6.6
CVE-2026-34388 - Fleet vulnerable to Denial of Service via unhandled gRPC log type in launcher endpoint
Fleet is open source device management software. Prior to 4.81.0, a denial-of-service vulnerability in Fleet's gRPC Launcher endpoint allows an authenticated host to crash the entire Fleet server process by sending an unexpected log type value. The server terminates immediately, disrupting all connβ¦
5.7
CVE-2026-34387 - Fleet vulnerable to OS command injection via crafted software package metadata in uninstall scripts
Fleet is open source device management software. Prior to 4.81.1, a command injection vulnerability in Fleet's software installer pipeline allows an attacker to achieve arbitrary code execution as root (macOS/Linux) or SYSTEM (Windows) on managed hosts when an uninstall is triggered for a crafted sβ¦
6.3
CVE-2026-34386 - Fleet vulnerable to SQL injection in MDM bootstrap package by authenticated team or global admin
Fleet is open source device management software. Prior to 4.81.0, a SQL injection vulnerability in Fleet's MDM bootstrap package configuration allows an authenticated user with Team Admin or Global Admin privileges to modify arbitrary team configurations, exfiltrate sensitive data from the Fleet daβ¦
6.2
CVE-2026-34385 - Fleet's Apple MDM profile delivery has second-order SQL injection that can compromise the database
Fleet is open source device management software. Prior to 4.81.0, a second-order SQL injection vulnerability in Fleet's Apple MDM profile delivery pipeline could allow an attacker with a valid MDM enrollment certificate to exfiltrate or modify the contents of the Fleet database, including user credβ¦
4.9
CVE-2026-29180 - Fleet's team maintainer can transfer hosts from any team via missing source team authorization
Fleet is open source device management software. Prior to 4.81.1, a broken access control vulnerability in Fleet's host transfer API allows a team maintainer to transfer hosts from any team into their own team, bypassing team isolation boundaries. Once transferred, the attacker gains full control oβ¦
5.3
CVE-2026-4970 - code-projects Social Networking Site Endpoint delete_photos.php sql injection
A security flaw has been discovered in code-projects Social Networking Site 1.0. This affects an unknown function of the file delete_photos.php of the component Endpoint. The manipulation of the argument ID results in sql injection. The attack can be executed remotely. The exploit has been releasedβ¦
5.1
CVE-2026-4969 - code-projects Social Networking Site Alert home.php cross site scripting
A vulnerability was identified in code-projects Social Networking Site 1.0. The impacted element is an unknown function of the file /home.php of the component Alert Handler. The manipulation of the argument content leads to cross site scripting. Remote exploitation of the attack is possible. The exβ¦
8.7
CVE-2026-26061 - Fleet's unbounded request body read allows remote Denial of Service
Fleet is open source device management software. Prior to 4.81.0, Fleet contained multiple unauthenticated HTTP endpoints that read request bodies without enforcing a size limit. An unauthenticated attacker could exploit this behavior by sending large or repeated HTTP payloads, causing excessive meβ¦
6
CVE-2026-26060 - Fleet: Password reset tokens remain valid after password change for 24 hours
Fleet is open source device management software. Prior to 4.81.0, a vulnerability in Fleetβs password management logic could allow previously issued password reset tokens to remain valid after a user changes their password. As a result, a stale password reset token could be reused to reset the accoβ¦
8.2
CVE-2026-34375 - AVideo Vulnerable to Reflected XSS via Unsanitized plugin Parameter in YPTWallet Stripe Payment Page
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the YPTWallet Stripe payment confirmation page directly echoes the `$_REQUEST['plugin']` parameter into a JavaScript block without any encoding or sanitization. The `plugin` parameter is not included in any of the fβ¦