Threat Intelligence Feed

CVE-2026-40199 Net::CIDR::Lite versions before 0.23 for Perl mishandles IPv4 mapped IPv6 addresses, which may allow IP ACL bypass. _pa CVE-2026-40198 Net::CIDR::Lite versions before 0.23 for Perl does not validate IPv6 group count, which may allow IP ACL bypass. _pack_ CVE-2026-33119 User interface (ui) misrepresentation of critical information in Microsoft Edge (Chromium-based) allows an unauthorized CVE-2026-33118 Microsoft Edge (Chromium-based) Spoofing Vulnerability CVE-2026-5724 The frontend gRPC server's streaming interceptor chain did not include the authorization interceptor. When a ClaimMapper CVE-2026-40252 FastGPT is an AI Agent building platform. Prior to 4.14.10.4, Broken Access Control vulnerability (IDOR/BOLA) allows any CVE-2026-40242 Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.17.3, the /api/template CVE-2026-40194 phpseclib is a PHP secure communications library. Prior to 3.0.51, 2.0.53, and 1.0.28, phpseclib\Net\SSH2::get_binary_pa CVE-2026-40191 ClearanceKit intercepts file-system access events on macOS and enforces per-process access policies. Prior to 5.0.4-beta CVE-2026-40190 LangSmith Client SDKs provide SDK's for interacting with the LangSmith platform. Prior to 0.5.18, the LangSmith JavaScri CVE-2026-40189 goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.4, goshs enforces the documented per-folder .goshs ACL/ba CVE-2026-40188 goshs is a SimpleHTTPServer written in Go. From 1.0.7 to before 2.0.0-beta.4, the SFTP command rename sanitizes only the CVE-2026-40185 TREK is a collaborative travel planner. Prior to 2.7.2, TREK was missing authorization checks on the Immich trip photo m CVE-2026-40184 TREK is a collaborative travel planner. Prior to 2.7.2, TREK served uploaded photos without requiring authentication. Th CVE-2026-40180 Quarkus OpenAPI Generator is Quarkus' extensions for generation of Rest Clients and server stubs generation. Prior to 2. CVE-2026-40178 ajenti.plugin.core defines all necessary core elements to allow Ajenti to run properly. Prior to 0.112, if the 2FA was a CVE-2026-40177 ajenti.plugin.core defines all necessary core elements to allow Ajenti to run properly. Prior to 0.112, if the 2FA was a CVE-2026-40175 Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0, the Axios library is vulnerable to a CVE-2026-40168 Postiz is an AI social media scheduling tool. Prior to 2.21.5, the /api/public/stream endpoint is vulnerable to SSRF. Al CVE-2026-39922 GeoNode versions 4.0 before 4.4.5 and 5.0 before 5.0.2 contain a server-side request forgery vulnerability in the servic CVE-2026-39921 GeoNode versions 4.0 before 4.4.5 and 5.0 before 5.0.2 contain a server-side request forgery vulnerability that allows a CVE-2026-32252 Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create c CVE-2026-30232 Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create c CVE-2026-3446 When calling base64.b64decode() or related functions the decoding process would stop after encountering the first padded CVE-2026-33737 Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, multiple files use simplexml_load_string() CVE-2026-33736 Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, any authenticated user (including ROLE_STUDENT) can en CVE-2026-33710 Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, REST API keys are generated using md5(time CVE-2026-33708 Chamilo LMS is a learning management system. Prior to 1.11.38, the get_user_info_from_username REST API endpoint returns CVE-2026-33707 Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, the default password reset mechanism gener CVE-2026-33706 Chamilo LMS is a learning management system. Prior to 1.11.38, any authenticated user with a REST API key can modify the CVE-2026-33705 Chamilo LMS is a learning management system. Prior to 1.11.38, Twig template files (.tpl) under /main/template/default/ CVE-2026-33704 Chamilo LMS is a learning management system. Prior to 1.11.38, any authenticated user (including students) can write arb CVE-2026-33703 Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerabili CVE-2026-33702 Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains an Insecure Direct Ob CVE-2026-33698 Chamilo LMS is a learning management system. Prior to 1.11.38, a chained attack can enable otherwise-blocked PHP code fr CVE-2026-33618 Chamilo LMS is a learning management system. Prior to .0.0-RC.3, the PlatformConfigurationController::decodeSettingArray CVE-2026-27460 Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.5, a c CVE-2026-5483 A flaw was found in odh-dashboard in Red Hat Openshift AI. This vulnerability in the `odh-dashboard` component of Red Ha CVE-2026-40163 Saltcorn is an extensible, open source, no-code database application builder. Prior to 1.4.5, 1.5.5, and 1.6.0-beta.4, t CVE-2026-40162 Bugsink is a self-hosted error tracking tool. In 2.1.0, an authenticated file write vulnerability was identified in Bugs CVE-2026-40199 Net::CIDR::Lite versions before 0.23 for Perl mishandles IPv4 mapped IPv6 addresses, which may allow IP ACL bypass. _pa CVE-2026-40198 Net::CIDR::Lite versions before 0.23 for Perl does not validate IPv6 group count, which may allow IP ACL bypass. _pack_ CVE-2026-33119 User interface (ui) misrepresentation of critical information in Microsoft Edge (Chromium-based) allows an unauthorized CVE-2026-33118 Microsoft Edge (Chromium-based) Spoofing Vulnerability CVE-2026-5724 The frontend gRPC server's streaming interceptor chain did not include the authorization interceptor. When a ClaimMapper CVE-2026-40252 FastGPT is an AI Agent building platform. Prior to 4.14.10.4, Broken Access Control vulnerability (IDOR/BOLA) allows any CVE-2026-40242 Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.17.3, the /api/template CVE-2026-40194 phpseclib is a PHP secure communications library. Prior to 3.0.51, 2.0.53, and 1.0.28, phpseclib\Net\SSH2::get_binary_pa CVE-2026-40191 ClearanceKit intercepts file-system access events on macOS and enforces per-process access policies. Prior to 5.0.4-beta CVE-2026-40190 LangSmith Client SDKs provide SDK's for interacting with the LangSmith platform. Prior to 0.5.18, the LangSmith JavaScri CVE-2026-40189 goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.4, goshs enforces the documented per-folder .goshs ACL/ba CVE-2026-40188 goshs is a SimpleHTTPServer written in Go. From 1.0.7 to before 2.0.0-beta.4, the SFTP command rename sanitizes only the CVE-2026-40185 TREK is a collaborative travel planner. Prior to 2.7.2, TREK was missing authorization checks on the Immich trip photo m CVE-2026-40184 TREK is a collaborative travel planner. Prior to 2.7.2, TREK served uploaded photos without requiring authentication. Th CVE-2026-40180 Quarkus OpenAPI Generator is Quarkus' extensions for generation of Rest Clients and server stubs generation. Prior to 2. CVE-2026-40178 ajenti.plugin.core defines all necessary core elements to allow Ajenti to run properly. Prior to 0.112, if the 2FA was a CVE-2026-40177 ajenti.plugin.core defines all necessary core elements to allow Ajenti to run properly. Prior to 0.112, if the 2FA was a CVE-2026-40175 Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0, the Axios library is vulnerable to a CVE-2026-40168 Postiz is an AI social media scheduling tool. Prior to 2.21.5, the /api/public/stream endpoint is vulnerable to SSRF. Al CVE-2026-39922 GeoNode versions 4.0 before 4.4.5 and 5.0 before 5.0.2 contain a server-side request forgery vulnerability in the servic CVE-2026-39921 GeoNode versions 4.0 before 4.4.5 and 5.0 before 5.0.2 contain a server-side request forgery vulnerability that allows a CVE-2026-32252 Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create c CVE-2026-30232 Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create c CVE-2026-3446 When calling base64.b64decode() or related functions the decoding process would stop after encountering the first padded CVE-2026-33737 Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, multiple files use simplexml_load_string() CVE-2026-33736 Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, any authenticated user (including ROLE_STUDENT) can en CVE-2026-33710 Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, REST API keys are generated using md5(time CVE-2026-33708 Chamilo LMS is a learning management system. Prior to 1.11.38, the get_user_info_from_username REST API endpoint returns CVE-2026-33707 Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, the default password reset mechanism gener CVE-2026-33706 Chamilo LMS is a learning management system. Prior to 1.11.38, any authenticated user with a REST API key can modify the CVE-2026-33705 Chamilo LMS is a learning management system. Prior to 1.11.38, Twig template files (.tpl) under /main/template/default/ CVE-2026-33704 Chamilo LMS is a learning management system. Prior to 1.11.38, any authenticated user (including students) can write arb CVE-2026-33703 Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerabili CVE-2026-33702 Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains an Insecure Direct Ob CVE-2026-33698 Chamilo LMS is a learning management system. Prior to 1.11.38, a chained attack can enable otherwise-blocked PHP code fr CVE-2026-33618 Chamilo LMS is a learning management system. Prior to .0.0-RC.3, the PlatformConfigurationController::decodeSettingArray CVE-2026-27460 Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.5, a c CVE-2026-5483 A flaw was found in odh-dashboard in Red Hat Openshift AI. This vulnerability in the `odh-dashboard` component of Red Ha CVE-2026-40163 Saltcorn is an extensible, open source, no-code database application builder. Prior to 1.4.5, 1.5.5, and 1.6.0-beta.4, t CVE-2026-40162 Bugsink is a self-hosted error tracking tool. In 2.1.0, an authenticated file write vulnerability was identified in Bugs