8.6

CVSS3.1

CVE-2026-33752 - Redirect-based SSRF leading to internal network access in curl_cffi (with TLS impersonation bypass)

curl_cffi is a Python binding for curl. Prior to 0.15.0, curl_cffi does not restrict requests to internal IP ranges, and follows redirects automatically via the underlying libcurl. Because of this, an attacker-controlled URL can redirect requests to internal services such as cloud metadata endp…

📅 Published: April 6, 2026, 3:01 p.m. 🔄 Last Modified: April 10, 2026, 9:45 a.m.

7.5

CVSS3.1

CVE-2026-33540 - Distribution affected by pull-through cache credential exfiltration via www-authenticate bearer rea…

Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.0, in pull-through cache mode, distribution discovers token auth endpoints by parsing WWW-Authenticate challenges returned by the configured upstream registry. The realm URL from a bearer challenge is used w…

📅 Published: April 6, 2026, 2:55 p.m. 🔄 Last Modified: April 10, 2026, 9:45 a.m.

8.8

CVSS3.1

CVE-2026-33510 - DOM-Based XSS in Homarr /auth/login Redirect

Homarr is an open-source dashboard. Prior to 1.57.0, a DOM-based Cross-Site Scripting (XSS) vulnerability has been discovered in Homarr's /auth/login page. The application improperly trusts a URL parameter (callbackUrl), which is passed to redirect and router.push. An attacker can craft a malicious…

📅 Published: April 6, 2026, 2:51 p.m. 🔄 Last Modified: April 10, 2026, 9:45 a.m.

6.5

CVSS3.1

CVE-2026-34897 - WordPress Media Library Assistant plugin <= 3.34 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in David Lingren Media Library Assistant allows Stored XSS. This issue affects Media Library Assistant: from n/a through 3.34.

📅 Published: April 6, 2026, 2:50 p.m. 🔄 Last Modified: April 7, 2026, 1:20 p.m.

5.4

CVSS3.1

CVE-2026-33406 - Pi-hole has a Stored HTML attribute injection

Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, configuration values from the /api/config endpoint are placed directly into HTML value="" attributes without escaping in settings-advanced.js, enabl…

📅 Published: April 6, 2026, 2:50 p.m. 🔄 Last Modified: April 7, 2026, 2:08 p.m.

3.4

CVSS3.1

CVE-2026-33404 - Pi-hole has a Stored XSS / HTML injection in the Network page/Dashboard

Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, client hostnames and IP addresses from the FTL database are rendered into the DOM without escaping in network.js (Network page) and charts.js/index.…

📅 Published: April 6, 2026, 2:48 p.m. 🔄 Last Modified: April 7, 2026, 1:20 p.m.

6.1

CVSS3.1

CVE-2026-33403 - Pi-hole has a Reflected XSS / HTML injection in taillog.js

Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, a reflected DOM-based XSS vulnerability in taillog.js allows an unauthenticated attacker to inject arbitrary HTML into the Pi-hole admin interface b…

📅 Published: April 6, 2026, 2:48 p.m. 🔄 Last Modified: April 10, 2026, 5:50 p.m.

8.5

CVSS3.1

CVE-2026-34885 - WordPress Media Library Assistant plugin <= 3.34 - SQL Injection vulnerability

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in David Lingren Media Library Assistant allows SQL Injection. This issue affects Media Library Assistant: from n/a through 3.34.

📅 Published: April 6, 2026, 2:47 p.m. 🔄 Last Modified: April 7, 2026, 1:20 p.m.

4.2

CVSS3.1

CVE-2026-32602 - Homarr has a Race Condition in Invite Token Registration (TOCTOU)

Homarr is an open-source dashboard. Prior to 1.57.0, the user registration endpoint (/api/trpc/user.register) is vulnerable to a race condition that allows an attacker to create multiple user accounts from a single-use invite token. The registration flow performs three sequential database operation…

📅 Published: April 6, 2026, 2:42 p.m. 🔄 Last Modified: April 10, 2026, 6 p.m.

7.2

CVSS3.1

CVE-2026-29047 - GLPI has an Authenticated SQL Injection via log exports

GLPI is a free asset and IT management software package. From 10.0.0 to before 10.0.24 and 11.0.6, an authenticated user can perform a SQL injection via the logs export feature. This vulnerability is fixed in 10.0.24 and 11.0.6.

📅 Published: April 6, 2026, 2:39 p.m. 🔄 Last Modified: April 8, 2026, 7:50 p.m.

Total results: 343946
Page 148 of 34,395