6.9
CVE-2026-3133 - itsourcecode Document Management System Login loging.php sql injection
A vulnerability has been found in itsourcecode Document Management System 1.0. This issue affects some unknown processing of the file /loging.php of the component Login. The manipulation of the argument Username leads to sql injection. Remote exploitation of the attack is possible. The exploit has β¦
4.8
CVE-2026-26351 - GetSimpleCMS-CE < 3.3.22 Stored XSS via components.php
GetSimpleCMS Community Edition (CE) version 3.3.16 contains a stored cross-site scripting (XSS) vulnerability in the Theme to Components functionality within components.php. User-supplied input provided to the "slug" field of a component is stored without proper output encoding. While other fields β¦
5.5
CVE-2026-27117 - bit7z has a path traversal vulnerability
bit7z is a cross-platform C++ static library that allows the compression/extraction of archive files. Prior to version 4.0.11, a path traversal vulnerability ("Zip Slip") exists in bit7z's archive extraction functionality. The library does not adequately validate file paths contained in archive entβ¦
9.3
CVE-2026-27593 - Statamic is vulnerable to account takeover via password reset link injection
Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 6.3.3 and 5.73.10, an attacker may leverage a vulnerability in the password reset feature to capture a user's token and reset the password on their behalf. The attacker must know the email address of a valid aβ¦
6.9
CVE-2026-27572 - Wasmtime can panic when adding excessive fields to a `wasi:http/types.fields` instance
Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.6, 36.0.6, 4.0.04, 41.0.4, and 42.0.0, Wasmtime's implementation of the `wasi:http/types.fields` resource is susceptible to panics when too many fields are added to the set of headers. Wasmtime's implementation in the `wasmtime-wasi-httpβ¦
6.9
CVE-2026-27204 - Wasmtime WASI implementations are vulnerable to guest-controlled resource exhaustion
Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.6, 36.0.6, 4.0.04, 41.0.4, and 42.0.0, Wasmtime's implementation of WASI host interfaces are susceptible to guest-controlled resource exhaustion on the host. Wasmtime did not appropriately place limits on resource allocations requested bβ¦
6.9
CVE-2026-27195 - Wasmtime is vulnerable to panic when dropping a `[Typed]Func::call_async` future
Wasmtime is a runtime for WebAssembly. Starting with Wasmtime 39.0.0, the `component-model-async` feature became the default, which brought with it a new implementation of `[Typed]Func::call_async` which made it capable of calling async-typed guest export functions. However, that implementation haβ¦
7.5
CVE-2026-25899 - Fiber is Vulnerable to Denial of Service via Flash Cookie Unbounded Allocation
Fiber is an Express inspired web framework written in Go. In versions on the v3 branch prior to 3.1.0, the use of the `fiber_flash` cookie can force an unbounded allocation on any server. A crafted 10-character cookie value triggers an attempt to allocate up to 85GB of memory via unvalidated msgpacβ¦
7.7
CVE-2026-25891 - Fiber has an Arbitrary File Read in Static Middleware on Windows
Fiber is an Express inspired web framework written in Go. A Path Traversal (CWE-22) vulnerability in Fiber allows a remote attacker to bypass the static middleware sanitizer and read arbitrary files on the server file system on Windows. This affects Fiber v3 through version 3.0.0. This has been patβ¦
5.5
CVE-2026-25882 - Fiber has a Denial of Service Vulnerability via Route Parameter Overflow
Fiber is an Express inspired web framework written in Go. A denial of service vulnerability exists in Fiber v2 and v3 that allows remote attackers to crash the application by sending requests to routes with more than 30 parameters. The vulnerability results from missing validation during route regiβ¦