5.1

CVSS4.0

CVE-2026-27746 - SPIP jeux < 4.1.1 Reflected XSS via index Parameters

The SPIP jeux plugin versions prior to 4.1.1 contain a reflected cross-site scripting (XSS) vulnerability in the pre_propre pipeline. The plugin incorporates untrusted request parameters into HTML output without proper output encoding, allowing attackers to inject arbitrary script content into page…

📅 Published: Feb. 25, 2026, 3:07 a.m. 🔄 Last Modified: April 16, 2026, 4:30 p.m.

7.1

CVSS4.0

CVE-2026-27747 - SPIP interface_traduction_objets < 2.2.2 Authenticated SQL Injection

The SPIP interface_traduction_objets plugin versions prior to 2.2.2 contain an authenticated SQL injection vulnerability in interface_traduction_objets_pipelines.php. When handling translation requests, the plugin reads the id_parent parameter from user-supplied input and concatenates it directly i…

📅 Published: Feb. 25, 2026, 3:07 a.m. 🔄 Last Modified: April 16, 2026, 4:30 p.m.

4.8

CVSS4.0

CVE-2026-3146 - libvips matrixload.c vips_foreign_load_matrix_header null pointer dereference

A vulnerability has been found in libvips up to 8.18.0. The impacted element is the function vips_foreign_load_matrix_header of the file libvips/foreign/matrixload.c. The manipulation leads to null pointer dereference. The attack needs to be performed locally. The identifier of the patch is d4ce337…

📅 Published: Feb. 25, 2026, 3:02 a.m. 🔄 Last Modified: April 17, 2026, 3:30 p.m.

5.2

CVSS3.1

CVE-2025-5781 - Information Exposure Vulnerability in Hitachi Configuration Manager, Hitachi Ops Center API Configu…

Information Exposure Vulnerability in Hitachi Ops Center API Configuration Manager, Hitachi Configuration Manager, Hitachi Device Manager allows Session Hijacking. This issue affects Hitachi Ops Center API Configuration Manager: from 10.0.0-00 before 11.0.5-00; Hitachi Configuration Manager: from 8.…

📅 Published: Feb. 25, 2026, 3:01 a.m. 🔄 Last Modified: Feb. 27, 2026, 3:23 a.m.

2.6

CVSS3.1

CVE-2026-27632 - Talishar Vulnerable to Cross-Site Request Forgery (CSRF)

Talishar is a fan-made Flesh and Blood project. Prior to commit 6be3871a14c192d1fb8146cdbc76f29f27c1cf48, the Talishar application lacks Cross-Site Request Forgery (CSRF) protections on critical state-changing endpoints, specifically within `SubmitChat.php` and other game interaction handlers. By f…

📅 Published: Feb. 25, 2026, 2:52 a.m. 🔄 Last Modified: April 18, 2026, 11 a.m.

5.9

CVSS3.1

CVE-2026-27629 - InvenTree Vulnerable to Server Side Template Injection (SSTI)

InvenTree is an Open Source Inventory Management System. Prior to version 1.2.3, insecure server-side templates can be hijacked to expose secure information to the client. When generating custom batch codes, the InvenTree server makes use of a customizable jinja2 template, which can be modified by …

📅 Published: Feb. 25, 2026, 2:48 a.m. 🔄 Last Modified: April 18, 2026, 11 a.m.

1.2

CVSS4.0

CVE-2026-27628 - pypdf has a possible infinite loop when loading circular /Prev entries in cross-reference streams

pypdf is a free and open-source pure-python PDF library. Prior to 6.7.2, an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires reading the file. This has been fixed in pypdf 6.7.2. As a workaround, one may apply the patch manually.

📅 Published: Feb. 25, 2026, 2:45 a.m. 🔄 Last Modified: April 16, 2026, 4:30 p.m.

10

CVSS3.1

CVE-2026-27626 - OliveTin vulnerable to OS Command Injection via `password` argument type and webhook JSON extractio…

OliveTin gives access to predefined shell commands from a web interface. In versions up to and including 3000.10.0, OliveTin's shell mode safety check (`checkShellArgumentSafety`) blocks several dangerous argument types but not `password`. A user supplying a `password`-typed argument can inject she…

📅 Published: Feb. 25, 2026, 2:43 a.m. 🔄 Last Modified: April 18, 2026, 11 a.m.

6.1

CVSS3.1

CVE-2026-27612 - Repostat Vulnerable to Reflected Cross-Site Scripting (XSS) via repo prop in RepoCard

Repostat is a React component to fetch and display GitHub repository info. Prior to version 1.0.1, the `RepoCard` component is vulnerable to Reflected Cross-Site Scripting (XSS). The vulnerability occurs because the component uses React's `dangerouslySetInnerHTML` to render the repository name (`re…

📅 Published: Feb. 25, 2026, 2:38 a.m. 🔄 Last Modified: April 17, 2026, 3:45 p.m.

6.8

CVSS4.0

CVE-2026-27621 - TypiCMS Core has Stored Cross-Site Scripting (XSS) via SVG File Upload

TypiCMS is a multilingual content management system based on the Laravel framework. A Stored Cross-Site Scripting (XSS) vulnerability exists in the file upload module of TypiCMS prior to version 16.1.7. The application allows users with file upload permissions to upload SVG files. While there is a …

📅 Published: Feb. 25, 2026, 2:36 a.m. 🔄 Last Modified: April 18, 2026, 11 a.m.