9.3
CVE-2026-27743 - SPIP referer_spam <= 1.2.1 Unauthenticated SQL Injection
The SPIP referer_spam plugin versions prior to 1.3.0 contain an unauthenticated SQL injection vulnerability in the referer_spam_ajouter and referer_spam_supprimer action handlers. The handlers read the url parameter from a GET request and interpolate it directly into SQL LIKE clauses without input …
9.3
CVE-2026-27744 - SPIP tickets < 4.3.3 Unauthenticated RCE
The SPIP tickets plugin versions prior to 4.3.3 contain an unauthenticated remote code execution vulnerability in the forum preview handling for public ticket pages. The plugin appends untrusted request parameters into HTML that is later rendered by a template using unfiltered environment rendering…
8.7
CVE-2026-27745 - SPIP interface_traduction_objets < 2.2.2 Authenticated RCE
The SPIP interface_traduction_objets plugin versions prior to 2.2.2 contain an authenticated remote code execution vulnerability in the translation interface workflow. The plugin incorporates untrusted request data into a hidden form field that is rendered without SPIP output filtering. Because fie…
5.1
CVE-2026-27746 - SPIP jeux < 4.1.1 Reflected XSS via index Parameters
The SPIP jeux plugin versions prior to 4.1.1 contain a reflected cross-site scripting (XSS) vulnerability in the pre_propre pipeline. The plugin incorporates untrusted request parameters into HTML output without proper output encoding, allowing attackers to inject arbitrary script content into page…
7.1
CVE-2026-27747 - SPIP interface_traduction_objets < 2.2.2 Authenticated SQL Injection
The SPIP interface_traduction_objets plugin versions prior to 2.2.2 contain an authenticated SQL injection vulnerability in interface_traduction_objets_pipelines.php. When handling translation requests, the plugin reads the id_parent parameter from user-supplied input and concatenates it directly i…
4.8
CVE-2026-3146 - libvips matrixload.c vips_foreign_load_matrix_header null pointer dereference
A vulnerability has been found in libvips up to 8.18.0. The impacted element is the function vips_foreign_load_matrix_header of the file libvips/foreign/matrixload.c. The manipulation leads to null pointer dereference. The attack needs to be performed locally. The identifier of the patch is d4ce337…
5.2
CVE-2025-5781 - Information Exposure Vulnerability in Hitachi Configuration Manager, Hitachi Ops Center API Configu…
Information Exposure Vulnerability in Hitachi Ops Center API Configuration Manager, Hitachi Configuration Manager, Hitachi Device Manager allows Session Hijacking. This issue affects Hitachi Ops Center API Configuration Manager: from 10.0.0-00 before 11.0.5-00; Hitachi Configuration Manager: from 8.…
2.6
CVE-2026-27632 - Talishar Vulnerable to Cross-Site Request Forgery (CSRF)
Talishar is a fan-made Flesh and Blood project. Prior to commit 6be3871a14c192d1fb8146cdbc76f29f27c1cf48, the Talishar application lacks Cross-Site Request Forgery (CSRF) protections on critical state-changing endpoints, specifically within `SubmitChat.php` and other game interaction handlers. By f…
5.9
CVE-2026-27629 - InvenTree Vulnerable to Server Side Template Injection (SSTI)
InvenTree is an Open Source Inventory Management System. Prior to version 1.2.3, insecure server-side templates can be hijacked to expose secure information to the client. When generating custom batch codes, the InvenTree server makes use of a customizable jinja2 template, which can be modified by …
1.2
CVE-2026-27628 - pypdf has a possible infinite loop when loading circular /Prev entries in cross-reference streams
pypdf is a free and open-source pure-python PDF library. Prior to 6.7.2, an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires reading the file. This has been fixed in pypdf 6.7.2. As a workaround, one may apply the patch manually.