8.2
CVE-2026-28677 - OpenSift: Insufficient URL destination restrictions in ingest flow could enable SSRF-style internal…
OpenSift is an AI study tool that sifts through large datasets using semantic search and generative AI. Prior to version 1.6.3-alpha, the URL ingest pipeline accepted user-controlled remote URLs with incomplete destination restrictions. Although private/local host checks existed, missing restrictio…
8.8
CVE-2026-28676 - OpenSift: Insufficient path containment checks in storage helpers could allow path traversal-style …
OpenSift is an AI study tool that sifts through large datasets using semantic search and generative AI. Prior to version 1.6.3-alpha, multiple storage helpers used path construction patterns that did not uniformly enforce base-directory containment. This created path-injection risk in file read/wri…
5.3
CVE-2026-28675 - OpenSift: Sensitive implementation details exposed via raw exception messages and token-returning e…
OpenSift is an AI study tool that sifts through large datasets using semantic search and generative AI. Prior to version 1.6.3-alpha, some endpoints returned raw exception strings to clients. Additionally, login token material was exposed in UI/rendered responses and token rotation output. This iss…
6.3
CVE-2026-28509 - LangBot has a Cross Site Scripting (XSS) Vulnerability
LangBot is a global IM bot platform designed for LLMs. Prior to version 4.8.7, LangBot's web UI renders user-supplied raw HTML using rehypeRaw, which can lead to a cross-site scripting (XSS) vulnerability. This issue has been patched in version 4.8.7.
9.2
CVE-2026-28508 - Idno: Unauthenticated SSRF via URL Unfurl Endpoint
Idno is a social publishing platform. Prior to version 1.6.4, a logic error in the API authentication flow causes the CSRF protection on the URL unfurl service endpoint to be trivially bypassed by any unauthenticated remote attacker. Combined with the absence of a login requirement on the endpoint …
8.6
CVE-2026-28507 - Idno: Remote Code Execution via Chained Import File Write and Template Path Traversal
Idno is a social publishing platform. Prior to version 1.6.4, there is a remote code execution vulnerability via chained import file write and template path traversal. This issue has been patched in version 1.6.4.
6.3
CVE-2026-27605 - Chartbrew: Stored Cross-Site Scripting (XSS) via File Upload API
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.4, the application allows uploading files (project logos) without validating the file type or content. It trusts the extension provided by the user. Th…
8.7
CVE-2026-27603 - Chartbrew: Unauthenticated Chart Filter Endpoint: POST /project/:project_id/chart/:chart_id/filter …
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.4, the chart filter endpoint POST /project/:project_id/chart/:chart_id/filter is missing both verifyToken and checkPermissions middleware, allowing una…
8.8
CVE-2026-27005 - Chartbrew: SQL injection in date-type variable handling (applyMysqlOrPostgresVariables)
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.3, an unauthenticated attacker can inject arbitrary SQL into queries executed against databases connected to Chartbrew (MySQL, PostgreSQL). This allows…
8.8
CVE-2026-25888 - Chartbrew: Remote Code Execution (RCE) via Vulnerable API
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.1, there is a remote code execution vulnerability via a vulnerable API. This issue has been patched in version 4.8.1.