7
CVE-2026-41166 - OpenRemote has Improper Access Control via updateUserRealmRoles function
OpenRemote is an open-source internet-of-things platform. Prior to version 1.22.1, a user who has `write:admin` in one Keycloak realm can call the Manager API to update Keycloak realm roles for users in another realm, including `master`. The handler uses the `{realm}` path segment when talking to tβ¦
7.3
CVE-2026-41134 - Kiota: Code Generation Literal Injection
Kiota is an OpenAPI based HTTP Client code generator. Versions prior to 1.31.1 are affected by a code-generation literal injection vulnerability in multiple writer sinks (for example: serialization/deserialization keys, path/query parameter mappings, URL template metadata, enum/property metadata, aβ¦
8.3
CVE-2026-40937 - RustFS missing admin authorization on notification target endpoints, which allows unauthenticated cβ¦
RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-alpha.94, all four notification target admin API endpoints in `rustfs/src/admin/handlers/event.rs` use a `check_permissions` helper that validates authentication only (access key + session token), without performing any admβ¦
7.2
CVE-2026-33733 - EspoCRM has Admin TemplateManager path traversal that allows arbitrary file read write and delete
EspoCRM is an open source customer relationship management application. Prior to version 9.3.4, the admin template management endpoints accept attacker-controlled `name` and `scope` values and pass them into template path construction without normalization or traversal filtering. As a result, an auβ¦
9.1
CVE-2026-33656 - EspoCRM vulnerable to authenticated RCE via Formula with path traversal in attachment `sourceId`, eβ¦
EspoCRM is an open source customer relationship management application. Prior to version 9.3.4, EspoCRM's built-in formula scripting engine allowing updating attachment's sourceId thus allowing an authenticated admin to overwrite the `sourceId` field on `Attachment` entities. Because `sourceId` is β¦
6.8
CVE-2026-34068 - nimiq-transaction: UpdateValidator transactions allows voting key change without proof-of-knowledge
nimiq-transaction provides the transaction primitive to be used in Nimiq's Rust implementation. Prior to version 1.3.0, the staking contract accepts `UpdateValidator` transactions that set `new_voting_key=Some(...)` while omitting `new_proof_of_knowledge`. this skips the proof-of-knowledge requiremβ¦
4.6
CVE-2026-3837 - Frappe Framework 16.10.0 - Stored DOM XSS in Multiple Field Formatters
An authenticated attacker can persist crafted values in multiple field types and trigger client-side script execution when another user opens the affected document in Desk. The vulnerable formatter implementations interpolate stored values into raw HTML attributes and element content without escapiβ¦
3.1
CVE-2026-34067 - nimiq-transaction vulnerable to panic via `HistoryTreeProof` length mismatch
nimiq-transaction provides the transaction primitive to be used in Nimiq's Rust implementation. Prior to version 1.3.0, `HistoryTreeProof::verify` panics on a malformed proof where `history.len() != positions.len()` due to `assert_eq!(history.len(), positions.len())`. The proof object is derived frβ¦
5.3
CVE-2026-34066 - nimiq-blockchain: Peer-triggerable panic during history sync
nimiq-blockchain provides persistent block storage for Nimiq's Rust implementation. Prior to version 1.3.0, `HistoryStore::put_historic_txns` uses an `assert!` to enforce invariants about `HistoricTransaction.block_number` (must be within the macro block being pushed and within the same epoch). Durβ¦
7.5
CVE-2026-34065 - nimiq-primitives: Node crash due to missing interlink validation in election macro block proposals
nimiq-primitives contains primitives (e.g., block, account, transaction) to be used in Nimiq's Rust implementation. Prior to version 1.3.0, an untrusted p2p peer can cause a node to panic by announcing an election macro block whose `validators` set contains an invalid compressed BLS voting key. Hasβ¦