5.3
CVE-2026-22052 - Authenticated Directory Listing Disclosure in ONTAP S3 NAS Buckets
ONTAP versions 9.12.1 and higher with S3 NAS buckets are susceptible to an information disclosure vulnerability. Successful exploit could allow an authenticated attacker to view a listing of the contents in a directory for which they lack permission.
9.3
CVE-2026-2833 - HTTP Request Smuggling via Premature Upgrade
An HTTP request smuggling vulnerability (CWE-444) was found in Pingora's handling of HTTP/1.1 connection upgrades. The issue occurs when a Pingora proxy reads a request containing an Upgrade header, causing the proxy to pass through the rest of the bytes on the connection to a backend before the baβ¦
4.8
CVE-2025-41257 - Suprema BioStar 2 Insecure Password Change
Supremaβs BioStar 2 in version 2.9.11.6 allows users to set new password without providing the current one. Exploiting this flaw combined with other vulnerabilities can lead to unauthorized account access and potential system compromise.
5.7
CVE-2026-2297 - SourcelessFileLoader does not use io.open_code()
The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire.
6.5
CVE-2026-29085 - Hono: SSE Control Field Injection via CR/LF in writeSSE()
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.12.4, when using streamSSE() in Streaming Helper, the event, id, and retry fields were not validated for carriage return (\r) or newline (\n) characters. Because the SSE protocol uses line breakβ¦
7.5
CVE-2026-29045 - Hono: Arbitrary file access via serveStatic vulnerability
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.12.4, when using serveStatic together with route-based middleware protections (e.g. app.use('/admin/*', ...)), inconsistent URL decoding allowed protected static resources to be accessed withoutβ¦
5.4
CVE-2026-29086 - Hono: Cookie Attribute Injection via Unsanitized domain and path in setCookie()
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.12.4, the setCookie() utility did not validate semicolons (;), carriage returns (\r), or newline characters (\n) in the domain and path options when constructing the Set-Cookie header. Because cβ¦
6.3
CVE-2026-26002 - OnDemand susceptible to malicious input when navigating to a directory.
Open OnDemand is an open-source high-performance computing portal. The Files application in OnDemand versions prior to 4.0.9 and 4.1.3 is susceptible to malicious input when navigating to a directory. This has been patched in versions 4.0.9 and 4.1.3. Versions below this remain susceptible.
8.5
CVE-2026-25750 - LangSmith Studio has URL Parameter Injection Vulnerability that Enables Token Theft via Malicious bβ¦
Langchain Helm Charts are Helm charts for deploying Langchain applications on Kubernetes. Prior to langchain-ai/helm version 0.12.71, a URL parameter injection vulnerability existed in LangSmith Studio that could allow unauthorized access to user accounts through stolen authentication tokens. The vβ¦
5.3
CVE-2026-22040 - NanoMQ 0.24.6 Use-After-Free Leading to Heap Corruption and Broker Crash
NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. In version 0.24.6, by generating a combined traffic pattern of high-frequency publishes and rapid reconnect/kick-out using the same ClientID and massive subscribe/unsubscribe jitter, it is possible to reliably trigger heap memoryβ¦