5.8
CVE-2026-41153 -
In JetBrains Junie before 252.549.29 command execution was possible via malicious project file
5.1
CVE-2026-6493 - lukevella rallly Reset Password reset-password-form.tsx cross site scripting
A flaw has been found in lukevella rallly up to 4.7.4. This affects an unknown function of the file apps/web/src/app/[locale]/(auth)/reset-password/components/reset-password-form.tsx of the component Reset Password Handler. Executing a manipulation of the argument redirectTo can lead to cross site β¦
6.9
CVE-2026-6492 - arnobt78 Hotel Booking Management System Health Check Endpoint detailed information disclosure
A vulnerability was detected in arnobt78 Hotel Booking Management System up to f8922d0e0f6ac1cc761974c7616f44c2bbc04bea. The impacted element is an unknown function of the file /api/health/detailed of the component Health Check Endpoint. Performing a manipulation results in information disclosure. β¦
4.8
CVE-2026-6491 - libvips nip2 vips7compat.c im_minpos_vec heap-based overflow
A security vulnerability has been detected in libvips up to 8.18.2. The affected element is the function im_minpos_vec of the file libvips/deprecated/vips7compat.c of the component nip2 Handler. Such manipulation of the argument n leads to heap-based buffer overflow. An attack has to be approached β¦
8.7
CVE-2026-40459 - LDAP Injection in PAC4J
PAC4J is vulnerable to LDAP Injection in multiple methods. A low-privileged remote attacker can inject crafted LDAP syntax into ID-based search parameters, potentially resulting in unauthorized LDAP queries and arbitrary directory operations. This issue was fixed in PAC4J versions 4.5.10, 5.7.10 aβ¦
7
CVE-2026-40458 - Cross-Site Request Forgery in PAC4J
PAC4J is vulnerable to Cross-Site Request Forgery (CSRF). A malicious attacker can craft a specially designed website which, when visited by a user, will automatically submit a forged cross-site request with a token whose hash collides with the victim's legitimate CSRF token. Importantly, the attacβ¦
6.9
CVE-2026-6490 - QueryMine sms GET Request Parameter deletecourse.php sql injection
A weakness has been identified in QueryMine sms up to 7ab5a9ea196209611134525ffc18de25c57d9593. Impacted is an unknown function of the file admin/deletecourse.php of the component GET Request Parameter Handler. This manipulation of the argument ID causes sql injection. The attack may be initiated rβ¦
5.3
CVE-2026-6489 - QueryMine sms Background Management addteacher.php unrestricted upload
A security flaw has been discovered in QueryMine sms up to 7ab5a9ea196209611134525ffc18de25c57d9593. This issue affects some unknown processing of the file admin/addteacher.php of the component Background Management Page. The manipulation of the argument image results in unrestricted upload. The atβ¦
5.3
CVE-2026-6488 - QueryMine sms GET Request Parameter editcourse.php sql injection
A vulnerability was identified in QueryMine sms up to 7ab5a9ea196209611134525ffc18de25c57d9593. This vulnerability affects unknown code of the file admin/editcourse.php of the component GET Request Parameter Handler. The manipulation of the argument ID leads to sql injection. The attack can be initβ¦
5.3
CVE-2026-6487 - Qihui jtbc5 CMS Code Endpoint manage.php path traversal
A flaw has been found in Qihui jtbc5 CMS 5.0.3.6. Affected is an unknown function of the file /dev/code/common/diplomat/manage.php of the component Code Endpoint. This manipulation of the argument path causes path traversal. The attack is possible to be carried out remotely. The exploit has been puβ¦