CVSS 3.1 score: 7.5

CVE-2026-27959 - Koa has Host Header Injection via `ctx.hostname`

Koa is middleware for Node.js using ES2017 async functions. Prior to versions 3.1.2 and 2.16.4, Koa's `ctx.hostname` API performs naive parsing of the HTTP Host header, extracting everything before the first colon without validating the input conforms to RFC 3986 hostname syntax. When a malformed H…

📅 Published: Feb. 26, 2026, 1:45 a.m. 🔄 Last Modified: April 17, 2026, 2:45 p.m.

CVSS 4.0 score: 4.9

CVE-2026-27954 - LiveHelperChat has department-level authorization bypass in holdaction, blockuser, and transferchat…

Live Helper Chat is an open-source application that enables live support websites. In versions up to and including 4.52, three chat action endpoints (holdaction.php, blockuser.php, and transferchat.php) load chat objects by ID without calling `erLhcoreClassChat::hasAccessToRead()`, allowing operat…

📅 Published: Feb. 26, 2026, 1:42 a.m. 🔄 Last Modified: April 17, 2026, 2:45 p.m.

CVSS 3.1 score: 8.8

CVE-2026-27961 - Agenta's Server-Side Template Injection (SSTI) via custom evaluator Jinja2 templates allows RCE

Agenta is an open-source LLMOps platform. A Server-Side Template Injection (SSTI) vulnerability exists in versions prior to 0.86.8 in Agenta's API server evaluator template rendering. Although the vulnerable code lives in the SDK package, it is executed server-side within the API process when runni…

📅 Published: Feb. 26, 2026, 1:39 a.m. 🔄 Last Modified: April 18, 2026, 10:30 a.m.

CVSS 3.1 score: 8.8

CVE-2026-27952 - Agenta has Python Sandbox Escape, Leading to Remote Code Execution (RCE)

Agenta is an open-source LLMOps platform. In Agenta-API prior to version 0.48.1, a Python sandbox escape vulnerability existed in Agenta's custom code evaluator. Agenta used RestrictedPython as a sandboxing mechanism for user-supplied evaluator code, but incorrectly whitelisted the `numpy` package …

📅 Published: Feb. 26, 2026, 1:38 a.m. 🔄 Last Modified: April 17, 2026, 2:45 p.m.

CVSS 3.1 score: 5.4

CVE-2026-27948 - Copyparty vulnerable to reflected cross-site scripting via setck parameter

Copyparty is a portable file server. In versions prior to 1.20.9, a reflected cross-site scripting (XSS) vulnerability exists via the URL parameter `?setck=...`. Version 1.20.9 fixes the issue.

📅 Published: Feb. 26, 2026, 1:32 a.m. 🔄 Last Modified: April 18, 2026, 5:45 p.m.

CVSS 3.1 score: 6.5

CVE-2026-27943 - OpenEMR's Eye Exam View Trusts form_id Without Verifying Patient/Encounter Ownership

OpenEMR is a free and open source electronic health records and medical practice management application. In versions up to and including 8.0.0, the eye exam (eye_mag) view loads data by `form_id` (or equivalent) without verifying that the form belongs to the current user’s patient/encounter context…

📅 Published: Feb. 26, 2026, 1:30 a.m. 🔄 Last Modified: April 18, 2026, 10:30 a.m.

CVSS 3.1 score: 4.4

CVE-2026-2499 - Custom Logo <= 2.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via Logo Path Setti…

The Custom Logo plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and abo…

📅 Published: Feb. 26, 2026, 1:24 a.m. 🔄 Last Modified: April 15, 2026, 12:35 a.m.

CVSS 3.1 score: 6.4

CVE-2026-2029 - Livemesh Addons for Beaver Builder <= 3.9.2 - Authenticated (Contributor+) Stored Cross-Site Script…

The Livemesh Addons for Beaver Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `[labb_pricing_item]` shortcode's `title` and `value` attributes in all versions up to, and including, 3.9.2 due to insufficient input sanitization and output escaping. Specifically, the…

📅 Published: Feb. 26, 2026, 1:24 a.m. 🔄 Last Modified: April 15, 2026, 12:35 a.m.

CVSS 3.1 score: 4.4

CVE-2026-2489 - TP2WP Importer <= 1.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Watched dom…

The TP2WP Importer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Watched domains' textarea on the attachment importer settings page in all versions up to, and including, 1.1. This is due to insufficient input sanitization and output escaping when domains are saved via A…

📅 Published: Feb. 26, 2026, 1:24 a.m. 🔄 Last Modified: April 15, 2026, 8:15 p.m.

CVSS 3.1 score: 4.4

CVE-2026-2498 - WP Social Meta <= 1.0.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via Settings

The WP Social Meta plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions an…

📅 Published: Feb. 26, 2026, 1:24 a.m. 🔄 Last Modified: April 16, 2026, midnight