7.2
CVE-2025-64122 - Nuvation Energy Multi-Stack Controller Private Key Stored on Device
Insufficiently Protected Credentials vulnerability in Nuvation Energy Multi-Stack Controller (MSC) allows Signature Spoofing by Key Theft. This issue affects Multi-Stack Controller (MSC): through 2.5.1.
10
CVE-2025-64121 - Nuvation Energy Multi-Stack Controller Authentication Bypass
Authentication Bypass Using an Alternate Path or Channel vulnerability in Nuvation Energy Multi-Stack Controller (MSC) allows Authentication Bypass. This issue affects Multi-Stack Controller (MSC): from 2.3.8 before 2.5.1.
9.4
CVE-2025-64120 - Nuvation Energy Multi-Stack Controller OS Command Injection
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Nuvation Energy Multi-Stack Controller (MSC) allows OS Command Injection. This issue affects Multi-Stack Controller (MSC): from 2.3.8 before 2.5.1.
9.3
CVE-2025-64119 - Nuvation Energy BMS Client-side Authentication
A vulnerability in Nuvation Battery Management System allows Authentication Bypass. This issue affects Battery Management System: through 2.3.9.
5.4
CVE-2026-21483 - listmonk Vulnerable to Stored XSS Leading to Admin Account Takeover
listmonk is a standalone, self-hosted newsletter and mailing list manager. Prior to version 6.0.0, a lower-privileged user with campaign management permissions can inject malicious JavaScript into campaigns or templates. When a higher-privileged user (Super Admin) views or previews this content, the…
7.5
CVE-2026-21452 - MessagePack-Java Vulnerable to Remote Denial of Service via Malicious .msgpack Model File Triggerin…
MessagePack for Java is a serializer implementation for Java. A denial-of-service vulnerability exists in versions prior to 0.9.11 when deserializing .msgpack files containing EXT32 objects with attacker-controlled payload lengths. While MessagePack-Java parses extension headers lazily, it later tr…
7.3
CVE-2026-21450 - Bagisto has SSTI in parameter that can lead to RCE
Bagisto is an open source Laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection via the type parameter, which can lead to remote code execution or other exploitation. Version 2.3.10 fixes the issue.
5.2
CVE-2026-21451 - Bagisto has HTML Filter Bypass that Enables Stored XSS
Bagisto is an open source Laravel eCommerce platform. A stored Cross-Site Scripting (XSS) vulnerability exists in Bagisto prior to version 2.3.10 within the CMS page editor. Although the platform normally attempts to sanitize `<script>` tags, the filtering can be bypassed by manipulating the raw HT…
7.4
CVE-2026-21449 - Bagisto has SSTI via first and last name from low-privilege user (not admin)
Bagisto is an open source Laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection via first name and last name from a low-privilege user. Version 2.3.10 fixes the issue.
8.9
CVE-2026-21448 - Bagisto has Normal & Blind SSTI from low-privilege user when ordering product
Bagisto is an open source Laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection. When a normal customer orders any product, in the `add address` step they can inject a value to run in admin view. The issue can lead to remote code execution. Version 2.…