6.5
CVE-2026-40889 - Frappe HR has Improper Access Control on Files
Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.58.2 and 16.4.2, authenticated users can access unauthorized files by exploiting a certain API endpoint. Versions 15.58.2 and 16.4.2 contain a patch. No known workarounds are available.
6.5
CVE-2026-40888 - Frappe HR vulnerable to Improper Access Control
Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.58.1 and 16.4.1, an authenticated user with the default role can access unauthorized information by exploiting a certain API endpoint. Versions 15.58.1 and 16.4.1 contain a patch. No known workarounds are availab…
9.1
CVE-2026-40887 - @vendure/core has a SQL Injection vulnerability
Vendure is an open-source headless commerce platform. Starting in version 1.7.4 and prior to versions 2.3.4, 3.5.7, and 3.6.2, an unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query string parameter is interpolated directly into a raw SQL expression w…
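Added example (not Vendure's code) illustrating the class of bug above: a query-string value interpolated into raw SQL versus the same value bound as a parameter. The table, column names and `?` placeholder style are assumptions for illustration; the inputs are constructed. It also shows why quote-doubling is not a general fix: it does nothing for a value dropped into an unquoted numeric position.

```javascript
// Added example, not Vendure's code. Schema, placeholder style (`?`, as
// bound by drivers such as mysql2 or sqlite3) and inputs are assumptions.

// Vulnerable shape: the user value becomes part of the SQL text.
function searchSqlInterpolated(term) {
  return `SELECT id, name FROM product WHERE name LIKE '%${term}%' ORDER BY id`;
}

// Doubling quotes looks like a fix for the quoted-string case...
function escapeSqlQuotes(s) {
  return String(s).replace(/'/g, "''");
}
function searchSqlQuoteEscaped(term) {
  return `SELECT id, name FROM product WHERE name LIKE '%${escapeSqlQuotes(term)}%' ORDER BY id`;
}
// ...but is useless in an unquoted (numeric) context.
function priceFilterQuoteEscaped(minPrice) {
  return `SELECT id FROM product WHERE price > ${escapeSqlQuotes(minPrice)}`;
}

// Parameterised form: the SQL text is a constant and the value travels
// separately to the driver, which never re-parses it as SQL.
function searchSqlBound(term) {
  return {
    sql: 'SELECT id, name FROM product WHERE name LIKE ? ORDER BY id',
    params: [`%${term}%`],
  };
}
function priceFilterBound(minPrice) {
  const n = Number(minPrice);
  if (!Number.isFinite(n)) throw new TypeError('minPrice must be numeric');
  return { sql: 'SELECT id FROM product WHERE price > ?', params: [n] };
}

// Crude stand-in for the database's view: return only the SQL that lies
// outside single-quoted string literals ('' inside a literal is a quote).
function sqlOutsideLiterals(sql) {
  let out = '';
  let inStr = false;
  for (let i = 0; i < sql.length; i++) {
    const c = sql[i];
    if (inStr) {
      if (c === "'") {
        if (sql[i + 1] === "'") { i++; continue; } // escaped quote
        inStr = false;
      }
      continue;
    }
    if (c === "'") { inStr = true; continue; }
    out += c;
  }
  return out;
}

// Did user-controlled text end up as SQL logic rather than as a literal?
function hasInjectedLogic(sql) {
  return /\b(OR|UNION)\b|--|;/i.test(sqlOutsideLiterals(sql));
}

// Constructed attacker inputs.
const EVIL_TERM = "' OR 1=1 --";
const EVIL_NUMBER = '0 OR 1=1';
```

`hasInjectedLogic` is only a textual approximation of what the database parser would do; its point is to make the difference between the three builders checkable. The parameterised builders produce the same SQL text for every input, so there is nothing for the check to find.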
2.1
CVE-2026-40878 - mailcow-dockerized Login Page has Reflected Parameter Injection / Wrong-Context XSS Escaping
mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the mailcow web interface passes the raw `$_SERVER['REQUEST_URI']` to Twig as a global template variable and renders it inside a JavaScript string literal in the `setLang()` helper of `base.t…
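Added example (not mailcow's code) of the context problem named in the title: a request URI reflected into a JavaScript string literal inside an inline `<script>` has to be encoded for the JS context. Escaping quotes alone does not stop the HTML parser from ending the script element early, because it scans the raw script text for `</script>` before any JavaScript runs. The template shape, helper names and the attacker-controlled URI are all constructed for illustration.

```javascript
// Added example, not mailcow's code. Template shape and inputs are assumed.

// Quote-only escaping (the shape of PHP's addslashes): wrong for this context.
function escapeQuotesOnly(s) {
  return String(s).replace(/\\/g, '\\\\').replace(/'/g, "\\'");
}

// JS-string-literal encoder: JSON-encode, then neutralise the characters
// JSON leaves alone but the HTML parser or older JS engines care about.
function escapeJsString(s) {
  return JSON.stringify(String(s))
    .replace(/</g, '\\u003c')      // blocks </script> and <!--
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028') // line separators: newline in ES5 engines
    .replace(/\u2029/g, '\\u2029');
}

// Two renderings of the same template shape: the request URI placed in a
// JS string literal so a client-side helper can rebuild the URL.
function renderQuoteEscaped(requestUri) {
  return `<script>var next = '${escapeQuotesOnly(requestUri)}';</script>`;
}
function renderJsEscaped(requestUri) {
  return `<script>var next = ${escapeJsString(requestUri)};</script>`;
}

// Minimal stand-in for the HTML tokenizer: how many script elements does
// the page now open? The template intends exactly one.
function countScriptOpens(html) {
  return (html.match(/<script\b/gi) || []).length;
}

// The safe encoding is valid JSON, so it round-trips losslessly.
function roundTrip(s) {
  return JSON.parse(escapeJsString(s));
}

// Constructed attacker-controlled REQUEST_URI, as sent raw on the wire
// (the server does not URL-decode or normalise it before reflecting it).
const PAYLOAD_URI = '/login?lang=</script><script>alert(document.domain)</script>';
```

The usual way to get this right in a template engine is to let the engine apply its JavaScript escaping strategy for values placed in script context, rather than its HTML strategy or no strategy at all; `escapeJsString` above shows what that strategy has to cover.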
6.1
CVE-2026-33812 - Excessive memory allocation when decoding malicious SFNT in golang.org/x/image
Parsing a malicious font file can cause excessive memory allocation.
7.5
CVE-2026-33813 - Panic when decoding large WEBP image on 32-bit platforms in golang.org/x/image
Parsing a WEBP image with an invalid, large size panics on 32-bit platforms.
6.3
CVE-2026-40881 - Zebra: addr/addrv2 Deserialization Resource Exhaustion
ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.0 and zebra-network version 5.0.1, when deserializing addr or addrv2 messages, which contain vectors of addresses, Zebra would fully deserialize them up to a maximum length (over 233,000) that was derived from the 2 MiB mes…
9.1
CVE-2026-40372 - ASP.NET Core Elevation of Privilege Vulnerability
Improper verification of cryptographic signature in ASP.NET Core allows an unauthorized attacker to elevate privileges over a network.
7
CVE-2026-40875 - mailcow: dockerized vulnerable to stored XSS in user login history real_rip
mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the user dashboard's "Seen successful connections" (login history) renders the client IP from login logs without HTML escaping. Because the server trusts the X-Real-IP header as the source IP…
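Added example (not mailcow's code) of the two checks a practitioner would want here: honour X-Real-IP only when the TCP peer is a proxy you actually sit behind and the value parses as an IP, and HTML-escape the stored value again at render time. The trusted-proxy set, the row template and the requests are constructed assumptions.

```javascript
// Added example, not mailcow's code. Proxy addresses, header shape and
// the login-history row template are assumptions; inputs are constructed.

// Peers allowed to set X-Real-IP on our behalf (assumed deployment: one
// reverse proxy on the loopback interface).
const TRUSTED_PROXIES = new Set(['127.0.0.1', '::1']);

// Conservative syntactic allowlist: dotted-quad IPv4 or hex/colon IPv6 text.
// Deliberately strict rather than a full parser; anything else is treated
// as not-an-IP and is never stored verbatim.
function looksLikeIp(s) {
  const v4 = /^(25[0-5]|2[0-4]\d|1?\d?\d)(\.(25[0-5]|2[0-4]\d|1?\d?\d)){3}$/;
  const v6 = /^[0-9a-f:]{2,39}$/i;
  return v4.test(s) || (s.includes(':') && v6.test(s));
}

// remoteAddr is the TCP peer as seen by our socket; headers is a
// lower-cased header map. The header is honoured only when the peer is a
// trusted proxy and the value is an IP; otherwise the peer address is used.
function clientIp(remoteAddr, headers) {
  const real = (headers['x-real-ip'] || '').trim();
  if (TRUSTED_PROXIES.has(remoteAddr) && looksLikeIp(real)) return real;
  return remoteAddr;
}

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Login-history row: escape at the output boundary even though clientIp()
// already filtered, so a later change to the logging path cannot put
// markup into the dashboard.
function renderLoginRow(entry) {
  return `<tr><td>${escapeHtml(entry.time)}</td><td>${escapeHtml(entry.ip)}</td></tr>`;
}

// Constructed requests: a direct client spoofing the header, the same
// payload arriving via the trusted proxy, and a legitimate proxied client.
const SPOOF = '<img src=x onerror=alert(1)>';
const ipDirectSpoof = clientIp('203.0.113.7', { 'x-real-ip': SPOOF });
const ipProxiedSpoof = clientIp('127.0.0.1', { 'x-real-ip': SPOOF });
const ipProxiedOk = clientIp('127.0.0.1', { 'x-real-ip': '198.51.100.23' });
```

One deployment caveat: a Node socket behind a dual-stack listener reports the loopback peer as `::ffff:127.0.0.1`, so the trusted set has to contain the address form your runtime actually reports, or the comparison silently falls back to the peer address for every request.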
7.2
CVE-2026-40880 - Zebra: Cached Mempool Verification Bypasses Consensus Rules for Ahead-of-Tip Blocks
ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.1 and zebra-consensus version 5.0.2, a logic error in Zebra's transaction verification cache could allow a malicious miner to induce a consensus split. By carefully submitting a transaction that is valid for height H+1 but …