π¨ CVE-2026-54353
Budibase is an open-source low-code platform. Prior to 3.39.9, authenticated users with automation permissions can bypass Budibase's SSRF blacklist through DNS rebinding. The outbound fetch flow validates a hostname against the blacklist before the request is sent, but the actual socket connection later performs a separate DNS lookup through node-fetch. Since the validated IPs are never pinned to the connection, an attacker-controlled hostname can return a public IP during validation and a private/internal IP during the real connection. This results in a non-blind SSRF primitive against internal services reachable from the Budibase host, including loopback, RFC1918 ranges, and cloud metadata endpoints. This vulnerability is fixed in 3.39.9.
π@cveNotify
Budibase is an open-source low-code platform. Prior to 3.39.9, authenticated users with automation permissions can bypass Budibase's SSRF blacklist through DNS rebinding. The outbound fetch flow validates a hostname against the blacklist before the request is sent, but the actual socket connection later performs a separate DNS lookup through node-fetch. Since the validated IPs are never pinned to the connection, an attacker-controlled hostname can return a public IP during validation and a private/internal IP during the real connection. This results in a non-blind SSRF primitive against internal services reachable from the Budibase host, including loopback, RFC1918 ranges, and cloud metadata endpoints. This vulnerability is fixed in 3.39.9.
π@cveNotify
GitHub
Potential SSRF DNS rebinding bypass in outbound fetch validation
Summary
Authenticated users with automation permissions can bypass Budibase's SSRF blacklist through DNS rebinding.
The outbound fetch flow validates a hostname against the blacklist befo...
Authenticated users with automation permissions can bypass Budibase's SSRF blacklist through DNS rebinding.
The outbound fetch flow validates a hostname against the blacklist befo...
π¨ CVE-2026-46461
Dell Server Hardware Manager, versions prior to 3.2.2, contains an Improper Access Control vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of privileges.
π@cveNotify
Dell Server Hardware Manager, versions prior to 3.2.2, contains an Improper Access Control vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of privileges.
π@cveNotify
π¨ CVE-2026-42895
Improper neutralization of special elements used in a command ('command injection') in Microsoft Copilot allows an unauthorized attacker to perform tampering over a network.
π@cveNotify
Improper neutralization of special elements used in a command ('command injection') in Microsoft Copilot allows an unauthorized attacker to perform tampering over a network.
π@cveNotify
π¨ CVE-2026-47645
Url redirection to untrusted site ('open redirect') in Microsoft 365 Copilot's Business Chat allows an unauthorized attacker to elevate privileges over a network.
π@cveNotify
Url redirection to untrusted site ('open redirect') in Microsoft 365 Copilot's Business Chat allows an unauthorized attacker to elevate privileges over a network.
π@cveNotify
π¨ CVE-2026-54268
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.1, 21.2.17, and 20.3.25, a Denial of Service (DoS) vulnerability exists in the @angular/common package of the Angular framework. The formatDate function, which is also utilized by the standard Angular DatePipe, does not properly limit or validate the length of the format parameter. When parsing a maliciously crafted, excessively long date format string (e.g., a repeating pattern or very large string), the internal parser splits the string iteratively using a regular expression loop. This results in uncontrolled resource consumption (high CPU utilization and excessive memory allocations), leading to a Denial of Service (DoS). This vulnerability is fixed in 22.0.1, 21.2.17, and 20.3.25.
π@cveNotify
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.1, 21.2.17, and 20.3.25, a Denial of Service (DoS) vulnerability exists in the @angular/common package of the Angular framework. The formatDate function, which is also utilized by the standard Angular DatePipe, does not properly limit or validate the length of the format parameter. When parsing a maliciously crafted, excessively long date format string (e.g., a repeating pattern or very large string), the internal parser splits the string iteratively using a regular expression loop. This results in uncontrolled resource consumption (high CPU utilization and excessive memory allocations), leading to a Denial of Service (DoS). This vulnerability is fixed in 22.0.1, 21.2.17, and 20.3.25.
π@cveNotify
GitHub
fix(common): Limits date format string length Β· angular/angular@eeb03f4
Introduces a maximum length of 256 characters for date format strings.
This prevents potential Denial of Service (DoS) attacks by throwing an
`INVALID_DATE_FORMAT` error if an excessively long for...
This prevents potential Denial of Service (DoS) attacks by throwing an
`INVALID_DATE_FORMAT` error if an excessively long for...
π¨ CVE-2026-7664
IBM Langflow OSS 1.0.0 through 1.8.4 could allow unauthenticated attackers to access protected MCP project resources and execute MCP operations due to improper authorization enforcement in the Streamable MCP transport endpoint.
π@cveNotify
IBM Langflow OSS 1.0.0 through 1.8.4 could allow unauthenticated attackers to access protected MCP project resources and execute MCP operations due to improper authorization enforcement in the Streamable MCP transport endpoint.
π@cveNotify
Ibm
Security Bulletin: Unauthenticated Flow Execution via Webhook Endpoint in Langflow OSS
Langflow OSS POST /api/v1/webhook/{flow_id} executes any user's flow without authentication by default. Setting WEBHOOK_AUTH_ENABLE defaults to False in auth configuration. When False, webhook handler calls get_user_by_flow_id_or_endpoint_name() and trustsβ¦
π¨ CVE-2026-8059
IBM Datacap 9.1.7, 9.1.8, and 9.1.9 and IBM Datacap Navigator 9.1.7, 9.1.8, and 9.1.9 is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
π@cveNotify
IBM Datacap 9.1.7, 9.1.8, and 9.1.9 and IBM Datacap Navigator 9.1.7, 9.1.8, and 9.1.9 is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
π@cveNotify
Ibm
Security Bulletin: Multiple Vulnerabilities in IBM Datacap
Multiple vulnerabilities were addressed in IBM Datacap version 9.1.9 Interim Fix 008.
π¨ CVE-2026-56368
ImageMagick before 7.1.2-15 contains a memory leak vulnerability in multiple coders that write raw pixel data where allocated objects are not properly freed. Attackers can trigger this leak by processing specially crafted images, causing memory exhaustion and denial of service.
π@cveNotify
ImageMagick before 7.1.2-15 contains a memory leak vulnerability in multiple coders that write raw pixel data where allocated objects are not properly freed. Attackers can trigger this leak by processing specially crafted images, causing memory exhaustion and denial of service.
π@cveNotify
GitHub
Memory Leak in multiple coders that write raw pixel data
A memory leak vulnerability exists in multiple coders that write raw pixel data where an object is not freed.
```
Direct leak of 160 byte(s) in 1 object(s) allocated from:
```
```
Direct leak of 160 byte(s) in 1 object(s) allocated from:
```
π¨ CVE-2026-56370
ImageMagick before 7.1.2-19 contains an out-of-bounds access vulnerability in ConnectedComponentsImage() when processing connected-components artifacts with invalid indices. Attackers can trigger access violations by specifying malformed connected-components definitions via CLI, causing denial of service or potential code execution.
π@cveNotify
ImageMagick before 7.1.2-19 contains an out-of-bounds access vulnerability in ConnectedComponentsImage() when processing connected-components artifacts with invalid indices. Attackers can trigger access violations by specifying malformed connected-components definitions via CLI, causing denial of service or potential code execution.
π@cveNotify
GitHub
Out-of-bounds access in `ConnectedComponentsImage()` via CLI-controlled `connected-components:*` artifacts
When the `connected-components:*` define specifies an invalid index and out of bound operation will result in an access violation.
π¨ CVE-2026-4367
A flaw was found in libXpm. A local user with low privileges could exploit an Out-of-Bounds Read vulnerability in the `xpmNextWord()` function by processing a specially crafted or very small XPM (X PixMap) image file. This improper validation of file boundaries can cause an internal pointer to read beyond the file's end, leading to application crashes and Denial of Service conditions.
π@cveNotify
A flaw was found in libXpm. A local user with low privileges could exploit an Out-of-Bounds Read vulnerability in the `xpmNextWord()` function by processing a specially crafted or very small XPM (X PixMap) image file. This improper validation of file boundaries can cause an internal pointer to read beyond the file's end, leading to application crashes and Denial of Service conditions.
π@cveNotify
π¨ CVE-2026-11834
A command
injection vulnerability has been identified in the DHCP option processing logic
in multiple TP-Link router models, due to insufficient validation of externally
supplied DHCP option data. An adjacent attacker may exploit this
vulnerability by supplying crafted DHCP responses, potentially resulting in unauthorized
command execution during device initialization or provisioning workflows. This
typically occurs when the device is in a factory-default or unconfigured state.
Successful
exploitation may allow an adjacent, unauthenticated attacker to execute
arbitrary commands with elevated privileges, potentially leading to full
compromise of the affected device and unauthorized administrative control.
π@cveNotify
A command
injection vulnerability has been identified in the DHCP option processing logic
in multiple TP-Link router models, due to insufficient validation of externally
supplied DHCP option data. An adjacent attacker may exploit this
vulnerability by supplying crafted DHCP responses, potentially resulting in unauthorized
command execution during device initialization or provisioning workflows. This
typically occurs when the device is in a factory-default or unconfigured state.
Successful
exploitation may allow an adjacent, unauthenticated attacker to execute
arbitrary commands with elevated privileges, potentially leading to full
compromise of the affected device and unauthorized administrative control.
π@cveNotify
mattg.systems
TP-Link DHCP Option 66 Unauthenticated RCE (CVE-2026-11834) | mattg.systems
TP-Link DHCP Option 66 command injection (CVE-2026-11834) allows an unauthenticated attacker on the local network to execute commands as root by racing a malicious DHCP response.
π¨ CVE-2026-36478
An issue in Technitium DNS Server v.14.3 and before allows a remote attacker to cause a denial of service via the DnsServerApp.exe, DnsServerApp.dll, TechnitiumLibrary.Net/Dns/DnsClient.cs components
π@cveNotify
An issue in Technitium DNS Server v.14.3 and before allows a remote attacker to cause a denial of service via the DnsServerApp.exe, DnsServerApp.dll, TechnitiumLibrary.Net/Dns/DnsClient.cs components
π@cveNotify
Technitium
Technitium | Push The Limits
Technitium provides software for privacy over the Internet. Technitium MAC Address Changer (TMAC) is a freeware utility to instantly change or spoof MAC Address of any network card (NIC). Technitium Bit Chat is a secure, peer-to-peer, open source instantβ¦
π¨ CVE-2026-36907
A stack overflow in the AP4_StsdAtom::AP4_StsdAtom component of axiomatic-systems Bento4 before v1.8.9allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.
π@cveNotify
A stack overflow in the AP4_StsdAtom::AP4_StsdAtom component of axiomatic-systems Bento4 before v1.8.9allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.
π@cveNotify
GitHub
Crash when opening crafted MP4 (Bento4 issues still reproducible) Β· Issue #1005 Β· Aleksoid1978/MPC-BE
edited the numeber of issue 641 ->614 Summary crash in functions of Bento4 with existing crafted PoC tested on 1.8.8.27 dev (latest master branch) compile by following compilation.txt (debug, x6...
π¨ CVE-2026-36908
A stack overflow in the AP4_Array<AP4_TrunAtom::Entry>::EnsureCapacity component of axiomatic-systems Bento4 before v1.8.9allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.
π@cveNotify
A stack overflow in the AP4_Array<AP4_TrunAtom::Entry>::EnsureCapacity component of axiomatic-systems Bento4 before v1.8.9allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.
π@cveNotify
GitHub
Crash when opening crafted MP4 (Bento4 issues still reproducible) Β· Issue #1005 Β· Aleksoid1978/MPC-BE
edited the numeber of issue 641 ->614 Summary crash in functions of Bento4 with existing crafted PoC tested on 1.8.8.27 dev (latest master branch) compile by following compilation.txt (debug, x6...
π¨ CVE-2026-38571
Cleartext storage and exposure of WPA2 credentials, and missing authentication on the rr/wr memory read/write commands, in the unauthenticated UART debug console of the Tenda N300 F3 (V603) allow a physically proximate attacker to obtain stored WPA2 credentials in cleartext and to read or write arbitrary memory via the serial console.
π@cveNotify
Cleartext storage and exposure of WPA2 credentials, and missing authentication on the rr/wr memory read/write commands, in the unauthenticated UART debug console of the Tenda N300 F3 (V603) allow a physically proximate attacker to obtain stored WPA2 credentials in cleartext and to read or write arbitrary memory via the serial console.
π@cveNotify
GitHub
Vulnerability-research/CVE-2026-38571 at main Β· ZEssaidi-CS/Vulnerability-research
Contribute to ZEssaidi-CS/Vulnerability-research development by creating an account on GitHub.
π¨ CVE-2026-45807
Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.43 and 1.3.19, several Kestra API endpoints accept a kestra:// URI from the client and pass it through StorageInterface.parentTraversalGuard before reading the underlying file from the local storage backend. The guard only inspects the literal URI.toString(), so a URL-encoded .. written as %2E%2E slips through. The downstream code then calls URI.getPath(), which decodes %2E%2E back to .., and the resulting path is handed to Paths.get(...) without normalization. The OS resolves the .. segments at open(2) time, so an authenticated user with a single execution can read any file the Kestra process has access to on the host filesystem (/etc/passwd, mounted secrets, other tenants' execution outputs, etc.). This vulnerability is fixed in 1.0.43 and 1.3.19.
π@cveNotify
Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.43 and 1.3.19, several Kestra API endpoints accept a kestra:// URI from the client and pass it through StorageInterface.parentTraversalGuard before reading the underlying file from the local storage backend. The guard only inspects the literal URI.toString(), so a URL-encoded .. written as %2E%2E slips through. The downstream code then calls URI.getPath(), which decodes %2E%2E back to .., and the resulting path is handed to Paths.get(...) without normalization. The OS resolves the .. segments at open(2) time, so an authenticated user with a single execution can read any file the Kestra process has access to on the host filesystem (/etc/passwd, mounted secrets, other tenants' execution outputs, etc.). This vulnerability is fixed in 1.0.43 and 1.3.19.
π@cveNotify
GitHub
Path traversal via URL-encoded "%2E%2E" in execution and namespace file endpoints allows arbitrary file read
### Summary
Several Kestra API endpoints accept a `kestra://` URI from the client and pass it through `StorageInterface.parentTraversalGuard` before reading the underlying file from the local st...
Several Kestra API endpoints accept a `kestra://` URI from the client and pass it through `StorageInterface.parentTraversalGuard` before reading the underlying file from the local st...
π¨ CVE-2026-49869
Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, AuthenticationFilter in Kestra OSS uses request.getPath().endsWith("/configs") to whitelist the public configuration endpoint from Basic Auth. Because the check is a suffix match rather than an exact path match, any API path whose last segment is configs bypasses authentication entirely. An unauthenticated remote attacker can exploit this to create and execute arbitrary workflows without credentials. Because Kestra ships with script execution plugins (plugin-script-shell, plugin-script-python, etc.) enabled by default, this directly results in unauthenticated Remote Code Execution as root inside the Kestra worker container. This vulnerability is fixed in 1.0.45 and 1.3.21.
π@cveNotify
Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, AuthenticationFilter in Kestra OSS uses request.getPath().endsWith("/configs") to whitelist the public configuration endpoint from Basic Auth. Because the check is a suffix match rather than an exact path match, any API path whose last segment is configs bypasses authentication entirely. An unauthenticated remote attacker can exploit this to create and execute arbitrary workflows without credentials. Because Kestra ships with script execution plugins (plugin-script-shell, plugin-script-python, etc.) enabled by default, this directly results in unauthenticated Remote Code Execution as root inside the Kestra worker container. This vulnerability is fixed in 1.0.45 and 1.3.21.
π@cveNotify
GitHub
Unauthenticated Remote Code Execution via Authentication Bypass in `AuthenticationFilter`
## Summary
`AuthenticationFilter` in Kestra OSS uses `request.getPath().endsWith("/configs")` to whitelist the public configuration endpoint from Basic Auth. Because the check is a **s...
`AuthenticationFilter` in Kestra OSS uses `request.getPath().endsWith("/configs")` to whitelist the public configuration endpoint from Basic Auth. Because the check is a **s...
π¨ CVE-2026-49984
Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.23, the local internal-storage backend validates user-supplied paths for .. traversal before it converts Windows-style backslashes to forward slashes. An attacker can therefore smuggle a traversal sequence past the guard using backslashes (..\..\..\); the guard sees a harmless string, and the path is only rewritten to ../../../ after validation, immediately before the file is opened. Any authenticated user who can view an execution (the lowest-privilege role) can call GET /api/v1/{tenant}/executions/{executionId}/file?path=β¦ and read any file on the server filesystem readable by the Kestra process, outside the storage sandbox and across every tenant and namespace. This includes the embedded H2 database (all flows, all users, all stored secrets), internal storage of every other tenant/namespace, mounted secret files, and the process environment (/proc/self/environ) which contains configured database and secret-backend credentials. It is a complete breach of Kestra's storage isolation and multi-tenancy boundary. This vulnerability is fixed in 1.0.45 and 1.3.23.
π@cveNotify
Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.23, the local internal-storage backend validates user-supplied paths for .. traversal before it converts Windows-style backslashes to forward slashes. An attacker can therefore smuggle a traversal sequence past the guard using backslashes (..\..\..\); the guard sees a harmless string, and the path is only rewritten to ../../../ after validation, immediately before the file is opened. Any authenticated user who can view an execution (the lowest-privilege role) can call GET /api/v1/{tenant}/executions/{executionId}/file?path=β¦ and read any file on the server filesystem readable by the Kestra process, outside the storage sandbox and across every tenant and namespace. This includes the embedded H2 database (all flows, all users, all stored secrets), internal storage of every other tenant/namespace, mounted secret files, and the process environment (/proc/self/environ) which contains configured database and secret-backend credentials. It is a complete breach of Kestra's storage isolation and multi-tenancy boundary. This vulnerability is fixed in 1.0.45 and 1.3.23.
π@cveNotify
GitHub
Path traversal in `LocalStorage` allows any authenticated user to read arbitrary server files via the execution file-download APIβ¦
## Summary
The local internal-storage backend validates user-supplied paths for `..` traversal **before** it converts Windows-style backslashes to forward slashes. An attacker can therefore smug...
The local internal-storage backend validates user-supplied paths for `..` traversal **before** it converts Windows-style backslashes to forward slashes. An attacker can therefore smug...
π¨ CVE-2026-50765
Cross-Site Scripting (XSS) vulnerability in the patron restriction type administration page of Koha Library Management System through 25.11 allows an authenticated remote attacker with administrator privileges to inject arbitrary web scripts via the restriction type label (display_text field)
π@cveNotify
Cross-Site Scripting (XSS) vulnerability in the patron restriction type administration page of Koha Library Management System through 25.11 allows an authenticated remote attacker with administrator privileges to inject arbitrary web scripts via the restriction type label (display_text field)
π@cveNotify
Kalamazoo Optimist Hockey Association
Home
π¨ CVE-2026-50766
A stored cross-site scripting (XSS) vulnerability in the OPAC item detail page of Koha Library Management System through 25.11 allows an authenticated remote attacker with edit_items permission to inject arbitrary web scripts via the item public notes field (items.itemnotes).
π@cveNotify
A stored cross-site scripting (XSS) vulnerability in the OPAC item detail page of Koha Library Management System through 25.11 allows an authenticated remote attacker with edit_items permission to inject arbitrary web scripts via the item public notes field (items.itemnotes).
π@cveNotify
Kalamazoo Optimist Hockey Association
Home
π¨ CVE-2026-50767
A stored cross-site scripting (XSS) vulnerability in the item type administration page of Koha Library Management System through 25.11 allows an authenticated remote attacker with administrator privileges to inject arbitrary web scripts via the item type check-in message field (checkinmsg)
π@cveNotify
A stored cross-site scripting (XSS) vulnerability in the item type administration page of Koha Library Management System through 25.11 allows an authenticated remote attacker with administrator privileges to inject arbitrary web scripts via the item type check-in message field (checkinmsg)
π@cveNotify
Kalamazoo Optimist Hockey Association
Home