6.5
CVE-2026-24098 - Apache Airflow: Assigning single DAG permission leaked all DAGs Import Errors
Apache Airflow versions before 3.1.7, has vulnerability that allows authenticated UI users with permission to one or more specific Dags to view import errors generated by other Dags they did not have access to. Users are advised to upgrade to 3.1.7 or later, which resolves this issue
5.1
CVE-2026-2227 - D-Link DCS-931L setSystemAdmin doSystem command injection
A vulnerability was found in D-Link DCS-931L up to 1.13.0. Impacted is the function doSystem of the file /setSystemAdmin. Performing a manipulation of the argument AdminID results in command injection. The attack may be initiated remotely. The exploit has been made public and could be used. This vuβ¦
5.1
CVE-2026-2226 - DouPHP ZIP File file.php unrestricted upload
A vulnerability has been found in DouPHP up to 1.9. This issue affects some unknown processing of the file /admin/file.php of the component ZIP File Handler. Such manipulation of the argument sql_filename leads to unrestricted upload. The attack can be launched remotely. The exploit has been discloβ¦
5.3
CVE-2026-23903 - Apache Shiro: Auth bypass when accessing static files only on case-insensitive filesystems
Authentication Bypass by Alternate Name vulnerability in Apache Shiro. This issue affects Apache Shiro: before 2.0.7. Users are recommended to upgrade to version 2.0.7, which fixes the issue. The issue only effects static files. If static files are served from a case-insensitive filesystem, suchβ¦
6.9
CVE-2026-2225 - itsourcecode News Portal Project Administrator Login index.php sql injection
A flaw has been found in itsourcecode News Portal Project 1.0. This vulnerability affects unknown code of the file /admin/index.php of the component Administrator Login. This manipulation of the argument email causes sql injection. The attack can be initiated remotely. The exploit has been publisheβ¦
5.8
CVE-2026-25905 - Lack of isolation in mcp-run-python leads to MCP server takeover
The Python code being run by 'runPython' or 'runPythonAsync' is not isolated from the rest of the JS code, allowing any Python code to use the Pyodide APIs to modify the JS environment. This may result in an attacker hijacking the MCP server - for malicious purposes including MCP tool shadowing. Noβ¦
5.8
CVE-2026-25904 - Overly permissive Deno configuration in mcp-run-python leads to SSRF
The Pydantic-AI MCP Run Python tool configures the Deno sandbox with an overly permissive configuration that allows the underlying Python code to access the localhost interface of the host to perform SSRF attacks. Note - the "mcp-run-python" project is archived and unlikely to receive a fix.
5.1
CVE-2026-2224 - code-projects Online Reviewer System btn_functions.php cross site scripting
A vulnerability was detected in code-projects Online Reviewer System 1.0. This affects an unknown part of the file /system/system/admins/manage/users/btn_functions.php. The manipulation of the argument firstname results in cross site scripting. It is possible to launch the attack remotely. The explβ¦
4.3
CVE-2026-25916 -
Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13, when "Block remote images" is used, does not block SVG feImage.
8.6
CVE-2025-7799 - Reflected XSS in Zirve Information Technologies' e-Taxpayer Accounting Website
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Zirve Information Technologies Inc. E-Taxpayer Accounting Website allows Reflected XSS.This issue affects e-Taxpayer Accounting Website: through 07082025.