7.2

CVSS4.0

CVE-2026-22708 - Cursor has a Terminal Tool Allowlist Bypass via Environment Variables

Cursor is a code editor built for programming with AI. Prior to 2.3, when the Cursor Agent is running in Auto-Run Mode with Allowlist mode enabled, certain shell built-ins can still be executed without appearing in the allowlist and without requiring user approval. This allows an attacker via indire…

📅 Published: Jan. 14, 2026, 4:43 p.m. 🔄 Last Modified: April 18, 2026, 6:30 a.m.

6.1

CVSS3.1

CVE-2026-22694 - AliasVault is Missing Origin Validation in Android Passkey Credential Provider

AliasVault is a privacy-first password manager with built-in email aliasing. AliasVault Android versions 0.24.0 through 0.25.2 contained an issue in how passkey requests from Android apps were validated. Under certain local conditions, a malicious app could attempt to obtain a passkey response for …

📅 Published: Jan. 14, 2026, 4:32 p.m. 🔄 Last Modified: April 18, 2026, 4:30 p.m.

2.3

CVSS4.0

CVE-2026-21889 - Weblate leaks information via screenshots

Weblate is a web-based localization tool. Prior to 5.15.2, the screenshot images were served directly by the HTTP server without proper access control. This could allow an unauthenticated user to access screenshots after guessing their filename. This vulnerability is fixed in 5.15.2.

📅 Published: Jan. 14, 2026, 4:28 p.m. 🔄 Last Modified: April 18, 2026, 4:30 p.m.

7.2

CVSS3.1

CVE-2025-37181 - Authenticated SQL Injection in EdgeConnect SD-WAN Orchestrator Web-Based Management Interface

Vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to perform SQL injection attacks. Successful exploitation could allow an attacker to execute arbitrary SQL commands on the underlying database, potentially leading …

📅 Published: Jan. 14, 2026, 4:26 p.m. 🔄 Last Modified: Jan. 20, 2026, 6:17 p.m.

5.5

CVSS3.1

CVE-2025-37185 - Authenticated Stored Cross-Site Scripting Vulnerabilities (XSS) in EdgeConnect SD-WAN Orchestrator …

Vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to conduct stored cross-site scripting (XSS) attacks against an administrative user of the interface. A successful exploit allows an attacker to execute arbitrary …

📅 Published: Jan. 14, 2026, 4:20 p.m. 🔄 Last Modified: Jan. 20, 2026, 6:14 p.m.

9.8

CVSS3.1

CVE-2025-37184 - Unauthenticated Bypass Allows Multi-Factor Authentication Circumvention

A vulnerability exists in an Orchestrator service that could allow an unauthenticated remote attacker to bypass multi-factor authentication requirements. Successful exploitation could allow an attacker to create an admin user account without the necessary multi-factor authentication, thereby compro…

📅 Published: Jan. 14, 2026, 4:19 p.m. 🔄 Last Modified: March 3, 2026, 6:16 p.m.

7.2

CVSS3.1

CVE-2025-37183 - Authenticated SQL Injection in EdgeConnect SD-WAN Orchestrator Web-Based Management Interface

Vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to perform SQL injection attacks. Successful exploitation could allow an attacker to execute arbitrary SQL commands on the underlying database, potentially leading …

📅 Published: Jan. 14, 2026, 4:18 p.m. 🔄 Last Modified: Jan. 20, 2026, 6:17 p.m.

7.2

CVSS3.1

CVE-2025-37182 - Authenticated SQL Injection in EdgeConnect SD-WAN Orchestrator Web-Based Management Interface

Vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to perform SQL injection attacks. Successful exploitation could allow an attacker to execute arbitrary SQL commands on the underlying database, potentially leading …

📅 Published: Jan. 14, 2026, 4:17 p.m. 🔄 Last Modified: Jan. 20, 2026, 6:17 p.m.

5.1

CVSS4.0

CVE-2026-22211 - TinyOS <= 2.1.2 Global Buffer Overflow in printfUART

TinyOS versions up to and including 2.1.2 contain a global buffer overflow vulnerability in the printfUART formatted output implementation used within the ZigBee / IEEE 802.15.4 networking stack. The implementation formats output into a fixed-size global buffer and concatenates strings for %s forma…

📅 Published: Jan. 14, 2026, 3:19 p.m. 🔄 Last Modified: April 18, 2026, 4:30 p.m.

6.3

CVSS4.0

CVE-2026-22820 - Outray cli is vulnerable to race conditions in tunnels creation

Outray is an open-source ngrok alternative. Prior to 0.1.5, a TOCTOU race condition vulnerability allows a user to exceed the set number of active tunnels in their subscription plan. This vulnerability is fixed in 0.1.5.

📅 Published: Jan. 14, 2026, 3:06 p.m. 🔄 Last Modified: April 18, 2026, 4:30 p.m.