A high-severity Local File Inclusion (LFI) vulnerability has been identified in the upgrade component of MyBB, a popular open-source forum software. The flaw resides in the `install/upgrade.php` script, where insufficient input validation on the `action` parameter allows attackers to traverse directories and include arbitrary PHP files. This vulnerability affects all MyBB versions prior to 1.8.39. Successful exploitation can lead to Remote Code Execution (RCE) if the attacker can upload or control a file on the disk, or significant information disclosure depending on the server configuration.
A critical remote code execution vulnerability exists in Invision Community versions 5.0.0 through 5.0.6. The flaw resides in the 'themeeditor' controller, where improper access control allows unauthenticated users to invoke the 'customCss' method. This method passes user-supplied input directly to the internal template engine without sanitization. By injecting malicious template directives, attackers can execute arbitrary PHP code on the underlying server. The vulnerability carries a CVSS score of 10.0 and has been patched in version 5.0.7.
A critical authentication bypass vulnerability exists in Vikunja, an open-source task management platform, affecting versions prior to 2.1.0. The vulnerability stems from two concurrent logic errors in the password reset workflow: a failure to invalidate reset tokens upon successful use and a malformed background cleanup process that failed to purge expired tokens. These flaws allow an attacker who obtains a password reset token—via interception, logs, or history—to reuse it indefinitely to reset the target user's password, facilitating persistent account takeover. The issue is addressed in version 2.1.0 by correcting the token deletion logic and fixing the expiration query.
A significant oversight in the FasterXML jackson-core library's non-blocking (asynchronous) JSON parser allows for the bypass of `StreamReadConstraints`, specifically regarding numeric value lengths. While the standard blocking parser correctly enforces these limits to prevent Denial of Service (DoS) attacks, the async implementation fails to validate the length of incoming integer and floating-point values against the configured maximums. This discrepancy exposes applications using reactive stacks—such as Spring WebFlux, Vert.x, or Micronaut—to resource exhaustion attacks where specially crafted JSON payloads can trigger excessive memory allocation or CPU consumption.
A resource exhaustion vulnerability exists in SvelteKit's experimental binary form handling mechanism. The deserialization logic for remote functions fails to validate that file metadata entries correspond to unique, non-overlapping byte ranges in the request body. This allows an attacker to craft a small HTTP request that expands into a massive logical payload when processed, consuming excessive server memory and CPU cycles.
A critical command injection vulnerability exists in the osctrl-admin component of the osctrl osquery management platform. The vulnerability allows authenticated administrators to inject arbitrary shell commands into generated enrollment scripts via the environment hostname parameter. When these scripts are executed on endpoints to install the osquery agent, the injected commands run with high privileges (typically root or SYSTEM), allowing for potential fleet-wide compromise.
A resource exhaustion vulnerability exists in the pypdf library versions prior to 6.7.4, specifically within the RunLengthDecode filter implementation. The flaw allows attackers to trigger an infinite loop or excessive memory allocation via crafted PDF streams, leading to Denial of Service (DoS) through Out-Of-Memory (OOM) conditions. This issue affects automated PDF processing pipelines where untrusted files are parsed without strict resource limits.
A high-severity authentication bypass vulnerability exists in @fastify/middie, the middleware engine for the Fastify web framework. The flaw stems from a discrepancy in URL path normalization between the middleware matching engine and Fastify's core router. By crafting malicious HTTP requests with specific path anomalies—such as duplicate slashes or semicolon delimiters—an attacker can bypass path-scoped middleware (e.g., authentication or validation layers) while still reaching the intended route handler. This effectively neutralizes security controls applied to specific route prefixes.
A critical memory safety vulnerability exists in the `hivex` Rust crate (version 0.2.0), a binding for the Windows Registry hive extraction library. The vulnerability stems from incorrect implementation of the `Drop` trait and the exposure of raw handle creation APIs as safe functions. These implementation flaws allow safe Rust code to trigger Double-Free (CWE-415) and Use-After-Free (CWE-416) conditions. Specifically, the `close()` method frees the underlying C resource without preventing the destructor from running, and the `from_handle()` function allows the creation of multiple owning references to the same underlying pointer. Successful exploitation results in undefined behavior, memory corruption, and potential arbitrary code execution.
A Stored Cross-Site Scripting (XSS) vulnerability exists in the HTML report generation components of PMD, a popular extensible multilanguage static code analyzer. The flaw allows attackers to inject malicious JavaScript into source code comments or string literals, which are subsequently rendered unescaped in PMD's HTML reports. This affects the 'vbhtml' and 'yahtml' renderers, as well as the suppression reporting in the standard 'html' renderer. Successful exploitation executes arbitrary code in the context of the user viewing the report, potentially compromising CI/CD dashboard sessions.
A logic vulnerability in the `malcontent` supply chain security tool allows attackers to bypass detection engines. The issue resides in the handling of nested archives (e.g., a `.tar` inside a `.zip`). When the scanner attempts to extract a nested archive and fails due to malformed headers or corruption, it unconditionally deletes the source archive file. This removal occurs before the content scanning phase, effectively hiding the malicious payload from analysis. Attackers can exploit this by crafting archives that fail extraction but contain malicious signatures in their raw bytes.
A critical Remote Code Execution (RCE) vulnerability exists in the `serialize-javascript` npm package due to improper sanitization of `RegExp` and `Date` object properties during serialization. When processing untrusted objects that mimic these types, the library constructs an executable string without sufficient validation of the `flags` property or `toISOString()` output. This allows an attacker to inject arbitrary JavaScript code that executes upon deserialization (typically via `eval()`).