5.7

CVSS3.1

CVE-2026-35451 - Twenty: Stored XSS via BlockNote FileBlock

Twenty is an open source CRM. Prior to 1.20.6, a Stored Cross-Site Scripting (XSS) vulnerability exists in the BlockNote editor component. Due to a lack of protocol validation in the FileBlock component and insufficient server-side inspection of block content, an attacker can inject a javascript: U…

📅 Published: April 21, 2026, 4:22 p.m. 🔄 Last Modified: April 22, 2026, 9:17 p.m.

3.3

CVSS3.1

CVE-2026-29179 - October: Editor Sub-Permission Bypass for Asset and Blueprint File Operations

October is a Content Management System (CMS) and web platform. Prior to 3.7.16 and 4.1.16, fine-grained sub-permission checks for asset and blueprint file operations were not enforced in the CMS and Tailor editor extensions. This only affects backend users who were explicitly granted editor access …

📅 Published: April 21, 2026, 4:19 p.m. 🔄 Last Modified: April 22, 2026, 9:08 p.m.

8.2

CVSS3.1

CVE-2026-24189 - Unauthenticated Out-of-Bounds Read in NVIDIA CUDA-Q Endpoint

NVIDIA CUDA-Q contains a vulnerability in an endpoint, where an unauthenticated attacker could cause an out-of-bounds read by sending a maliciously crafted request. A successful exploit of this vulnerability might lead to denial of service and information disclosure.

📅 Published: April 21, 2026, 4:17 p.m. 🔄 Last Modified: April 22, 2026, 9:24 p.m.

7.7

CVSS3.1

CVE-2026-24177 - Unauthorized API Access Leading to Information Disclosure in NVIDIA KAI Scheduler

NVIDIA KAI Scheduler contains a vulnerability where an attacker could access API endpoints without authorization. A successful exploit of this vulnerability might lead to information disclosure.

📅 Published: April 21, 2026, 4:17 p.m. 🔄 Last Modified: April 22, 2026, 9:24 p.m.

3.1

CVSS3.1

CVE-2026-27937 - October: Reflected XSS via DataTable Form Widget

October is a Content Management System (CMS) and web platform. Prior to 3.7.16 and 4.1.16, a reflected Cross-Site Scripting (XSS) vulnerability was identified in the backend DataTable widget where a query parameter was rendered without proper output escaping. This vulnerability is fixed in 3.7.16 a…

📅 Published: April 21, 2026, 4:17 p.m. 🔄 Last Modified: April 22, 2026, 9:08 p.m.

4.3

CVSS3.1

CVE-2026-24176 - Improper Authorization Enabling Data Tampering via Cross‑Namespace Pod References in NVIDIA KAI Sch…

NVIDIA KAI Scheduler contains a vulnerability where an attacker could cause improper authorization through cross-namespace pod references. A successful exploit of this vulnerability might lead to data tampering.

📅 Published: April 21, 2026, 4:17 p.m. 🔄 Last Modified: April 22, 2026, 9:24 p.m.

6.6

CVSS3.1

CVE-2026-26274 - October: Safe Mode Bypass via Twig Database Write Operations

October is a Content Management System (CMS) and web platform. Prior to 3.7.14 and 4.1.10, a vulnerability was identified in the Twig sandbox security policy that allowed database write operations when cms.safe_mode is enabled. Backend users with Developer permissions could use Twig template markup…

📅 Published: April 21, 2026, 4:16 p.m. 🔄 Last Modified: April 22, 2026, 9:08 p.m.

4.9

CVSS3.1

CVE-2026-26067 - October: Safe Mode Bypass via CSS Preprocessor Compilers

October is a Content Management System (CMS) and web platform. Prior to 3.7.14 and 4.1.10, a server-side information disclosure vulnerability was identified in the handling of CSS preprocessor files. Backend users with Editor permissions could craft .less, .sass, or .scss files that leverage the co…

📅 Published: April 21, 2026, 4:16 p.m. 🔄 Last Modified: April 22, 2026, 9:08 p.m.

9.3

CVSS4.0

CVE-2019-25714 - Seeyon Office Anywhere (OA) A8 Unauthenticated Arbitrary File Write via htmlofficeservlet

Seeyon OA A8 contains an unauthenticated arbitrary file write vulnerability in the /seeyon/htmlofficeservlet endpoint that allows remote attackers to write arbitrary files to the web application root by sending specially crafted POST requests with custom base64-encoded payloads. Attackers can write…

📅 Published: April 21, 2026, 4:11 p.m. 🔄 Last Modified: April 22, 2026, 9:20 p.m.

8.5

CVSS3.1

CVE-2026-40568 - FreeScout Vulnerable to XSS via Mailbox Signature Due to Incomplete HTML Sanitization

FreeScout is a free self-hosted help desk and shared mailbox. Versions prior to 1.8.213 have a stored cross-site scripting (XSS) vulnerability in the mailbox signature feature. The sanitization function `Helper::stripDangerousTags()` (`app/Misc/Helper.php:568`) uses an incomplete blocklist of only …

📅 Published: April 21, 2026, 4:08 p.m. 🔄 Last Modified: April 22, 2026, 9:10 p.m.
Total results: 346770