8.7

CVSS4.0

CVE-2026-22787 - html2pdf.js has a cross-site scripting vulnerability

html2pdf.js converts any webpage or element into a printable PDF entirely client-side. Prior to 0.14.0, html2pdf.js contains a cross-site scripting (XSS) vulnerability when given a text source rather than an element. This text is not sufficiently sanitized before being attached to the DOM, allowing…

📅 Published: Jan. 14, 2026, 4:52 p.m. 🔄 Last Modified: April 18, 2026, 6:30 a.m.

6.3

CVSS4.0

CVE-2026-22779 - BlackSheep ClientSession is vulnerable to CRLF injection

BlackSheep is an asynchronous web framework to build event based web applications with Python. Prior to 2.4.6, the HTTP Client implementation in BlackSheep is vulnerable to CRLF injection. Missing headers validation makes it possible for an attacker to modify the HTTP requests (e.g. insert a new he…

📅 Published: Jan. 14, 2026, 4:49 p.m. 🔄 Last Modified: April 18, 2026, 6:30 a.m.

7.2

CVSS4.0

CVE-2026-22708 - Cursor has a Terminal Tool Allowlist Bypass via Environment Variables

Cursor is a code editor built for programming with AI. Prior to 2.3, when the Cursor Agent is running in Auto-Run Mode with Allowlist mode enabled, certain shell built-ins can still be executed without appearing in the allowlist and without requiring user approval. This allows an attacker via indire…

📅 Published: Jan. 14, 2026, 4:43 p.m. 🔄 Last Modified: April 18, 2026, 6:30 a.m.

6.1

CVSS3.1

CVE-2026-22694 - AliasVault is Missing Origin Validation in Android Passkey Credential Provider

AliasVault is a privacy-first password manager with built-in email aliasing. AliasVault Android versions 0.24.0 through 0.25.2 contained an issue in how passkey requests from Android apps were validated. Under certain local conditions, a malicious app could attempt to obtain a passkey response for …

📅 Published: Jan. 14, 2026, 4:32 p.m. 🔄 Last Modified: April 18, 2026, 4:30 p.m.

2.3

CVSS4.0

CVE-2026-21889 - Weblate leaks information via screenshots

Weblate is a web-based localization tool. Prior to 5.15.2, the screenshot images were served directly by the HTTP server without proper access control. This could allow an unauthenticated user to access screenshots after guessing their filename. This vulnerability is fixed in 5.15.2.

📅 Published: Jan. 14, 2026, 4:28 p.m. 🔄 Last Modified: April 18, 2026, 4:30 p.m.

7.2

CVSS3.1

CVE-2025-37181 - Authenticated SQL Injection in EdgeConnect SD-WAN Orchestrator Web-Based Management Interface

Vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to perform SQL injection attacks. Successful exploitation could allow an attacker to execute arbitrary SQL commands on the underlying database, potentially leading …

📅 Published: Jan. 14, 2026, 4:26 p.m. 🔄 Last Modified: Jan. 20, 2026, 6:17 p.m.

5.5

CVSS3.1

CVE-2025-37185 - Authenticated Stored Cross-Site Scripting Vulnerabilities (XSS) in EdgeConnect SD-WAN Orchestrator …

Vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to conduct stored cross-site scripting (XSS) attacks against an administrative user of the interface. A successful exploit allows an attacker to execute arbitrary …

📅 Published: Jan. 14, 2026, 4:20 p.m. 🔄 Last Modified: Jan. 20, 2026, 6:14 p.m.

9.8

CVSS3.1

CVE-2025-37184 - Unauthenticated Bypass Allows Multi-Factor Authentication Circumvention

A vulnerability exists in an Orchestrator service that could allow an unauthenticated remote attacker to bypass multi-factor authentication requirements. Successful exploitation could allow an attacker to create an admin user account without the necessary multi-factor authentication, thereby compro…

📅 Published: Jan. 14, 2026, 4:19 p.m. 🔄 Last Modified: March 3, 2026, 6:16 p.m.

7.2

CVSS3.1

CVE-2025-37183 - Authenticated SQL Injection in EdgeConnect SD-WAN Orchestrator Web-Based Management Interface

Vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to perform SQL injection attacks. Successful exploitation could allow an attacker to execute arbitrary SQL commands on the underlying database, potentially leading …

📅 Published: Jan. 14, 2026, 4:18 p.m. 🔄 Last Modified: Jan. 20, 2026, 6:17 p.m.

7.2

CVSS3.1

CVE-2025-37182 - Authenticated SQL Injection in EdgeConnect SD-WAN Orchestrator Web-Based Management Interface

Vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to perform SQL injection attacks. Successful exploitation could allow an attacker to execute arbitrary SQL commands on the underlying database, potentially leading …

📅 Published: Jan. 14, 2026, 4:17 p.m. 🔄 Last Modified: Jan. 20, 2026, 6:17 p.m.