8.7
CVE-2026-25998 - strongMan vulnerable to private credential recovery due to key and counter reuse
strongMan is a management interface for strongSwan, an OpenSource IPsec-based VPN. When storing credentials in the database (private keys, EAP secrets), strongMan encrypts the corresponding database fields. So far it used AES in CTR mode with a global database key. Together with an initialization v…
5.3
CVE-2026-25766 - Echo has a Windows path traversal via backslash in middleware.Static default filesystem
Echo is a Go web framework. In versions 5.0.0 through 5.0.2 on Windows, Echo's `middleware.Static` using the default filesystem allows path traversal via backslashes, enabling unauthenticated remote file read outside the static root. In `middleware/static.go`, the requested path is unescaped and no…
5.4
CVE-2026-25739 - Indico affected by Cross-Site-Scripting via material uploads
Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Versions prior to 3.3.10 are vulnerable to cross-site scripting when uploading certain file types as materials. Users should upgrade to version 3.3.10 to receive a patch. To apply the fi…
6.9
CVE-2026-25738 - Indico has Server-Side Request Forgery (SSRF) in multiple places
Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Versions prior to 3.3.10 are vulnerable to server-side request forgery. Indico makes outgoing requests to user-provided URLs in various places. This is mostly intentional and part of Ind…
8.1
CVE-2026-25940 - jsPDF's PDF Injection in AcroForm module allows Arbitrary JavaScript Execution (RadioButton.createO…
jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to one of the following properties, a user can …
5.1
CVE-2026-26223 - SPIP < 4.4.8 Cross-Site Scripting via Iframe Tags in Private Area
SPIP before 4.4.8 allows cross-site scripting (XSS) in the private area via malicious iframe tags. The application does not properly sandbox or escape iframe content in the back-office, allowing an attacker to inject and execute malicious scripts. The fix adds a sandbox attribute to iframe tags in …
8.6
CVE-2026-26345 - SPIP < 4.4.8 Cross-Site Scripting in Public Area
SPIP before 4.4.8 contains a stored cross-site scripting (XSS) vulnerability in the public area triggered in certain edge-case usage patterns. The echapper_html_suspect() function does not adequately sanitize user-controlled content, allowing authenticated users with content-editing privileges (e.g…
8.5
CVE-2026-2274 - Arbitrary File Read and SSRF in Google AppSheet
An SSRF and Arbitrary File Read vulnerability in AppSheet Core in Google AppSheet prior to 2025-11-23 allows an authenticated remote attacker to read sensitive local files and access internal network resources via crafted requests to the production cluster. This vulnerability was patched and no…
0.0
CVE-2025-71250 -
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
0.0
CVE-2025-71249 -
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.