8.7
CVE-2026-40943 - Oxia: Server crash via race condition in session heartbeat handling
Oxia is a metadata store and coordination system. Prior to 0.16.2, a race condition between session heartbeat processing and session closure can cause the server to panic with send on closed channel. The heartbeat() method uses a blocking channel send while holding a mutex, and under specific timinβ¦
5.3
CVE-2026-6829 - nesquena hermes-webui Arbitrary Workspace Directory Access
nesquena hermes-webui contains a trust-boundary failure vulnerability that allows authenticated attackers to set or change a session workspace to an arbitrary existing directory on disk by manipulating workspace path parameters in endpoints such as /api/session/new, /api/session/update, /api/chat/sβ¦
6.3
CVE-2026-40942 - DSF: Inverted Time Comparison in OIDC JWKS and Token Cache
The Data Sharing Framework (DSF) implements a distributed process engine based on the BPMN 2.0 and FHIR R4 standards. Prior to 2.1.0, The OIDC JWKS and Metadata Document caches used an inverted time comparison (isBefore instead of isAfter), causing the cache to never return cached values. Every incβ¦
6.8
CVE-2026-40939 - DSF: Missing Session Timeout for OIDC Sessions
The Data Sharing Framework (DSF) implements a distributed process engine based on the BPMN 2.0 and FHIR R4 standards. Prior to 2.1.0, OIDC-authenticated sessions had no configured maximum inactivity timeout. Sessions persisted indefinitely after login, even after the OIDC access token expired. Thisβ¦
10
CVE-2026-40933 - Flowise: Authenticated RCE Via MCP Adapters
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, due to unsafe serialization of stdio commands in the MCP adapter, an authenticated attacker can add an MCP stdio server with an arbitrary command, achieving command execution. The vulnerability β¦
5.3
CVE-2026-6799 - Comfast CF-N1-S Endpoint mbox-config command injection
A security flaw has been discovered in Comfast CF-N1-S 2.6.0.1. Affected by this issue is some unknown functionality of the file /cgi-bin/mbox-config?method=SET§ion=ping_config of the component Endpoint. Performing a manipulation of the argument destination results in command injection. The attβ¦
8.4
CVE-2026-40931 - Complete Bypass of CVE-2026-24884 Patch via Git-Delivered Symlink Poisoning in compressing
Compressing is a compressing and uncompressing lib for node. Prior to 2.1.1 and 1.10.5, the patch for CVE-2026-24884 relies on a purely logical string validation within the isPathWithinParent utility. This check verifies if a resolved path string starts with the destination directory string but faiβ¦
5.4
CVE-2026-40927 - Docmost: XSS in Comments with JavaScript URI
Docmost is open-source collaborative wiki and documentation software. Prior to 0.80.0, when leaving a comment on a page, it is possible to include a JavaScript URI as the link. When a user clicks on the link the JavaScript executes. This vulnerability is fixed in 0.80.0.
5.4
CVE-2026-40923 - Tekton Pipelines: VolumeMount path restriction bypass via missing filepath.Clean in /tekton/ check
Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Prior to 1.11.1, a validation bypass in the VolumeMount path restriction allows mounting volumes under restricted /tekton/ internal paths by using .. path traversal components. The restriction check uses striβ¦
6.5
CVE-2026-40924 - Tekton Pipelines: HTTP Resolver Unbounded Response Body Read Enables Denial of Service via Memory Eβ¦
Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Prior to 1.11.1, the HTTP resolver's FetchHttpResource function calls io.ReadAll(resp.Body) with no response body size limit. Any tenant with permission to create TaskRuns or PipelineRuns that reference the Hβ¦