Vulnerabilities
Aggregated CVE / GHSA / KEV / OSV — filter by tag and category.
| ID | Title | |
|---|---|---|
| CVE-2026-45013 |
|
Vulnerability in apostrophe (CVE-2026-45013)
vulnerability in apostrophe (CVE-2026-45013). Confidential information can be exposed externally. Exploitable via `POST /api/v1/login/reset-request`.
|
| CVE-2026-45012 |
|
SSRF (Server-Side Request Forgery) in apostrophe (CVE-2026-45012)
SSRF in apostrophe (CVE-2026-45012). Confidential information can be exposed externally. Exploitable via `POST /api/v1/`.
|
| CVE-2026-44990 |
|
Cross-Site Scripting (XSS) in sanitize-html (CVE-2026-44990)
cross-site scripting in sanitize-html (CVE-2026-44990). Confidential information can be exposed externally. Exploitable via ``xmp``. Mitigation: upgrade to `2.17.4` or later.
|
| CVE-2026-44520 |
|
Open Redirect in docling-graph (CVE-2026-44520)
vulnerability in docling-graph (CVE-2026-44520). Confidential information can be exposed externally. Exploitable via ``URLInputHandler``. Mitigation: upgrade to `1.5.1` or later.
|
| CVE-2026-42598 |
|
Path Traversal in c (CVE-2026-42598)
path traversal in c (CVE-2026-42598). Risk of unauthorized operations or information disclosure. Mitigation: upgrade to `2.13.0` or later.
|
| CVE-2026-42572 |
|
Vulnerability in github.com/hatchet-dev/hatchet (CVE-2026-42572)
vulnerability in github.com/hatchet-dev/hatchet (CVE-2026-42572). Confidential information can be exposed externally. Exploitable via `GET /api/v1/stable/dags/tasks`. Mitigation: upgrade to `0.83.39` or later.
|
| CVE-2026-44348 |
|
Vulnerability in c (CVE-2026-44348)
vulnerability in c (CVE-2026-44348). Risk of unauthorized operations or information disclosure. Mitigation: upgrade to `1.0.4` or later.
|
| CVE-2026-44511 |
|
Vulnerability in katalyst-koi (CVE-2026-44511)
vulnerability in katalyst-koi (CVE-2026-44511). Confidential information can be exposed externally. Mitigation: upgrade to `5.6.0` or later.
|
| CVE-2026-42555 |
|
Code Injection in com.ritense.valtimo:document (CVE-2026-42555)
code injection in com.ritense.valtimo:document (CVE-2026-42555). Successful exploitation can lead to full system takeover. Exploitable via `POST /api/management/v1/document-definition/migrate`. Mitigation: upgrade to `12.32.0` or later.
|
| CVE-2026-44899 |
|
Cross-Site Scripting (XSS) in mistune (CVE-2026-44899)
cross-site scripting in mistune (CVE-2026-44899). Risk of unauthorized operations or information disclosure. Exploitable via ``outline``. Mitigation: upgrade to `3.2.1` or later.
|
| CVE-2026-44898 |
|
Cross-Site Scripting (XSS) in mistune (CVE-2026-44898)
cross-site scripting in mistune (CVE-2026-44898). Risk of unauthorized operations or information disclosure. Exploitable via ``text``. Mitigation: upgrade to `3.2.1` or later.
|
| CVE-2026-45292 |
|
Vulnerability in io.opentelemetry:opentelemetry-api (CVE-2026-45292)
vulnerability in io.opentelemetry:opentelemetry-api (CVE-2026-45292). Risk of unauthorized operations or information disclosure. Exploitable via ``W3CBaggagePropagator``. Mitigation: upgrade to `1.62.0` or later.
|
| CVE-2026-44501 |
|
Unsafe Deserialization in react (CVE-2026-44501)
vulnerability in react (CVE-2026-44501). Risk of unauthorized operations or information disclosure. Exploitable via `GET /callback/oidc`. Mitigation: upgrade to `1.5.0.3` or later.
|
| CVE-2026-44503 |
|
Open Redirect in com.microsoft.kiota:microsoft-kiota-abstractions (CVE-2026-44503)
vulnerability in com.microsoft.kiota:microsoft-kiota-abstractions (CVE-2026-44503). Risk of unauthorized operations or information disclosure. Exploitable via `Authorization header`. Mitigation: upgrade to `1.9.1` or later.
|
| CVE-2026-42594 |
|
Vulnerability in github.com/gotenberg/gotenberg/v8 (CVE-2026-42594)
vulnerability in github.com/gotenberg/gotenberg/v8 (CVE-2026-42594). Risk of unauthorized operations or information disclosure. Exploitable via `GET /version`. Mitigation: upgrade to `8.32.0` or later.
|
| CVE-2026-42853 |
|
OS Command Injection in @apostrophecms/cli (CVE-2026-42853)
OS command injection in @apostrophecms/cli (CVE-2026-42853). Successful exploitation can lead to full system takeover.
|
| CVE-2026-41937 |
|
Vulnerability in CVE-2026-41937 (CVE-2026-41937)
vulnerability in CVE-2026-41937 (CVE-2026-41937). Successful exploitation can lead to full system takeover.
|
| CVE-2026-41935 |
|
Vulnerability in dos (CVE-2026-41935)
vulnerability in dos (CVE-2026-41935). Risk of unauthorized operations or information disclosure.
|
| CVE-2026-1630 |
|
Cross-Site Scripting (XSS) in CVE-2026-1630 (CVE-2026-1630)
cross-site scripting in CVE-2026-1630 (CVE-2026-1630). Risk of unauthorized operations or information disclosure.
|
| CVE-2026-44482 |
|
Vulnerability in CVE-2026-44482 (CVE-2026-44482)
vulnerability in CVE-2026-44482 (CVE-2026-44482). Successful exploitation can lead to full system takeover. Mitigation: upgrade to `0.1.8` or later.
|
| CVE-2026-44371 |
|
Cross-Site Scripting (XSS) in CVE-2026-44371 (CVE-2026-44371)
cross-site scripting in CVE-2026-44371 (CVE-2026-44371). Risk of unauthorized operations or information disclosure. Mitigation: upgrade to `4.0.11` or later.
|
| CVE-2026-46442 |
|
Code Injection in flowise (CVE-2026-46442)
code injection in flowise (CVE-2026-46442). Successful exploitation can lead to full system takeover. Exploitable via `POST /api/v1/node-custom-function`. Mitigation: upgrade to `3.1.2` or later.
|
| CVE-2026-4031 |
|
Vulnerability in wordpress (CVE-2026-4031)
vulnerability in wordpress (CVE-2026-4031). Confidential information can be exposed externally.
|
| CVE-2026-22707 |
|
Unrestricted File Upload in @strapi/upload (CVE-2026-22707)
vulnerability in @strapi/upload (CVE-2026-22707). Risk of unauthorized operations or information disclosure. Exploitable via `POST /api/upload`. Mitigation: upgrade to `5.33.3` or later.
|
| CVE-2026-7377 |
|
Cross-Site Scripting (XSS) in gitlab (CVE-2026-7377)
cross-site scripting in gitlab (CVE-2026-7377). Confidential information can be exposed externally. Mitigation: upgrade to `18.9.7, 18.10.6, 18.11.3` or later.
|
| CVE-2026-7481 |
|
Cross-Site Scripting (XSS) in gitlab (CVE-2026-7481)
cross-site scripting in gitlab (CVE-2026-7481). Confidential information can be exposed externally. Mitigation: upgrade to `18.9.7, 18.10.6, 18.11.3` or later.
|
| CVE-2026-6073 |
|
Cross-Site Scripting (XSS) in gitlab (CVE-2026-6073)
cross-site scripting in gitlab (CVE-2026-6073). Confidential information can be exposed externally. Mitigation: upgrade to `18.9.7, 18.10.6, 18.11.3` or later.
|
| CVE-2025-12669 |
|
Code Injection in gitlab (CVE-2025-12669)
code injection in gitlab (CVE-2025-12669). Risk of unauthorized operations or information disclosure. Mitigation: upgrade to `18.9.7, 18.10.6, 18.11.3` or later.
|
| CVE-2026-5361 |
|
Cross-Site Scripting (XSS) in wordpress (CVE-2026-5361)
cross-site scripting in wordpress (CVE-2026-5361). Risk of unauthorized operations or information disclosure.
|
| CVE-2026-46419 |
|
Vulnerability in CVE-2026-46419 (CVE-2026-46419)
vulnerability in CVE-2026-46419 (CVE-2026-46419). Successful exploitation can lead to full system takeover.
|
| CVE-2026-44471 |
|
Vulnerability in gix-fs (CVE-2026-44471)
vulnerability in gix-fs (CVE-2026-44471). Successful exploitation can lead to full system takeover. Exploitable via ``payload``. Mitigation: upgrade to `0.21.1` or later.
|
| CVE-2026-44369 |
|
Vulnerability in CVE-2026-44369 (CVE-2026-44369)
vulnerability in CVE-2026-44369 (CVE-2026-44369). Risk of unauthorized operations or information disclosure. Mitigation: upgrade to `2.64.0` or later.
|
| CVE-2026-44194 |
|
OS Command Injection in opnsense (CVE-2026-44194)
OS command injection in opnsense (CVE-2026-44194). Successful exploitation can lead to full system takeover. Mitigation: upgrade to `26.1.8` or later.
|
| CVE-2026-45228 |
|
Cross-Site Scripting (XSS) in vue (CVE-2026-45228)
cross-site scripting in vue (CVE-2026-45228). Risk of unauthorized operations or information disclosure. Exploitable via `POST /update`.
|
| CVE-2025-27852 |
|
Cross-Site Scripting (XSS) in garmin (CVE-2025-27852)
cross-site scripting in garmin (CVE-2025-27852). Risk of unauthorized operations or information disclosure.
|
| CVE-2026-45708 |
|
Code Injection in CVE-2026-45708 (CVE-2026-45708)
code injection in CVE-2026-45708 (CVE-2026-45708). Successful exploitation can lead to full system takeover. Mitigation: upgrade to `6.7.3` or later.
|
| CVE-2026-45055 |
|
Vulnerability in CVE-2026-45055 (CVE-2026-45055)
vulnerability in CVE-2026-45055 (CVE-2026-45055). Confidential information can be exposed externally. Exploitable via `POST /index.php`. Mitigation: upgrade to `6.7.2` or later.
|
| CVE-2026-45054 |
|
SQL Injection in CVE-2026-45054 (CVE-2026-45054)
SQL injection in CVE-2026-45054 (CVE-2026-45054). Confidential information can be exposed externally. Mitigation: upgrade to `6.7.0` or later.
|
| CVE-2026-45053 |
|
Unrestricted File Upload in CVE-2026-45053 (CVE-2026-45053)
vulnerability in CVE-2026-45053 (CVE-2026-45053). Successful exploitation can lead to full system takeover. Exploitable via `POST /api/v1/files`. Mitigation: upgrade to `6.7.0` or later.
|
| CVE-2026-44377 |
|
Code Injection in CVE-2026-44377 (CVE-2026-44377)
code injection in CVE-2026-44377 (CVE-2026-44377). Successful exploitation can lead to full system takeover. Mitigation: upgrade to `6.7.0` or later.
|
| CVE-2026-44376 |
|
Cross-Site Scripting (XSS) in CVE-2026-44376 (CVE-2026-44376)
cross-site scripting in CVE-2026-44376 (CVE-2026-44376). Risk of unauthorized operations or information disclosure. Mitigation: upgrade to `6.7.0` or later.
|
| CVE-2026-42561 |
|
Vulnerability in python-multipart (CVE-2026-42561)
vulnerability in python-multipart (CVE-2026-42561). Risk of unauthorized operations or information disclosure. Exploitable via ``MultipartParser``. Mitigation: upgrade to `0.0.27` or later.
|
| CVE-2026-42304 |
|
Vulnerability in Twisted (CVE-2026-42304)
vulnerability in Twisted (CVE-2026-42304). Risk of unauthorized operations or information disclosure. Mitigation: upgrade to `26.4.0rc2` or later.
|
| CVE-2026-39428 |
|
Cross-Site Scripting (XSS) in CVE-2026-39428 (CVE-2026-39428)
cross-site scripting in CVE-2026-39428 (CVE-2026-39428). Risk of unauthorized operations or information disclosure. Mitigation: upgrade to `6.6.0` or later.
|
| CVE-2026-42552 |
|
Vulnerability in flightphp/core (CVE-2026-42552)
vulnerability in flightphp/core (CVE-2026-42552). Confidential information can be exposed externally. Exploitable via ``flight.debug``. Mitigation: upgrade to `3.18.1` or later.
|
| CVE-2026-42551 |
|
Vulnerability in flightphp/core (CVE-2026-42551)
vulnerability in flightphp/core (CVE-2026-42551). Data can be tampered with by attackers. Exploitable via `GET /item/42`. Mitigation: upgrade to `3.18.1` or later.
|
| CVE-2026-42550 |
|
SQL Injection in flightphp/core (CVE-2026-42550)
SQL injection in flightphp/core (CVE-2026-42550). Successful exploitation can lead to full system takeover. Exploitable via ``UPDATE``. Mitigation: upgrade to `3.18.1` or later.
|
| CVE-2026-42548 |
|
Cross-Site Scripting (XSS) in flightphp/core (CVE-2026-42548)
cross-site scripting in flightphp/core (CVE-2026-42548). Risk of unauthorized operations or information disclosure. Exploitable via `GET /api`. Mitigation: upgrade to `3.18.1` or later.
|
| CVE-2026-42549 |
|
Path Traversal in flightphp/core (CVE-2026-42549)
path traversal in flightphp/core (CVE-2026-42549). Risk of unauthorized operations or information disclosure. Exploitable via ``b8dd23a``. Mitigation: upgrade to `3.18.1` or later.
|
| CVE-2026-8496 |
|
Vulnerability in CVE-2026-8496 (CVE-2026-8496)
vulnerability in CVE-2026-8496 (CVE-2026-8496). Risk of unauthorized operations or information disclosure.
|