6.1

CVSS3.1

CVE-2026-1838 - Hostel <= 1.1.6 - Reflected Cross-Site Scripting via 'shortcode_id' Parameter

The Hostel plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'shortcode_id' parameter in all versions up to, and including, 1.1.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scrip…

📅 Published: April 18, 2026, 1:26 a.m. 🔄 Last Modified: April 22, 2026, 8:22 p.m.

8.6

CVSS4.0

CVE-2026-40489 - editorconfig-core-c has incomplete fix for CVE-2023-0341

editorconfig-core-c is an EditorConfig core library for use by plugins supporting EditorConfig parsing. Versions up to and including 0.12.10 have a stack-based buffer overflow in ec_glob() that allows an attacker to crash any application using libeditorconfig by providing a specially crafted direc…

📅 Published: April 18, 2026, 1:24 a.m. 🔄 Last Modified: April 20, 2026, 6:59 p.m.

8.9

CVSS3.1

CVE-2026-40487 - Postiz Has Unrestricted File Upload via MIME Type Spoofing that Leads to Stored XSS

Postiz is an AI social media scheduling tool. Prior to version 2.21.6, a file upload validation bypass allows any authenticated user to upload arbitrary HTML, SVG, or other executable file types to the server by spoofing the `Content-Type` header. The uploaded files are then served by nginx with a …

📅 Published: April 18, 2026, 1:19 a.m. 🔄 Last Modified: April 23, 2026, 3:27 p.m.

8.8

CVSS3.1

CVE-2026-35582 - Emissary has an OS Command Injection via Unvalidated IN_FILE_ENDING / OUT_FILE_ENDING in Executrix

Emissary is a P2P based data-driven workflow engine. In versions 8.42.0 and below, Executrix.getCommand() is vulnerable to OS command injection because it interpolates temporary file paths into a /bin/sh -c shell command string without any escaping or input validation. The IN_FILE_ENDING and OUT_F…

📅 Published: April 18, 2026, 1:16 a.m. 🔄 Last Modified: April 24, 2026, 4:48 p.m.

7.5

CVSS3.1

CVE-2026-35465 - SecureDrop Client has path injection in read_gzip_header_filename()

SecureDrop Client is a desktop app for journalists to securely communicate with sources and handle submissions on the SecureDrop Workstation. In versions 0.17.4 and below, a compromised SecureDrop Server can achieve code execution on the Client's virtual machine (sd-app) by exploiting improper file…

📅 Published: April 18, 2026, 12:41 a.m. 🔄 Last Modified: April 23, 2026, 6:31 p.m.

9

CVSS3.1

CVE-2026-40572 - NovumOS has Arbitrary Memory Mapping via Syscall 15 (MemoryMapRange)

NovumOS is a custom 32-bit operating system written in Zig and x86 Assembly. In versions prior to 0.24, Syscall 15 (MemoryMapRange) allows Ring 3 user-mode processes to map arbitrary virtual address ranges into their address space without validating against forbidden regions, including critical ker…

📅 Published: April 18, 2026, 12:16 a.m. 🔄 Last Modified: April 27, 2026, 2:13 p.m.

9.4

CVSS3.1

CVE-2026-40317 - NovumOS has Privilege Escalation in the Syscall Interface

NovumOS is a custom 32-bit operating system written in Zig and x86 Assembly. In versions prior to 0.24, Syscall 12 (JumpToUser) accepts an arbitrary entry point address from user-space registers without validation, allowing any Ring 3 user-mode process to jump to kernel addresses and execute arbitr…

📅 Published: April 18, 2026, 12:12 a.m. 🔄 Last Modified: April 27, 2026, 2:05 p.m.

8.8

CVSS3.1

CVE-2026-40350 - Movary User Management (/settings/users) has Authorization Bypass that Allows Low-Privileged Users …

Movary is a self-hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can access the user-management endpoints `/settings/users` and use them to enumerate all users and create a new administrator account. This happens because the route de…

📅 Published: April 18, 2026, 12:07 a.m. 🔄 Last Modified: April 27, 2026, 2:09 p.m.

8.8

CVSS3.1

CVE-2026-40349 - Authenticated Movary User Can Self-Escalate to Administrator via PUT /settings/users/{userId} by Se…

Movary is a self-hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can escalate their own account to administrator by sending `isAdmin=true` to `PUT /settings/users/{userId}` for their own user ID. The endpoint is intended to let a use…

📅 Published: April 18, 2026, 12:05 a.m. 🔄 Last Modified: April 27, 2026, 2:09 p.m.

4.8

CVSS3.1

CVE-2026-40593 - ChurchCRM: Stored XSS in UserEditor.php via Login Name Field

ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the User Editor (UserEditor.php) renders stored usernames directly into an HTML input value attribute without applying htmlspecialchars(). An administrator can save a username containing HTML attribute-breaking charac…

📅 Published: April 18, 2026, 12:02 a.m. 🔄 Last Modified: April 20, 2026, 6:59 p.m.
Total results: 348147