9.3

CVSS4.0

CVE-2026-28794 - oRPC: Prototype Pollution in `@orpc/client` via `StandardRPCJsonSerializer` Deserialization

oRPC is a tool that helps build APIs that are end-to-end type-safe and adhere to OpenAPI standards. Prior to version 1.13.6, a prototype pollution vulnerability exists in the RPC JSON deserializer of the @orpc/client package. The vulnerability allows unauthenticated, remote attackers to inject arb…

📅 Published: March 6, 2026, 5:02 a.m. 🔄 Last Modified: March 6, 2026, 5:02 a.m.

5.3

CVSS3.1

CVE-2026-28428 - Talishar: Authentication Bypass via Empty authKey Parameter Allows Unauthenticated Game Actions

Talishar is a fan-made Flesh and Blood project. Prior to commit a9c218e, an authentication bypass vulnerability in Talishar's game endpoint validation logic allows any unauthenticated attacker to perform authenticated game actions — including sending chat messages and submitting game inputs — by su…

📅 Published: March 6, 2026, 4:59 a.m. 🔄 Last Modified: March 6, 2026, 4:59 a.m.

7.5

CVSS3.1

CVE-2026-28429 - Talishar: Critical Path Traversal in gameName Parameter

Talishar is a fan-made Flesh and Blood project. Prior to commit 6be3871, a Path Traversal vulnerability was identified in the gameName parameter. While the application's primary entry points implement input validation, the ParseGamestate.php component can be accessed directly as a standalone script…

📅 Published: March 6, 2026, 4:59 a.m. 🔄 Last Modified: March 6, 2026, 4:59 a.m.

8.2

CVSS3.1

CVE-2026-28787 - OneUptime has WebAuthn 2FA bypass: server accepts client-supplied challenge instead of server-store…

OneUptime is a solution for monitoring and managing online services. In version 10.0.11 and prior, the WebAuthn authentication implementation does not store the challenge on the server side. Instead, the challenge is returned to the client and accepted back from the client request body during verif…

📅 Published: March 6, 2026, 4:55 a.m. 🔄 Last Modified: March 6, 2026, 4:55 a.m.

6.5

CVSS3.1

CVE-2026-28685 - Kimai: API invoice endpoint missing customer-level access control (IDOR)

Kimai is a web-based multi-user time-tracking application. Prior to version 2.51.0, "GET /api/invoices/{id}" only checks the role-based view_invoice permission but does not verify the requesting user has access to the invoice's customer. Any user with ROLE_TEAMLEAD (which grants view_invoice) can r…

📅 Published: March 6, 2026, 4:49 a.m. 🔄 Last Modified: March 6, 2026, 4:49 a.m.

4.6

CVSS3.1

CVE-2026-29084 - Gokapi: CSRF in Login Endpoint

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, the login flow accepts credential-bearing requests without CSRF protection mechanisms tied to the browser session context. The handler parses form values directly and creates a sess…

📅 Published: March 6, 2026, 4:45 a.m. 🔄 Last Modified: March 6, 2026, 4:45 a.m.

5.4

CVSS3.1

CVE-2026-29061 - Gokapi: Privilege escalation via incomplete API-key permission revocation on user rank demotion

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, a privilege escalation vulnerability in the user rank demotion logic allows a demoted user's existing API keys to retain ApiPermManageFileRequests and ApiPermManageLogs permissions,…

📅 Published: March 6, 2026, 4:45 a.m. 🔄 Last Modified: March 6, 2026, 4:45 a.m.

5

CVSS3.1

CVE-2026-29060 - Gokapi: Privilege escalation with auth token

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, a registered user without privileges to create or modify file requests is able to create a short-lived API key that has the permission to do so. The user must be registered with Gok…

📅 Published: March 6, 2026, 4:44 a.m. 🔄 Last Modified: March 6, 2026, 4:44 a.m.

8.7

CVSS3.1

CVE-2026-28683 - Gokapi: Stored XSS in SVG Hotlinks

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, if a malicious authenticated user uploads SVG and creates a hotlink for it, they can achieve stored XSS. This issue has been patched in version 2.2.3.

📅 Published: March 6, 2026, 4:44 a.m. 🔄 Last Modified: March 6, 2026, 4:44 a.m.

6.4

CVSS3.1

CVE-2026-28682 - Gokapi: Data Leak in Upload Status Stream

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, the upload status SSE implementation on /uploadStatus publishes global upload state to any authenticated listener and includes file_id values that are not scoped to the requesting u…

📅 Published: March 6, 2026, 4:43 a.m. 🔄 Last Modified: March 6, 2026, 4:43 a.m.
Total results: 336323
Page 2 of 33,633