7.5
CVE-2026-29181 - OpenTelemetry-Go multi-value `baggage` header extraction causes excessive allocations (remote dos aβ¦
OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.36.0 to 1.40.0, multi-value baggage: header extraction parses each header field-value independently and aggregates members across values. This allows an attacker to amplify cpu and allocations by sending many baggage: header lines, β¦
2
CVE-2026-27949 - Plane Exposes User Email (PII and part of credential) in GET Parameter
Plane is an an open-source project management tool. Prior to 1.3.0, a vulnerability was identified in Plane's authentication flow where a user's email address is included as a query parameter in the URL during error handling (e.g., when an invalid magic code is submitted). Transmitting personally iβ¦
5.3
CVE-2026-39401 - Privilege Escalation via update_event Job Output in Cronicle
Cronicle is a multi-server task scheduler and runner, with a web based front-end UI. Prior to 0.9.111, jb child processes can include an update_event key in their JSON output. The server applies this directly to the parent event's stored configuration without any authorization check. A low-privilegβ¦
5.3
CVE-2026-39400 - Stored XSS via Job HTML/Table Output in Cronicle
Cronicle is a multi-server task scheduler and runner, with a web based front-end UI. Prior to 0.9.111, a non-admin user with create_events and run_events privileges can inject arbitrary JavaScript through job output fields (html.content, html.title, table.header, table.rows, table.caption). The serβ¦
9.4
CVE-2026-39397 - @delmaredigital/payload-puc is missing authorization on /api/puck/* CRUD endpoints allows unauthentβ¦
@delmaredigital/payload-puck is a PayloadCMS plugin for integrating Puck visual page builder. Prior to 0.6.23, all /api/puck/* CRUD endpoint handlers registered by createPuckPlugin() called Payload's local API with the default overrideAccess: true, bypassing all collection-level access control. Theβ¦
4.3
CVE-2026-39395 - Cosign's verify-blob-attestation reports false positive when payload parsing fails
Cosign provides code signing and transparency for containers and binaries. Prior to 3.0.6 and 2.6.3, cosign verify-blob-attestation may erroneously report a "Verified OK" result for attestations with malformed payloads or mismatched predicate types. For old-format bundles and detached signatures, tβ¦
6.9
CVE-2026-5741 - suvarchal docker-mcp-server HTTP index.ts pull_image os command injection
A weakness has been identified in suvarchal docker-mcp-server up to 0.1.0. The impacted element is the function stop_container/remove_container/pull_image of the file src/index.ts of the component HTTP Interface. This manipulation causes os command injection. The attack is possible to be carried ouβ¦
7.5
CVE-2026-39356 - SQL Injection via escapeName() in all Drizzle ORM SQL dialects
Drizzle is a modern TypeScript ORM. Prior to 0.45.2 and 1.0.0-beta.20, Drizzle ORM improperly escaped quoted SQL identifiers in its dialect-specific escapeName() implementations. In affected versions, embedded identifier delimiters were not escaped before the identifier was wrapped in quotes or bacβ¦
7
CVE-2025-14859 - Semtech LR11xx Secure Boot Bypass
The Semtech LR11xx LoRa transceivers implement secure boot functionality using digital signatures to authenticate firmware. However, the implementation uses a non-standard cryptographic hashing algorithm that is vulnerable to second preimage attacks. An attacker with physical access to the device cβ¦
5.1
CVE-2025-14858 - Semtech LR11xx Encrypted Firmware Disclosure
The Semtech LR11xx LoRa transceivers running early versions of firmware contains an information disclosure vulnerability in its firmware validation functionality. When a host issues a firmware validity check command via the SPI interface, the device decrypts the provided encrypted firmware package β¦