9.1
CVE-2026-41167 - Jellystat has SQL Injection that leads to to Remote Code Execution
Jellystat is a free and open source Statistics App for Jellyfin. Prior to version 1.1.10, multiple API endpoints in Jellystat build SQL queries by interpolating unsanitized request-body fields directly into raw SQL strings. An authenticated user can inject arbitrary SQL via `POST /api/getUserDetailโฆ
7.6
CVE-2026-40882 - OpenRemote has XXE in Velbus Asset Import
OpenRemote is an open-source internet-of-things platform. Prior to version 1.22.0, the Velbus asset import path parses attacker-controlled XML without explicit XXE hardening. An authenticated user who can call the import endpoint may trigger XML external entity processing, which can lead to server-โฆ
7
CVE-2026-41166 - OpenRemote has Improper Access Control via updateUserRealmRoles function
OpenRemote is an open-source internet-of-things platform. Prior to version 1.22.1, a user who has `write:admin` in one Keycloak realm can call the Manager API to update Keycloak realm roles for users in another realm, including `master`. The handler uses the `{realm}` path segment when talking to tโฆ
7.3
CVE-2026-41134 - Kiota: Code Generation Literal Injection
Kiota is an OpenAPI based HTTP Client code generator. Versions prior to 1.31.1 are affected by a code-generation literal injection vulnerability in multiple writer sinks (for example: serialization/deserialization keys, path/query parameter mappings, URL template metadata, enum/property metadata, aโฆ
8.3
CVE-2026-40937 - RustFS missing admin authorization on notification target endpoints, which allows unauthenticated cโฆ
RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-alpha.94, all four notification target admin API endpoints in `rustfs/src/admin/handlers/event.rs` use a `check_permissions` helper that validates authentication only (access key + session token), without performing any admโฆ
7.2
CVE-2026-33733 - EspoCRM has Admin TemplateManager path traversal that allows arbitrary file read write and delete
EspoCRM is an open source customer relationship management application. Prior to version 9.3.4, the admin template management endpoints accept attacker-controlled `name` and `scope` values and pass them into template path construction without normalization or traversal filtering. As a result, an auโฆ
9.1
CVE-2026-33656 - EspoCRM vulnerable to authenticated RCE via Formula with path traversal in attachment `sourceId`, eโฆ
EspoCRM is an open source customer relationship management application. Prior to version 9.3.4, EspoCRM's built-in formula scripting engine allowing updating attachment's sourceId thus allowing an authenticated admin to overwrite the `sourceId` field on `Attachment` entities. Because `sourceId` is โฆ
6.8
CVE-2026-34068 - nimiq-transaction: UpdateValidator transactions allows voting key change without proof-of-knowledge
nimiq-transaction provides the transaction primitive to be used in Nimiq's Rust implementation. Prior to version 1.3.0, the staking contract accepts `UpdateValidator` transactions that set `new_voting_key=Some(...)` while omitting `new_proof_of_knowledge`. this skips the proof-of-knowledge requiremโฆ
4.6
CVE-2026-3837 - Frappe Framework 16.10.0 - Stored DOM XSS in Multiple Field Formatters
An authenticated attacker can persist crafted values in multiple field types and trigger client-side script execution when another user opens the affected document in Desk. The vulnerable formatter implementations interpolate stored values into raw HTML attributes and element content without escapiโฆ
3.1
CVE-2026-34067 - nimiq-transaction vulnerable to panic via `HistoryTreeProof` length mismatch
nimiq-transaction provides the transaction primitive to be used in Nimiq's Rust implementation. Prior to version 1.3.0, `HistoryTreeProof::verify` panics on a malformed proof where `history.len() != positions.len()` due to `assert_eq!(history.len(), positions.len())`. The proof object is derived frโฆ