7.6
CVE-2025-59057 - React Router has XSS Vulnerability
React Router is a router for React. In @remix-run/react versions 1.15.0 through 2.17.0, and react-router versions 7.0.0 through 7.8.2, an XSS vulnerability exists in React Router's meta()/<Meta> APIs in Framework Mode when generating script:ld+json tags which could allow arbitrary JavaScript exec…
6.5
CVE-2025-68470 - React Router has unexpected external redirect via untrusted paths
React Router is a router for React. In versions 6.0.0 through 6.30.1 and 7.0.0 through 7.9.5, an attacker-supplied path can be crafted so that when a React Router application navigates to it via navigate(), <Link>, or redirect(), the app performs a navigation/redirect to an external URL. This is on…
8.9
CVE-2026-22612 - Fickling vulnerable to detection bypass due to "builtins" blindness
Fickling is a Python pickling decompiler and static analyzer. Prior to version 0.1.7, Fickling is vulnerable to detection bypass due to "builtins" blindness. This issue has been patched in version 0.1.7.
8.9
CVE-2026-22609 - Fickling has Static Analysis Bypass via Incomplete Dangerous Module Blocklist
Fickling is a Python pickling decompiler and static analyzer. Prior to version 0.1.7, the unsafe_imports() method in Fickling's static analyzer fails to flag several high-risk Python modules that can be used for arbitrary code execution. Malicious pickles importing these modules will not be detecte…
8.9
CVE-2026-22608 - Fickling vulnerable to use of ctypes and pydoc gadget chain to bypass detection
Fickling is a Python pickling decompiler and static analyzer. Prior to version 0.1.7, both ctypes and pydoc modules aren't explicitly blocked. Even other existing pickle scanning tools (like picklescan) do not block pydoc.locate. Chaining these two together can achieve RCE while the scanner still r…
8.9
CVE-2026-22607 - Fickling Blocklist Bypass: cProfile.run()
Fickling is a Python pickling decompiler and static analyzer. Fickling versions up to and including 0.1.6 do not treat Python's cProfile module as unsafe. Because of this, a malicious pickle that uses cProfile.run() is classified as SUSPICIOUS instead of OVERTLY_MALICIOUS. If a user relies on Fickl…
8.9
CVE-2026-22606 - Fickling has a bypass via runpy.run_path() and runpy.run_module()
Fickling is a Python pickling decompiler and static analyzer. Fickling versions up to and including 0.1.6 do not treat Python's runpy module as unsafe. Because of this, a malicious pickle that uses runpy.run_path() or runpy.run_module() is classified as SUSPICIOUS instead of OVERTLY_MALICIOUS. If a…
4.3
CVE-2026-22605 - OpenProject is Vulnerable to Insecure Direct Object Reference in Meetings
OpenProject is an open-source, web-based project management software. OpenProject versions prior to 16.6.3 allowed users with the View Meetings permission on any project to access meeting details of meetings belonging to projects the user does not have access to. This issue has been …
6.9
CVE-2026-22604 - OpenProject is vulnerable to user enumeration via the change password function
OpenProject is an open-source, web-based project management software. For OpenProject versions from 11.2.1 to before 16.6.2, when sending a POST request to the /account/change_password endpoint with an arbitrary User ID as the password_change_user_id parameter, the resulting error page would show t…
6.9
CVE-2026-22603 - OpenProject has no protection against brute-force attacks in the Change Password function
OpenProject is an open-source, web-based project management software. Prior to version 16.6.2, OpenProject's unauthenticated password-change endpoint (/account/change_password) was not protected by the same brute-force safeguards that apply to the normal login form. In affected versions, an attacke…