4.4
CVE-2026-28420 - Vim has Heap-based Buffer Overflow and OOB Read in :terminal
Vim is an open source, command line text editor. Prior to version 9.2.0076, a heap-based buffer overflow WRITE and an out-of-bounds READ exist in Vim's terminal emulator when processing maximum combining characters from Unicode supplementary planes. Version 9.2.0076 fixes the issue.
5.3
CVE-2026-28419 - Vim has Heap-based Buffer Underflow in Emacs tags parsing
Vim is an open source, command line text editor. Prior to version 9.2.0075, a heap-based buffer underflow exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file where a delimiter appears at the start of a line, Vim attempts to read memory immediately preceding thβ¦
4.4
CVE-2026-28418 - Vim has Heap-based Buffer Overflow in Emacs tags parsing
Vim is an open source, command line text editor. Prior to version 9.2.0074, a heap-based buffer overflow out-of-bounds read exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file, Vim can be tricked into reading up to 7 bytes beyond the allocated memory boundary.β¦
4.4
CVE-2026-28417 - Vim has OS Command Injection in netrw
Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection vulnerability exists in the `netrw` standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the `scp://` protocol handler), an attacker can execute arbitrary shell comβ¦
9.8
CVE-2026-28411 - WeGIA Vulnerable to Authentication Bypass via `extract($_REQUEST)`
WeGIA is a web manager for charitable institutions. Prior to version 3.6.5, an unsafe use of the `extract()` function on the `$_REQUEST` superglobal allows an unauthenticated attacker to overwrite local variables in multiple PHP scripts. This vulnerability can be leveraged to completely bypass authβ¦
10
CVE-2026-28409 - WeGIA Vulnerable to Remote Code Execution (RCE) via OS Command Injection
WeGIA is a web manager for charitable institutions. Prior to version 3.6.5, a critical Remote Code Execution (RCE) vulnerability exists in the WeGIA application's database restoration functionality. An attacker with administrative access (which can be obtained via the previously reported Authenticaβ¦
9.8
CVE-2026-28408 - WeGIA lacks authentication verification in adicionar_tipo_docs_atendido.php
WeGIA is a web manager for charitable institutions. Prior to version 3.6.5, the script in adicionar_tipo_docs_atendido.php does not go through the project's central controller and does not have its own authentication and permission checks. A malicious user could make a request through tools like Poβ¦
8.2
CVE-2026-28416 - Gradio has SSRF via Malicious `proxy_url` Injection in `gr.load()` Config Processing
Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.6.0, a Server-Side Request Forgery (SSRF) vulnerability in Gradio allows an attacker to make arbitrary HTTP requests from a victim's server by hosting a malicious Gradio Space. When a victim application uses β¦
4.3
CVE-2026-28415 - Gradio has Open Redirect in OAuth Flow
Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.6.0, the _redirect_to_target() function in Gradio's OAuth flow accepts an unvalidated _target_url query parameter, allowing redirection to arbitrary external URLs. This affects the /logout and /login/callbackβ¦
7.5
CVE-2026-28414 - Gradio has Absolute Path Traversal on Windows with Python 3.13+
Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.7, Gradio apps running on Window with Python 3.13+ are vulnerable to an absolute path traversal issue that enables unauthenticated attackers to read arbitrary files from the file system. Python 3.13+ changed β¦