Vulnerability Notes
- CVE-2026-2072 - Cross-Site Scripting vulnerability in Hitachi Infrastructure Analytics Advisor and Hitachi Ops Center Analyzer
- CVE-2026-3912 - TIBCO ActiveMatrix BusinessWorks Injection Vulnerability
- CVE-2025-33244 - NVIDIA APEX Deserialization Vulnerability
- CVE-2026-33511 - pyload-ng: Authentication Bypass via Host Header Injection in ClickNLoad
- CVE-2026-33419 - MinIO: LDAP login brute-force via user enumeration and missing rate limit
- CVE-2026-33329 - FileRise: Path Traversal in `resumableIdentifier` Leading to Arbitrary File Write, Recursive Directory Deletion, and Limited Existence Oracle
- CVE-2026-33322 - MinIO: JWT Algorithm Confusion in OIDC Authentication
- CVE-2026-22559 - UniFi Network Server Cross-Site Scripting Vulnerability
- CVE-2026-33498 - Parse Server: Query condition depth bypass via pre-validation transform pipeline
- CVE-2026-2417 - Missing Authentication for Critical Function in Pharos Controls Mosaic Show Controller
- CVE-2026-23921 - Blind, read-only SQL injection in Zabbix API via sortfield parameter
- CVE-2026-33407 - Wallos: SSRF via HTTP Proxy Environment Variable
- CVE-2026-33157 - Craft CMS: Potential authenticated Remote Code Execution via malicious attached Behavior
- CVE-2026-33340 - LoLLMs WEBUI has unauthenticated Server-Side Request Forgery (SSRF) in /api/proxy endpoint
- CVE-2026-33678 - Vikunja has IDOR in Task Attachment ReadOne Allows Cross-Project File Access and Deletion
- CVE-2026-29839 - DedeCMS CSRF
- CVE-2025-71275 - Zimbra Collaboration Suite PostJournal 8.8.15 Unauthenticated Remote Code Execution via SMTP Injection
- CVE-2026-33316 - Vikunja’s Improper Access Control Enables Bypass of Administrator-Imposed Account Disablement
- CVE-2026-32647 - NGINX ngx_http_mp4_module vulnerability