5.1
CVE-2026-35398 - WeGIA - Open Redirect - OrigemControle - listarTodos() & listarId_Nome() - Unvalidated $_GET['nextP…
WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarTodos & listarId_Nome and nomeClasse=Or…
5.1
CVE-2026-35396 - WeGIA - Open Redirect - IsaidaControle - listarId() - Unvalidated $_GET['nextPage']
WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarId and nomeClasse=IsaidaControle. The a…
8.8
CVE-2026-35395 - WeGIA has a SQL Injection in DespachoDAO.php via id_memorando parameter
WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, WeGIA (Web gerenciador para instituições assistenciais) contains a SQL injection vulnerability in dao/memorando/DespachoDAO.php. The id_memorando parameter is extracted from $_REQUEST without validation and directly interpolated in…
8.3
CVE-2026-35394 - Mobile Next has Arbitrary Android Intent Execution via mobile_open_url
Mobile Next is an MCP server for mobile development and automation. Prior to 0.0.50, the mobile_open_url tool in mobile-mcp passes user-supplied URLs directly to Android's intent system without any scheme validation, allowing execution of arbitrary Android intents, including USSD codes, phone calls…
9.8
CVE-2026-35393 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in goshs POST multip…
goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, the POST multipart upload directory is not sanitized. This vulnerability is fixed in 2.0.0-beta.3.
9.8
CVE-2026-35392 - goshs has an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in gosh…
goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, PUT upload in httpserver/updown.go has no path sanitization. This vulnerability is fixed in 2.0.0-beta.3.
5
CVE-2026-34972 - OpenFGA's BatchCheck within-request deduplication produces incorrect authorization decisions via li…
OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. From 1.8.0 to 1.13.1, under specific conditions, BatchCheck calls with multiple checks sent for the same object, relation, and user combination can result in improper pol…
5.1
CVE-2026-5683 - Tenda CX12L P2pListFilter fromP2pListFilter stack-based overflow
A vulnerability was found in Tenda CX12L 16.03.53.12. Affected by this vulnerability is the function fromP2pListFilter of the file /goform/P2pListFilter. Manipulation of the argument page results in a stack-based buffer overflow. The attack must originate from the local network. The expl…
8.7
CVE-2026-35391 - Bulwark Webmail getClientIP() trusted client-controlled X-Forwarded-For value, enabling rate limit …
Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, the getClientIP() function in lib/admin/session.ts trusted the first (leftmost) entry of the X-Forwarded-For header, which is fully controlled by the client. An attacker could forge their source IP address to…
5.3
CVE-2026-35390 - Content-Security-Policy was set to Report-Only mode, failing to block XSS attacks
Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, the reverse proxy (proxy.ts) set the Content-Security-Policy-Report-Only header instead of the enforcing Content-Security-Policy header. This means cross-site scripting (XSS) attacks were logged but not block…