Hyperterse versions 2.0.0 through 2.1.9 exhibit an information disclosure vulnerability (CWE-433) within the Model Context Protocol (MCP) server implementation. The search tool fails to sanitize internal tool representations before returning them to the client, leaking raw SQL database statements. This exposure provides attackers with deep insight into internal database schemas, table structures, and query logic, lowering the barrier for subsequent targeted attacks.
CVE-2026-24125 is a medium-severity path traversal vulnerability in the @tinacms/graphql package. Authenticated users can exploit improper path validation in GraphQL mutations to create, read, update, or delete arbitrary files on the host system.
The kora-lib crate, which serves as the core library for the Solana Kora Relayer, contains a business logic vulnerability related to SPL Token-2022 transfer fee verification. The relayer fails to accurately account for on-chain transfer fees when verifying user payments, resulting in the relayer crediting users for pre-fee transaction amounts. This discrepancy allows attackers to systematically underpay the relayer for transaction sponsorship.
The Home Assistant MCP Server (ha-mcp) prior to version 7.0.0 contains a Cross-Site Scripting (XSS) vulnerability within its beta OAuth consent form. The application dynamically constructs HTML using Python f-strings without proper input sanitization, allowing attackers to execute arbitrary JavaScript in the context of the server operator's browser session.
CVE-2026-21262 is a high-severity Elevation of Privilege (EoP) vulnerability affecting Microsoft SQL Server versions 2016 through 2025. It allows an authenticated, low-privileged attacker to escalate their permissions to the sysadmin role over a network connection. The flaw stems from improper access control in the SQL Server network layer protocol implementation, enabling attackers to take complete control of the database instance.
Umbraco CMS versions 16.2.0 to 16.5.0 and 17.0.0 to 17.2.1 contain a stored Cross-Site Scripting (XSS) vulnerability in the Umbraco Flavored Markdown (UFM) rendering engine. An overly permissive DOMPurify configuration allows authenticated users with Settings access to inject arbitrary JavaScript event handlers into custom web components, leading to execution in the context of other backoffice users.
A vertical privilege escalation vulnerability in Umbraco CMS allows authenticated backoffice users with user management permissions to elevate their privileges to Administrator. The flaw stems from missing authorization checks during user group assignments, enabling unauthorized users to assign highly privileged roles.
Striae versions prior to 3.0.0 suffer from a high-severity integrity bypass vulnerability in the digital confirmation workflow. The application relies on an unauthenticated hash-only validation model for exported forensic packages, allowing attackers to modify evidence and forge validation metadata without detection.
Craft CMS versions 4.x and 5.x are vulnerable to a high-severity Server-Side Template Injection (SSTI) flaw. Authenticated attackers with minimal Control Panel permissions can execute arbitrary PHP code. The vulnerability exists in the processing of relational condition rules within the element index and search functionalities.
Craft CMS versions prior to 5.8.22 contain a Stored Cross-Site Scripting (XSS) vulnerability in the Control Panel's User Permissions page. The application fails to properly HTML-encode User Group names, allowing an authenticated attacker with group management privileges to execute arbitrary JavaScript in the context of an administrator's session.
Budibase versions 3.31.4 and earlier contain a critical authentication bypass vulnerability due to improper URL parsing in the server's authorized middleware. Attackers can bypass all authentication, authorization, and CSRF checks by appending a webhook routing pattern to the query string of any API request.
CVE-2026-31887 is an Incorrect Authorization vulnerability in the Shopware commerce platform. The flaw resides in the store-api.order endpoint, allowing unauthenticated attackers to bypass Data Abstraction Layer (DAL) filters and extract sensitive Personally Identifiable Information (PII) belonging to other customers.