CVSS 3.1: 9.8

CVE-2026-28213 - EverShop Vulnerable to Arbitrary Customer Account Takeover via Exposure of Password Reset Token in …

EverShop is a TypeScript-first eCommerce platform. Versions prior to 2.1.1 have a vulnerability in the "Forgot Password" functionality. When specifying a target email address, the API response returns the password reset token. This allows an attacker to take over the associated account. Version 2.1…

📅 Published: Feb. 26, 2026, 10:31 p.m. 🔄 Last Modified: April 16, 2026, 4 p.m.

CVSS 3.1: 7.8

CVE-2026-28211 - Arbitrary code execution in log reader via untrusted log file

The NVDA Dev & Test Toolbox is an NVDA add-on for gathering tools to help NVDA development and testing. A vulnerability exists in versions 2.0 through 8.0 in the Log Reader feature of this add-on. A maliciously crafted log file can lead to arbitrary code execution when a user reads it with log read…

📅 Published: Feb. 26, 2026, 10:29 p.m. 🔄 Last Modified: April 16, 2026, 4 p.m.

CVSS 3.1: 5.9

CVE-2026-28208 - Junrar has arbitrary file write due to backslash path traversal bypass in LocalFolderExtractor on L…

Junrar is an open source java RAR archive library. Prior to version 7.5.8, a backslash path traversal vulnerability in `LocalFolderExtractor` allows an attacker to write arbitrary files with attacker-controlled content anywhere on the filesystem when a crafted RAR archive is extracted on Linux/Unix…

📅 Published: Feb. 26, 2026, 10:20 p.m. 🔄 Last Modified: April 16, 2026, 4 p.m.

CVSS 3.1: 6.6

CVE-2026-28207 - Zen-C Vulnerable to Command Injection via Malicious Output Filename

Zen C is a systems programming language that compiles to human-readable GNU C/C11. Prior to version 0.4.2, a command injection vulnerability (CWE-78) in the Zen C compiler allows local attackers to execute arbitrary shell commands by providing a specially crafted output filename via the `-o` comman…

📅 Published: Feb. 26, 2026, 10:17 p.m. 🔄 Last Modified: May 1, 2026, 2:38 p.m.

CVSS 4.0: 5.7

CVE-2026-27638 - ActualBudget missing authorization in sync endpoints allows cross-user budget file access in multi-…

Actual is a local-first personal finance tool. Prior to version 26.2.1, in multi-user mode (OpenID), the sync API endpoints (`/sync/*`) don't verify that the authenticated user owns or has access to the file being operated on. Any authenticated user can read, modify, and overwrite any other user's …

📅 Published: Feb. 26, 2026, 10:14 p.m. 🔄 Last Modified: April 16, 2026, 4 p.m.

CVSS 3.1: 4.3

CVE-2026-27839 - wger: IDOR in nutritional_values endpoints exposes private dietary data via direct ORM lookup

wger is a free, open-source workout and fitness manager. In versions up to and including 2.4, three `nutritional_values` action endpoints fetch objects via `Model.objects.get(pk=pk)`, a raw ORM call that bypasses the user-scoped queryset. Any authenticated user can read another user's private nutr…

📅 Published: Feb. 26, 2026, 10:07 p.m. 🔄 Last Modified: April 16, 2026, 4 p.m.

CVSS 3.1: 3.1

CVE-2026-27838 - wger: IDOR via user-unscoped cache keys on routine API actions exposes workout data

wger is a free, open-source workout and fitness manager. Five routine detail action endpoints check a cache before calling `self.get_object()`. In versions up to and including 2.4, cache keys are scoped only by `pk`; no user ID is included. When a victim has previously accessed their routine via th…

📅 Published: Feb. 26, 2026, 10:04 p.m. 🔄 Last Modified: April 16, 2026, 4 p.m.

CVSS 4.0: 5.3

CVE-2026-3264 - go2ismail Free-CRM Administrative redirect

A vulnerability was found in go2ismail Free-CRM up to commit b83c40a90726d5e58f0cc680ffdcaa28a03fb5d1. It affects unspecified functionality of the Administrative Interface component. Manipulation can lead to execution after redirect. The attack can be executed remotely. Th…

📅 Published: Feb. 26, 2026, 10:02 p.m. 🔄 Last Modified: April 18, 2026, 10:30 a.m.

CVSS 3.1: 4.3

CVE-2026-27835 - wger: IDOR in RepetitionsConfig and MaxRepetitionsConfig API leak other users' workout data

wger is a free, open-source workout and fitness manager. In versions up to and including 2.4, `RepetitionsConfigViewSet` and `MaxRepetitionsConfigViewSet` return all users' repetition config data because their `get_queryset()` calls `.all()` instead of filtering by the authenticated user. Any regis…

📅 Published: Feb. 26, 2026, 10 p.m. 🔄 Last Modified: April 17, 2026, 2:15 p.m.

CVSS 3.1: 4.3

CVE-2026-27457 - Weblate: Missing access control for the AddonViewSet API exposes all addon configurations

Weblate is a web based localization tool. Prior to version 5.16.1, the REST API's `AddonViewSet` (`weblate/api/views.py`, line 2831) uses `queryset = Addon.objects.all()` without overriding `get_queryset()` to scope results by user permissions. This allows any authenticated user (or anonymous users…

📅 Published: Feb. 26, 2026, 9:56 p.m. 🔄 Last Modified: April 17, 2026, 2:15 p.m.