0.0
CVE-2026-27501 -
Further research determined the situation described is not a vulnerability.
8.4
CVE-2026-26280 - Systeminformation has a Command Injection via unsanitized interface parameter in wifi.js retry path
systeminformation is a System and OS information library for node.js. In versions prior to 5.30.8, a command injection vulnerability in the `wifiNetworks()` function allows an attacker to execute arbitrary OS commands via an unsanitized network interface parameter in the retry code path. In `lib/wiβ¦
7.5
CVE-2026-26278 - fast-xml-parser affected by DoS through entity expansion in DOCTYPE (no expansion limit)
fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.1.3 through 5.3.5, the XML parser can be forced to do an unlimited amount of entity expansion. With a very small XML input, itβs possible toβ¦
7.6
CVE-2026-27013 - Fabric.js Affected by Stored XSS via SVG Export
Fabric.js is a Javascript HTML5 canvas library. Prior to version 7.2.0, Fabric.js applies `escapeXml()` to text content during SVG export (`src/shapes/Text/TextSVGExportMixin.ts:186`) but fails to apply it to other user-controlled string values that are interpolated into SVG attribute markup. When β¦
7.5
CVE-2026-26267 - rs-soroban-sdk #[contractimpl] macro calls inherent function instead of trait function when names cβ¦
soroban-sdk is a Rust SDK for Soroban contracts. Prior to versions 22.0.10, 23.5.2, and 25.1.1, the `#[contractimpl]` macro contains a bug in how it wires up function calls. `#[contractimpl]` generates code that uses `MyContract::value()` style calls even when it's processing the trait version. Thiβ¦
7.1
CVE-2026-26205 - opa-envoy-plugin has an Authorization Bypass via Double-Slash Path Misinterpretation in `input.parsβ¦
opa-envoy-plugun is a plugin to enforce OPA policies with Envoy. Versions prior to 1.13.2-envoy-2 have a vulnerability in how the `input.parsed_path` field is constructed. HTTP request paths are treated as full URIs when parsed; interpreting leading path segments prefixed with double slashes (`//`)β¦
5.1
CVE-2026-26203 - PJSIP's pjmedia-video has use-after-free in H264 packetizer when packetizing fragmented NAL
PJSIP is a free and open source multimedia communication library. Versions prior to 2.17 have a critical heap buffer underflow vulnerability in PJSIP's H.264 packetizer. The bug occurs when processing malformed H.264 bitstreams without NAL unit start codes, where the packetizer performs unchecked pβ¦
7.5
CVE-2026-26202 - Penpot has Arbitrary File Read via create-font-variant RPC endpoint
Penpot is an open-source design tool for design and code collaboration. Prior to version 2.13.2, an authenticated user can read arbitrary files from the server by supplying a local file path (e.g. `/etc/passwd`) as a font data chunk in the `create-font-variant` RPC endpoint, resulting in the file cβ¦
7
CVE-2026-26201 - emp3r0r Affected by Concurrent Map Access DoS (panic/crash)
emp3r0r is a C2 designed by Linux users for Linux environments. Prior to version 3.21.2, multiple shared maps are accessed without consistent synchronization across goroutines. Under concurrent activity, Go runtime can trigger `fatal error: concurrent map read and map write`, causing C2 process craβ¦
7.8
CVE-2026-26200 - HDF5 Affected by H5T__conv_struct_opt Heap Buffer Overflow
HDF5 is software for managing data. Prior to version 1.14.4-2, an attacker who can control an `h5` file parsed by HDF5 can trigger a write-based heap buffer overflow condition. This can lead to a denial-of-service condition, and potentially further issues such as remote code execution depending on β¦