CVE-2026-6553 is a high-severity sensitive data exposure vulnerability (CWE-312) in TYPO3 CMS version 14.2.0. The vulnerability allows plaintext backend user passwords to be stored within serialized configuration fields in the database. The flaw occurs when users update their profile via the 'User Settings' module, exposing credentials to any actor with database read access.
ParquetSharp versions between 18.1.0 and 23.0.0.0 are vulnerable to a stack exhaustion Denial of Service (DoS) flaw. The vulnerability resides in the DecimalConverter class, where uncontrolled metadata values dictate unbounded stack allocation size.
Kirby CMS versions prior to 4.9.0 and 5.4.0 suffer from an incorrect authorization vulnerability (CWE-863) allowing authenticated users to bypass resource creation restrictions. By injecting a malicious blueprint payload during model creation, attackers can override access controls and provision unauthorized pages, files, or users.
Kyverno policy engine versions prior to 1.16.4 and 1.17.0-rc1 through 1.17.1 are vulnerable to a Denial of Service. An unchecked Go type assertion in the legacy mutation engine triggers a runtime panic when processing missing JMESPath variables.
Excalidraw suffers from a DOM-based Cross-Site Scripting (XSS) vulnerability caused by an upstream flaw in the Mermaid diagramming library. The issue occurs during the dimension calculation of KaTeX-rendered labels, leading to arbitrary JavaScript execution when a malicious diagram is rendered in the browser.
The gitverify tool contains a logic inversion vulnerability in its signature verification routines. This flaw allows unsigned annotated Git tags to bypass security policies intended to enforce cryptographic signatures.
The Weblate Command Line Interface (wlc) package contains a Cross-Site Scripting (XSS) vulnerability due to insufficient sanitization during HTML report generation. The `print_html` function fails to encode API-retrieved data before embedding it into HTML output, allowing malicious payloads to execute when the generated report is viewed in a web browser.
The Google Gemini CLI (prior to v0.17.2) is vulnerable to unauthenticated remote code execution due to an insecure default workspace trust configuration. By crafting a malicious `.gemini/settings.json` file, attackers can execute arbitrary OS commands when a user initializes the CLI application within the compromised repository.
The `go-zserio` library suffers from an Unbounded Memory Allocation vulnerability (CWE-770) during the deserialization of structured data. An unauthenticated remote attacker can trigger an immediate Out-of-Memory (OOM) crash by sending a crafted payload with a forged length field, resulting in a Denial of Service (DoS).
The `almirhodzic/nova-toggle-5` package for Laravel Nova fails to properly enforce authorization checks on its API toggle endpoint. This allows any authenticated user to arbitrarily modify boolean fields on any database model exposed through the Nova administration panel, leading to severe broken access control and potential privilege escalation.
CVE-2025-62373 is a critical remote code execution (RCE) vulnerability in Pipecat, an open-source Python framework for building real-time voice and multimodal conversational agents. The flaw originates from the unsafe deserialization of untrusted data using Python's pickle module within the LivekitFrameSerializer class.
Kirby CMS versions prior to 4.9.0 and 5.0.0 through 5.3.x are vulnerable to XML Injection (CWE-91). An insecure heuristic within the Toolkit's XML handling methods permits an attacker to bypass entity encoding by prepending a CDATA identifier. This allows the injection of arbitrary XML elements into documents generated by the CMS or custom plugins.