NVD Dashboard
CVEs Received and Processed
NVD Contains
| CVE Vulnerabilities | 335463 |
| Checklists | 868 |
| US-CERT Alerts | 249 |
| US-CERT Vuln Notes | 4486 |
| OVAL Queries | 0 |
| CPE Names | 1602561 |
CVSS V3 Score Distribution
| Severity | Number of Vulns |
|---|---|
CVSS V2 Score Distribution
| Severity | Number of Vulns |
|---|---|
For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.
- CVE-2026-20430 - In wlan AP FW, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote (proximal/adjacent) escalation of privilege with no additional execution privileges needed. User interaction is not needed for explo...
  Published: March 02, 2026; 4:16:16 AM -0500
- CVE-2026-20434 - In Modem, there is a possible out of bounds write due to a missing bounds check. This could lead to remote escalation of privilege, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges n...
  Published: March 02, 2026; 4:16:16 AM -0500
- CVE-2026-26337 - Hyland Alfresco Transformation Service allows unauthenticated attackers to achieve both arbitrary file read and server-side request forgery through the absolute path traversal.
  Published: February 19, 2026; 1:24:59 PM -0500
- CVE-2026-26338 - Hyland Alfresco Transformation Service allows unauthenticated attackers to achieve server-side request forgery (SSRF) through the document processing functionality.
  Published: February 19, 2026; 1:24:59 PM -0500
  V3.1: 9.8 CRITICAL
- CVE-2025-55749 - XWiki is an open-source wiki software platform. From 16.7.0 to 16.10.11, 17.4.4, or 17.7.0, in an instance which is using the XWiki Jetty package (XJetty), a context is exposed to statically access any file located in the webapp/ folder. It allows...
  Published: December 01, 2025; 4:15:51 PM -0500
  V3.1: 7.5 HIGH
- CVE-2026-26710 - code-projects Simple Food Order System v1.0 is vulnerable to SQL Injection in /food/routers/edit-orders.php.
  Published: March 02, 2026; 2:16:33 PM -0500
  V3.1: 9.8 CRITICAL
- CVE-2026-26711 - code-projects Simple Food Order System v1.0 is vulnerable to SQL Injection in /food/view-ticket.php.
  Published: March 02, 2026; 2:16:33 PM -0500
  V3.1: 9.8 CRITICAL
- CVE-2026-26712 - code-projects Simple Food Order System v1.0 is vulnerable to SQL Injection in /food/view-ticket-admin.php.
  Published: March 02, 2026; 3:16:26 PM -0500
  V3.1: 9.8 CRITICAL
- CVE-2026-26713 - code-projects Simple Food Order System v1.0 is vulnerable to SQL Injection in /food/routers/cancel-order.php.
  Published: March 02, 2026; 3:16:27 PM -0500
  V3.1: 9.8 CRITICAL
- CVE-2026-26077 - Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, several webhook endpoints (SendGrid, Mailjet, Mandrill, Postmark, SparkPost) in the `WebhooksController` accepted requests without a valid authen...
  Published: February 26, 2026; 10:17:36 AM -0500
- CVE-2026-26078 - Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, when the `patreon_webhook_secret` site setting is blank, an attacker can forge valid webhook signatures by computing an HMAC-MD5 with an empty st...
  Published: February 26, 2026; 11:24:06 AM -0500
- CVE-2026-26207 - Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, `discourse-policy` plugin allows any authenticated user to interact with policies on posts they do not have permission to view. The `PolicyContro...
  Published: February 26, 2026; 11:24:07 AM -0500
- CVE-2026-26265 - Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, an IDOR vulnerability in the directory items endpoint allows any user, including anonymous users, to retrieve private user field values for all u...
  Published: February 26, 2026; 11:24:07 AM -0500
- CVE-2026-26973 - Discourse is an open source discussion platform. Versions prior to 2025.12.2, 2026.1.1, and 2026.2.0 have an IDOR (Insecure Direct Object Reference) in `ReviewableNotesController`. When `enable_category_group_moderation` is enabled, a user belongi...
  Published: February 26, 2026; 3:31:37 PM -0500
- CVE-2026-26979 - Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, TL4 users are able to close, archive and pin topics in private categories they don't have access to. Versions 2025.12.2, 2026.1.1, and 2026.2.0 p...
  Published: February 26, 2026; 3:31:37 PM -0500
  V3.1: 2.7 LOW
- CVE-2026-24479 - HUSTOF is an open source online judge based on PHP/C++/MySQL/Linux for ACM/ICPC and NOIP training. Prior to version 26.01.24, the problem_import_qduoj.php and problem_import_hoj.php modules fail to properly sanitize filenames within uploaded ZIP a...
  Published: January 26, 2026; 8:16:02 PM -0500
  V3.1: 9.8 CRITICAL
- CVE-2026-27021 - Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, the voters endpoint in the poll plugin lacked post visibility checks which allowed unauthorized access to voters details of polls in any post. Ve...
  Published: February 26, 2026; 4:28:53 PM -0500
  V3.1: 5.3 MEDIUM
- CVE-2026-24408 - sigstore-python is a Python tool for generating and verifying Sigstore signatures. Prior to version 4.2.0, the sigstore-python OAuth authentication flow is susceptible to Cross-Site Request Forgery. `_OAuthSession` creates a unique "state" and sen...
  Published: January 26, 2026; 6:16:08 PM -0500
  V3.1: 5.0 MEDIUM
- CVE-2025-55292 - Meshtastic is an open source mesh networking solution. In the current Meshtastic architecture, a Node is identified by their NodeID, generated from the MAC address, rather than their public key. This aspect downgrades the security, specifically by...
  Published: January 27, 2026; 7:15:49 PM -0500
- CVE-2026-24783 - soroban-fixed-point-math is a fixed-point math library for Soroban smart contracts. In versions 1.3.0 and 1.4.0, the `mulDiv(x, y, z)` function incorrectly handled cases where both the intermediate product $x * y$ and the divisor $z$ were negative....
  Published: January 27, 2026; 5:15:57 PM -0500