CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.


© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad

10 minutes ago • CVE-2026-33055 • Severity 5.1

CVE-2026-33055: Parser Differential and Archive Smuggling in Rust tar-rs

A parser differential vulnerability in the Rust tar-rs crate <= 0.4.44 allows attackers to smuggle hidden TAR entries past compliant security validators. The vulnerability arises from non-compliant handling of PAX extended header size overrides.

Alon Barad • 2 views • 6 min read

40 minutes ago • CVE-2026-33056 • Severity 5.1

CVE-2026-33056: Arbitrary Directory Permission Modification via Symlink Following in tar-rs

The tar-rs library version 0.4.44 and earlier contains a CWE-61 UNIX Symbolic Link (Symlink) Following vulnerability in the directory extraction logic. By utilizing a crafted tar archive containing a symlink and a directory of the same name, an attacker can manipulate directory permissions on the host system.

Amit Schendel • 1 view • 5 min read

about 1 hour ago • CVE-2026-33312 • Severity 5.3

CVE-2026-33312: Broken Object-Level Authorization (BOLA) in Vikunja Project Background Deletion

Vikunja versions 0.20.2 through 2.1.x suffer from a Broken Object Level Authorization (BOLA) vulnerability. The application fails to properly validate permissions on the project background deletion endpoint, allowing users with only read access to permanently delete background images. The vulnerability is fixed in version 2.2.0.

Amit Schendel • 2 views • 6 min read

about 2 hours ago • CVE-2026-32595 • Severity 6.3

CVE-2026-32595: Information Disclosure via Timing Attack in Traefik BasicAuth

CVE-2026-32595 is an observable timing discrepancy vulnerability in Traefik's BasicAuth middleware affecting versions across the 2.x and 3.x branches. The flaw allows unauthenticated remote attackers to enumerate valid user accounts by measuring the server's response time during authentication attempts.

Alon Barad • 2 views • 6 min read

about 2 hours ago • CVE-2026-32701 • Severity 7.5

CVE-2026-32701: Array Method Pollution and Denial of Service in Qwik City Middleware

Qwik City middleware versions prior to 1.19.2 contain an array method pollution vulnerability within the form parsing component. Unauthenticated remote attackers can overwrite native array methods via crafted multipart or URL-encoded HTTP requests, resulting in type confusion and server-side Denial of Service (DoS).

Amit Schendel • 3 views • 5 min read

about 3 hours ago • CVE-2026-32711 • Severity 7.8

CVE-2026-32711: Path Traversal and Arbitrary File Operations in pydicom FileSet

CVE-2026-32711 is a high-severity path traversal vulnerability in the pydicom Python library, affecting versions 2.0.0-rc.1 through 3.0.1. The flaw resides in the FileSet implementation, where insufficient validation of the ReferencedFileID attribute allows malicious DICOMDIR files to perform out-of-bounds file reads, copies, or deletions.

Alon Barad • 4 views • 6 min read

about 4 hours ago • CVE-2026-29794 • Severity 5.3

CVE-2026-29794: Rate Limit Bypass via IP Spoofing in Vikunja

Vikunja versions prior to 2.2.0 contain a rate-limit bypass vulnerability due to improper validation of client IP addresses. Unauthenticated remote attackers can bypass IP-based rate limiting by spoofing HTTP headers such as X-Forwarded-For, enabling unlimited brute-force attacks against authentication endpoints.

Amit Schendel • 3 views • 6 min read

about 8 hours ago • CVE-2025-3709 • Severity 9.8

CVE-2025-3709: Critical Account Lockout Bypass in Flowring Agentflow 4.0

CVE-2025-3709 is a critical account lockout bypass vulnerability (CWE-307) affecting Flowring Technology Agentflow version 4.0. This flaw allows unauthenticated remote attackers to perform unlimited password brute-force attacks against the authentication system, bypassing security controls designed to lock accounts after excessive failed attempts.

Amit Schendel • 7 views • 7 min read

about 8 hours ago • CVE-2024-6485 • Severity 6.4

CVE-2024-6485: Cross-Site Scripting (XSS) in Bootstrap 3 Button Plugin

A cross-site scripting (XSS) vulnerability exists in the Bootstrap 3.x Button plugin. The flaw occurs due to improper sanitization of the data-loading-text attribute, allowing arbitrary JavaScript execution when the button's loading state is triggered via the JavaScript API.

Amit Schendel • 5 views • 6 min read

about 9 hours ago • CVE-2026-21666 • Severity 9.9

CVE-2026-21666: Authenticated Remote Code Execution in Veeam Backup & Replication

CVE-2026-21666 is a critical remote code execution (RCE) vulnerability in Veeam Backup & Replication. By leveraging improper input validation, an authenticated domain user can inject arbitrary commands via newline characters, leading to execution with system-level privileges on the backup server infrastructure.

Amit Schendel • 7 views • 7 min read

about 14 hours ago • GHSA-2MHW-8QCG-GR96 • Severity 8.1

GHSA-2mhw-8qcg-gr96: Supply Chain RCE in skia-python via Vendored libfreetype (CVE-2025-27363)

The skia-python package implicitly vendors a vulnerable version of libfreetype in its Linux wheel distributions, exposing applications to CVE-2025-27363. This underlying out-of-bounds write vulnerability allows for unauthenticated remote code execution via specially crafted font files.

Amit Schendel • 5 views • 6 min read

about 15 hours ago • CVE-2026-26931 • Severity 5.7

CVE-2026-26931: Denial of Service via Decompression Bomb in Elastic Metricbeat Prometheus remote_write

Elastic Metricbeat is vulnerable to an unauthenticated Denial of Service (DoS) attack via a memory exhaustion flaw in the Prometheus remote_write HTTP handler. The vulnerability stems from insufficient validation of declared uncompressed sizes within Snappy-compressed payloads, allowing an attacker to trigger an Out-of-Memory (OOM) process termination.

Alon Barad • 6 views • 5 min read

Automated vulnerability intelligence. 1,170+ reports.