🚨 CVE-2026-58167
Nightingale (n9e) before 9.0.0-beta.2 exposes full datasource configurations, including plaintext database passwords, HTTP bearer tokens, HTTP basic-auth passwords, and mTLS client keys, to any authenticated low-privilege (Standard role) user through POST /api/n9e/datasource/list. The route is registered without an admin authorization gate, unlike the sibling datasource mutation routes, and the open-source DatasourceFilter does not redact secret fields, so the secret-bearing settings, http, and auth objects are serialized in the response. The disclosed credentials enable access to the connected downstream systems.
🎖@cveNotify
Nightingale (n9e) before 9.0.0-beta.2 exposes full datasource configurations, including plaintext database passwords, HTTP bearer tokens, HTTP basic-auth passwords, and mTLS client keys, to any authenticated low-privilege (Standard role) user through POST /api/n9e/datasource/list. The route is registered without an admin authorization gate, unlike the sibling datasource mutation routes, and the open-source DatasourceFilter does not redact secret fields, so the secret-bearing settings, http, and auth objects are serialized in the response. The disclosed credentials enable access to the connected downstream systems.
🎖@cveNotify
GitHub
fix: redact datasource secrets for non-admin users (#3175) · ccfos/nightingale@762819f
Nightingale is to monitoring and alerting what Grafana is to visualization. - fix: redact datasource secrets for non-admin users (#3175) · ccfos/nightingale@762819f
🚨 CVE-2026-58373
CVAT before 2.69.0 contains an improper authorization vulnerability in QualityReportViewSet.get_queryset that allows authenticated attackers to enumerate quality report identifiers belonging to other organizations by exploiting a missing check_object_permissions call on the parent_id query parameter of the quality reports API endpoint. Attackers can send requests with sequential integer parent_id values and distinguish between existing and non-existing reports via HTTP 500 versus HTTP 404 response differences, disclosing cross-organization report existence without returning report content.
🎖@cveNotify
CVAT before 2.69.0 contains an improper authorization vulnerability in QualityReportViewSet.get_queryset that allows authenticated attackers to enumerate quality report identifiers belonging to other organizations by exploiting a missing check_object_permissions call on the parent_id query parameter of the quality reports API endpoint. Attackers can send requests with sequential integer parent_id values and distinguish between existing and non-existing reports via HTTP 500 versus HTTP 404 response differences, disclosing cross-organization report existence without returning report content.
🎖@cveNotify
GitHub
Fix handling of `GET /api/quality/reports` with inaccessible `parent_… · cvat-ai/cvat@27953f1
…id`s (#10807)
Currently this either returns 200 and an empty list (if the parent
quality report is in an accessible organization or a personal
workspace), or 500 (if the parent is in an inaccessi...
Currently this either returns 200 and an empty list (if the parent
quality report is in an accessible organization or a personal
workspace), or 500 (if the parent is in an inaccessi...
🚨 CVE-2026-58376
Dolibarr through 23.0.3, fixed in commit 14db36e, contains a sql injection vulnerability that allows authenticated API users to exfiltrate arbitrary database contents by supplying malicious values to the sqlfilters query parameter in the setup dictionary and multicurrencies REST API endpoints. The affected endpoints in api_setup.class.php and api_multicurrencies.class.php validate sqlfilters only for balanced parentheses and rewrite matched triplets, allowing text placed outside the expected shape such as an appended UNION SELECT to be concatenated into the SQL WHERE clause unmodified, enabling retrieval of sensitive data including password hashes and API keys.
🎖@cveNotify
Dolibarr through 23.0.3, fixed in commit 14db36e, contains a sql injection vulnerability that allows authenticated API users to exfiltrate arbitrary database contents by supplying malicious values to the sqlfilters query parameter in the setup dictionary and multicurrencies REST API endpoints. The affected endpoints in api_setup.class.php and api_multicurrencies.class.php validate sqlfilters only for balanced parentheses and rewrite matched triplets, allowing text placed outside the expected shape such as an appended UNION SELECT to be concatenated into the SQL WHERE clause unmodified, enabling retrieval of sensitive data including password hashes and API keys.
🎖@cveNotify
GitHub
Fix sql injection in sqlfilters API param - reported by sangkilp (#38… · Dolibarr/dolibarr@14db36e
…794)
Switch four list endpoints that still used the legacy DolibarrApi::_checkFilters
+ bare preg_replace_callback path to the hardened forgeSQLFromUniversalSearchCriteria()
already used by the r...
Switch four list endpoints that still used the legacy DolibarrApi::_checkFilters
+ bare preg_replace_callback path to the hardened forgeSQLFromUniversalSearchCriteria()
already used by the r...
🚨 CVE-2026-11546
IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.7 is affected by a server-side request forgery vulnerability with the adminCenter-1.0 feature enabled.
🎖@cveNotify
IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.7 is affected by a server-side request forgery vulnerability with the adminCenter-1.0 feature enabled.
🎖@cveNotify
Ibm
Security Bulletin: IBM WebSphere Application Server Liberty is affected by a server-side request forgery vulnerability (CVE-2026…
IBM WebSphere Application Server Liberty is affected by a server-side request forgery vulnerability with the adminCenter-1.0 feature enabled.
🚨 CVE-2026-11595
IBM WebSphere Application Server 9.0, and 8.5 could allow a remote attacker to obtain sensitive information from the administrative console's integrated help system.
🎖@cveNotify
IBM WebSphere Application Server 9.0, and 8.5 could allow a remote attacker to obtain sensitive information from the administrative console's integrated help system.
🎖@cveNotify
Ibm
Security Bulletin: IBM WebSphere Application Server is affected by multiple vulnerabilities (CVE-2026-11712, CVE-2026-11595, CVE…
IBM WebSphere Application Server is affected by cross-sight scripting and path traversal vulnerabilities.
🚨 CVE-2026-11708
IBM WebSphere Application Server 9.0, and 8.5 is affected by a cross-site scripting vulnerability in the administrative console's integrated help system.
🎖@cveNotify
IBM WebSphere Application Server 9.0, and 8.5 is affected by a cross-site scripting vulnerability in the administrative console's integrated help system.
🎖@cveNotify
Ibm
Security Bulletin: IBM WebSphere Application Server is affected by multiple vulnerabilities (CVE-2026-11712, CVE-2026-11595, CVE…
IBM WebSphere Application Server is affected by cross-sight scripting and path traversal vulnerabilities.
🚨 CVE-2026-11712
IBM WebSphere Application Server 9.0, and 8.5 is affected by a cross-site scripting vulnerability in the administrative console help system.
🎖@cveNotify
IBM WebSphere Application Server 9.0, and 8.5 is affected by a cross-site scripting vulnerability in the administrative console help system.
🎖@cveNotify
Ibm
Security Bulletin: IBM WebSphere Application Server is affected by multiple vulnerabilities (CVE-2026-11712, CVE-2026-11595, CVE…
IBM WebSphere Application Server is affected by cross-sight scripting and path traversal vulnerabilities.
🚨 CVE-2026-11714
IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.7 is affected by a server-side request forgery vulnerability with the apiDiscovery-1.0 feature enabled.
🎖@cveNotify
IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.7 is affected by a server-side request forgery vulnerability with the apiDiscovery-1.0 feature enabled.
🎖@cveNotify
Ibm
Security Bulletin: IBM WebSphere Application Server Liberty is affected by an authorization bypass vulnerability (CVE-2026-11714)
IBM WebSphere Application Server Liberty is affected by an authorization bypass vulnerability with the apiDiscovery-1.0 feature enabled.
🚨 CVE-2026-11806
IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.6 is affected by an arbitrary file read vulnerability with the restConnector-2.0 feature enabled.
🎖@cveNotify
IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.6 is affected by an arbitrary file read vulnerability with the restConnector-2.0 feature enabled.
🎖@cveNotify
Ibm
Security Bulletin: IBM WebSphere Application Server Liberty is affected by a an arbitrary file read vulnerability (CVE-2026-11806)
IBM WebSphere Application Server Liberty is affected by an arbitrary file read vulnerability with the restConnector-2.0 feature enabled.
🚨 CVE-2026-3602
IBM App Connect Enterprise 13.0.1.0 through 13.0.7.2, and 12.0.1.0 through 12.0.12.26 and IBM Integration Bus for z/OS 10.1.0.0 through 10.1.0.7 is vulnerable to SQL injection. A remote attacker could socially engineer a user into accidentally creating files they may not be aware of.
🎖@cveNotify
IBM App Connect Enterprise 13.0.1.0 through 13.0.7.2, and 12.0.1.0 through 12.0.12.26 and IBM Integration Bus for z/OS 10.1.0.0 through 10.1.0.7 is vulnerable to SQL injection. A remote attacker could socially engineer a user into accidentally creating files they may not be aware of.
🎖@cveNotify
Ibm
Security Bulletin: IBM App Connect Enterprise and IBM Integration Bus for z/OS toolkit is vulnerable to an sql injection (CVE-2026…
IBM App Connect Enterprise and IBM Integration Bus for z/OS toolkit is vulnerable to an sql injection.
🚨 CVE-2026-7663
IBM Langflow OSS 1.0.0 through 1.9.6 could allow unauthenticated attackers to access protected MCP project resources and execute MCP operations due to improper authorization enforcement in the Streamable MCP transport endpoint.
🎖@cveNotify
IBM Langflow OSS 1.0.0 through 1.9.6 could allow unauthenticated attackers to access protected MCP project resources and execute MCP operations due to improper authorization enforcement in the Streamable MCP transport endpoint.
🎖@cveNotify
Ibm
Security Bulletin: Unauthenticated Cross-User MCP Resource Access and Tool Execution via Streamable Transport Authorization Bypass
An improper authorization vulnerability in Streamable MCP transport endpoint (/api/v1/mcp/project/{project_id}/streamable) allows unauthenticated attackers to bypass project ownership controls and execute Model Context Protocol (MCP) operations against OAuth…
🚨 CVE-2026-11594
IBM WebSphere Application Server 9.0, and 8.5 is affected by a cross-site scripting vulnerability in the administrative console.
🎖@cveNotify
IBM WebSphere Application Server 9.0, and 8.5 is affected by a cross-site scripting vulnerability in the administrative console.
🎖@cveNotify
Ibm
Security Bulletin: IBM WebSphere Application Server is affected by multiple cross-site scripting vulnerabilities (CVE-2026-11594…
IBM WebSphere Application Server is affected by multiple cross-site scripting vulnerabilities in the administrative console.
🚨 CVE-2026-11541
IBM WebSphere Application Server 9.0, and 8.5 and IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.6 are affected by an HTTP request smuggling vulnerability.
🎖@cveNotify
IBM WebSphere Application Server 9.0, and 8.5 and IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.6 are affected by an HTTP request smuggling vulnerability.
🎖@cveNotify
Ibm
Security Bulletin: IBM WebSphere Application Server and WebSphere Application Server Liberty are affected by HTTP request smuggling…
IBM WebSphere Application Server and WebSphere Application Server Liberty are affected by remote code execution and HTTP request smuggling.
🚨 CVE-2026-37106
An issue in DokuWiki 2025-05-14b "Librarian" 56.2 allows a remote attacker to create an account via the register function in inc/auth.php. NOTE: this is disputed by the Supplier because this is the intentional behavior when the product is configured for self-registration (a non-default feature).
🎖@cveNotify
An issue in DokuWiki 2025-05-14b "Librarian" 56.2 allows a remote attacker to create an account via the register function in inc/auth.php. NOTE: this is disputed by the Supplier because this is the intentional behavior when the product is configured for self-registration (a non-default feature).
🎖@cveNotify
Gist
CVE-2026-37106: DokuWiki Unauthorized User Registration Vulnerability
CVE-2026-37106: DokuWiki Unauthorized User Registration Vulnerability - cve-2026-37106.md
🚨 CVE-2026-58447
Invidious through 2.20260626.0, fixed in commit 77ad416, contains a broken object level authorization vulnerability that allows authenticated attackers to delete videos from other users' playlists by supplying an arbitrary global video index in the remove_video action of the playlist endpoint. Attackers can obtain per-video index values from the public playlist JSON API and submit them to the playlist video deletion endpoint without ownership validation, permanently removing videos from playlists they do not own.
🎖@cveNotify
Invidious through 2.20260626.0, fixed in commit 77ad416, contains a broken object level authorization vulnerability that allows authenticated attackers to delete videos from other users' playlists by supplying an arbitrary global video index in the remove_video action of the playlist endpoint. Attackers can obtain per-video index values from the public playlist JSON API and submit them to the playlist video deletion endpoint without ownership validation, permanently removing videos from playlists they do not own.
🎖@cveNotify
GitHub
fix: security issue playlist deletion cross user (#5790) · iv-org/invidious@77ad416
fixes #5777
🚨 CVE-2026-13986
Inappropriate implementation in Media UI in Google Chrome on ChromeOS prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
🎖@cveNotify
Inappropriate implementation in Media UI in Google Chrome on ChromeOS prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)
🎖@cveNotify
Chrome Releases
Stable Channel Update for Desktop
The Stable channel has been updated to 150.0.7871.46/.47 for Windows and Mac and 150.0.7871.46 for Linux, which will roll out over the comi...
🚨 CVE-2026-14062
Inappropriate implementation in Views in Google Chrome on ChromeOS prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to obtain potentially sensitive information from process memory via a crafted Chrome Extension. (Chromium security severity: Low)
🎖@cveNotify
Inappropriate implementation in Views in Google Chrome on ChromeOS prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to obtain potentially sensitive information from process memory via a crafted Chrome Extension. (Chromium security severity: Low)
🎖@cveNotify
Chrome Releases
Stable Channel Update for Desktop
The Stable channel has been updated to 150.0.7871.46/.47 for Windows and Mac and 150.0.7871.46 for Linux, which will roll out over the comi...
🚨 CVE-2026-54696
Ruby JSON is a JSON implementation for Ruby. Versions 2.9.0 through 2.19.8 are vulnerable to heap buffer overflow when the JSON generator is provided with an oversized streamed object. When streaming to an IO JSON.dump(obj, io) and JSON::State#generate(obj, io) can write past the internal JSON generator buffer when a streamed object contains an
attacker-controlled string near 16 KB. Exploitation would result in a reliable process crash/denial of service. This issue has been fixed in version 2.19.9.
🎖@cveNotify
Ruby JSON is a JSON implementation for Ruby. Versions 2.9.0 through 2.19.8 are vulnerable to heap buffer overflow when the JSON generator is provided with an oversized streamed object. When streaming to an IO JSON.dump(obj, io) and JSON::State#generate(obj, io) can write past the internal JSON generator buffer when a streamed object contains an
attacker-controlled string near 16 KB. Exploitation would result in a reliable process crash/denial of service. This issue has been fixed in version 2.19.9.
🎖@cveNotify
GitHub
Release v2.19.9 · ruby/json
Fix buffer overflow that could lead to a crash when writing JSON directly into an IO
with JSON.generate(object, io). [CVE-2026-54696].
Full Changelog: v2.19.8...v2.19.9
with JSON.generate(object, io). [CVE-2026-54696].
Full Changelog: v2.19.8...v2.19.9
🚨 CVE-2026-55223
c3p0 is a JDBC Connection pooling library. In versions prior to 0.14.0, c3p0 in combination with other libraries, can compose to a "sink" for deserialization gadgets. The JDBC spec's DataSource.getConnection() and ConnectionPoolDataSource.getPooledConnection() match the getXXX() form, so JavaBean libraries treat them as "properties" assumed safe while they actually call into JDBC drivers. Attackers can thus craft malicious DataSource objects whose property lookups invoke vulnerable drivers, then smuggle them in serialized form to where an application deserializes and auto-resolves bean properties — triggering the attack. This requires a susceptible DataSource/ConnectionPoolDataSource and JDBC driver on the CLASSPATH, plus a carrier that auto-looks-up JavaBean properties on = deserialization, most commonly a collection paired with an Apache commons-beanutils Comparator that sorts by bean properties. c3p0 supplied that susceptible DataSource/ConnectionPoolDataSource, which was an essential component of the trigger. This issue has been fixed in version 0.14.0.
🎖@cveNotify
c3p0 is a JDBC Connection pooling library. In versions prior to 0.14.0, c3p0 in combination with other libraries, can compose to a "sink" for deserialization gadgets. The JDBC spec's DataSource.getConnection() and ConnectionPoolDataSource.getPooledConnection() match the getXXX() form, so JavaBean libraries treat them as "properties" assumed safe while they actually call into JDBC drivers. Attackers can thus craft malicious DataSource objects whose property lookups invoke vulnerable drivers, then smuggle them in serialized form to where an application deserializes and auto-resolves bean properties — triggering the attack. This requires a susceptible DataSource/ConnectionPoolDataSource and JDBC driver on the CLASSPATH, plus a carrier that auto-looks-up JavaBean properties on = deserialization, most commonly a collection paired with an Apache commons-beanutils Comparator that sorts by bean properties. c3p0 supplied that susceptible DataSource/ConnectionPoolDataSource, which was an essential component of the trigger. This issue has been fixed in version 0.14.0.
🎖@cveNotify
GitHub
Generate BeanInfo classes for c3p0's DataSource and ConnectionPoolDat… · swaldman/c3p0@7b022c4
…aSource implemetations that forbid treating connection / pooledConnection as bean properties.
🚨 CVE-2026-56399
Open WebUI before 0.6.27 contains a server-side request forgery vulnerability in the /api/v1/retrieval/process/web endpoint that allows authenticated users to bypass SSRF protections. Attackers can manipulate URL parameters with location redirect headers to access internal services and potentially execute commands via instance secrets.
🎖@cveNotify
Open WebUI before 0.6.27 contains a server-side request forgery vulnerability in the /api/v1/retrieval/process/web endpoint that allows authenticated users to bypass SSRF protections. Attackers can manipulate URL parameters with location redirect headers to access internal services and potentially execute commands via instance secrets.
🎖@cveNotify
GitHub
feat/security: Add SSRF protection with configurable blocklist · open-webui/open-webui@02238d3
Co-Authored-By: Classic298 <27028174+Classic298@users.noreply.github.com>
🚨 CVE-2026-8387
A vulnerability in allegroai/clearml versions up to and including 1.16.5 allows for relative path traversal when extracting `.zip` archives using the `ZipFile.extractall()` method in `StorageManager._extract_to_cache()`. This issue arises due to the lack of path traversal validation, enabling an attacker to write arbitrary files to the filesystem. Attack vectors include dataset downloads, artifact downloads, model downloads, and offline session imports. The vulnerability can lead to remote code execution through methods such as cron job injection, SSH key overwrite, or web shell deployment. The issue is resolved in version 2.1.6.
🎖@cveNotify
A vulnerability in allegroai/clearml versions up to and including 1.16.5 allows for relative path traversal when extracting `.zip` archives using the `ZipFile.extractall()` method in `StorageManager._extract_to_cache()`. This issue arises due to the lack of path traversal validation, enabling an attacker to write arbitrary files to the filesystem. Attack vectors include dataset downloads, artifact downloads, model downloads, and offline session imports. The vulnerability can lead to remote code execution through methods such as cron job injection, SSH key overwrite, or web shell deployment. The issue is resolved in version 2.1.6.
🎖@cveNotify
GitHub
Merge pull request #1610 from spirit-technologies-oy/refactor/clearml… · clearml/clearml@4fd611c
…-storage-archive-update
Refactor/clearml storage archive update
Refactor/clearml storage archive update