Threat Intelligence Feed

CVE-2026-40941 Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have a package import sign MED · CVE-2026-40084 Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior are vulnerable to Path Tra HIGH · CVE-2026-40083 Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have SQL Injection through MED · CVE-2026-40082 Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have missing session_regen MED · CVE-2026-40080 Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior are vulnerable to Open Red CVE-2026-8720 wc_Blake2bHmacFinal and wc_Blake2sHmacFinal discard the message when the key length exceeds the block size, producing a CVE-2026-7532 iPAddress name constraints bypass when WOLFSSL_IP_ALT_NAME is not defined. IP address name constraints are not enforced CVE-2026-7511 PKCS7_verify signer confusion allows forged signatures, where the signer associated with a signature is not correctly bo CVE-2026-6331 HMAC zero-length tag forgery in EVP_DigestVerifyFinal, where a zero-length tag could be accepted as valid during HMAC ve CVE-2026-6330 The ML-KEM ARM64 NEON ciphertext comparison only compares half of the input, breaking the Fujisaki-Okamoto transform's i CVE-2026-6329 PKCS#12 MAC verification uses an attacker-controlled comparison length, weakening the integrity check on the MAC and all CVE-2026-6325 Out-of-bounds write in SetSuitesHashSigAlgo when processing an oversized signature algorithms list, allowing a write pas CVE-2026-6092 When HAVE_ENCRYPT_THEN_MAC is configured, the implementation could fall back to MAC-then-Encrypt rather than enforcing E CVE-2026-55962 TLS 1.3 post-handshake authentication (PHA) issue where a server could accept a client's Finished message without the cl HIGH · CVE-2026-54479 The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to HIGH · CVE-2026-50176 The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absenc MED · CVE-2026-44622 Charging station authentication identifiers are publicly accessible via web-based mapping platforms. CRIT · CVE-2026-40702 WebSocket endpoints lack proper authentication mechanisms, enabling attackers to impersonate charging stations. As a res HIGH · CVE-2026-22879 vtk vtk-dicom vtkDICOMItem::NewDataElement heap-based buffer overflow vulnerability CVE-2026-13283 Use after free in AdFilter in Google Chrome on Android prior to 149.0.7827.201 allowed a remote attacker who convinced a MED · CVE-2026-13282 Use after free in Payments in Google Chrome on Android prior to 149.0.7827.201 allowed a local attacker to potentially e CVE-2026-13281 Integer overflow in Mojo in Google Chrome prior to 149.0.7827.201 allowed a remote attacker who had compromised the rend HIGH · CVE-2026-12992 A flaw was found in Apicurio Registry. The WSDLReaderAccessor creates a wsdl4j WSDLReader without disabling the javax.ws HIGH · CVE-2026-12975 A flaw was found in Apicurio Registry. The ContentTypeUtil.isParsableXml() method creates a SAXParserFactory without ena HIGH · CVE-2026-11800 A flaw was found in Keycloak. This JWT algorithm confusion vulnerability in the JWT Authorization Grant flow allows an a CVE-2026-11703 Missing SNI/ALPN binding on stateful (session-ID) resumption, which previously skipped the binding check performed for t CVE-2026-10098 OCSP CertID serial-number length-confusion in wolfSSL_OCSP_resp_find_status allows a same-issuer SingleResponse whose se HIGH · CVE-2025-71340 picklescan through 0.0.26 fails to detect malicious pickle files that invoke idlelib.pyshell.ModifiedInterpreter.runcode CRIT · CVE-2025-71338 Flowise contains a path traversal vulnerability in the /api/v1/document-store/loader/process endpoint that allows unauth CRIT · CVE-2025-71336 Flowise before 3.0.6 (affected versions 2.2.7-patch.1 and earlier) contains an unsandboxed remote code execution vulnera HIGH · CVE-2025-71335 Flowise before 3.0.10 (affected versions 3.0.7 and earlier) fails to invalidate existing sessions and session tokens aft CRIT · CVE-2025-71334 Flowise before 3.0.6 (affected versions 2.2.8 and earlier) contains an arbitrary file access vulnerability due to missin CVE-2025-71333 Flowise through 2.2.4 contains an unauthenticated arbitrary file upload vulnerability in the /api/v1/attachments endpoin HIGH · CVE-2025-71328 Flowise before 3.0.10 contains an unverified password change vulnerability. An authenticated user can change their accou CRIT · CVE-2025-71327 Flowise contains an authentication bypass vulnerability in the unprotected /api/v1/account/register endpoint that allows HIGH · CVE-2025-71324 Flowise before 3.0.6 contains an arbitrary file read vulnerability in the chatId parameter of the /api/v1/get-upload-fil HIGH · CVE-2021-47987 Parse Server before 4.10.0 was affected by a supply chain incident in which incorrect version tags were pushed to the of HIGH · CVE-2021-47986 Parse Server before 4.10.0 contains a supply chain vulnerability where incorrect version tags were pushed to the reposit MED · CVE-2020-37256 Grav before 1.6.30 contains a cross-site scripting vulnerability in the Admin plugin page editor default security config CVE-2026-6731 X.509 name constraint bypass via the Subject Common Name when treated as a DNS-type name. A certificate whose Subject CN CVE-2026-40941 Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have a package import sign MED · CVE-2026-40084 Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior are vulnerable to Path Tra HIGH · CVE-2026-40083 Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have SQL Injection through MED · CVE-2026-40082 Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have missing session_regen MED · CVE-2026-40080 Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior are vulnerable to Open Red CVE-2026-8720 wc_Blake2bHmacFinal and wc_Blake2sHmacFinal discard the message when the key length exceeds the block size, producing a CVE-2026-7532 iPAddress name constraints bypass when WOLFSSL_IP_ALT_NAME is not defined. IP address name constraints are not enforced CVE-2026-7511 PKCS7_verify signer confusion allows forged signatures, where the signer associated with a signature is not correctly bo CVE-2026-6331 HMAC zero-length tag forgery in EVP_DigestVerifyFinal, where a zero-length tag could be accepted as valid during HMAC ve CVE-2026-6330 The ML-KEM ARM64 NEON ciphertext comparison only compares half of the input, breaking the Fujisaki-Okamoto transform's i CVE-2026-6329 PKCS#12 MAC verification uses an attacker-controlled comparison length, weakening the integrity check on the MAC and all CVE-2026-6325 Out-of-bounds write in SetSuitesHashSigAlgo when processing an oversized signature algorithms list, allowing a write pas CVE-2026-6092 When HAVE_ENCRYPT_THEN_MAC is configured, the implementation could fall back to MAC-then-Encrypt rather than enforcing E CVE-2026-55962 TLS 1.3 post-handshake authentication (PHA) issue where a server could accept a client's Finished message without the cl HIGH · CVE-2026-54479 The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to HIGH · CVE-2026-50176 The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absenc MED · CVE-2026-44622 Charging station authentication identifiers are publicly accessible via web-based mapping platforms. CRIT · CVE-2026-40702 WebSocket endpoints lack proper authentication mechanisms, enabling attackers to impersonate charging stations. As a res HIGH · CVE-2026-22879 vtk vtk-dicom vtkDICOMItem::NewDataElement heap-based buffer overflow vulnerability CVE-2026-13283 Use after free in AdFilter in Google Chrome on Android prior to 149.0.7827.201 allowed a remote attacker who convinced a MED · CVE-2026-13282 Use after free in Payments in Google Chrome on Android prior to 149.0.7827.201 allowed a local attacker to potentially e CVE-2026-13281 Integer overflow in Mojo in Google Chrome prior to 149.0.7827.201 allowed a remote attacker who had compromised the rend HIGH · CVE-2026-12992 A flaw was found in Apicurio Registry. The WSDLReaderAccessor creates a wsdl4j WSDLReader without disabling the javax.ws HIGH · CVE-2026-12975 A flaw was found in Apicurio Registry. The ContentTypeUtil.isParsableXml() method creates a SAXParserFactory without ena HIGH · CVE-2026-11800 A flaw was found in Keycloak. This JWT algorithm confusion vulnerability in the JWT Authorization Grant flow allows an a CVE-2026-11703 Missing SNI/ALPN binding on stateful (session-ID) resumption, which previously skipped the binding check performed for t CVE-2026-10098 OCSP CertID serial-number length-confusion in wolfSSL_OCSP_resp_find_status allows a same-issuer SingleResponse whose se HIGH · CVE-2025-71340 picklescan through 0.0.26 fails to detect malicious pickle files that invoke idlelib.pyshell.ModifiedInterpreter.runcode CRIT · CVE-2025-71338 Flowise contains a path traversal vulnerability in the /api/v1/document-store/loader/process endpoint that allows unauth CRIT · CVE-2025-71336 Flowise before 3.0.6 (affected versions 2.2.7-patch.1 and earlier) contains an unsandboxed remote code execution vulnera HIGH · CVE-2025-71335 Flowise before 3.0.10 (affected versions 3.0.7 and earlier) fails to invalidate existing sessions and session tokens aft CRIT · CVE-2025-71334 Flowise before 3.0.6 (affected versions 2.2.8 and earlier) contains an arbitrary file access vulnerability due to missin CVE-2025-71333 Flowise through 2.2.4 contains an unauthenticated arbitrary file upload vulnerability in the /api/v1/attachments endpoin HIGH · CVE-2025-71328 Flowise before 3.0.10 contains an unverified password change vulnerability. An authenticated user can change their accou CRIT · CVE-2025-71327 Flowise contains an authentication bypass vulnerability in the unprotected /api/v1/account/register endpoint that allows HIGH · CVE-2025-71324 Flowise before 3.0.6 contains an arbitrary file read vulnerability in the chatId parameter of the /api/v1/get-upload-fil HIGH · CVE-2021-47987 Parse Server before 4.10.0 was affected by a supply chain incident in which incorrect version tags were pushed to the of HIGH · CVE-2021-47986 Parse Server before 4.10.0 contains a supply chain vulnerability where incorrect version tags were pushed to the reposit MED · CVE-2020-37256 Grav before 1.6.30 contains a cross-site scripting vulnerability in the Admin plugin page editor default security config CVE-2026-6731 X.509 name constraint bypass via the Subject Common Name when treated as a DNS-type name. A certificate whose Subject CN