4.6
CVE-2026-22186 - Bio-Formats <= 8.3.0 XXE in Leica XLEF Metadata Parser
Bio-Formats versions up to and including 8.3.0 contain an XML External Entity (XXE) vulnerability in the Leica Microsystems metadata parsing component (e.g., XLEF). The parser uses an insecurely configured DocumentBuilderFactory when processing Leica XML-based metadata files, allowing external entiβ¦
4.6
CVE-2026-22185 - OpenLDAP <= 2.6.10 LMDB mdb_load Heap Buffer Underflow in readline()
OpenLDAP Lightning Memory-Mapped Database (LMDB) versions up to and including 0.9.14, prior to commit 8e1fda8, contain a heap buffer underflow in the readline() function of mdb_load. When processing malformed input containing an embedded NUL byte, an unsigned offset calculation can underflow and caβ¦
6.9
CVE-2026-22188 - Panda3D <= 1.10.16 Deploy-Stub Stack Exhaustion via Unbounded alloca()
Panda3D versions up to and including 1.10.16 deploy-stub contains a denial of service vulnerability due to unbounded stack allocation. The deploy-stub executable allocates argv_copy and argv_copy2 using alloca() based directly on the attacker-controlled argc value without validation. Supplying a laβ¦
5.1
CVE-2026-22190 - Panda3D <= 1.10.16 egg-mkfont Format String Information Disclosure
Panda3D versions up to and including 1.10.16 egg-mkfont contains an uncontrolled format string vulnerability. The -gp (glyph pattern) command-line option is used directly as the format string for sprintf() with only a single argument supplied. If an attacker provides additional format specifiers, eβ¦
6.9
CVE-2026-22189 - Panda3D <= 1.10.16 egg-mkfont Stack Buffer Overflow
Panda3D versions up to and including 1.10.16 egg-mkfont contains a stack-based buffer overflow vulnerability due to use of an unbounded sprintf() call with attacker-controlled input. When constructing glyph filenames, egg-mkfont formats a user-supplied glyph pattern (-gp) into a fixed-size stack buβ¦
4.6
CVE-2026-22184 - zlib <= 1.3.1.2 untgz Global Buffer Overflow in TGZfname()
zlib versions up to and including 1.3.1.2 include a global buffer overflow in the untgz utility located under contrib/untgz. The vulnerability is limited to the standalone demonstration utility and does not affect the core zlib compression library. The flaw occurs when a user executes the untgz comβ¦
8.6
CVE-2025-66620 - Columbia Weather Systems MicroServer Command Shell in Externally Accessible Directory
An unused webshell in MicroServer allows unlimited login attempts, with sudo rights on certain files and directories. An attacker with admin access to MicroServer can gain limited shell access, enabling persistence through reverse shells, and the ability to modify or remove data stored in the file β¦
7.1
CVE-2025-64305 - Columbia Weather Systems MicroServer Cleartext Storage in a File or on Disk
MicroServer copies parts of the system firmware to an unencrypted external SD card on boot, which contains user and vendor secrets. An attacker can utilize these plaintext secrets to modify the vendor firmware, or gain admin access to the web portal.
8.7
CVE-2025-61939 - Columbia Weather Systems MicroServer Improper Restriction of Communication Channel to Intended Endpβ¦
An unused function in MicroServer can start a reverse SSH connection to a vendor registered domain, without mutual authentication. An attacker on the local network with admin access to the web server, and the ability to manipulate DNS responses, can redirect the SSH connection to an attacker controβ¦
6.1
CVE-2026-0670 - Stored XSS through a system message and a user-provided parameter in ProofreadPage
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki - ProofreadPage Extension allows Cross-Site Scripting (XSS).This issue affects MediaWiki - ProofreadPage Extension: 1.45, 1.44, 1.43, 1.39.