5.1

CVSS4.0

CVE-2026-23887 - Group-Office has stored XSS vulnerability via unsanitized filenames

Group-Office is an enterprise customer relationship management and groupware tool. In versions 6.8.148 and below, and 25.0.1 through 25.0.79, the application stores unsanitized filenames in the database, which can lead to Stored Cross-Site Scripting (XSS). Users who interact with these specially cr…

📅 Published: Jan. 21, 2026, 11:39 p.m. 🔄 Last Modified: April 18, 2026, 4:15 a.m.

5.2

CVSS4.0

CVE-2026-23873 - HUSTOJ is Vulnerable to Stored CSV Injection (Formula Injection) in Contest Rank Export

hustoj is an open source online judge based on PHP/C++/MySQL/Linux for ACM/ICPC and NOIP training. All versions are vulnerable to CSV Injection (Formula Injection) through the contest rank export functionality (contestrank.xls.php and admin/ranklist_export.php). The application fails to sanitize us…

📅 Published: Jan. 21, 2026, 11:26 p.m. 🔄 Last Modified: April 18, 2026, 4:15 a.m.

5.3

CVSS3.1

CVE-2026-1036 - Photo Gallery by 10Web – Mobile-Friendly Image Gallery <= 1.8.36 - Missing Authorization to Unauthe…

The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the delete_comment() function in all versions up to, and including, 1.8.36. This makes it possible for unauthenticated attackers to…

📅 Published: Jan. 21, 2026, 11:23 p.m. 🔄 Last Modified: April 16, 2026, 2:15 a.m.

7.5

CVSS3.1

CVE-2026-23737 - seroval Affected by Remote Code Execution via JSON Deserialization

seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, improper input handling in the JSON deserialization component can lead to arbitrary JavaScript code execution. Exploitation is possible via overriding constant…

📅 Published: Jan. 21, 2026, 11:09 p.m. 🔄 Last Modified: April 18, 2026, 3:30 p.m.

7.3

CVSS3.1

CVE-2026-23736 - seroval Affected by Prototype Pollution via JSON Deserialization

seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, due to improper input validation, a malicious object key can lead to prototype pollution during JSON deserialization. This vulnerability affects only JSON dese…

📅 Published: Jan. 21, 2026, 11:01 p.m. 🔄 Last Modified: April 18, 2026, 3:30 p.m.

3.5

CVSS3.1

CVE-2026-24048 - Backstage has a Possible SSRF when reading from allowed URL's in `backend.reading.allow`

Backstage is an open framework for building developer portals, and @backstage/backend-defaults provides the default implementations and setup for a standard Backstage backend app. Prior to versions 0.12.2, 0.13.2, 0.14.1, and 0.15.0, the `FetchUrlReader` component, used by the catalog and other plu…

📅 Published: Jan. 21, 2026, 10:51 p.m. 🔄 Last Modified: April 25, 2026, 6:01 p.m.

6.3

CVSS4.0

CVE-2026-23630 - Docmost is vulnerable to stored Cross-Site Scripting (XSS) through Mermaid rendering

Docmost is open-source collaborative wiki and documentation software. In versions 0.3.0 through 0.23.2, Mermaid code block rendering is vulnerable to stored Cross-Site Scripting (XSS). The frontend can render attacker-controlled Mermaid diagrams using mermaid.render(), then inject the returned SVG/…

📅 Published: Jan. 21, 2026, 10:51 p.m. 🔄 Last Modified: April 18, 2026, 3:45 p.m.

6.3

CVSS3.1

CVE-2026-24047 - @backstage/cli-common has a possible `resolveSafeChildPath` Symlink Chain Bypass

Backstage is an open framework for building developer portals, and @backstage/cli-common provides config loading functionality used by the backend and command line interface of Backstage. Prior to version 0.1.17, the `resolveSafeChildPath` utility function in `@backstage/backend-plugin-api`, which …

📅 Published: Jan. 21, 2026, 10:45 p.m. 🔄 Last Modified: April 18, 2026, 4:15 a.m.

7.1

CVSS3.1

CVE-2026-24046 - Backstage has a Possible Symlink Path Traversal in Scaffolder Actions

Backstage is an open framework for building developer portals. Multiple Scaffolder actions and archive extraction utilities were vulnerable to symlink-based path traversal attacks. An attacker with access to create and execute Scaffolder templates could exploit symlinks to read arbitrary files via …

📅 Published: Jan. 21, 2026, 10:36 p.m. 🔄 Last Modified: April 18, 2026, 4:15 a.m.

3.7

CVSS3.1

CVE-2026-23996 - FastAPI Api Key has a timing side-channel in verify_key that allows statistical key validity detect…

FastAPI Api Key provides a backend-agnostic library that provides an API key system. Version 1.1.0 has a timing side-channel vulnerability in verify_key(). The method applied a random delay only on verification failures, allowing an attacker to statistically distinguish valid from invalid API keys …

📅 Published: Jan. 21, 2026, 10:29 p.m. 🔄 Last Modified: April 18, 2026, 3:45 p.m.
Total results: 349182
Page 2035 of 34,919