7.5
CVE-2026-3621 - IBM WebSphere Application Server Liberty is affected by identity spoofing
IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.4 IBM WebSphere Application Server Liberty is vulnerable to identity spoofing under limited conditions when an application is deployed without authentication and authorization configured.
8.4
CVE-2026-40517 - radare2 < 6.1.4 Command Injection via PDB Parser Symbol Names
radare2 prior to 6.1.4 contains a command injection vulnerability in the PDB parser's print_gvars() function that allows attackers to execute arbitrary commands by crafting a malicious PDB file with newline characters in symbol names. Attackers can inject arbitrary radare2 commands through unsaniti…
8.1
CVE-2026-41175 - Statamic: Unsafe method invocation via query value resolution allows data destruction
Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.20 and 6.13.0, manipulating query parameters on Control Panel and REST API endpoints, or arguments in GraphQL queries, could result in the loss of content, assets, and user accounts. The Control Panel requ…
5.5
CVE-2026-41177 - Squidex has Blind SSRF via file:// Protocol in Restore API leading to Local File Interaction
Squidex is an open source headless content management system and content management hub. Prior to version 7.23.0, the Squidex Restore API is vulnerable to Blind Server-Side Request Forgery (SSRF). The application fails to validate the URI scheme of the user-supplied `Url` parameter, allowing the us…
7.3
CVE-2026-41172 - Squidex vulnerable to Server-Side Request Forgery (SSRF) via URL-based asset upload (/api/apps/{app…
Squidex is an open source headless content management system and content management hub. Prior to version 7.23.0, an SSRF vulnerability allows a user with asset upload permission to force the server to fetch arbitrary URLs, including localhost/private network targets, and persist the response as an…
7.3
CVE-2026-41171 - SSRF via Jint Scripting Engine HTTP Functions Due to Missing SSRF Protection on "Jint" HttpClient
Squidex is an open source headless content management system and content management hub. Versions prior to 7.23.0 have a Server-Side Request Forgery (SSRF) vulnerability due to missing SSRF protection on the `Jint` HTTP client used by scripting engine functions (`getJSON`, `request`, etc.). An auth…
7.2
CVE-2026-41170 - Squidex has SSRF via Backup Restore Endpoint — Admin-Controlled URL Download Allows Internal and Ex…
Squidex is an open source headless content management system and content management hub. Prior to version 7.23.0, the `RestoreController.PostRestoreJob` endpoint allows an administrator to supply an arbitrary URL for downloading backup archives. This URL is fetched using the "Backup" `HttpClient` w…
6.3
CVE-2026-41455 - WeKan < 8.35 SSRF via Webhook URL
WeKan before 8.35 contains a server-side request forgery vulnerability in webhook integration URL handling where the url schema field accepts any string without protocol restriction or destination validation. Attackers who can create or modify integrations can set webhook URLs to internal network a…
8.7
CVE-2026-41454 - WeKan < 8.35 Missing Authorization via Integration REST API
WeKan before 8.35 contains a missing authorization vulnerability in the Integration REST API endpoints that allows authenticated board members to perform administrative actions without proper privilege verification. Attackers can enumerate integrations including webhook URLs, create new integration…
4.8
CVE-2026-41314 - pypdf: Manipulated FlateDecode image dimensions can exhaust RAM
pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.2 can craft a PDF which leads to the RAM being exhausted. This requires accessing an image using `/FlateDecode` with large size values. This has been fixed in pypdf 6.10.2…