7.1
CVE-2026-27832 - Group-Office Has Authenticated SQL Injection in advancedQueryData.comparator
Group-Office is an enterprise customer relationship management and groupware tool. Versions prior to 26.0.8, 25.0.87, and 6.8.153 have a SQL Injection (SQLi) vulnerability, exploitable through the `advancedQueryData` parameter (`comparator` field) on an authenticated endpoint. The endpoint `index.pβ¦
5.3
CVE-2026-27824 - calibre has IP Ban Bypass via X-Forwarded-For Header Spoofing
calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.4.0, the calibre Content Server's brute-force protection mechanism uses a ban key derived from both `remote_addr` and the `X-Forwarded-For` header. Since the `X-Forwarded-For` heaβ¦
6.4
CVE-2026-27810 - calibre Vulnerable to HTTP Response Header Injection
calibre is a cross-platform e-book manager for viewing, converting, editing, and cataloging e-books. Prior to version 9.4.0, an HTTP Response Header Injection vulnerability in the calibre Content Server allows any authenticated user to inject arbitrary HTTP headers into server responses via an unsaβ¦
6.5
CVE-2026-27734 - Beszel Vulnerable to Docker API Path Traversal via Unsanitized Container ID
Beszel is a server monitoring platform. Prior to version 0.18.2, the hub's authenticated API endpoints GET /api/beszel/containers/logs and GET /api/beszel/containers/info pass the user-supplied "container" query parameter to the agent without validation. The agent constructs Docker Engine API URLs β¦
6.5
CVE-2026-27793 - Seerr has Broken Object-Level Authorization in User Profile Endpoint that Exposes Third-Party Notifβ¦
Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. Prior to version 3.1.0, the `GET /api/v1/user/:id` endpoint returns the full settings object for any user, including Pushover, Pushbullet, and Telegram credentials, to any authenticated requester regardless ofβ¦
5.4
CVE-2026-27792 - Seerr missing authentication on pushSubscription endpoints
Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. A missing authorization vulnerability has been identified in the application starting in version 2.7.0 and prior to version 3.1.0. It allows authenticated users to access and modify data belonging to other useβ¦
7.3
CVE-2026-27707 - Plex-configured Seerr instances vulnerable to unauthenticated account registration via Jellyfin autβ¦
Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. Starting in version 2.0.0 and prior to version 3.1.0, an authentication guard logic flaw in `POST /api/v1/auth/jellyfin` allows an unauthenticated attacker to register a new Seerr account on any Plex-configureβ¦
5.7
CVE-2026-28354 - ClipBucket v5 has IDOR in Collection Item Management
ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 #59, collection item operations are vulnerable to authorization flaws, allowing a normal authenticated user to modify another userβs collection items. This affects both add item (/actions/add_to_collection.php) due to miβ¦
2
CVE-2026-26997 - ClipBucket v5 has Stored XSS via Collection name
ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 #59, a normal authenticated user can store the XSS payload. The payload is triggered by administrator. Version 5.5.3 #59 fixes the issue.
2.7
CVE-2026-22717 - VMware Workstation out-of-bound read vulnerability
Out-of-bound read vulnerability in VMware Workstation 25H1 and below on any platform allows an actor with non-administrative privileges on a guest VM to obtain limited information disclosure from the machine where VMware Workstation is installed.