6.6
CVE-2026-24126 - Weblate has an argument injection in management console
Weblate is a web based localization tool. Prior to 5.16.0, the SSH management console did not validate the passed input while adding the SSH host key, which could lead to an argument injection to `ssh-add`. Version 5.16.0 fixes the issue. As a workaround, properly limit access to the management conβ¦
4.4
CVE-2026-26281 - InvoicePlane has Stored Cross-Site Scripting (XSS) Issue in Sumex Invoice View
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A stored cross-site scripting (XSS) vulnerability in the Sumex invoice view allows an authenticated user with client and invoice management privileges to execute arbitrary JavaScript in the browser oβ¦
5.3
CVE-2026-2683 - Tsinghua Unigroup Electronic Archives System downLoad.html path traversal
A vulnerability was found in Tsinghua Unigroup Electronic Archives System 3.2.210802(62532). The affected element is an unknown function of the file /Using/Subject/downLoad.html. Performing a manipulation of the argument path results in path traversal. The attack may be initiated remotely. The explβ¦
5.4
CVE-2026-26270 - InvoicePlane has Stored Cross-Site Scripting Issue in Identifier Formatting
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane (latest version) that allows an authenticated user with permissions to manage Invoice Groups to inject malicious JavaScript inβ¦
4.7
CVE-2025-15581 -
Orthanc versions before 1.12.10 are affected by an authorisation logic flaw in the application'sΒ HTTP Basic Authentication implementation. Successful exploitation could result in Privilege Escalation, potentially allowing full administrative access.
4.8
CVE-2026-25596 - InvoicePlane has Stored XSS via Product Unit Name in Invoice Item List
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane 1.7.0 via the Product Unit Name fields. An authenticated administrator can inject malicious JavaScript that executes when any β¦
4.8
CVE-2026-25595 - InvoicePlane has Stored XSS via Invoice Number in Invoice View and Dashboard
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane 1.7.0 via the Invoice Number field. An authenticated administrator can inject malicious JavaScript that executes when any admiβ¦
4.8
CVE-2026-25594 - InvoicePlane has Stored XSS via Family Name in Product Form
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability exists in InvoicePlane 1.7.0 via the Family Name field. The `family_name` value is rendered without HTML encoding inside the family dropdown on the pβ¦
9.1
CVE-2026-25548 - InvoicePlane Vulnerable to Remote Code Execution via Local File Inclusion and Log Poisoning
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A critical Remote Code Execution (RCE) vulnerability exists in InvoicePlane 1.7.0 through a chained Local File Inclusion (LFI) and Log Poisoning attack. An authenticated administrator can execute arbβ¦
5.7
CVE-2026-24745 - InvoicePlane has a Stored Cross-Site Scripting (XSS) issue
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability occurs in the upload Login Logo functions of InvoicePlane version 1.7.0. In the Upload Login Logo, the application allows uploading svg files. Althouβ¦