5.7
CVE-2026-24768 - NocoDB has Unvalidated Redirect in Login Flow via continueAfterSignIn Parameter
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, an unvalidated redirect (open redirect) vulnerability exists in NocoDB’s login flow due to missing validation of the `continueAfterSignIn` parameter. During authentication, NocoDB processes a user-controlled redire…
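The fix for an open redirect of this kind is to treat the post-login target as untrusted input and accept only plain same-origin paths. The following is an added example, not NocoDB's code: only the parameter name `continueAfterSignIn` comes from the advisory, while `APP_ORIGIN`, `safeContinuePath` and the fallback path are assumed for illustration.

```javascript
// Added example, not NocoDB's code. Only the parameter name
// `continueAfterSignIn` comes from the advisory; APP_ORIGIN, the function
// name and the fallback path are assumed for illustration.
const APP_ORIGIN = 'https://app.example.test';
const DEFAULT_AFTER_LOGIN = '/dashboard';

// Returns an absolute URL on APP_ORIGIN to send the user to after sign-in.
// Anything that is not a plain same-origin path falls back to the default.
function safeContinuePath(raw) {
  const fallback = new URL(DEFAULT_AFTER_LOGIN, APP_ORIGIN).href;
  if (typeof raw !== 'string' || raw.length === 0 || raw.length > 2048) return fallback;
  // CR/LF or other control characters could split the Location header.
  if (/[\u0000-\u001f\u007f]/.test(raw)) return fallback;
  // Require an absolute path: one leading slash, and a second character that
  // is neither '/' nor '\', because "//evil.test" and "/\evil.test" both
  // resolve to a different host (browsers treat '\' like '/' in http URLs).
  if (raw[0] !== '/' || raw[1] === '/' || raw[1] === '\\') return fallback;
  let parsed;
  try {
    parsed = new URL(raw, APP_ORIGIN);
  } catch {
    return fallback;
  }
  // Defence in depth: the resolved URL must still be on our origin.
  if (parsed.origin !== APP_ORIGIN) return fallback;
  // Emit the normalised absolute URL rather than echoing the raw input. Path
  // normalisation can turn "/..//evil.test" into the protocol-relative
  // "//evil.test"; prefixing our own origin keeps it on our host.
  return parsed.href;
}

// Typical use at the end of the login handler (Express-style, illustrative):
//   res.redirect(303, safeContinuePath(req.query.continueAfterSignIn));
```

Validating the normalised output rather than the raw string is the point of the last step: a check that passes `/..//evil.test` and then echoes the input back in a `Location` header has still produced an open redirect.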
4.9
CVE-2026-24767 - NocoDB has Blind SSRF via Unvalidated HEAD Request in uploadViaURL Functionality
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, a blind Server-Side Request Forgery (SSRF) vulnerability exists in the `uploadViaURL` functionality due to an unprotected `HEAD` request. While the subsequent file retrieval logic correctly enforces SSRF protection…
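The pattern the advisory describes is a preflight `HEAD` (typically to read size or content type) that is sent before the SSRF check that protects the later `GET`. The following is an added example, not NocoDB's code: `uploadViaURL` and the HEAD-then-GET sequence come from the advisory, while the function names, the `transport.send(method, url)` stand-in for the HTTP client and the address policy are assumed for illustration.

```javascript
// Added example, not NocoDB's code. `uploadViaURL` and the HEAD-then-GET
// sequence come from the advisory; function and transport names are
// illustrative. `transport.send(method, url)` stands in for the real HTTP
// client so the example runs offline.

function isIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  return m !== null && m.slice(1).every((o) => Number(o) <= 255);
}

// True for addresses an upload fetcher must never contact: loopback, RFC 1918,
// link-local (including the 169.254.169.254 cloud metadata address), CGNAT,
// multicast/reserved, unspecified, and the IPv6 equivalents. IPv4-mapped IPv6
// is rejected outright rather than decoded.
function isForbiddenAddress(host) {
  if (isIPv4(host)) {
    const [a, b] = host.split('.').map(Number);
    return a === 0 || a === 10 || a === 127 ||
      (a === 169 && b === 254) ||
      (a === 172 && b >= 16 && b <= 31) ||
      (a === 192 && b === 168) ||
      (a === 100 && b >= 64 && b <= 127) ||
      a >= 224;
  }
  if (host.includes(':')) {
    const h = host.toLowerCase();
    return h === '::' || h === '::1' || h.startsWith('fe80:') ||
      h.startsWith('fc') || h.startsWith('fd') || h.startsWith('::ffff:');
  }
  // A DNS name: a real implementation resolves it and runs every returned
  // address through this check, then connects to that address (not done here).
  return false;
}

// Throws unless the URL is http(s) without credentials and its host is not a
// forbidden literal. It checks the *parsed* hostname: the WHATWG URL parser has
// already normalised forms such as 0x7f.0.0.1 or 2130706433 to dotted decimal.
function assertPublicHttpTarget(rawUrl) {
  const u = new URL(rawUrl);
  if (u.protocol !== 'http:' && u.protocol !== 'https:') throw new Error(`scheme not allowed: ${u.protocol}`);
  if (u.username || u.password) throw new Error('credentials in URL not allowed');
  const host = u.hostname.replace(/^\[|\]$/g, '');
  if (host === 'localhost' || host.endsWith('.localhost') || isForbiddenAddress(host)) {
    throw new Error(`target not allowed: ${host}`);
  }
  return u;
}

// Shape the advisory describes: the probe goes out before any validation, so a
// blind request reaches internal hosts even though the GET is protected.
function uploadViaUrlVulnerable(rawUrl, transport) {
  transport.send('HEAD', rawUrl); // unguarded
  assertPublicHttpTarget(rawUrl);
  return transport.send('GET', rawUrl);
}

// Fix: every outbound request goes through one guard, so a probe added later
// cannot bypass it. Any redirect target must be re-validated the same way.
function guardedSend(method, rawUrl, transport) {
  const u = assertPublicHttpTarget(rawUrl);
  return transport.send(method, u.href);
}
function uploadViaUrlFixed(rawUrl, transport) {
  guardedSend('HEAD', rawUrl, transport);
  return guardedSend('GET', rawUrl, transport);
}

// Recording transport so the difference is observable without network access.
function makeRecorder() {
  const calls = [];
  return { calls, send(method, url) { calls.push(`${method} ${url}`); return { status: 200 }; } };
}
```

Two caveats a practitioner would add in production: hostnames must be resolved and the resolved address checked and pinned for the actual connection (otherwise DNS rebinding defeats the check), and redirects must be followed manually so that a public host cannot `302` the fetcher onto an internal one.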
4.9
CVE-2026-24766 - NocoDB Vulnerable to Prototype Pollution in Connection Test Endpoint, Leading to DoS
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, an authenticated user with org-level-creator permissions can exploit prototype pollution in the `/api/v2/meta/connection/test` endpoint, causing all database write operations to fail application-wide until server r…
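The mechanism behind an application-wide failure from one request is that a recursive merge of user-supplied JSON walks a `__proto__` key into `Object.prototype`, after which every plain object in the process inherits the attacker's properties. The following is an added example, not NocoDB's code: the endpoint path comes from the advisory, while the merge helper, the `readOnly` option and the simulated write are illustrative of the mechanism rather than the actual implementation.

```javascript
// Added example, not NocoDB's code. The endpoint /api/v2/meta/connection/test
// comes from the advisory; the merge, the option name `readOnly` and the
// simulated write are illustrative of the mechanism, not the actual code.

// Typical "merge user config over driver defaults" helper. Walking
// Object.keys(source) without filtering lets a body such as
// {"__proto__": {...}} descend into Object.prototype.
function deepMergeUnsafe(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      deepMergeUnsafe(target[key], value); // target['__proto__'] is Object.prototype
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: refuse the three keys that reach prototypes, descend only
// into the target's own properties, and create nested objects with a null
// prototype so nothing can be inherited from them either.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function deepMergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) throw new Error(`rejected key: ${key}`);
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      target[key] = deepMergeSafe(own !== null && typeof own === 'object' ? own : Object.create(null), value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Unrelated code elsewhere in the process: a write path that honours a
// per-call options object. Once Object.prototype.readOnly is set, a fresh {}
// inherits it and every write is refused until the process restarts.
function runWrite(options = {}) {
  if (options.readOnly) throw new Error('write rejected: connection is read-only');
  return 'written';
}

// Constructed attacker body for the connection-test endpoint.
const ATTACKER_BODY = '{"client":"pg","__proto__":{"readOnly":true}}';

// Returns true if the unsafe merge made an unrelated write fail. Cleans up in
// `finally` so the rest of this process recovers; a real server has no such step.
function demonstratePollution() {
  try {
    deepMergeUnsafe({ client: 'pg', connection: {} }, JSON.parse(ATTACKER_BODY));
    try { runWrite(); return false; } catch { return true; }
  } finally {
    delete Object.prototype.readOnly;
  }
}

// Returns true if the hardened merge rejects the same body and writes still work.
function demonstrateFix() {
  let rejected = false;
  try { deepMergeSafe({ client: 'pg' }, JSON.parse(ATTACKER_BODY)); } catch { rejected = true; }
  return rejected && runWrite() === 'written';
}
```

Note that `JSON.parse` happily creates an own property named `__proto__`, so the key reaches the merge intact; it is the `target[key]` lookup inside the merge, not the parser, that turns it into a prototype write. Rejecting the body with an error, as `deepMergeSafe` does, is preferable to silently dropping the key because it makes the attempt visible in logs.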
6.3
CVE-2026-24739 - Symfony has incorrect argument escaping under MSYS2/Git Bash on Windows that can lead to destructiv…
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to versions 5.4.51, 6.4.33, 7.3.11, 7.4.5, and 8.0.5, the Symfony Process component did not correctly treat some characters (notably `=`) as “special” when escaping arguments on Windows. When PHP…
6.5
CVE-2026-24742 - Discourse staff action logs expose sensitive information to moderators
Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, non-admin moderators can view sensitive information in staff action logs that should be restricted to administrators only. The exposed information includes webhook payload URLs and secre…
6.9
CVE-2026-23743 - Discourse allows permalinks to restricted resources to leak resource slugs to unauthorized users
Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, permalinks pointing to access-restricted resources (private topics, categories, posts, or hidden tags) were redirecting users to URLs containing the resource slug, even when the user did…
8.1
CVE-2025-14472 - Acquia Content Hub - Moderately critical - Cross-Site Request Forgery - SA-CONTRIB-2025-125
Cross-Site Request Forgery (CSRF) vulnerability in Drupal Acquia Content Hub allows Cross Site Request Forgery. This issue affects Acquia Content Hub: from 0.0.0 before 3.6.4, from 3.7.0 before 3.7.3.
4.2
CVE-2025-13986 - Disable Login Page - Critical - Access bypass - SA-CONTRIB-2025-124
Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Disable Login Page allows Functionality Bypass. This issue affects Disable Login Page: from 0.0.0 before 1.1.3.
5.3
CVE-2025-13985 - Entity Share - Moderately critical - Access bypass, Information Disclosure - SA-CONTRIB-2025-123
Incorrect Authorization vulnerability in Drupal Entity Share allows Forceful Browsing. This issue affects Entity Share: from 0.0.0 before 3.13.0.
6.1
CVE-2025-13984 - Next.js - Critical - Access bypass - SA-CONTRIB-2025-122
Permissive Cross-domain Security Policy with Untrusted Domains vulnerability in Drupal Next.Js allows Cross-Site Scripting (XSS). This issue affects Next.Js: from 0.0.0 before 1.6.4, from 2.0.0 before 2.0.1.