5.1
CVE-2026-40353 - wger: Stored XSS via Unescaped License Attribution Fields
wger is a free, open-source workout and fitness manager. In versions 2.5 and below, the attribution_link property in AbstractLicenseModel constructs HTML by directly interpolating user-controlled license fields (such as license_author) without escaping, and templates render the result using Django'β¦
9.1
CVE-2026-40258 - Gramps Web API has Zip Slip Path Traversal in Media Archive Import
The Gramps Web API is a Python REST API for the genealogical research software Gramps. Versions 1.6.0 through 3.11.0 have a path traversal vulnerability (Zip Slip) in the media archive import feature. An authenticated user with owner-level privileges can craft a malicious ZIP file with directory-trβ¦
8.8
CVE-2026-29013 - libcoap Out-of-Bounds Read in OSCORE CBOR Unwrap Handling
libcoap contains out-of-bounds read vulnerabilities in OSCORE Appendix B.2 CBOR unwrap handling where get_byte_inc() in src/oscore/oscore_cbor.c relies solely on assert() for bounds checking, which is removed in release builds compiled with NDEBUG. Attackers can send crafted CoAP requests with malfβ¦
8.1
CVE-2026-40321 - DotNetNuke.Core has stored cross-site-scripting (XSS) via SVG upload
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.2.2, a user could upload a specially crafted SVG file that could include scripts that can target both authenticated and unauthenticated DNN users. The impact is increaseβ¦
8.8
CVE-2026-40352 - FastGPT: NoSQL Injection in updatePasswordByOld Leads to Account Takeover
FastGPT is an AI Agent building platform. In versions prior to 4.14.9.5, the password change endpoint is vulnerable to NoSQL injection. An authenticated attacker can bypass the "old password" verification by injecting MongoDB query operators. This allows an attacker who has gained a low-privileged β¦
6.9
CVE-2026-40306 - DNN has same HostGUID for all new installs
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. All new installations of DNN 10.x.x - 10.2.1 have the same Host GUID. This does not affect upgrades from 9.x.x. Version 10.2.2 patches the issue.
4.3
CVE-2026-40305 - DNN has Force Friend Request Acceptance
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Starting in version 6.0.0 and prior to version 10.2.2, in the friends feature, a user could craft a request that would force the acceptance of a friend request on another user. Version 10.2β¦
9.8
CVE-2026-40351 - FastGPT: NoSQL Injection in loginByPassword leads to Authentication Bypass
FastGPT is an AI Agent building platform. In versions prior to 4.14.9.5, the password-based login endpoint uses TypeScript type assertion without runtime validation, allowing an unauthenticated attacker to pass a MongoDB query operator object (e.g., {"$ne": ""}) as the password field. This NoSQL inβ¦
5.3
CVE-2026-40304 - zrok's broken ownership check in DELETE /api/v2/unaccess allows non-admin to delete global frontendβ¦
zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, the unaccess handler (controller/unaccess.go) contains a logical error in its ownership guard: when a frontend record has environment_id = NULL (the marker for admin-created global frontends), the condiβ¦
7.5
CVE-2026-40303 - zrok allows unauthenticated DoS via unbounded memory allocation in striped session cookie parsing
zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, endpoints.GetSessionCookie parses an attacker-supplied cookie chunk count and calls make([]string, count) with no upper bound before any token validation occurs. The function is reached on every requestβ¦