9.4
CVE-2026-24834 - Kata Container to Guest micro VM privilege escalation
Kata Containers is an open source project focusing on a standard implementation of lightweight Virtual Machines (VMs) that perform like containers. In versions prior to 3.27.0, an issue in Kata with Cloud Hypervisor allows a user of the container to modify the file system used by the Guest micro VM…
8.7
CVE-2026-26336 - Hyland Alfresco Improper Authorization Arbitrary File Read
Hyland Alfresco allows unauthenticated attackers to read arbitrary files from protected directories (like WEB-INF) via the "/share/page/resource/" endpoint, thus leading to the disclosure of sensitive configuration files.
9.2
CVE-2026-26016 - Pterodactyl Panel Allows Cross-Node Server Configuration Disclosure via Remote API Missing Authoriz…
Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Prior to version 1.12.1, a missing authorization check in multiple controllers allows any user with access to a node secret token to fetch information about any server on a Pterodactyl instance, eve…
8.7
CVE-2026-25998 - strongMan vulnerable to private credential recovery due to key and counter reuse
strongMan is a management interface for strongSwan, an OpenSource IPsec-based VPN. When storing credentials in the database (private keys, EAP secrets), strongMan encrypts the corresponding database fields. So far it used AES in CTR mode with a global database key. Together with an initialization v…
5.3
CVE-2026-25766 - Echo has a Windows path traversal via backslash in middleware.Static default filesystem
Echo is a Go web framework. In versions 5.0.0 through 5.0.2 on Windows, Echo's `middleware.Static` using the default filesystem allows path traversal via backslashes, enabling unauthenticated remote file read outside the static root. In `middleware/static.go`, the requested path is unescaped and no…
5.4
CVE-2026-25739 - Indico affected by Cross-Site-Scripting via material uploads
Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Versions prior to 3.3.10 are vulnerable to cross-site scripting when uploading certain file types as materials. Users should upgrade to version 3.3.10 to receive a patch. To apply the fi…
6.9
CVE-2026-25738 - Indico has Server-Side Request Forgery (SSRF) in multiple places
Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Versions prior to 3.3.10 are vulnerable to server-side request forgery. Indico makes outgoing requests to user-provided URLs in various places. This is mostly intentional and part of Ind…
8.1
CVE-2026-25940 - jsPDF's PDF Injection in AcroForm module allows Arbitrary JavaScript Execution (RadioButton.createO…
jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to one of the following properties, a user can …
5.1
CVE-2026-26223 - SPIP < 4.4.8 Cross-Site Scripting via Iframe Tags in Private Area
SPIP before 4.4.8 allows cross-site scripting (XSS) in the private area via malicious iframe tags. The application does not properly sandbox or escape iframe content in the back-office, allowing an attacker to inject and execute malicious scripts. The fix adds a sandbox attribute to iframe tags in …
8.6
CVE-2026-26345 - SPIP < 4.4.8 Cross-Site Scripting in Public Area
SPIP before 4.4.8 contains a stored cross-site scripting (XSS) vulnerability in the public area triggered in certain edge-case usage patterns. The echapper_html_suspect() function does not adequately sanitize user-controlled content, allowing authenticated users with content-editing privileges (e.g…