8.7
CVE-2026-24848 - OpenEMR Arbitrary File Write leading to Remote Code Execution
OpenEMR is a free and open source electronic health records and medical practice management application. In 7.0.4 and earlier, the disposeDocument() method in EtherFaxActions.php allows authenticated users to write arbitrary content to arbitrary locations on the server filesystem. This vulnerabilitโฆ
9.8
CVE-2026-27012 - Unauthenticated privilege escalation in OpenSTAManager via modules/utenti/actions.php
OpenSTAManager is an open source management software for technical assistance and invoicing. In 2.9.8 and earlier, a privilege escalation and authentication bypass vulnerability in OpenSTAManager allows any attacker to arbitrarily change a user's group (idgruppo) by directly calling modules/utenti/โฆ
5.1
CVE-2026-24415 - OpenSTAManager affected by reflected XSS in modifica_iva.php via righe parameter
OpenSTAManager is an open source management software for technical assistance and invoicing. OpenSTAManager v2.9.8 and earlier contains Reflected XSS vulnerabilities in invoice/order/contract modification modals. The application fails to properly sanitize user-supplied input from the righe GET paraโฆ
5.1
CVE-2026-21866 - Dify - Stored XSS in chat
Dify is an open-source LLM app development platform. Prior to 1.11.2, Dify is vulnerable to a stored XSS issue when rendering Mermaid diagrams within chats. This occurs because Difyโs default Mermaid configuration uses securityLevel: loose, which allows potentially unsafe content to execute. This vโฆ
5.1
CVE-2026-3487 - itsourcecode College Management System class-result.php sql injection
A vulnerability was found in itsourcecode College Management System 1.0. This issue affects some unknown processing of the file /admin/class-result.php. Performing a manipulation of the argument course_code results in sql injection. The attack can be initiated remotely. The exploit has been made puโฆ
9.8
CVE-2026-3130 - Authenticated Users Can Delete CheckedโOut PAM Accounts via Bulk Delete
Improper Enforcement of Behavioral Controls inย Devolutions Server 2025.3.15 and earlier allows an authenticated attacker with the delete permission to delete a PAM account that is currently checked out by selecting it alongside at least one non-checked-out account and performing a bulk deletion.
9.8
CVE-2026-3204 - Error Message Spoofing via Crafted URL in Devolutions Server
Improper input validation in the error message page in Devolutions Server 2025.3.16 and earlier allows remote attackers to spoof the displayed error message via a specially crafted URL.
9.8
CVE-2026-2590 - Credential Persistence via Improper Password Saving Enforcement
Improper enforcement of the Disable password saving in vaults setting in the connection entry component in Devolutions Remote Desktop Manager 2025.3.30 and earlier allows an authenticated user to persist credentials in vault entries, potentially exposing sensitive information to other users, by โฆ
9.8
CVE-2026-3224 - Authentication Bypass via Forged JSON Web Token in Devolutions Server
Authentication bypass in the Microsoft Entra ID (Azure AD) authentication mode in Devolutions Server 2025.3.15.0 and earlier allows an unauthenticated user to authenticate as an arbitrary Entra ID user via a forged JSON Web Token (JWT).
8.8
CVE-2026-1775 - Missing Authentication for Critical Function in Labkotec LID-3300IP
The Labkotec LID-3300IP has an existing vulnerability in the ice detector software that enables an unauthenticated attacker to alter device parameters and run operational commands when specially crafted packets are sent to the device.