•about 1 hour ago•CVE-2026-47706
5.3CVE-2026-47706: Application-Level Denial of Service via Uncontrolled Recursion in Strawberry GraphQL
An application-level Denial of Service vulnerability exists in the Strawberry GraphQL library (versions 0.71.0 through 0.315.6) due to uncontrolled recursion within the QueryDepthLimiter and MaxAliasesLimiter extensions when processing circular fragment references.
3 views•6 min read
•about 2 hours ago•CVE-2026-34077
7.5CVE-2026-34077: Denial of Service and Unsafe Deserialization in React Router Single Fetch
React Router and the underlying turbo-stream vendor library contain a vulnerability allowing remote unauthenticated attackers to trigger a Denial of Service (DoS) or potentially client-side Cross-Site Scripting (XSS) due to unsafe dynamic deserialization of streaming error payloads.
5 views•6 min read
•about 2 hours ago•CVE-2026-47707
5.3CVE-2026-47707: GraphQL Alias Amplification Bypass in Strawberry GraphQL MaxAliasesLimiter
A security flaw in strawberry-graphql versions 0.172.0 through 0.315.6 allows unauthenticated attackers to bypass the MaxAliasesLimiter extension. By utilizing GraphQL fragment spreads, clients can trigger high levels of alias amplification, causing uncontrolled backend resource consumption and application-level Denial of Service.
3 views•5 min read
•about 4 hours ago•CVE-2026-48710
7.0CVE-2026-48710: Starlette BadHost HTTP Host-Header Path-Poisoning and Authentication Bypass
CVE-2026-48710 is a critical security-desynchronization vulnerability in the Starlette ASGI framework (versions >= 0.8.3, < 1.0.1) that allows remote attackers to bypass path-based security middleware and access-control decorators. By injecting URI authority-to-path delimiters into the Host header, attackers can manipulate the application-level parsed URL path while the underlying ASGI server dispatches the request to target endpoints.
10 views•7 min read
•about 4 hours ago•CVE-2026-20230
8.6CVE-2026-20230: Server-Side Request Forgery in Cisco Unified Communications Manager WebDialer Service
CVE-2026-20230 is a critical Server-Side Request Forgery (SSRF) vulnerability in the WebDialer service of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME). The flaw arises from improper validation of input parameters within WebDialer HTTP requests. Unauthenticated remote attackers can exploit this vulnerability to force the application to make HTTP requests to internal administrative services bound to the loopback interface. In the Cisco Voice Operating System (VOS) environment, these local services trust loopback traffic inherently, permitting unauthorized file writes. By writing malicious files to specific system directories, the attacker can execute arbitrary commands with root privileges.
10 views•6 min read
•about 9 hours ago•CVE-2026-48526
7.4CVE-2026-48526: Algorithm Confusion Vulnerability in PyJWT
CVE-2026-48526 is an algorithm-confusion vulnerability in PyJWT prior to version 2.13.0. When an application decodes tokens using a raw JSON Web Key (JWK) string while simultaneously supporting mixed algorithm families (symmetric and asymmetric), PyJWT does not validate that the key matches its intended algorithm context. This allows an attacker to sign a forged token using the public JWK string as an HMAC symmetric secret, bypassing authentication controls.
5 views•7 min read
•about 10 hours ago•CVE-2026-23479
8.8CVE-2026-23479: Use-After-Free Vulnerability in Redis Blocking-Client Command Re-Execution
CVE-2026-23479 is a critical Use-After-Free (UAF) vulnerability inside the blocking-client code path of the Redis in-memory data structure server. In affected versions from 7.2.0 until 8.6.3, the unblock client flow fails to handle an error return from processCommandAndResetClient when re-executing a previously blocked command. If a blocked client is evicted due to maxmemory limits or client eviction policies during this command processing flow, its client structure is freed. Because the caller ignores the error return and continues processing, it attempts to read and write properties on the freed client structure, leading to a Use-After-Free condition.
13 views•7 min read
•about 17 hours ago•CVE-2026-42211
8.1CVE-2026-42211: Remote Code Execution via Insecure Deserialization in React Router Framework Mode
A critical vulnerability exists in React Router v7 when running in Framework Mode. The vulnerability arises from insecure deserialization of TYPE_ERROR objects in the internal turbo-stream library, which resolves constructors from the global scope. If an application contains an independent prototype pollution vulnerability, an attacker can trigger unauthenticated Remote Code Execution (RCE) on the server.
9 views•5 min read
•about 18 hours ago•CVE-2026-47265
6.6CVE-2026-47265: Cross-Origin Cookie Leakage in AIOHTTP Client Redirects
AIOHTTP prior to version 3.14.0 fails to clear request-specific cookies when executing cross-origin automatic HTTP redirects. This vulnerability allows remote web servers to harvest sensitive credentials and session cookies originally scoped to an authorized target domain.
7 views•6 min read
•about 18 hours ago•CVE-2026-49144
7.1CVE-2026-49144: Unauthenticated Arbitrary File Read via Path Traversal in BrowserStack Runner
An unauthenticated path traversal vulnerability in BrowserStack Runner versions up to and including 0.9.5 allows remote or adjacent network attackers to read arbitrary files from the host system. The flaw exists within the local HTTP test server's fallback and patch file handlers, which fail to sanitize path inputs before passing them to file resolution APIs.
8 views•7 min read
•about 19 hours ago•CVE-2026-49143
8.8CVE-2026-49143: Unauthenticated Remote Code Execution in browserstack-runner
An unauthenticated remote code execution (RCE) vulnerability exists in the browserstack-runner npm package (versions up to and including 0.9.5). The flaw lies in the /_log HTTP endpoint handler, which evaluates user-supplied input within a non-secure Node.js VM context combined with dynamic eval() execution. Network-adjacent attackers can exploit this behavior to escape the sandbox and execute arbitrary system commands on the host machine.
10 views•6 min read
•about 19 hours ago•GHSA-F9RX-7WF7-JR36
8.1GHSA-F9RX-7WF7-JR36: Two-Factor Authentication Bypass and Passwordless API Key Creation in Froxlor
An architectural flaw in the Froxlor server administration control panel allows attackers to completely bypass Two-Factor Authentication (2FA) by issuing commands directly through the API. The API authentication routine in 'FroxlorRPC::validateAuth' fails to check the account's 2FA status, enabling arbitrary execution of administrative and customer actions. Furthermore, in versions prior to 2.3.7, API keys could be created without validating the current user password, exposing users to persistent backdoor access via session hijacking or CSRF.
6 views•5 min read