2.1
CVE-2026-35200 - Parse Server has a file upload Content-Type override via extension mismatch
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.73 and 9.7.1-alpha.4, a file can be uploaded with a filename extension that passes the file extension allowlist (e.g., .txt) but with a Content-Type header that differs from the exteβ¦
6.3
CVE-2026-5682 - Meesho Online Shopping App com.meesho.supply endpoint risky encryption
A vulnerability has been found in Meesho Online Shopping App up to 27.3 on Android. Affected is an unknown function of the file /api/endpoint of the component com.meesho.supply. Such manipulation leads to risky cryptographic algorithm. The attack may be performed from remote. The attack requires a β¦
6.1
CVE-2026-35199 - SymCrypt SymCryptXmssSign function - Heap overflow via 64->32-bit leaf-count truncation
SymCrypt is the core cryptographic function library currently used by Windows. From 103.5.0 to before 103.11.0, The SymCryptXmssSign function passes a 64-bit leaf count value to a helper function that accepts a 32-bit parameter. For XMSS^MT parameter sets with total tree height >= 32 (which includeβ¦
6.6
CVE-2026-35197 - Code injection in dye template expressions
dye is a portable and respectful color library for shell scripts. Prior to 1.1.1, certain dye template expressions would result in execution of arbitrary code. This issue was discovered and fixed by dye's author, and is not known to be exploited. This vulnerability is fixed in 1.1.1.
9.3
CVE-2026-35459 - pyLoad has SSRF fix bypass via HTTP redirect
pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, pyLoad has a server-side request forgery (SSRF) vulnerability. The fix for CVE-2026-33992 added IP validation to BaseDownloader.download() that checks the hostname of the initial download URL. Howeverβ¦
7.7
CVE-2026-35187 - pyLoad has SSRF in parse_urls API endpoint via unvalidated URL parameter
pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, the parse_urls API function in src/pyload/core/api/__init__.py fetches arbitrary URLs server-side via get_url(url) (pycurl) without any URL validation, protocol restriction, or IP blacklist. An authenβ¦
8.7
CVE-2026-35185 - HAX CMS's public /server-status endpoint exposes authentication tokens, user activity, and client Iβ¦
HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to 25.0.0, the /server-status endpoint is publicly accessible and exposes sensitive information including authentication tokens (user_token), user activity, client IP addresses, and server configuration details. This allows β¦
8.7
CVE-2026-35184 - EcclesiaCRM has a Critical SQL Injection
EcclesiaCRM is CRM Software for church management. Prior to 8.0.0, there is a SQL injection vulnerability in v2/templates/query/queryview.php via the custom and value parameters. This vulnerability is fixed in 8.0.0.
5.3
CVE-2026-5681 - itsourcecode sanitize or validate this input Parameter borrowedequip.php sql injection
A flaw has been found in itsourcecode sanitize or validate this input 1.0. This impacts an unknown function of the file /borrowedequip.php of the component Parameter Handler. This manipulation of the argument emp_id causes sql injection. The attack is possible to be carried out remotely. The exploiβ¦
7.1
CVE-2026-35183 - Brave CMS has an Insecure Direct Object Reference in Article Image Deletion
Brave CMS is an open-source CMS. Prior to 2.0.6, an Insecure Direct Object Reference (IDOR) vulnerability exists in the article image deletion feature. It is located in app/Http/Controllers/Dashboard/ArticleController.php within the deleteImage method. The endpoint accepts a filename from the URL bβ¦