7

CVSS4.0

CVE-2026-27610 - Parse Dashboard Has a Cache Key Collision that Leaks Master Key to Read-Only Sessions

Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the `ConfigKeyCache` uses the same cache key for both master key and read-only master key when resolving function-typed keys. Under specific timing conditions, a read-only use…

📅 Published: Feb. 25, 2026, 2:19 a.m. 🔄 Last Modified: April 16, 2026, 4:30 p.m.

8.3

CVSS4.0

CVE-2026-27609 - Parse Dashboard Missing CSRF Protection on Agent Endpoint

Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the AI Agent API endpoint (`POST /apps/:appId/agent`) lacks CSRF protection. An attacker can craft a malicious page that, when visited by an authenticated dashboard user, subm…

📅 Published: Feb. 25, 2026, 2:18 a.m. 🔄 Last Modified: April 17, 2026, 3:45 p.m.

9.3

CVSS4.0

CVE-2026-27608 - Parse Dashboard Missing Authorization on Agent Endpoint

Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the AI Agent API endpoint (`POST /apps/:appId/agent`) does not enforce authorization. Authenticated users scoped to specific apps can access any other app's agent endpoint by …

📅 Published: Feb. 25, 2026, 2:16 a.m. 🔄 Last Modified: April 17, 2026, 3:45 p.m.

9.1

CVSS3.1

CVE-2026-27822 - Rust has Critical Stored XSS in Preview Modal, leading to Administrative Account Takeover

RustFS is a distributed object storage system built in Rust. Prior to version 1.0.0-alpha.83, a Stored Cross-Site Scripting (XSS) vulnerability in the RustFS Console allows an attacker to execute arbitrary JavaScript in the context of the management console. By bypassing the PDF preview logic, an a…

📅 Published: Feb. 25, 2026, 2:11 a.m. 🔄 Last Modified: April 18, 2026, 7:45 p.m.

8.1

CVSS3.1

CVE-2026-27607 - RustFS's Missing Post Policy Validation leads to Arbitrary Object Write

RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.56 through 1.0.0-alpha.82, RustFS does not validate policy conditions in presigned POST uploads (PostObject), allowing attackers to bypass content-length-range, starts-with, and Content-Type constraints. This enabl…

📅 Published: Feb. 25, 2026, 2:10 a.m. 🔄 Last Modified: April 17, 2026, 3:45 p.m.

8.8

CVSS4.0

CVE-2026-27606 - Rollup 4 has Arbitrary File Write via Path Traversal

Rollup is a module bundler for JavaScript. Versions prior to 2.80.0, 3.30.0, and 4.59.0 of the Rollup module bundler (specifically v4.x and present in current source) are vulnerable to an Arbitrary File Write via Path Traversal. Insecure file name sanitization in the core engine allows an attacker t…

📅 Published: Feb. 25, 2026, 2:08 a.m. 🔄 Last Modified: April 18, 2026, 11 a.m.

4.5

CVSS3.1

CVE-2026-25135 - OpenEMR's location resource for Group.$export operation returns entire patient/user population cont…

OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0 have an information disclosure vulnerability that leaks the entire contact information for all users, organizations, and patients in the system to anyone who has the syst…

📅 Published: Feb. 25, 2026, 2:02 a.m. 🔄 Last Modified: April 17, 2026, 3:45 p.m.

4.8

CVSS4.0

CVE-2026-3145 - libvips matrixload.c vips_foreign_load_matrix_header memory corruption

A flaw has been found in libvips up to 8.18.0. The affected element is the function vips_foreign_load_matrix_file_is_a/vips_foreign_load_matrix_header of the file libvips/foreign/matrixload.c. Executing a manipulation can lead to memory corruption. The attack needs to be launched locally. This patc…

📅 Published: Feb. 25, 2026, 2:02 a.m. 🔄 Last Modified: April 17, 2026, 3:45 p.m.

8.8

CVSS3.1

CVE-2026-25131 - OpenEMR has Broken Access Control in Procedures Configuration

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, a Broken Access Control vulnerability exists in the OpenEMR order types management system, allowing low-privilege users (such as Receptionist) to add and modify procedure…

📅 Published: Feb. 25, 2026, 1:55 a.m. 🔄 Last Modified: April 18, 2026, 5:45 p.m.

7

CVSS4.0

CVE-2026-25127 - OpenEMR has Broken Access Control on Care Coordination Module

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the server does not properly validate user permission. Unauthorized users can view the information of authorized users. Version 8.0.0 fixes the issue.

📅 Published: Feb. 25, 2026, 1:53 a.m. 🔄 Last Modified: April 17, 2026, 3:45 p.m.