7.1
CVE-2026-25147 - OpenEMR's Portal Payment Endpoint Trusts User-Controlled pid
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, in `portal/portal_payment.php`, the patient id used for the page is taken from the request (`$pid = $_REQUEST['pid'] ?? $pid` and `$pid = ($_REQUEST['hidden_patient_code'…
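The flaw above is a plain insecure direct object reference: the portal page believes whichever patient id the request carries instead of the id bound to the authenticated portal session. The following is an added illustration, not OpenEMR code; the `PAYMENTS` table, the `session`/`request` dictionaries and the handler names are constructed for the example, and only the first assignment (`pid` from the request overriding the session value) is taken from the advisory text.

```python
# Added example (not OpenEMR code): a request-supplied patient id must never
# override the id of the authenticated patient session.

# Constructed sample data: outstanding balances keyed by patient id.
PAYMENTS = {
    1: {"patient": "Alice", "balance_due": 120.00},
    2: {"patient": "Bob", "balance_due": 45.50},
}


class Forbidden(Exception):
    """Raised when the request tries to act on a patient other than the logged-in one."""


def _parse_pid(value):
    try:
        return int(value)
    except (TypeError, ValueError):
        raise Forbidden("pid is not a valid patient id")


def payment_page_vulnerable(session, request):
    """Mirrors the advisory's pattern: the request value wins over the session value,
    so any authenticated patient can view any other patient's balance."""
    pid = request.get("pid", session.get("pid"))
    pid = request.get("hidden_patient_code", pid)   # hypothetical second override, as in the advisory
    return PAYMENTS[_parse_pid(pid)]


def payment_page_fixed(session, request):
    """Bind the patient id to the authenticated session. A request-supplied id is
    accepted only when it equals the session id; anything else is rejected."""
    session_pid = session.get("pid")
    if session_pid is None:
        raise Forbidden("no authenticated patient in session")
    for key in ("pid", "hidden_patient_code"):
        if key in request and _parse_pid(request[key]) != session_pid:
            raise Forbidden(f"{key} does not match the logged-in patient")
    return PAYMENTS[session_pid]


def can_read_other_patient(handler):
    """Check used below: can patient 1's session fetch patient 2's record?"""
    try:
        return handler({"pid": 1}, {"pid": "2"})["patient"] == "Bob"
    except Forbidden:
        return False


if __name__ == "__main__":
    print("vulnerable handler leaks:", can_read_other_patient(payment_page_vulnerable))
    print("fixed handler leaks:     ", can_read_other_patient(payment_page_fixed))
```

The fix is not "validate the pid harder"; it is to stop reading the identity-bearing value from the request at all, or to reject any request value that disagrees with the session. The same rule applies to hidden form fields, which are as attacker-controlled as query parameters.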
6.5
CVE-2026-24488 - OpenEMR Vulnerable to Arbitrary File Exfiltration via Fax Endpoint
OpenEMR is a free and open source electronic health records and medical practice management application. In versions up to and including 8.0.0, an arbitrary file exfiltration vulnerability in the fax sending endpoint allows any authenticated user to read and transmit any file on the server (includi…
8.2
CVE-2026-2293 - NestJS 11.1.13 - Lack of data validation allowing authentication/authorization bypass
A NestJS application using @nestjs/platform-fastify can allow bypass of authentication/authorization middleware when Fastify path-normalization options are enabled. This issue affects NestJS 11.1.13.
8.7
CVE-2026-3304 - Multer vulnerable to Denial of Service via incomplete cleanup
Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability in Multer prior to version 2.1.0 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing resource exhaustion. Users should upgrade to version 2.1.0 to receive a patc…
8.7
CVE-2026-2359 - Multer vulnerable to Denial of Service via resource exhaustion
Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability in Multer prior to version 2.1.0 allows an attacker to trigger a Denial of Service (DoS) by dropping the connection during a file upload, potentially causing resource exhaustion. Users should upgrade to version 2.1.0 to re…
5.5
CVE-2026-3277 - Cleartext Storage of OIDC Client Secret in PowerShell Universal
The OpenID Connect (OIDC) authentication configuration in PowerShell Universal before 2026.1.3 stores the OIDC client secret in cleartext in the .universal/authentication.ps1 script, which allows an attacker with read access to that file to obtain the OIDC client credentials.
9.9
CVE-2026-2749 - Path traversal in Centreon Open Tickets
Path traversal vulnerability in Centreon Open Tickets (Centreon Open Tickets modules) on Central Server on Linux. This issue affects Centreon Open Tickets on Central Server: all versions before 25.10.3, 24.10.8 and 24.04.7.
9.1
CVE-2026-2750 - Command Injection via CLAPI generatetraps
Improper Input Validation vulnerability in Centreon Open Tickets (Centreon Open Tickets modules) on Central Server on Linux. This issue affects Centreon Open Tickets on Central Server: all versions before 25.10, 24.10 and 24.04.
4.8
CVE-2026-3327 - Authenticated DatoCMS Web Previews Plugin Iframe Injection
Authenticated iframe injection in the DatoCMS Web Previews plugin. This vulnerability permits a malicious authenticated user to circumvent the restriction enforced on the configured frontend URL, enabling the loading of arbitrary external resources or origins. This issue affects Web Previews < v1.0.31.
9.3
CVE-2025-15498 - SQL Injection in Pro3W CMS
Pro3W CMS is vulnerable to SQL injection attacks. Improper neutralization of input provided into a login form allows an unauthenticated attacker to bypass authentication and gain administrative privileges. This issue was identified in version 1.2.0 of this software. Due to lack of response from t…
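The entry above gives no details of the query, so the following is a generic illustration of the class of bug, added here and not taken from Pro3W CMS: a login check that concatenates the submitted username and password into SQL, next to the parameterized form that closes the bypass. The in-memory SQLite table, the `users` schema and the sample credential are constructed for the example.

```python
# Added example (not Pro3W CMS code): authentication bypass through a login
# form that builds its SQL by string concatenation, and the parameterized fix.
import sqlite3


def make_db():
    """Constructed sample data: one admin account in an in-memory SQLite database.
    A real application stores a password hash, not the password itself; plaintext
    is used here only so the injection mechanics stay visible."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)"
    )
    conn.execute(
        "INSERT INTO users (username, password, role) VALUES ('admin', 'correct-horse', 'admin')"
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Returns the role of the matched user, or None. The submitted values are
    spliced straight into the statement, so a quote in either field changes the
    query's structure."""
    sql = (
        "SELECT role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Same check with bound parameters: the driver sends the values separately
    from the statement, so they can never be parsed as SQL."""
    row = conn.execute(
        "SELECT role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Two classic payloads. The first comments out the password clause entirely;
# the second makes the WHERE clause a tautology so the first row (admin) matches.
BYPASS_USERNAME = "admin' --"
BYPASS_PASSWORD = "' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, username payload:   ", login_vulnerable(db, BYPASS_USERNAME, "x"))
    print("vulnerable, password payload:   ", login_vulnerable(db, "nobody", BYPASS_PASSWORD))
    print("parameterized, username payload:", login_parameterized(db, BYPASS_USERNAME, "x"))
    print("parameterized, password payload:", login_parameterized(db, "nobody", BYPASS_PASSWORD))
    print("parameterized, real credential: ", login_parameterized(db, "admin", "correct-horse"))
```

Escaping or filtering quotes is not the fix; the fix is that user input is never part of the statement text. With bound parameters the payload `admin' --` is simply a username nobody has, and the login fails as it should.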