7.3
CVE-2026-23736 - seroval Affected by Prototype Pollution via JSON Deserialization
seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, due to improper input validation, a malicious object key can lead to prototype pollution during JSON deserialization. This vulnerability affects only JSON deseβ¦
3.5
CVE-2026-24048 - Backstage has a Possible SSRF when reading from allowed URL's in `backend.reading.allow`
Backstage is an open framework for building developer portals, and @backstage/backend-defaults provides the default implementations and setup for a standard Backstage backend app. Prior to versions 0.12.2, 0.13.2, 0.14.1, and 0.15.0, the `FetchUrlReader` component, used by the catalog and other pluβ¦
6.3
CVE-2026-23630 - Docmost is vulnerable to stored Cross-Site Scripting (XSS) through Mermaid rendering
Docmost is open-source collaborative wiki and documentation software. In versions 0.3.0 through 0.23.2, Mermaid code block rendering is vulnerable to stored Cross-Site Scripting (XSS). The frontend can render attacker-controlled Mermaid diagrams using mermaid.render(), then inject the returned SVG/β¦
6.3
CVE-2026-24047 - @backstage/cli-common has a possible `resolveSafeChildPath` Symlink Chain Bypass
Backstage is an open framework for building developer portals, and @backstage/cli-common provides config loading functionality used by the backend and command line interface of Backstage. Prior to version 0.1.17, the `resolveSafeChildPath` utility function in `@backstage/backend-plugin-api`, which β¦
7.1
CVE-2026-24046 - Backstage has a Possible Symlink Path Traversal in Scaffolder Actions
Backstage is an open framework for building developer portals. Multiple Scaffolder actions and archive extraction utilities were vulnerable to symlink-based path traversal attacks. An attacker with access to create and execute Scaffolder templates could exploit symlinks to read arbitrary files via β¦
3.7
CVE-2026-23996 - FastAPI Api Key has a timing side-channel in verify_key that allows statistical key validity detectβ¦
FastAPI Api Key provides a backend-agnostic library that provides an API key system. Version 1.1.0 has a timing side-channel vulnerability in verify_key(). The method applied a random delay only on verification failures, allowing an attacker to statistically distinguish valid from invalid API keys β¦
5.3
CVE-2026-23990 - Flux Operator Web UI Impersonation Bypass via Empty OIDC Claims
The Flux Operator is a Kubernetes CRD controller that manages the lifecycle of CNCF Flux CD and the ControlPlane enterprise distribution. Starting in version 0.36.0 and prior to version 0.40.0, a privilege escalation vulnerability exists in the Flux Operator Web UI authentication code that allows aβ¦
6.9
CVE-2026-23986 - Copier safe template has arbitrary filesystem write access via directory symlinks when _preserve_syβ¦
Copier is a library and CLI app for rendering project templates. Prior to version 9.11.2, Copier suggests that it's safe to generate a project from a safe template, i.e. one that doesn't use unsafe features like custom Jinja extensions which would require passing the `--UNSAFE,--trust` flag. As it β¦
6.8
CVE-2026-23968 - Copier safe template has arbitrary filesystem read access via symlinks when _preserve_symlinks: falβ¦
Copier is a library and CLI app for rendering project templates. Prior to version 9.11.2, Copier suggests that it's safe to generate a project from a safe template, i.e. one that doesn't use unsafe features like custom Jinja extensions which would require passing the `--UNSAFE,--trust` flag. As it β¦
9.8
CVE-2026-23524 - Laravel Redis Horizontal Scaling Insecure Deserialization
Laravel Reverb provides a real-time WebSocket communication backend for Laravel applications. In versions 1.6.3 and below, Reverb passes data from the Redis channel directly into PHPβs unserialize() function without restricting which classes can be instantiated, which leaves users vulnerable to Remβ¦