2

CVSS4.0

CVE-2026-22041 - loggingredactor converts non-string types to string types in logs

Logging Redactor is a Python library designed to redact sensitive data in logs based on regex patterns and / or dictionary keys. Prior to version 0.0.6, non-string types are converted into string types, leading to type errors in %d conversions. The problem has been patched in version 0.0.6. No know…

📅 Published: Jan. 8, 2026, 2:52 p.m. 🔄 Last Modified: April 18, 2026, 4:45 p.m.

9.2

CVSS4.0

CVE-2026-22034 - Snuffleupagus vulnerable to RCE on instances with upload validation enabled but without the VLD pac…

Snuffleupagus is a module that raises the cost of attacks against websites by killing bug classes and providing a virtual patching system. On deployments of Snuffleupagus prior to version 0.13.0 with the non-default upload validation feature enabled and configured to use one of the upstream validati…

📅 Published: Jan. 8, 2026, 2:49 p.m. 🔄 Last Modified: April 18, 2026, 7:45 a.m.

4.3

CVSS3.1

CVE-2026-22032 - Directus has open redirect in SAML

Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 11.14.0, an open redirect vulnerability exists in the Directus SAML authentication callback endpoint. During SAML authentication, the `RelayState` parameter is intended to preserve the user's original …

📅 Published: Jan. 8, 2026, 2:32 p.m. 🔄 Last Modified: April 18, 2026, 4:45 p.m.

6.9

CVSS4.0

CVE-2025-66002 - Local users can perform arbitrary unmounts via smb4k mount helper due to lack of input validation

An Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability allows local users to perform arbitrary unmounts via the smb4k mount helper.

📅 Published: Jan. 8, 2026, 2:25 p.m. 🔄 Last Modified: April 15, 2026, 12:35 a.m.

7.2

CVSS4.0

CVE-2026-22028 - Preact has JSON VNode Injection issue

Preact, a lightweight web development framework, has JSON serialization protection to prevent Virtual DOM elements from being constructed from arbitrary JSON. A regression introduced in Preact 10.26.5 caused this protection to be softened. In applications where values from JSON payloads are assumed to …

📅 Published: Jan. 8, 2026, 2:16 p.m. 🔄 Last Modified: April 18, 2026, 7:45 a.m.

2.7

CVSS4.0

CVE-2026-21895 - rsa crate has potential panic on a prime being equal to 1

The `rsa` crate is an RSA implementation written in Rust. Prior to version 0.9.10, when creating an RSA private key from its components, the construction panics instead of returning an error when one of the primes is `1`. Version 0.9.10 fixes the issue.

📅 Published: Jan. 8, 2026, 2:06 p.m. 🔄 Last Modified: April 18, 2026, 7:45 a.m.

5.3

CVSS3.1

CVE-2026-21892 - Parsl Monitoring Visualization Vulnerable to SQL Injection

Parsl is a Python parallel scripting library. A SQL Injection vulnerability exists in the parsl-visualize component of versions prior to 2026.01.05. The application constructs SQL queries using unsafe string formatting (Python % operator) with user-supplied input (workflow_id) directly from URL rou…

📅 Published: Jan. 8, 2026, 2:02 p.m. 🔄 Last Modified: April 18, 2026, 7:45 a.m.

9.4

CVSS3.1

CVE-2026-21891 - ZimaOS has Authentication Bypass via System-Level Username

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In versions up to and including 1.5.0, the application checks the validity of the username but appears to skip, misinterpret, or incorrectly validate the password when the provided username matches a know…

📅 Published: Jan. 8, 2026, 2 p.m. 🔄 Last Modified: April 18, 2026, 7:45 a.m.

6.5

CVSS3.1

CVE-2026-21885 - Miniflux Media Proxy SSRF via /proxy endpoint allows access to internal network resources

Miniflux 2 is an open source feed reader. Prior to version 2.2.16, Miniflux's media proxy endpoint (`GET /proxy/{encodedDigest}/{encodedURL}`) can be abused to perform Server-Side Request Forgery (SSRF). An authenticated user can cause Miniflux to generate a signed proxy URL for attacker-chosen med…

📅 Published: Jan. 8, 2026, 1:57 p.m. 🔄 Last Modified: April 18, 2026, 4:45 p.m.

9.3

CVSS3.1

CVE-2026-21876 - OWASP CRS has multipart bypass using multiple content-type parts

The OWASP core rule set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 4.22.0 and 3.3.8, the current rule 922110 has a bug when processing multipart requests with multiple parts. When the first rule in a chain iterates over a co…

📅 Published: Jan. 8, 2026, 1:55 p.m. 🔄 Last Modified: April 16, 2026, 9 a.m.