Threat Intelligence Feed

Aggregating 4200 articles from trusted cybersecurity sources

LATEST CVEs
CVE-2026-5921 A server-side request forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an attacker t
CVE-2026-5845 An improper authorization vulnerability in scoped user-to-server (ghu_) token authorization in GitHub Enterprise Server
CVE-2026-5512 An improper authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated attacke
CVE-2026-4872 Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
CVE-2026-4821 An improper neutralization of special elements vulnerability was identified in GitHub Enterprise Server that allowed an
CVE-2026-4296 An incorrect regular expression vulnerability was identified in GitHub Enterprise Server that allowed an attacker to byp
CVE-2026-41063 WWBN AVideo is an open source video platform. In versions 29.0 and below, an incomplete XSS fix in AVideo's `ParsedownSa
CVE-2026-41062 WWBN AVideo is an open source video platform. In versions 29.0 and below, the directory traversal fix introduced in comm
CVE-2026-41061 WWBN AVideo is an open source video platform. In versions 29.0 and below, the `isValidDuration()` regex at `objects/vide
CVE-2026-41060 WWBN AVideo is an open source video platform. In versions 29.0 and below, the `isSSRFSafeURL()` function in `objects/fun
CVE-2026-41058 WWBN AVideo is an open source video platform. In versions 29.0 and below, the incomplete fix for AVideo's CloneSite `del
CVE-2026-41057 WWBN AVideo is an open source video platform. In versions 29.0 and below, the CORS origin validation fix in commit `986e
CVE-2026-41056 WWBN AVideo is an open source video platform. In versions 29.0 and below, the `allowOrigin($allowAll=true)` function in
CVE-2026-41055 WWBN AVideo is an open source video platform. In versions 29.0 and below, an incomplete SSRF fix in AVideo's LiveLinks p
CVE-2026-40935 WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/getCaptcha.php` accepts the CAPTCHA l
CVE-2026-40929 WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/commentDelete.json.php` is a state-mu
CVE-2026-40928 WWBN AVideo is an open source video platform. In versions 29.0 and prior, multiple AVideo JSON endpoints under `objects/
CVE-2026-40926 WWBN AVideo is an open source video platform. In versions 29.0 and prior, three admin-only JSON endpoints — `objects/cat
CVE-2026-3307 An authorization bypass vulnerability was identified in GitHub Enterprise Server that allowed an attacker with admin acc
CVE-2026-6832 Hermes WebUI contains an arbitrary file deletion vulnerability in the /api/session/delete endpoint that allows authentic
CVE-2026-6830 nesquena hermes-webui contains an environment variable leakage vulnerability where profile switching does not clear envi
CVE-2026-6829 nesquena hermes-webui contains a trust-boundary failure vulnerability that allows authenticated attackers to set or chan
CVE-2026-6799 A security flaw has been discovered in Comfast CF-N1-S 2.6.0.1. Affected by this issue is some unknown functionality of
CVE-2026-41527 KDE Kleopatra before 26.08.0 on Windows allows local users to obtain the privileges of a Kleopatra user, because there i
CVE-2026-40946 Oxia is a metadata store and coordination system. Prior to 0.16.2, the OIDC authentication provider unconditionally sets
CVE-2026-40945 Oxia is a metadata store and coordination system. Prior to 0.16.2, when OIDC authentication fails, the full bearer token
CVE-2026-40944 Oxia is a metadata store and coordination system. Prior to 0.16.2, the trustedCertPool() function in the TLS configurati
CVE-2026-40943 Oxia is a metadata store and coordination system. Prior to 0.16.2, a race condition between session heartbeat processing
CVE-2026-40942 The Data Sharing Framework (DSF) implements a distributed process engine based on the BPMN 2.0 and FHIR R4 standards. Pr
CVE-2026-40939 The Data Sharing Framework (DSF) implements a distributed process engine based on the BPMN 2.0 and FHIR R4 standards. Pr
CVE-2026-40933 Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, due to unsafe s
CVE-2026-40931 Compressing is a compressing and uncompressing lib for node. Prior to 2.1.1 and 1.10.5, the patch for CVE-2026-24884 rel
CVE-2026-40706 In NTFS-3G 2022.10.3 before 2026.2.25, a heap buffer overflow exists in ntfs_build_permissions_posix() in acls.c that al
CVE-2026-1354 Zero Motorcycles firmware versions 44 and prior enable an attacker to forcibly pair a device with the motorcycle via Bl
CVE-2026-6823 HKUDS OpenHarness prior to PR #147 remediation contains an insecure default configuration vulnerability where remote cha
CVE-2026-6797 A vulnerability was identified in Sanluan PublicCMS up to 6.202506.d. Affected by this vulnerability is the function Zip
CVE-2026-6796 A vulnerability was determined in Sanluan PublicCMS up to 6.202506.d. Affected is the function log_login of the file cor
CVE-2026-40938 Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. From 1.0.0 to before 1.11.0,
CVE-2026-40927 Docmost is open-source collaborative wiki and documentation software. Prior to 0.80.0, when leaving a comment on a page,
CVE-2026-40925 WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/configurationUpdate.json.php` (also r

1789 General
495 Vulnerability Disclosure
480 CVE
341 Campaigns
234 Data Breach
223 Malware

Trending Vendors

Latest News

Data Breaches