5.3

CVSS4.0

CVE-2026-2819 - Dromara RuoYi-Vue-Plus Workflow deleteByInstanceIds SaServletFilter authorization

A vulnerability was identified in Dromara RuoYi-Vue-Plus up to 5.5.3. This vulnerability affects the function SaServletFilter of the file /workflow/instance/deleteByInstanceIds of the component Workflow Module. The manipulation leads to missing authorization. The attack may be initiated remotely. T…

📅 Published: Feb. 20, 2026, 1:32 a.m. 🔄 Last Modified: April 17, 2026, 5:45 p.m.

8.8

CVSS3.1

CVE-2026-26990 - LibreNMS has Time-Based Blind SQL Injection in address-search.inc.php

LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 25.12.0 and below have a Time-Based Blind SQL Injection vulnerability in address-search.inc.php via the address parameter. When a crafted subnet prefix is supplied, the prefix value is concatenated directly into …

📅 Published: Feb. 20, 2026, 1:29 a.m. 🔄 Last Modified: April 17, 2026, 5:45 p.m.

4.3

CVSS3.1

CVE-2026-26989 - LibreNMS has Stored XSS in Alert Rule

LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 25.12.0 and below are affected by a Stored Cross-Site Scripting (XSS) vulnerability in the Alert Rules workflow. An attacker with administrative privileges can inject malicious scripts that execute in the browser…

📅 Published: Feb. 20, 2026, 1:25 a.m. 🔄 Last Modified: April 17, 2026, 5:45 p.m.

9.3

CVSS4.0

CVE-2026-26988 - LibreNMS: SQL Injection in ajax_table.php spreads through a covert data stream

LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 25.12.0 and below contain an SQL Injection vulnerability in the ajax_table.php endpoint. The application fails to properly sanitize or parameterize user input when processing IPv6 address searches. Specifically, …

📅 Published: Feb. 20, 2026, 1:17 a.m. 🔄 Last Modified: April 17, 2026, 5:45 p.m.

5.3

CVSS4.0

CVE-2026-26987 - LibreNMS affected by reflected XSS via email field

LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 25.12.0 and below are vulnerable to Reflected XSS attacks via email field. This issue has been fixed in version 26.2.0.

📅 Published: Feb. 20, 2026, 1:11 a.m. 🔄 Last Modified: April 17, 2026, 5:45 p.m.

7.1

CVSS3.1

CVE-2026-26960 - node-tar has Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in Extracti…

node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that points to a file outside the extraction root, enabling arbitrary file read and write as the extracting user.…

📅 Published: Feb. 20, 2026, 1:07 a.m. 🔄 Last Modified: April 18, 2026, 11:45 a.m.

9.4

CVSS3.1

CVE-2026-26980 - Ghost has a SQL Injection in its Content API

Ghost is a Node.js content management system. Versions 3.24.0 through 6.19.0 allow unauthenticated attackers to perform arbitrary reads from the database. This issue has been fixed in version 6.19.1.

📅 Published: Feb. 20, 2026, 1 a.m. 🔄 Last Modified: April 21, 2026, 11:45 p.m.

6.9

CVSS4.0

CVE-2026-26977 - Frappe Learning Management System exposes details of unpublished courses to unauthorized users

Frappe Learning Management System (LMS) is a learning system that helps users structure their content. In versions 2.44.0 and below, unauthorized users are able to access the details of unpublished courses via API endpoints. A fix for this issue is planned for the 2.45.0 release.

📅 Published: Feb. 20, 2026, 12:56 a.m. 🔄 Last Modified: April 17, 2026, 5:45 p.m.

8.8

CVSS3.1

CVE-2026-26975 - Music Assistant Server Path Traversal in Playlist Update API Allows Remote Code Execution

Music Assistant is an open-source media library manager that integrates streaming services with connected speakers. Versions 2.6.3 and below allow unauthenticated network-adjacent attackers to execute arbitrary code on affected installations. The music/playlists/update API allows users to bypass th…

📅 Published: Feb. 20, 2026, 12:49 a.m. 🔄 Last Modified: April 18, 2026, 11:45 a.m.

7.6

CVSS4.0

CVE-2026-26974 - Slyde has Improper Control of Generation of Code

Slyde is a program that creates animated presentations from XML. In versions 0.0.4 and below, Node.js automatically imports **/*.plugin.{js,mjs} files including those from node_modules, so any malicious package with a .plugin.js file can execute arbitrary code when installed or required. All projec…

📅 Published: Feb. 20, 2026, 12:34 a.m. 🔄 Last Modified: April 18, 2026, 6 p.m.