png/webp) to safe names β non-image files (including `.php`) are extracted as-is and remain executable via direct HTTP access.
π@cveNotify
getk2.org
K2 | The powerful content extension for Joomla! developed by JoomlaWorks
K2 is the popular, powerful and awarded content extension for Joomla! with CCK-like features developed by JoomlaWorks, makers of fine Joomla! extensions since 2006. It provides an out-of-the box integrated solution featuring rich content forms for items (thinkβ¦
π¨ CVE-2026-48946
The K2 frontend article-attachment upload path accepts files whose extension is `.php`, and Apache's standard mod_php matches `\.php$` and executes them under the K2 web user. A K2 Author can upload a `shell.php`, then fetch `/media/k2/attachments/shell.php` and execute arbitrary PHP code in the web server's context.
π@cveNotify
The K2 frontend article-attachment upload path accepts files whose extension is `.php`, and Apache's standard mod_php matches `\.php$` and executes them under the K2 web user. A K2 Author can upload a `shell.php`, then fetch `/media/k2/attachments/shell.php` and execute arbitrary PHP code in the web server's context.
π@cveNotify
getk2.org
K2 | The powerful content extension for Joomla! developed by JoomlaWorks
K2 is the popular, powerful and awarded content extension for Joomla! with CCK-like features developed by JoomlaWorks, makers of fine Joomla! extensions since 2006. It provides an out-of-the box integrated solution featuring rich content forms for items (thinkβ¦
π¨ CVE-2026-4522
Missing authentication for critical function vulnerability in HYPR Passwordless on Windows allows Credentials Interception.
This issue affects HYPR Passwordless: before 11.1.1.
π@cveNotify
Missing authentication for critical function vulnerability in HYPR Passwordless on Windows allows Credentials Interception.
This issue affects HYPR Passwordless: before 11.1.1.
π@cveNotify
Hypr
HYPR Security Advisories | HYPR
HYPR software routinely undergoes security assessments in order to identify any potential security risks. You can find here a list of risks identified.
π¨ CVE-2026-54036
LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, the GET /api/auth/2fa/enable endpoint can be called by an authenticated user (or attacker with a stolen session) even when 2FA is already fully enabled on the account. This endpoint overwrites the existing TOTP secret, generates new backup codes, and sets twoFactorEnabled to false β all without requiring any TOTP or backup code verification. An attacker with a valid session token can completely take over a victim's 2FA, locking the legitimate user out of their own two-factor authentication. This vulnerability is fixed in 0.8.4-rc1.
π@cveNotify
LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, the GET /api/auth/2fa/enable endpoint can be called by an authenticated user (or attacker with a stolen session) even when 2FA is already fully enabled on the account. This endpoint overwrites the existing TOTP secret, generates new backup codes, and sets twoFactorEnabled to false β all without requiring any TOTP or backup code verification. An attacker with a valid session token can completely take over a victim's 2FA, locking the legitimate user out of their own two-factor authentication. This vulnerability is fixed in 0.8.4-rc1.
π@cveNotify
GitHub
2FA Re-enrollment Allows Full Account 2FA Takeover Without OTP Verification
### Summary
The `GET /api/auth/2fa/enable` endpoint can be called by an authenticated user (or attacker with a stolen session) even when 2FA is already fully enabled on the account. This endpoint ...
The `GET /api/auth/2fa/enable` endpoint can be called by an authenticated user (or attacker with a stolen session) even when 2FA is already fully enabled on the account. This endpoint ...
π¨ CVE-2026-55477
3X-UI is a web control panel for managing Xray-core servers. Prior to 3.3.1, an authenticated administrator can abuse the database import functionality to achieve arbitrary file write on the host by modifying Xray configuration values stored in the database. This can be leveraged to obtain code execution and persistent access as the user running Xray (including root when Xray is running as root). This vulnerability is fixed in 3.3.1.
π@cveNotify
3X-UI is a web control panel for managing Xray-core servers. Prior to 3.3.1, an authenticated administrator can abuse the database import functionality to achieve arbitrary file write on the host by modifying Xray configuration values stored in the database. This can be leveraged to obtain code execution and persistent access as the user running Xray (including root when Xray is running as root). This vulnerability is fixed in 3.3.1.
π@cveNotify
GitHub
Authenticated Arbitrary File Write via Database Import and Xray Log Path Manipulation
# Summary
An authenticated administrator can abuse the database import functionality to achieve arbitrary file write on the host by modifying Xray configuration values stored in the database. This...
An authenticated administrator can abuse the database import functionality to achieve arbitrary file write on the host by modifying Xray configuration values stored in the database. This...
π¨ CVE-2026-55693
Vim is an open source, command line text editor. Prior to 9.2.0653, the tree_count_words() function in src/spellfile.c fills in the word-count fields of a spell-file word trie by walking it iteratively with a depth counter. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (arridx[], curi[], wordcount[]). A crafted .spl/.sug file pair, loaded when the user invokes spell suggestion, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0653.
π@cveNotify
Vim is an open source, command line text editor. Prior to 9.2.0653, the tree_count_words() function in src/spellfile.c fills in the word-count fields of a spell-file word trie by walking it iteratively with a depth counter. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (arridx[], curi[], wordcount[]). A crafted .spl/.sug file pair, loaded when the user invokes spell suggestion, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0653.
π@cveNotify
GitHub
patch 9.2.0653: [security]: out-of-bounds write in tree_count_words() Β· vim/vim@a80874d
Problem: [security]: a crafted spell file can drive tree_count_words()
past the end of its MAXWLEN-sized depth arrays; the descent
loop has no depth bound.
Solution: only desce...
past the end of its MAXWLEN-sized depth arrays; the descent
loop has no depth bound.
Solution: only desce...
π¨ CVE-2026-55892
Vim is an open source, command line text editor. Prior to 9.2.0662, the dump_prefixes() function in src/spell.c walks a spell-file prefix trie iteratively with a depth counter while dumping the prefixes that apply to a word. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (prefix[], arridx[], curi[]). A crafted .spl file, loaded when the user dumps the word list, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0662.
π@cveNotify
Vim is an open source, command line text editor. Prior to 9.2.0662, the dump_prefixes() function in src/spell.c walks a spell-file prefix trie iteratively with a depth counter while dumping the prefixes that apply to a word. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (prefix[], arridx[], curi[]). A crafted .spl file, loaded when the user dumps the word list, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0662.
π@cveNotify
GitHub
patch 9.2.0662: [security] Stack out-of-bounds write in dump_prefixes() Β· vim/vim@8325b19
Problem: [security]: a crafted spell file with a self-referential
BY_INDEX node in the prefix tree can drive dump_prefixes()
past the end of its MAXWLEN-sized depth arrays on :...
BY_INDEX node in the prefix tree can drive dump_prefixes()
past the end of its MAXWLEN-sized depth arrays on :...
π¨ CVE-2026-55895
Vim is an open source, command line text editor. Prior to 9.2.0663, a Vimscript code injection vulnerability exists in s:NetrwLocalRmFile() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when deleting a local file from the browser. A filename derived from the buffer's directory listing is interpolated into an Ex command line passed to :execute with only the backslash character escaped, allowing a crafted filename containing a bar (|) to terminate the intended command and execute arbitrary Vimscript, including shell commands via :call system() and :!. This vulnerability is fixed in 9.2.0663.
π@cveNotify
Vim is an open source, command line text editor. Prior to 9.2.0663, a Vimscript code injection vulnerability exists in s:NetrwLocalRmFile() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when deleting a local file from the browser. A filename derived from the buffer's directory listing is interpolated into an Ex command line passed to :execute with only the backslash character escaped, allowing a crafted filename containing a bar (|) to terminate the intended command and execute arbitrary Vimscript, including shell commands via :call system() and :!. This vulnerability is fixed in 9.2.0663.
π@cveNotify
GitHub
patch 9.2.0663: [security]: runtime(netrw): code injection in local f⦠· vim/vim@55bc757
β¦ile deletion
Problem: [security]: s:NetrwLocalRmFile() escapes only the backslash in
the file name before passing it to :execute, so a name
containing "|" i...
Problem: [security]: s:NetrwLocalRmFile() escapes only the backslash in
the file name before passing it to :execute, so a name
containing "|" i...