1.3
CVE-2026-27465 - Fleet: Sensitive Google Calendar credentials disclosed to low-privileged users
Fleet is open source device management software. In versions prior to 4.80.1, a vulnerability in Fleet’s configuration API could expose Google Calendar service account credentials to authenticated users with low-privilege roles. This may allow unauthorized access to Google Calendar resources associ…
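The pattern behind this class of bug is a configuration endpoint that serializes the whole config object, secrets included, and relies on the caller's role only to decide whether the request is allowed at all. The example below is added here and is not Fleet's code; the struct shape, the role names and the "********" sentinel are assumptions for illustration. It masks the service-account private key for every reader (the UI never needs the real value back), hides the integration entirely from low-privilege roles, and treats a submitted sentinel as "keep the stored secret" so a masked config can be round-tripped through an edit form without clobbering the key.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// SecretMask replaces any secret in API responses. Assumption for this
// example; Fleet's own masking conventions are not reproduced here.
const SecretMask = "********"

type Role string

const (
	RoleAdmin    Role = "admin"
	RoleObserver Role = "observer"
)

// CalendarIntegration mirrors the shape of a Google Calendar service-account
// integration: a public client email plus a private key that must never leave
// the server. Constructed for this example.
type CalendarIntegration struct {
	ClientEmail string `json:"client_email"`
	PrivateKey  string `json:"private_key"`
}

type AppConfig struct {
	OrgName  string               `json:"org_name"`
	Calendar *CalendarIntegration `json:"calendar,omitempty"`
}

// ForRole returns a copy of the config that is safe to serialize for the
// given role. The private key is masked for everyone, and non-admins do not
// see the integration block at all.
func (c AppConfig) ForRole(r Role) AppConfig {
	out := c
	if c.Calendar != nil {
		cal := *c.Calendar // copy so the stored config is never mutated
		if cal.PrivateKey != "" {
			cal.PrivateKey = SecretMask
		}
		out.Calendar = &cal
	}
	if r != RoleAdmin {
		out.Calendar = nil
	}
	return out
}

// ApplyUpdate merges a client-submitted config into the stored one. A
// submitted sentinel means "keep the existing secret", so sending back the
// masked config does not overwrite the real key with "********".
func (c AppConfig) ApplyUpdate(update AppConfig) AppConfig {
	out := c
	if update.Calendar != nil {
		cal := *update.Calendar
		if cal.PrivateKey == SecretMask && c.Calendar != nil {
			cal.PrivateKey = c.Calendar.PrivateKey
		}
		out.Calendar = &cal
	}
	if update.OrgName != "" {
		out.OrgName = update.OrgName
	}
	return out
}

func renderJSON(c AppConfig) string {
	b, _ := json.Marshal(c)
	return string(b)
}

func main() {
	stored := AppConfig{
		OrgName: "Example Corp",
		Calendar: &CalendarIntegration{
			ClientEmail: "svc@example.iam.gserviceaccount.com",
			PrivateKey:  "-----BEGIN PRIVATE KEY-----\nMIIE...constructed...", // constructed sample
		},
	}
	fmt.Println("observer sees:", renderJSON(stored.ForRole(RoleObserver)))
	fmt.Println("admin sees:   ", renderJSON(stored.ForRole(RoleAdmin)))

	// An admin renames the org and submits the masked config unchanged.
	edited := stored.ForRole(RoleAdmin)
	edited.OrgName = "Example Corp (renamed)"
	merged := stored.ApplyUpdate(edited)
	fmt.Println("key preserved after round-trip:", merged.Calendar.PrivateKey == stored.Calendar.PrivateKey)
}
```

The check a practitioner wants here is a test that serializes the config as each role and asserts the private key material never appears in the output, which is what the test below does.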
1.2
CVE-2026-25963 - Fleet: Authorization Bypass in certificate template batch deletion for team administrators
Fleet is open source device management software. In versions prior to 4.80.1, a broken authorization check in Fleet’s certificate template deletion API could allow a team administrator to delete certificate templates belonging to other teams within the same Fleet instance. Fleet supports certificat…
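A batch endpoint is where per-object authorization most often slips: the check runs once against a team ID taken from the request, and the loop then deletes whatever IDs were supplied. The example below is added here and is not Fleet's code; the store, the `AdminOf` map and the error values are assumptions for illustration. The broken version shows the cross-team delete; the fixed version derives the owning team from each stored template, authorizes every ID before touching any, and only then deletes, so a partially authorized batch fails closed instead of deleting the allowed half.

```go
package main

import (
	"errors"
	"fmt"
)

// CertificateTemplate belongs to exactly one team. Constructed for the example.
type CertificateTemplate struct {
	ID     uint
	TeamID uint
	Name   string
}

// Actor is the caller; AdminOf lists the teams they administer.
type Actor struct {
	Name    string
	AdminOf map[uint]bool
}

var (
	ErrForbidden = errors.New("forbidden")
	ErrNotFound  = errors.New("not found")
)

// Store is an in-memory stand-in for the database.
type Store struct{ templates map[uint]CertificateTemplate }

func NewStore(ts ...CertificateTemplate) *Store {
	s := &Store{templates: map[uint]CertificateTemplate{}}
	for _, t := range ts {
		s.templates[t.ID] = t
	}
	return s
}

// BatchDeleteBroken authorizes once, against the team ID the client names in
// the request, then deletes every ID it was given. A team admin who sends
// their own team ID plus another team's template IDs passes the check.
func (s *Store) BatchDeleteBroken(a Actor, requestedTeam uint, ids []uint) error {
	if !a.AdminOf[requestedTeam] {
		return ErrForbidden
	}
	for _, id := range ids {
		delete(s.templates, id)
	}
	return nil
}

// BatchDeleteFixed takes the owning team from each stored template, not from
// the request, checks every template first, and deletes only if all pass.
func (s *Store) BatchDeleteFixed(a Actor, ids []uint) error {
	for _, id := range ids {
		t, ok := s.templates[id]
		if !ok {
			return fmt.Errorf("template %d: %w", id, ErrNotFound)
		}
		if !a.AdminOf[t.TeamID] {
			return fmt.Errorf("template %d: %w", id, ErrForbidden)
		}
	}
	for _, id := range ids {
		delete(s.templates, id)
	}
	return nil
}

func (s *Store) Count() int { return len(s.templates) }

func sample() *Store {
	return NewStore(
		CertificateTemplate{ID: 10, TeamID: 1, Name: "team-a-wifi"},
		CertificateTemplate{ID: 20, TeamID: 2, Name: "team-b-vpn"},
	)
}

func main() {
	teamAAdmin := Actor{Name: "alice", AdminOf: map[uint]bool{1: true}}

	s := sample()
	err := s.BatchDeleteBroken(teamAAdmin, 1, []uint{10, 20})
	fmt.Println("broken: err =", err, "remaining =", s.Count()) // err = <nil> remaining = 0

	s = sample()
	err = s.BatchDeleteFixed(teamAAdmin, []uint{10, 20})
	fmt.Println("fixed:  err =", err, "remaining =", s.Count()) // err = template 20: forbidden remaining = 2
}
```

Whether a foreign team's template should surface as "forbidden" or as "not found" is a separate choice; returning "not found" for anything outside the caller's teams avoids confirming that the ID exists.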
0.6
CVE-2026-23999 - Fleet: Device lock PIN can be predicted if lock time is known
Fleet is open source device management software. In versions prior to 4.80.1, Fleet generated device lock and wipe PINs using a predictable algorithm based solely on the current Unix timestamp. Because no secret key or additional entropy was used, the resulting PIN could potentially be derived if t…
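Why a timestamp-derived PIN is weak is easiest to see by counting candidates. The example below is added here and is not Fleet's code: `weakPIN` is a constructed stand-in for the flaw class (six digits that are a pure function of the lock time, no key), not Fleet's actual derivation. If the attacker knows the lock happened within a couple of minutes of some moment, the search space collapses from the nominal 1,000,000 to one candidate per second in that window, 241 for a four-minute window. `securePIN` draws from the OS CSPRNG instead, so the lock time carries no information about it.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
	"time"
)

// weakPIN stands in for the flaw class: a six-digit PIN that is a pure
// function of the lock time with no secret mixed in. Constructed stand-in,
// not Fleet's actual algorithm.
func weakPIN(lockedAt time.Time) string {
	return fmt.Sprintf("%06d", lockedAt.Unix()%1_000_000)
}

// candidateWeakPINs is the attacker's side. If the lock is known to have
// happened within +/-window of approx (from a notification, an audit log, a
// help-desk ticket), the candidates are one per second in that window.
func candidateWeakPINs(approx time.Time, window time.Duration) []string {
	seen := map[string]bool{}
	var out []string
	for ts := approx.Add(-window); !ts.After(approx.Add(window)); ts = ts.Add(time.Second) {
		if p := weakPIN(ts); !seen[p] {
			seen[p] = true
			out = append(out, p)
		}
	}
	return out
}

// securePIN draws the PIN from the OS CSPRNG. Knowing the lock time gives the
// attacker nothing; rate limiting on the lock screen has to do the rest.
func securePIN() (string, error) {
	n, err := rand.Int(rand.Reader, big.NewInt(1_000_000))
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%06d", n.Int64()), nil
}

func contains(list []string, s string) bool {
	for _, x := range list {
		if x == s {
			return true
		}
	}
	return false
}

func isSixDigits(s string) bool {
	if len(s) != 6 {
		return false
	}
	for _, c := range s {
		if c < '0' || c > '9' {
			return false
		}
	}
	return true
}

func main() {
	lockedAt := time.Date(2026, 3, 1, 14, 30, 17, 0, time.UTC) // constructed lock time
	pin := weakPIN(lockedAt)

	// The attacker only knows "locked around 14:31", give or take two minutes.
	approx := lockedAt.Add(47 * time.Second)
	cands := candidateWeakPINs(approx, 2*time.Minute)
	fmt.Printf("weak PIN %s: %d candidates, true PIN in set: %v\n", pin, len(cands), contains(cands, pin))

	p, err := securePIN()
	fmt.Println("secure PIN:", p, "err:", err)
}
```

The same counting argument applies to any derivation that only hashes the timestamp: hashing does not add entropy, it only changes which 241 strings the attacker has to try.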
1.7
CVE-2026-24004 - Fleet: Unauthenticated Android device disenrollment vulnerability via Pub/Sub endpoint
Fleet is open source device management software. In versions prior to 4.80.1, a vulnerability in Fleet’s Android MDM Pub/Sub handling could allow unauthenticated requests to trigger device unenrollment events. This may result in unauthorized removal of individual Android devices from Fleet manageme…
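A Pub/Sub push endpoint is just an HTTP handler that the broker POSTs to, so unless the handler authenticates the delivery, anyone who can reach the URL can post a well-formed envelope. The example below is added here and is not Fleet's code; the `/pubsub` path, the `deviceId` attribute and the pre-shared token are assumptions for illustration. In production the bearer token on a push delivery is an OIDC JWT that must be validated (signature, issuer, audience, service-account email); a constant-time comparison against a static token stands in here so the example runs offline. The fixed handler also pins the subscription name so a delivery meant for some other endpoint is rejected.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// pushEnvelope is the JSON body a Pub/Sub push subscription posts. The
// deviceId attribute is a constructed convention for this example.
type pushEnvelope struct {
	Message struct {
		Data       string            `json:"data"`
		Attributes map[string]string `json:"attributes"`
	} `json:"message"`
	Subscription string `json:"subscription"`
}

// TokenVerifier validates the bearer token on a delivery. Production code
// validates the OIDC JWT; staticToken is an offline stand-in.
type TokenVerifier interface{ Verify(token string) bool }

type staticToken string

func (s staticToken) Verify(token string) bool {
	return subtle.ConstantTimeCompare([]byte(s), []byte(token)) == 1
}

// Unenroller records unenrolled device IDs; stand-in for the MDM store.
type Unenroller struct{ Removed []string }

func (u *Unenroller) Unenroll(id string) { u.Removed = append(u.Removed, id) }

func decodeEnvelope(r *http.Request) (*pushEnvelope, error) {
	body, err := io.ReadAll(io.LimitReader(r.Body, 1<<20))
	if err != nil {
		return nil, err
	}
	var env pushEnvelope
	if err := json.Unmarshal(body, &env); err != nil {
		return nil, fmt.Errorf("bad envelope: %w", err)
	}
	if env.Message.Attributes["deviceId"] == "" {
		return nil, fmt.Errorf("missing deviceId")
	}
	return &env, nil
}

// brokenHandler acts on any well-formed POST: whoever can reach the URL can
// unenroll any device by naming it.
func brokenHandler(u *Unenroller) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		env, err := decodeEnvelope(r)
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		u.Unenroll(env.Message.Attributes["deviceId"])
		w.WriteHeader(http.StatusOK)
	})
}

// fixedHandler authenticates before parsing anything, then checks the
// subscription name before acting.
func fixedHandler(u *Unenroller, v TokenVerifier, expectedSub string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		auth := r.Header.Get("Authorization")
		if !strings.HasPrefix(auth, "Bearer ") || !v.Verify(strings.TrimPrefix(auth, "Bearer ")) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		env, err := decodeEnvelope(r)
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		if env.Subscription != expectedSub {
			http.Error(w, "unexpected subscription", http.StatusForbidden)
			return
		}
		u.Unenroll(env.Message.Attributes["deviceId"])
		w.WriteHeader(http.StatusOK)
	})
}

// deliver posts a constructed envelope to h with the given bearer token
// ("" for none) and returns the HTTP status.
func deliver(h http.Handler, token, deviceID, sub string) int {
	body, _ := json.Marshal(map[string]interface{}{
		"message":      map[string]interface{}{"data": "eyJldmVudCI6InVuZW5yb2xsIn0=", "attributes": map[string]string{"deviceId": deviceID}},
		"subscription": sub,
	})
	req := httptest.NewRequest(http.MethodPost, "/pubsub", strings.NewReader(string(body)))
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	const sub = "projects/example/subscriptions/android-push" // constructed name
	b := &Unenroller{}
	fmt.Println("broken, no token:  ", deliver(brokenHandler(b), "", "device-1", sub), b.Removed)
	f := &Unenroller{}
	h := fixedHandler(f, staticToken("constructed-shared-token"), sub)
	fmt.Println("fixed, no token:   ", deliver(h, "", "device-1", sub), f.Removed)
	fmt.Println("fixed, wrong token:", deliver(h, "nope", "device-1", sub), f.Removed)
	fmt.Println("fixed, good token: ", deliver(h, "constructed-shared-token", "device-1", sub), f.Removed)
}
```

Authenticating the transport is necessary but not sufficient: even a genuine delivery should only unenroll a device the message actually refers to, so the handler should look the device up from the broker's own notification payload rather than trust a free-form attribute.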
8.1
CVE-2026-27975 - Ajenti has a potential Remote Code Execution
Ajenti is a Linux and BSD modular server admin panel. Prior to version 2.2.13, an unauthenticated user could gain access to a server to execute arbitrary code on this server. This is fixed in the version 2.2.13.
8.1
CVE-2026-1779 - User Registration & Membership <= 5.1.2 - Authentication Bypass
The User Registration & Membership plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 5.1.2. This is due to incorrect authentication in the 'register_member' function. This makes it possible for unauthenticated attackers to log in a newly registered user o…
5.3
CVE-2026-2356 - User Registration & Membership <= 5.1.2 - Insecure Direct Object Reference to Unauthenticated Limit…
The User Registration & Membership – Custom Registration Form, Login Form, and User Profile plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.2 via the 'register_member' function, due to missing validation on the 'member_id' user contro…
4.8
CVE-2026-27974 - Audiobookshelf Vulnerable to Stored XSS in WrappingMarquee.js via Audiobook Metadata (Mobile App Au…
Audiobookshelf is a self-hosted audiobook and podcast server. A cross-site scripting (XSS) vulnerability exists in versions prior to 0.12.0-beta of the Audiobookshelf mobile application that allows arbitrary JavaScript execution through malicious library metadata. Attackers with library modificatio…
4.8
CVE-2026-27963 - Audiobookshelf has Stored XSS in Tooltip.vue via Audiobook Metadata
Audiobookshelf is a self-hosted audiobook and podcast server. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 2.32.0 of the Audiobookshelf web application that allows arbitrary JavaScript execution through malicious library metadata. Attackers with library modification…
4
CVE-2026-27973 - Audiobookshelf has Stored XSS in ItemSearchCard.vue via Audiobook Metadata (Search Results on Mobil…
Audiobookshelf is a self-hosted audiobook and podcast server. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 0.12.0-beta of the Audiobookshelf mobile application that allows arbitrary JavaScript execution through malicious library metadata. Attackers with library modi…
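All three Audiobookshelf entries (CVE-2026-27974, CVE-2026-27963, CVE-2026-27973) are the same mistake in different components: library metadata that any user with library modification rights can write is rendered as markup rather than as text. The example below is added here and is not Audiobookshelf's code, which is a Vue/JavaScript client; it reproduces the class with Go's two template packages, where the difference between `text/template` (verbatim insertion, the `v-html`/`innerHTML` equivalent) and `html/template` (context-aware escaping, the text-interpolation equivalent) is visible in a single run. The metadata payload, struct and tooltip markup are constructed for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"strings"
	texttemplate "text/template"
)

// Audiobook metadata as stored. Title is writable by anyone who can edit the
// library, so it is attacker-controlled input. Constructed sample payload.
type Audiobook struct {
	Title  string
	Author string
}

var payload = Audiobook{
	Title:  `Dune <img src=x onerror="alert(document.cookie)">`,
	Author: "Frank Herbert",
}

// tooltip places the title in two contexts: an attribute and an element body.
const tooltip = `<div class="tooltip" title="{{.Title}}">{{.Title}} by {{.Author}}</div>`

// renderUnescaped inserts metadata verbatim: the img tag and its onerror
// handler become live markup in the page.
func renderUnescaped(a Audiobook) string {
	var buf bytes.Buffer
	texttemplate.Must(texttemplate.New("t").Parse(tooltip)).Execute(&buf, a)
	return buf.String()
}

// renderEscaped lets html/template escape per context (attribute value vs
// element body), so the payload is shown as literal text.
func renderEscaped(a Audiobook) string {
	var buf bytes.Buffer
	template.Must(template.New("t").Parse(tooltip)).Execute(&buf, a)
	return buf.String()
}

// containsLiveMarkup is a deliberately crude check that makes the difference
// visible: does an unescaped tag or event handler survive in the output?
func containsLiveMarkup(out string) bool {
	return strings.Contains(out, "<img") || strings.Contains(out, `onerror="`)
}

func main() {
	fmt.Println("unescaped:", renderUnescaped(payload))
	fmt.Println("escaped:  ", renderEscaped(payload))
	fmt.Println("unescaped has live markup:", containsLiveMarkup(renderUnescaped(payload)))
	fmt.Println("escaped has live markup:  ", containsLiveMarkup(renderEscaped(payload)))
}
```

The fix on the client side is the same idea: render metadata through text interpolation (or `textContent`) and reserve raw-HTML rendering for content that has been through an allow-list sanitizer.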