🚨 CVE-2026-55884
Tilt defines dev environments as code for microservice apps on Kubernetes. From 0.20.8 through 0.37.3, the Tilt HUD HTTP server registers handlers on a gorilla/mux router with no authenticating middleware. When the HUD is bound to a non-loopback address, an unauthenticated network caller can trigger developer-defined resources, tamper with Tiltfile arguments, read full engine state including the session token, and invoke apiserver resources through the token-attaching /proxy handler. This issue is fixed in version 0.37.4.
🎖@cveNotify
Tilt defines dev environments as code for microservice apps on Kubernetes. From 0.20.8 through 0.37.3, the Tilt HUD HTTP server registers handlers on a gorilla/mux router with no authenticating middleware. When the HUD is bound to a non-loopback address, an unauthenticated network caller can trigger developer-defined resources, tamper with Tiltfile arguments, read full engine state including the session token, and invoke apiserver resources through the token-attaching /proxy handler. This issue is fixed in version 0.37.4.
🎖@cveNotify
GitHub
fix: secure mutating and sensitive requests to HUD server (#6776) · tilt-dev/tilt@47393fb
Discourage use of `--host` for anything other than the default.
Signed-off-by: Nick Sieger <nick@nicksieger.com>
Squashed commit of the following:
commit 6b6220c1f6ef0310ab7197f605...
Signed-off-by: Nick Sieger <nick@nicksieger.com>
Squashed commit of the following:
commit 6b6220c1f6ef0310ab7197f605...
🚨 CVE-2026-57584
Phalcon is a high-performance, full-stack PHP framework. Prior to 5.15.0, every Phalcon MVC application built with a default router registers a built-in route whose compiled PCRE pattern contains the nested quantifier (/.), and the same construct is produced by the /:params placeholder and the CLI router. Phalcon\Mvc\Router::handle() matches this pattern against the attacker-controlled request URI on every request, so a crafted path such as one containing repeated slashes followed by decoded newlines can trigger catastrophic backtracking and cause CPU exhaustion or route-matching failure. This issue is fixed in version 5.15.0.
🎖@cveNotify
Phalcon is a high-performance, full-stack PHP framework. Prior to 5.15.0, every Phalcon MVC application built with a default router registers a built-in route whose compiled PCRE pattern contains the nested quantifier (/.), and the same construct is produced by the /:params placeholder and the CLI router. Phalcon\Mvc\Router::handle() matches this pattern against the attacker-controlled request URI on every request, so a crafted path such as one containing repeated slashes followed by decoded newlines can trigger catastrophic backtracking and cause CPU exhaustion or route-matching failure. This issue is fixed in version 5.15.0.
🎖@cveNotify
GitHub
fixed catastrophic backtracking in the default router :params route · phalcon/cphalcon@14ba22d
The :params placeholder and the built-in default MVC/CLI routes compiled to the nested quantifier (/.*)*, whose overlapping body backtracks catastrophically when the trailing anchor cannot match. B...
🚨 CVE-2026-58503
Frappe is a full-stack web application framework. Prior to 16.16.0 and 15.106.0, user enumeration could be performed via the reset_password endpoint. This issue is fixed in versions 16.16.0 and 15.106.0.
🎖@cveNotify
Frappe is a full-stack web application framework. Prior to 16.16.0 and 15.106.0, user enumeration could be performed via the reset_password endpoint. This issue is fixed in versions 16.16.0 and 15.106.0.
🎖@cveNotify
GitHub
Merge pull request #38625 from frappe/mergify/bp/version-15-hotfix/pr… · frappe/frappe@1ff64d4
…-38588
fix: enhance password reset flow (backport #38588)
fix: enhance password reset flow (backport #38588)
🚨 CVE-2026-58587
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal Canvas allows Cross-Site Scripting (XSS). This issue affects Drupal Canvas versions: from 0.0.0 to 1.4.2, from 1.5.0 to 1.5.2, from 1.6.0 to 1.6.1, from 1.7.0 to 1.7.1.
🎖@cveNotify
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal Canvas allows Cross-Site Scripting (XSS). This issue affects Drupal Canvas versions: from 0.0.0 to 1.4.2, from 1.5.0 to 1.5.2, from 1.6.0 to 1.6.1, from 1.7.0 to 1.7.1.
🎖@cveNotify
Drupal.org
Drupal Canvas - Moderately critical - Improper validation - SA-CONTRIB-2026-065
The Canvas AI submodule allows you to upload image files via a custom API to use within the AI web chat. These file uploads are insufficiently validated before being written to Drupal's temporary directory. In some cases, this may lead to cross-site scripting…
🚨 CVE-2026-58588
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal Canvas allows Cross-Site Scripting (XSS). This issue affects Drupal Canvas versions: from 0.0.0 to 1.4.2, from 1.5.0 to 1.5.2, from 1.6.0 to 1.6.1, from 1.7.0 to 1.7.1.
🎖@cveNotify
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal Canvas allows Cross-Site Scripting (XSS). This issue affects Drupal Canvas versions: from 0.0.0 to 1.4.2, from 1.5.0 to 1.5.2, from 1.6.0 to 1.6.1, from 1.7.0 to 1.7.1.
🎖@cveNotify
Drupal.org
Drupal Canvas - Moderately critical - Improper validation - SA-CONTRIB-2026-066
The Canvas module allow you to upload image files via a custom API. The validation rules check the file extension of the uploaded file but not the file MIME type. This may allow a malicious user to upload a file that is not an image. Certain web-server configurations…
🚨 CVE-2026-58589
Missing Authorization vulnerability in Drupal FlowDrop allows Forceful Browsing. This issue affects FlowDrop versions: from 0.0.0 to 1.6.0.
🎖@cveNotify
Missing Authorization vulnerability in Drupal FlowDrop allows Forceful Browsing. This issue affects FlowDrop versions: from 0.0.0 to 1.6.0.
🎖@cveNotify
Drupal.org
FlowDrop - Moderately critical - Access bypass - SA-CONTRIB-2026-067
This module enables you to test and run AI-driven workflows interactively through a chat interface. The module doesn't sufficiently enforce permissions on certain endpoints. Attackers may be able to trigger workflow execution (incurring LLM spend and tool…
🚨 CVE-2026-58590
Missing Authorization vulnerability in Drupal FlowDrop allows Forceful Browsing. This issue affects FlowDrop versions: from 0.0.0 to 1.6.0.
🎖@cveNotify
Missing Authorization vulnerability in Drupal FlowDrop allows Forceful Browsing. This issue affects FlowDrop versions: from 0.0.0 to 1.6.0.
🎖@cveNotify
Drupal.org
FlowDrop - Moderately critical - Access bypass - SA-CONTRIB-2026-068
This module enables you to test and run AI-driven workflows interactively through a chat interface. The module doesn't sufficiently re-evaluate a human-in-the-loop approval gate where the workflow iterates more than once. This may result in execution of workflows…
🚨 CVE-2026-58591
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Colorbox allows Cross-Site Scripting (XSS). This issue affects Colorbox versions: from 0.0.0 to 2.1.5, from 0.0.0 to 2.2.0.
🎖@cveNotify
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Colorbox allows Cross-Site Scripting (XSS). This issue affects Colorbox versions: from 0.0.0 to 2.1.5, from 0.0.0 to 2.2.0.
🎖@cveNotify
Drupal.org
Colorbox - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-069
The Colorbox module integrates with the Colorbox JavaScript library to display content in an overlay above the page. The module doesn't sufficiently protect against injection of malicious JavaScript under certain scenarios. This vulnerability is mitigated…
🚨 CVE-2026-59155
Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. Prior to 2.2.5, the GET /api/v1/ddns and GET /api/v1/notification endpoints return full resource objects including plaintext third-party API credentials, including Cloudflare API tokens, TencentCloud SecretKeys, Slack, Discord, and Telegram webhook URLs with embedded bot tokens, and Authorization header values, without any field-level redaction. Any authenticated admin or PAT with nezha:ddns:read or nezha:notification:read scope can receive stored credentials through the listDDNS and listNotification handlers in a single API response. This issue is fixed in version 2.2.5.
🎖@cveNotify
Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. Prior to 2.2.5, the GET /api/v1/ddns and GET /api/v1/notification endpoints return full resource objects including plaintext third-party API credentials, including Cloudflare API tokens, TencentCloud SecretKeys, Slack, Discord, and Telegram webhook URLs with embedded bot tokens, and Authorization header values, without any field-level redaction. Any authenticated admin or PAT with nezha:ddns:read or nezha:notification:read scope can receive stored credentials through the listDDNS and listNotification handlers in a single API response. This issue is fixed in version 2.2.5.
🎖@cveNotify
GitHub
fix(api): redact third-party credentials in ddns/notification list · nezhahq/nezha@39d3980
GET /api/v1/ddns and /api/v1/notification returned full objects with
plaintext credentials (Cloudflare/TencentCloud secrets, webhook URLs
with embedded bot tokens, Authorization headers). Redact th...
plaintext credentials (Cloudflare/TencentCloud secrets, webhook URLs
with embedded bot tokens, Authorization headers). Redact th...
🚨 CVE-2026-31927
Anviz CX7 Firmware is vulnerable to an authenticated CSV upload which allows path traversal to overwrite arbitrary files (e.g., /etc/shadow), enabling unauthorized SSH access when combined with debug‑setting changes.
🎖@cveNotify
Anviz CX7 Firmware is vulnerable to an authenticated CSV upload which allows path traversal to overwrite arbitrary files (e.g., /etc/shadow), enabling unauthorized SSH access when combined with debug‑setting changes.
🎖@cveNotify
GitHub
CSAF/csaf_files/OT/white/2026/icsa-26-106-03.json at develop · cisagov/CSAF
CISA CSAF Security Advisories. Contribute to cisagov/CSAF development by creating an account on GitHub.
🚨 CVE-2026-40066
Anviz CX2 Lite and CX7 are vulnerable to unverified update packages that can be uploaded. The device unpacks and executes a script resulting in unauthenticated remote code execution.
🎖@cveNotify
Anviz CX2 Lite and CX7 are vulnerable to unverified update packages that can be uploaded. The device unpacks and executes a script resulting in unauthenticated remote code execution.
🎖@cveNotify
GitHub
CSAF/csaf_files/OT/white/2026/icsa-26-106-03.json at develop · cisagov/CSAF
CISA CSAF Security Advisories. Contribute to cisagov/CSAF development by creating an account on GitHub.
🚨 CVE-2026-11913
vulnerability in Drupal Mother May I allows . This issue affects Mother May I versions: *.*.
🎖@cveNotify
vulnerability in Drupal Mother May I allows . This issue affects Mother May I versions: *.*.
🎖@cveNotify
Drupal.org
Mother May I - Critical - Unsupported - SA-CONTRIB-2026-045
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner…
🚨 CVE-2026-11914
vulnerability in Drupal Composer allows . This issue affects Composer versions: *.*.
🎖@cveNotify
vulnerability in Drupal Composer allows . This issue affects Composer versions: *.*.
🎖@cveNotify
Drupal.org
Composer - Critical - Unsupported - SA-CONTRIB-2026-046
The security team is marking the Composer module for Drupal project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s…
🚨 CVE-2026-11915
vulnerability in Drupal Brute force attack protection allows . This issue affects Brute force attack protection versions: *.*.
🎖@cveNotify
vulnerability in Drupal Brute force attack protection allows . This issue affects Brute force attack protection versions: *.*.
🎖@cveNotify
Drupal.org
Brute force attack protection - Critical - Unsupported - SA-CONTRIB-2026-047
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner…
🚨 CVE-2026-14480
OpenPLC Runtime v3 contains an authenticated arbitrary file write
vulnerability in the legacy web UI program‑upload workflow. The
application stores an attacker‑supplied filename (prog_file) directly
into the Programs.File database field and later uses this value as the
destination path for an uploaded file without validating or restricting
the path. Because Python os.path.join() honors attacker‑controlled
absolute paths, an authenticated user can write arbitrary files anywhere
writable by the OpenPLC webserver process. In the default build
pipeline, all C++ source files within the OpenPLC runtime core directory
are automatically compiled into the executable runtime binary. By
writing a malicious .cpp file into this directory, an authenticated
attacker can escalate the arbitrary file write into arbitrary native
code execution when the operator triggers a normal program compilation
and runtime start.
🎖@cveNotify
OpenPLC Runtime v3 contains an authenticated arbitrary file write
vulnerability in the legacy web UI program‑upload workflow. The
application stores an attacker‑supplied filename (prog_file) directly
into the Programs.File database field and later uses this value as the
destination path for an uploaded file without validating or restricting
the path. Because Python os.path.join() honors attacker‑controlled
absolute paths, an authenticated user can write arbitrary files anywhere
writable by the OpenPLC webserver process. In the default build
pipeline, all C++ source files within the OpenPLC runtime core directory
are automatically compiled into the executable runtime binary. By
writing a malicious .cpp file into this directory, an authenticated
attacker can escalate the arbitrary file write into arbitrary native
code execution when the operator triggers a normal program compilation
and runtime start.
🎖@cveNotify
🚨 CVE-2026-15086
vulnerability in Drupal Raw Formatter [Meta Tag Formatter] allows . This issue affects Raw Formatter [Meta Tag Formatter] versions: *.*.
🎖@cveNotify
vulnerability in Drupal Raw Formatter [Meta Tag Formatter] allows . This issue affects Raw Formatter [Meta Tag Formatter] versions: *.*.
🎖@cveNotify
Drupal.org
Raw Formatter [Meta Tag Formatter] - Critical - Unsupported - SA-CONTRIB-2026-077
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner…
🚨 CVE-2026-15087
vulnerability in Drupal Clean RESTful allows . This issue affects Clean RESTful versions: *.*.
🎖@cveNotify
vulnerability in Drupal Clean RESTful allows . This issue affects Clean RESTful versions: *.*.
🎖@cveNotify
Drupal.org
Clean RESTful - Critical - Unsupported - SA-CONTRIB-2026-078
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner…
🚨 CVE-2026-15089
vulnerability in Drupal Commerce guest registration allows . This issue affects Commerce guest registration versions: *.*.
🎖@cveNotify
vulnerability in Drupal Commerce guest registration allows . This issue affects Commerce guest registration versions: *.*.
🎖@cveNotify
Drupal.org
Commerce guest registration - Critical - Unsupported - SA-CONTRIB-2026-079
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner…
🚨 CVE-2026-20744
The charging station websocket endpoint accepts connections without
proper authentication, which could lead to privilege escalation.
🎖@cveNotify
The charging station websocket endpoint accepts connections without
proper authentication, which could lead to privilege escalation.
🎖@cveNotify
GitHub
CSAF/csaf_files/OT/white/2026/icsa-26-188-01.json at develop · cisagov/CSAF
CISA CSAF Security Advisories. Contribute to cisagov/CSAF development by creating an account on GitHub.
🚨 CVE-2026-42952
Previously, there was no throttling on repeated authentication attempts
to the charging station backend, which could allow an attacker to
execute a denial-of-service attack.
🎖@cveNotify
Previously, there was no throttling on repeated authentication attempts
to the charging station backend, which could allow an attacker to
execute a denial-of-service attack.
🎖@cveNotify
GitHub
CSAF/csaf_files/OT/white/2026/icsa-26-188-01.json at develop · cisagov/CSAF
CISA CSAF Security Advisories. Contribute to cisagov/CSAF development by creating an account on GitHub.
🚨 CVE-2026-44383
Multiple connections to the backend using the same charging station ID
are allowed, which could allow an attacker to deploy multiple instances
of malicious OCPP clients to overwhelm the backend.
🎖@cveNotify
Multiple connections to the backend using the same charging station ID
are allowed, which could allow an attacker to deploy multiple instances
of malicious OCPP clients to overwhelm the backend.
🎖@cveNotify
GitHub
CSAF/csaf_files/OT/white/2026/icsa-26-188-01.json at develop · cisagov/CSAF
CISA CSAF Security Advisories. Contribute to cisagov/CSAF development by creating an account on GitHub.