6.9
CVE-2026-1173 - birkir prime GraphQL Array Based Query Batch graphql denial of service
A vulnerability was found in birkir prime up to 0.4.0.beta.0. The impacted element is an unknown function of the file /graphql of the component GraphQL Array Based Query Batch Handler. The manipulation results in denial of service. The attack can be executed remotely. The exploit has been made publβ¦
8.3
CVE-2026-21696 - Endless reprocessing/reupload of activity log data due to SQLite max parameters limit not being conβ¦
Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Starting in version 1.7.0 and prior to version 1.12.0, Wings does not consider SQLite max parameter limit when processing activity log entries allowing for low privileged user to trigger a conditionβ¦
8.3
CVE-2025-69199 - Pterodactyl Wings's websocket endpoints have no visible rate limits or monitoring, allowing for DOSβ¦
Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Prior to version 1.12.0, websockets within wings lack proper rate limiting and throttling. As a result a malicious user can open a large number of connections and then request data through these socβ¦
6
CVE-2025-69198 - Pterodactyl's improper resource locking allows raced queries to create more resources than alloted
Pterodactyl is a free, open-source game server management panel. Pterodactyl implements rate limits that are applied to the total number of resources (e.g. databases, port allocations, or backups) that can exist for an individual server. These resource limits are applied on a per-server basis, and β¦
6.9
CVE-2026-1172 - birkir prime GraphQL Directive graphql denial of service
A vulnerability has been found in birkir prime up to 0.4.0.beta.0. The affected element is an unknown function of the file /graphql of the component GraphQL Directive Handler. The manipulation leads to denial of service. Remote exploitation of the attack is possible. The exploit has been disclosed β¦
5.8
CVE-2026-23845 - Mailpit Vulnerable to Server-Side Request Forgery (SSRF) via HTML Check API
Mailpit is an email testing tool and API for developers. Versions prior to 1.28.3 are vulnerable to Server-Side Request Forgery (SSRF) via HTML Check CSS Download. The HTML Check feature (`/api/v1/message/{ID}/html-check`) is designed to analyze HTML emails for compatibility. During this process, tβ¦
7.1
CVE-2026-23843 - teklifolustur_app's IDOR vulnerability allows unauthorized access to other users' offers
teklifolustur_app is a web-based PHP application that allows users to create, manage, and track quotes for their clients. Prior to commit dd082a134a225b8dcd401b6224eead4fb183ea1c, an Insecure Direct Object Reference (IDOR) vulnerability exists in the offer view functionality. Authenticated users caβ¦
7.5
CVE-2026-23842 - ChatterBot has Denial of Service via Database Connection Pool Exhaustion
ChatterBot is a machine learning, conversational dialog engine for creating chat bots. ChatterBot versions up to 1.2.10 are vulnerable to a denial-of-service condition caused by improper database session and connection pool management. Concurrent invocations of the get_response() method can exhaustβ¦
9.3
CVE-2026-23841 - Movary vulnerable to Cross-site Scripting with `?categoryCreated=` param
Movary is a web application to track, rate and explore your movie watch history. Due to insufficient input validation, attackers can trigger cross-site scripting payloads in versions prior to 0.70.0. The vulnerable parameter is `?categoryCreated=`. Version 0.70.0 fixes the issue.
9.3
CVE-2026-23840 - Movary vulnerable to Cross-site Scripting with `?categoryDeleted=` param
Movary is a web application to track, rate and explore your movie watch history. Due to insufficient input validation, attackers can trigger cross-site scripting payloads in versions prior to 0.70.0. The vulnerable parameter is `?categoryDeleted=`. Version 0.70.0 fixes the issue.