3.7
CVE-2026-40279 - BACnet Stack: Undefined-behavior signed left shift in `decode_signed32()`
BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.4.3, decode_signed32() in src/bacnet/bacint.c reconstructs a 32-bit signed integer from four APDU bytes using signed left shifts. When any of the four bytes has bit 7 set (value ≥ 0x80), the left-shift op…
7.7
CVE-2026-40161 - Tekton Pipelines: Git resolver API mode leaks system-configured API token to user-controlled server…
Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. From 1.0.0 to 1.10.0, the Tekton Pipelines git resolver in API mode sends the system-configured Git API token to a user-controlled serverURL when the user omits the token parameter. A tenant with TaskRun or P…
5.7
CVE-2026-35451 - Twenty: Stored XSS via BlockNote FileBlock
Twenty is an open source CRM. Prior to 1.20.6, a Stored Cross-Site Scripting (XSS) vulnerability exists in the BlockNote editor component. Due to a lack of protocol validation in the FileBlock component and insufficient server-side inspection of block content, an attacker can inject a javascript: U…
3.3
CVE-2026-29179 - October: Editor Sub-Permission Bypass for Asset and Blueprint File Operations
October is a Content Management System (CMS) and web platform. Prior to 3.7.16 and 4.1.16, fine-grained sub-permission checks for asset and blueprint file operations were not enforced in the CMS and Tailor editor extensions. This only affects backend users who were explicitly granted editor access …
8.2
CVE-2026-24189 - Unauthenticated Out-of-Bounds Read in NVIDIA CUDA-Q Endpoint
NVIDIA CUDA-Q contains a vulnerability in an endpoint, where an unauthenticated attacker could cause an out-of-bounds read by sending a maliciously crafted request. A successful exploit of this vulnerability might lead to denial of service and information disclosure.
7.7
CVE-2026-24177 - Unauthorized API Access Leading to Information Disclosure in NVIDIA KAI Scheduler
NVIDIA KAI Scheduler contains a vulnerability where an attacker could access API endpoints without authorization. A successful exploit of this vulnerability might lead to information disclosure.
3.1
CVE-2026-27937 - October: Reflected XSS via DataTable Form Widget
October is a Content Management System (CMS) and web platform. Prior to 3.7.16 and 4.1.16, a reflected Cross-Site Scripting (XSS) vulnerability was identified in the backend DataTable widget where a query parameter was rendered without proper output escaping. This vulnerability is fixed in 3.7.16 a…
4.3
CVE-2026-24176 - Improper Authorization Enabling Data Tampering via Cross-Namespace Pod References in NVIDIA KAI Sch…
NVIDIA KAI Scheduler contains a vulnerability where an attacker could cause improper authorization through cross-namespace pod references. A successful exploit of this vulnerability might lead to data tampering.
6.6
CVE-2026-26274 - October: Safe Mode Bypass via Twig Database Write Operations
October is a Content Management System (CMS) and web platform. Prior to 3.7.14 and 4.1.10, a vulnerability was identified in the Twig sandbox security policy that allowed database write operations when cms.safe_mode is enabled. Backend users with Developer permissions could use Twig template markup…
4.9
CVE-2026-26067 - October: Safe Mode Bypass via CSS Preprocessor Compilers
October is a Content Management System (CMS) and web platform. Prior to 3.7.14 and 4.1.10, a server-side information disclosure vulnerability was identified in the handling of CSS preprocessor files. Backend users with Editor permissions could craft .less, .sass, or .scss files that leverage the co…