8.9
CVE-2026-33765 - Pi-hole Web Interface has a Command Injection Vulnerability
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. Versions prior to 6.0 have a critical OS Command Injection vulnerability in the savesettings.php file. The application takes the user-controlled $_POST['webtheme'] paramete…
5.7
CVE-2026-33739 - FOG has Stored XSS in Multiple Management Pages
FOG is a free open-source cloning/imaging/rescue suite/inventory management system. Prior to 1.5.10.1812, the listing tables on multiple management pages (Host, Storage, Group, Image, Printer, Snapin) are vulnerable to Stored Cross-Site Scripting (XSS), due to insufficient server-side parameter san…
8.9
CVE-2026-33654 - Zero-Click Indirect Prompt Injection and Authentication Bypass via Email Polling
nanobot is a personal AI assistant. Prior to version 0.1.6, an indirect prompt injection vulnerability exists in the email channel processing module (`nanobot/channels/email.py`), allowing a remote, unauthenticated attacker to execute arbitrary LLM instructions (and subsequently, system tools) with…
9.7
CVE-2026-34205 - Home Assistant: Unauthenticated App (Add-on) Endpoints Exposed to Local Network via Host Network Mo…
Home Assistant is open source home automation software that puts local control and privacy first. Home Assistant apps (formerly add-ons) configured with host network mode expose unauthenticated endpoints bound to the internal Docker bridge interface to the local network. On Linux, this configuratio…
5.4
CVE-2026-34475 -
Varnish Cache before 8.0.1 and Varnish Enterprise before 6.0.16r12, in certain unchecked req.url scenarios, mishandle URLs with a path of / for HTTP/1.1, potentially leading to cache poisoning or authentication bypass.
7.3
CVE-2026-33045 - Home Assistant has stored XSS in history-graphs
Home Assistant is open source home automation software that puts local control and privacy first. Starting in version 2025.02 and prior to version 2026.01 the "remaining charge time"-sensor for mobile phones (imported/included from Android Auto it appears) is vulnerable cross-site scripting, simila…
7.3
CVE-2026-33044 - Home Assistant has stored XSS in Map-card through malicious device name
Home Assistant is open source home automation software that puts local control and privacy first. Starting in version 2020.02 and prior to version 2026.01, an authenticated party can add a malicious name to their device entity, allowing for Cross-Site Scripting attacks against anyone who can see a …
7.5
CVE-2026-32241 - Flannel vulnerable to cross-node remote code execution via extension backend BackendData injection
Flannel is a network fabric for containers, designed for Kubernetes. The Flannel project includes an experimental Extension backend that allows users to easily prototype new backend types. In versions of Flannel prior to 0.28.2, this Extension backend is vulnerable to a command injection that allo…
6.8
CVE-2026-31951 - LibreChat's MCP Server Header Injection Enables OAuth Token Theft
LibreChat is a ChatGPT clone with additional features. In versions 0.8.2-rc1 through 0.8.3-rc1, user-created MCP (Model Context Protocol) servers can include arbitrary HTTP headers that undergo credential placeholder substitution. An attacker can create a malicious MCP server with headers containin…
5.3
CVE-2026-31950 - LibreChat's IDOR in SSE Stream Subscription Allows Reading Other Users' Chats
LibreChat is a ChatGPT clone with additional features. In versions 0.8.2-rc2 through 0.8.2-rc3, the SSE streaming endpoint `/api/agents/chat/stream/:streamId` does not verify that the requesting user owns the stream. Any authenticated user who obtains or guesses a valid stream ID can subscribe and …