•about 20 hours ago•GHSA-XF4V-W5X5-PV79
5.1GHSA-XF4V-W5X5-PV79: CSV Formula Injection in Spree Customer Export
A CSV Formula Injection vulnerability (CWE-1236) exists in the Spree headless eCommerce platform within the customer export functionality. An unauthenticated attacker can register a customer profile containing malicious formula sequences in fields like the first name or last name. When an administrator exports the customer data to a CSV file and opens it in a spreadsheet application, the spreadsheet engine can interpret and execute these formulas, potentially leading to remote command execution on the administrator's workstation or out-of-band data exfiltration.
4 views•6 min read
•about 21 hours ago•CVE-2026-47694
5.4CVE-2026-47694: Stored Cross-Site Scripting in WWBN AVideo Category Descriptions
A Stored Cross-Site Scripting (XSS) vulnerability exists in WWBN AVideo versions up to and including 29.0. Unsanitized category descriptions are stored in the database and subsequently rendered as raw HTML in the Gallery view plugin, allowing low-privileged authenticated users to execute arbitrary JavaScript in the browsers of visiting users.
6 views•7 min read
•about 21 hours ago•GHSA-JPVJ-WPMJ-H7RV
9.6GHSA-JPVJ-WPMJ-H7RV: Supply Chain Compromise and Malicious Code Injection in @cap-js/openapi
A critical supply chain compromise was identified in the Node.js package @cap-js/openapi at version 1.4.1. An attacker gained unauthorized publishing access to the npm registry and distributed a backdoored release that harvests sensitive developer credentials, environment variables, and SSH keys. The malicious code then exfiltrates the collected data to external actor-controlled servers.
12 views•5 min read
•about 22 hours ago•CVE-2026-47696
7.1CVE-2026-47696: Authenticated Wallet Credit Bypass in WWBN AVideo AuthorizeNet Plugin
An authenticated wallet credit bypass vulnerability exists in WWBN AVideo version 29.0 and earlier. The AuthorizeNet plugin includes an unfinished mockup endpoint, processPayment.json.php, which lacks actual transaction verification and hardcodes success. This allows any authenticated user to credit their wallet with arbitrary balances without making any payments.
4 views•5 min read
•about 22 hours ago•GHSA-8WHC-2WMV-WW35
8.8GHSA-8whc-2wmv-ww35: Unauthenticated Stored DOM-based Cross-Site Scripting in WWBN AVideo YPTSocket Plugin
An unauthenticated stored DOM-based Cross-Site Scripting (DOM XSS) vulnerability in the YPTSocket plugin of WWBN AVideo (formerly YouPHPTube) allows remote attackers to execute arbitrary JavaScript within the session context of administrative users. Unsanitized metadata parameters supplied during the WebSocket handshake are persisted in an SQLite database and broadcast to connected users. The frontend application processes these parameters through an unsafe jQuery append sink, leading to silent, high-impact administrative context compromise.
6 views•7 min read
•about 23 hours ago•CVE-2026-47676
5.3CVE-2026-47676: Inconsistent Path Parsing and Slicing in Hono Framework Sub-Application Mounting
A path parsing and normalization inconsistency vulnerability exists in the Hono web framework prior to version 4.12.21. When hosting sub-applications via the app.mount() routing interface, Hono calculates the routing path prefix length on a percent-decoded representation of the URI but executes the path-slicing offset on the raw, percent-encoded string. This discrepancy results in malformed request paths being dispatched to mounted sub-applications, potentially leading to route bypasses, route confusion, and application-level Denial of Service.
4 views•6 min read
•1 day ago•CVE-2026-47706
5.3CVE-2026-47706: Application-Level Denial of Service via Uncontrolled Recursion in Strawberry GraphQL
An application-level Denial of Service vulnerability exists in the Strawberry GraphQL library (versions 0.71.0 through 0.315.6) due to uncontrolled recursion within the QueryDepthLimiter and MaxAliasesLimiter extensions when processing circular fragment references.
5 views•6 min read
•1 day ago•CVE-2026-34077
7.5CVE-2026-34077: Denial of Service and Unsafe Deserialization in React Router Single Fetch
React Router and the underlying turbo-stream vendor library contain a vulnerability allowing remote unauthenticated attackers to trigger a Denial of Service (DoS) or potentially client-side Cross-Site Scripting (XSS) due to unsafe dynamic deserialization of streaming error payloads.
10 views•6 min read
•1 day ago•CVE-2026-47707
5.3CVE-2026-47707: GraphQL Alias Amplification Bypass in Strawberry GraphQL MaxAliasesLimiter
A security flaw in strawberry-graphql versions 0.172.0 through 0.315.6 allows unauthenticated attackers to bypass the MaxAliasesLimiter extension. By utilizing GraphQL fragment spreads, clients can trigger high levels of alias amplification, causing uncontrolled backend resource consumption and application-level Denial of Service.
4 views•5 min read
•1 day ago•CVE-2026-48710
7.0CVE-2026-48710: Starlette BadHost HTTP Host-Header Path-Poisoning and Authentication Bypass
CVE-2026-48710 is a critical security-desynchronization vulnerability in the Starlette ASGI framework (versions >= 0.8.3, < 1.0.1) that allows remote attackers to bypass path-based security middleware and access-control decorators. By injecting URI authority-to-path delimiters into the Host header, attackers can manipulate the application-level parsed URL path while the underlying ASGI server dispatches the request to target endpoints.
18 views•7 min read
•1 day ago•CVE-2026-20230
8.6CVE-2026-20230: Server-Side Request Forgery in Cisco Unified Communications Manager WebDialer Service
CVE-2026-20230 is a critical Server-Side Request Forgery (SSRF) vulnerability in the WebDialer service of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME). The flaw arises from improper validation of input parameters within WebDialer HTTP requests. Unauthenticated remote attackers can exploit this vulnerability to force the application to make HTTP requests to internal administrative services bound to the loopback interface. In the Cisco Voice Operating System (VOS) environment, these local services trust loopback traffic inherently, permitting unauthorized file writes. By writing malicious files to specific system directories, the attacker can execute arbitrary commands with root privileges.
65 views•6 min read
•1 day ago•CVE-2026-48526
7.4CVE-2026-48526: Algorithm Confusion Vulnerability in PyJWT
CVE-2026-48526 is an algorithm-confusion vulnerability in PyJWT prior to version 2.13.0. When an application decodes tokens using a raw JSON Web Key (JWK) string while simultaneously supporting mixed algorithm families (symmetric and asymmetric), PyJWT does not validate that the key matches its intended algorithm context. This allows an attacker to sign a forged token using the public JWK string as an HMAC symmetric secret, bypassing authentication controls.
9 views•7 min read