6.9
CVE-2025-20628 - Insufficient granularity of access control for Remote Connector Servers in client mode
An insufficient granularity of access control vulnerability exists in PingIDM (formerly ForgeRock Identity Management) where administrators cannot properly configure access rules for Remote Connector Servers (RCS) running in client mode. This means attackers can spoof a client-mode RCS (if one exis…
6.9
CVE-2026-39936 - Stored XSS in Score due to usage of non-reserved data attributes
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in The Wikimedia Foundation Mediawiki - Score Extension allows Cross-Site Scripting (XSS). This issue affects Mediawiki - Score Extension.
6.9
CVE-2026-39935 - XSS-via-i18n in localised wiki names
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in The Wikimedia Foundation Mediawiki - CampaignEvents Extension allows Cross-Site Scripting (XSS). This issue was remediated only on the `master` branch.
0.0
CVE-2026-31789 - Heap Buffer Overflow in Hexadecimal Conversion
Issue summary: Converting an excessively large OCTET STRING value to a hexadecimal string leads to a heap buffer overflow on 32 bit platforms. Impact summary: A heap buffer overflow may lead to a crash or possibly an attacker controlled code execution or other undefined behavior. If an attacker c…
7.5
CVE-2026-28390 - Possible NULL Dereference When Processing CMS KeyTransportRecipientInfo
Issue summary: During processing of a crafted CMS EnvelopedData message with KeyTransportRecipientInfo a NULL pointer dereference can happen. Impact summary: Applications that process attacker-controlled CMS data may crash before authentication or cryptographic operations occur resulting in Denial…
0.0
CVE-2026-28387 - Potential Use-after-free in DANE Client Code
Issue summary: An uncommon configuration of clients performing DANE TLSA-based server authentication, when paired with uncommon server DANE TLSA records, may result in a use-after-free and/or double-free on the client side. Impact summary: A use after free can have a range of potential consequence…
6.9
CVE-2026-39934 - Growth Experiments ReassignMenteesJob runs as an infinite loop
Loop with unreachable exit condition ('infinite loop') vulnerability in The Wikimedia Foundation Mediawiki - GrowthExperiments Extension allows Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions. This issue affects Mediawiki - GrowthExperiments Extension: 1.45.2, 1.44.4, 1.43.7.
10
CVE-2026-39933 - Multiple XSS vulnerabilities in GlobalWatchlist
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in The Wikimedia Foundation Mediawiki - GlobalWatchlist Extension allows Cross-Site Scripting (XSS). This issue affects non release branches.
8.8
CVE-2026-39937 - Global vanishing does not completely remove user email
Improper removal of sensitive information before storage or transfer vulnerability in The Wikimedia Foundation Mediawiki - CentralAuth Extension allows Resource Leak Exposure. This issue affects non release branches.
9.1
CVE-2026-39847 - Emmett has a path traversal in internal assets handler
Emmett is a full-stack Python web framework designed with simplicity. From 2.5.0 to before 2.8.1, the RSGI static handler for Emmett's internal assets (/__emmett__ paths) is vulnerable to path traversal attacks. An attacker can use ../ sequences (e.g. /__emmett__/../rsgi/handlers.py) to read arbitrar…