Recent
Automated Logout - Moderately critical - Cross-site request forgery - SA-CONTRIB-2026-030
Published 2026-03-26 by drupal
Unpublished Node Permissions - Critical - Access bypass - SA-CONTRIB-2026-029
Published 2026-03-26 by drupal
AI (Artificial Intelligence) - Moderately critical - Information Disclosure - SA-CONTRIB-2026-028
Published 2026-03-26 by drupal
Libssh: libssh: denial of service via improper configuration file handling
Published 2026-03-26 by redhat
Libssh: libssh: denial of service via inefficient regular expression processing
Published 2026-03-26 by redhat
Libssh: libssh: denial of service due to malformed sftp message
Published 2026-03-26 by redhat
Libssh: improper sanitation of paths received from scp servers
Published 2026-03-26 by redhat
Libssh: buffer underflow in ssh_get_hexa() on invalid input
Published 2026-03-26 by redhat
Missing Protected-field Authorization in Provisioning Contact Points API
Published 2026-03-26 by GRAFANA
Grafana MSSQL Data Source Plugin: Restriction Bypass Leading to OOM DoS
Published 2026-03-26 by GRAFANA
Lychee has SSRF bypass via DNS rebinding — PhotoUrlRule only validates IP addresses, not hostnames resolving to internal IPs
Published 2026-03-26 by GitHub_M
OpenID Connect / OAuth client - Less critical - Access bypass - SA-CONTRIB-2026-027
Published 2026-03-26 by drupal
OpenID Connect / OAuth client - Moderately critical - Access bypass - SA-CONTRIB-2026-026
Published 2026-03-26 by drupal
OpenID Connect / OAuth client - Moderately critical - Server-side request forgery, Information disclosure - SA-CONTRIB-2026-025
Published 2026-03-26 by drupal
Google Analytics GA4 - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-024
Published 2026-03-26 by drupal
Calculation Fields - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-023
Published 2026-03-26 by drupal
AJAX Dashboard - Critical - Access bypass - SA-CONTRIB-2026-022
Published 2026-03-26 by drupal
File Access Fix (deprecated) - Moderately critical - Access bypass - SA-CONTRIB-2026-021
Published 2026-03-26 by drupal
File Access Fix (deprecated) - Moderately critical - Access bypass - SA-CONTRIB-2026-020
Published 2026-03-26 by drupal
P11-kit: p11-kit: null dereference via c_derivekey with specific null parameters
Published 2026-03-26 by redhat
Lychee has SSRF bypass via incomplete IP validation in Photo::fromUrl — loopback and link-local IPs not blocked
Published 2026-03-26 by GitHub_M
Gimp: gimp: application crash (dos) via crafted psd file due to heap-buffer-overflow
Published 2026-03-26 by redhat
Gimp: gimp: memory corruption due to integer overflow in ico file handling
Published 2026-03-26 by redhat
Gimp: gimp: denial of service via crafted psp image file
Published 2026-03-26 by redhat
ImageMagick has an Out-of-bounds Write via InterpretImageFilename
Published 2026-03-26 by GitHub_M
ImageMagick has an Out-of-Bounds write of a zero byte in its X11 display interaction
Published 2026-03-26 by GitHub_M
yaml is vulnerable to Stack Overflow via deeply nested YAML collections
Published 2026-03-26 by GitHub_M
Infinite loop in github.com/antchfx/xpath
Published 2026-03-26 by Go
Denial of service in github.com/jackc/pgproto3/v2
Published 2026-03-26 by Go
Denial of service in github.com/buger/jsonparser
Published 2026-03-26 by Go
Denial of service in github.com/shamaton/msgpack
Published 2026-03-26 by Go
InvenTree has Path Traversal In Report Templates
Published 2026-03-26 by GitHub_M
InvenTree Vulnerable to ORM Filter Injection
Published 2026-03-26 by GitHub_M
ClearanceKit: opfilter policy bypass via exchangedata and clone operations
Published 2026-03-26 by GitHub_M
Libsoup: libsoup: denial of service via use-after-free in soupserver during tls handshake
Published 2026-03-26 by redhat
ClearanceKit: opfilter policy bypass via non-open file operations
Published 2026-03-26 by GitHub_M
Ruckus AP CLI Arbitrary File Read Allows Authenticated Remote File Access
Published 2026-03-26 by VulnCheck
Zoraxy: Authenticated Path Traversal in Config Import leads to RCE
Published 2026-03-26 by GitHub_M
GoDoxy has a Path Traversal Vulnerability in its File API
Published 2026-03-26 by GitHub_M
Authelia: Improper Neutralization of Input During Web Page Generation Leads to Potential Cross-site Scripting
Published 2026-03-26 by GitHub_M
Ruckus Unleashed Authenticated RCE in Gateway Mode
Published 2026-03-26 by VulnCheck
Keycloak: org.keycloak/keycloak-services: keycloak: privilege escalation via manage-clients permission
Published 2026-03-26 by redhat
Keycloak: keycloak: information disclosure via improper role enforcement in uma 2.0 protection api
Published 2026-03-26 by redhat
Tandoor Recipes Vulnerable to Unrestricted Brute-Force via BasicAuthentication
Published 2026-03-26 by GitHub_M
Tandoor Recipes's Unauthenticated Debug Parameter Leaks Full Raw SQL Queries Including Schema, Table Names, and Access Control Logic
Published 2026-03-26 by GitHub_M
URL Parameter Injection in FDC Food Search API Causes Server Crash and Exposes Internal API Key
Published 2026-03-26 by GitHub_M
Tandoor Recipes: WebP and GIF Image Uploads Bypass EXIF/Metadata Stripping, Leaking GPS Coordinates and PII
Published 2026-03-26 by GitHub_M
path-to-regexp vulnerable to Regular Expression Denial of Service via multiple wildcards
Published 2026-03-26 by openjs
thingino-firmware api.cgi Unauthenticated Command Injection in Captive Portal
Published 2026-03-26 by VulnCheck
path-to-regexp vulnerable to Denial of Service via sequential optional groups
Published 2026-03-26 by openjs
Tandoor Recipes has Cross-Space IDOR in SyncViewSet.query_synced_folder: missing space scoping on get_object_or_404
Published 2026-03-26 by GitHub_M
Tandoor Recipes Vulnerable to Host Header Injection
Published 2026-03-26 by GitHub_M
DOM-Based XSS in Ory Polis Login Page
Published 2026-03-26 by GitHub_M
Zen-C has Stack-Based Buffer Overflow in Identifier Mangling
Published 2026-03-26 by GitHub_M
Ory Keto has a SQL injection via forged pagination tokens
Published 2026-03-26 by GitHub_M
Ory Hydra has a SQL injection via forged pagination tokens
Published 2026-03-26 by GitHub_M
Ory Kratos has a SQL injection via forged pagination tokens
Published 2026-03-26 by GitHub_M
Ory Oathkeeper has an authentication bypass by cache key confusion
Published 2026-03-26 by GitHub_M
Firecrawl Playwright Service SSRF Protection Bypass via Missing Post-Redirect Validation
Published 2026-03-26 by VulnCheck
Ory Oathkeeper has an authentication bypass by usage of untrusted header
Published 2026-03-26 by GitHub_M
Ory Oathkeeper has a path traversal authorization bypass
Published 2026-03-26 by GitHub_M
srvx is vulnerable to middleware bypass via absolute URI in request line
Published 2026-03-26 by GitHub_M
h3: Missing Path Segment Boundary Check in `mount()` Causes Middleware Execution on Unrelated Prefix-Matching Routes
Published 2026-03-26 by GitHub_M
goxmldsig has validateSignature Loop Variable Capture Signature Bypass
Published 2026-03-26 by GitHub_M
Roadiz has Server-Side Request Forgery (SSRF) in roadiz/documents
Published 2026-03-26 by GitHub_M
Syft improper temporary file cleanup
Published 2026-03-26 by GitHub_M
FileRise has incorrect authorization in /api/file/snippet.php allows read_own users to read other users’ file content
Published 2026-03-26 by GitHub_M
Frigate has cross-camera snapshot disclosure via unrestricted timeline IDs and missing authorization in /api/events/{event_id}/snapshot-clean.webp
Published 2026-03-26 by GitHub_M
Authenticated Frigate users can read the full unredacted configuration via `/api/config/raw`
Published 2026-03-26 by GitHub_M
Kysely has a MySQL SQL Injection via Insufficient Backslash Escaping in `sql.lit(string)` usage or similar methods that append string literal values into the compiled SQL strings
Published 2026-03-26 by GitHub_M