9.4
CVE-2026-27212 - Swiper has a Prototype Pollution Vulnerability
Swiper is a free and mobile touch slider with hardware accelerated transitions and native behavior. Versions 6.5.1 through 12.1.1 have a Prototype pollution vulnerability. The vulnerability resides in line 94 of shared/utils.mjs, where the indexOf() function is used to check whether user provided i…
6.5
CVE-2026-26047 - Moodle: moodle: uncontrolled resource consumption in tex formula editor leading to denial of service
A denial-of-service vulnerability was identified in Moodle's TeX formula editor. When rendering TeX content using mimetex, insufficient execution time limits could allow specially crafted formulas to consume excessive server resources. An authenticated user could abuse this behavior to degrade perf…
7.2
CVE-2026-26046 - Moodle: moodle: improper input sanitization in tex filter administration setting
A vulnerability was found in a Moodle TeX filter administrative setting where insufficient sanitization of configuration input could allow command injection. On sites where the TeX filter is enabled and ImageMagick is installed, a maliciously crafted setting value entered by an administrator could …
7.2
CVE-2026-26045 - Moodle: moodle: improper validation in file restore functionality leading to remote code execution
A flaw was identified in Moodle's backup restore functionality where specially crafted backup files were not properly validated during processing. If a malicious backup file is restored, it could lead to unintended execution of server-side code. Since restore capabilities are typically available to…
9.1
CVE-2026-27211 - Cloud Hypervisor: Host File Exfiltration via QCOW Backing File Abuse
Cloud Hypervisor is a Virtual Machine Monitor for Cloud workloads. Versions 34.0 through 50.0 are vulnerable to arbitrary host file exfiltration (constrained by process privileges) when using virtio-block devices backed by raw images. A malicious guest can overwrite its disk header with a crafted QC…
5.3
CVE-2026-27210 - Pannellum has an XSS vulnerability in hot spot attributes
Pannellum is a lightweight, free, and open source panorama viewer for the web. In versions 3.5.0 through 2.5.6, the hot spot attributes configuration property allowed any attribute to be set, including HTML event handler attributes, allowing for potential XSS attacks. This affects websites hosting …
2.3
CVE-2026-27205 - Flask session does not add `Vary: Cookie` header when accessed in some ways
Flask is a web server gateway interface (WSGI) web application framework. In versions 3.1.2 and below, when the session object is accessed, Flask should set the Vary: Cookie header but does not, resulting in a Use of Cache Containing Sensitive Information vulnerability. The logic instructs caches not to cache …
6.3
CVE-2026-27199 - Werkzeug safe_join() allows Windows special device names
Werkzeug is a comprehensive WSGI web application library. In versions 3.1.5 and below, the safe_join function allows Windows device names as filenames if preceded by other path segments. This was previously reported as GHSA-hgf8-39gv-g3f2, but the added filtering failed to account for the fact that sa…
8.8
CVE-2026-27198 - Formwork Improperly Manages Privileges During User Creation
Formwork is a flat file-based Content Management System (CMS). In versions 2.0.0 through 2.3.3, the application fails to properly enforce role-based authorization during account creation. Although the system validates that the specified role exists, it does not verify whether the current user has s…
9.1
CVE-2026-27197 - Sentry: Improper Authentication on SAML SSO process allows user identity linking
Sentry is a developer-first error tracking and performance monitoring tool. Versions 21.12.0 through 26.1.0 have a critical vulnerability in its SAML SSO implementation which allows an attacker to take over any user account by using a malicious SAML Identity Provider and another organization on th…