5.5
CVE-2026-25537 - jsonwebtoken has Type Confusion that leads to potential authorization bypass
jsonwebtoken is a JWT lib in rust. Prior to version 10.3.0, there is a Type Confusion vulnerability in jsonwebtoken, specifically, in its claim validation logic. When a standard claim (such as nbf or exp) is provided with an incorrect JSON type (Like a String instead of a Number), the libraryβs intβ¦
7.1
CVE-2026-25536 - @modelcontextprotocol/sdk has cross-client data leak via shared server/transport instance reuse
MCP TypeScript SDK is the official TypeScript SDK for Model Context Protocol servers and clients. From version 1.10.0 to 1.25.3, cross-client response data leak when a single McpServer/Server and transport instance is reused across multiple client connections, most commonly in stateless StreamableHβ¦
9.8
CVE-2026-25526 - JinJava Bypass through ForTag leads to Arbitrary Java Execution
JinJava is a Java-based template engine based on django template syntax, adapted to render jinja templates. Prior to versions 2.7.6 and 2.8.3, JinJava is vulnerable to arbitrary Java execution via bypass through ForTag. This allows arbitrary Java class instantiation and file access bypassing built-β¦
5.3
CVE-2026-25523 - Magento's X-Original-Url header can expose admin url
Magento-lts is a long-term support alternative to Magento Community Edition (CE). Prior to version 20.16.1, the admin url can be discovered without prior knowledge of it's location by exploiting the X-Original-Url header on some configurations. This issue has been patched in version 20.16.1.
6.5
CVE-2024-51451 - Multiple Vulnerabilities in IBM Concert Software
IBM Concert 1.0.0 through 2.1.0 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking.
9.4
CVE-2026-25521 - Locutus is vulnerable to Prototype Pollution
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. In versions from 2.0.12 to before 2.0.39, a prototype pollution vulnerability exists in locutus. Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input containβ¦
6.3
CVE-2024-43181 - Multiple Vulnerabilities in IBM Concert Software
IBM Concert 1.0.0 through 2.1.0 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system.
5.9
CVE-2026-25518 - cert-manager-controller DoS via Specially Crafted DNS Response
cert-manager adds certificates and certificate issuers as resource types in Kubernetes clusters, and simplifies the process of obtaining, renewing and using those certificates. In versions from 1.18.0 to before 1.18.5 and from 1.19.0 to before 1.19.3, the cert-manager-controller performs DNS lookupβ¦
4.3
CVE-2024-40685 - IBM Operations Analytics - Log Analysis is affected by CSRF Token Replay Attack
IBM Operations Analytics β Log Analysis versions 1.3.5.0 through 1.3.8.3 and IBM SmartCloud Analytics β Log Analysis are vulnerable to a cross-site request forgery (CSRF) vulnerability that could allow an attacker to trick a trusted user into performing unauthorized actions.
3.5
CVE-2025-2134 - IBM Jazz Reporting Service Denial of Service
IBM Jazz Reporting Service could allow an authenticated user on the network to affect the system's performance using complicated queries due to insufficient resource pooling.