6.9
CVE-2026-28256 - Use of Hard-coded Credentials vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge
A Use of Hard-coded, Security-relevant Constants vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an attacker to disclose sensitive information and take over accounts.
8.2
CVE-2026-28255 - Use of Hard-coded Credentials vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge
A Use of Hard-coded Credentials vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an attacker to disclose sensitive information and take over accounts.
6.9
CVE-2026-28254 - Missing Authorization vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge
A Missing Authorization vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an unauthenticated attacker to access sensitive information through unprotected APIs.
8.7
CVE-2026-28253 - Memory Allocation with Excessive Size Value vulnerability in Trane Tracer SC, Tracer SC+, and Trace…
A Memory Allocation with Excessive Size Value vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an unauthenticated attacker to cause a denial-of-service condition.
8.5
CVE-2026-3841 - Command Injection Vulnerability in Telnet CLI on TP-Link TL-MR6400
A command injection vulnerability has been identified in the Telnet command-line interface (CLI) of TP-Link TL-MR6400 v5.3. This issue is caused by insufficient sanitization of data processed during specific CLI operations. An authenticated attacker with elevated privileges may be able to execute…
9.2
CVE-2026-28252 - Use of a Broken or Risky Cryptographic Algorithm vulnerability in Trane Tracer SC, Tracer SC+, and …
A Use of a Broken or Risky Cryptographic Algorithm vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an attacker to bypass authentication and gain root-level access to the device.
0
CVE-2026-31873 - Unhead has a Bypass of URI Scheme Sanitization in makeTagSafe via Case-Sensitivity
Unhead is a document head and template manager. Prior to 2.1.11, the link.href check in makeTagSafe (safe.ts) uses String.includes(), which is case-sensitive. Browsers treat URI schemes case-insensitively. DATA:text/css,... is the same as data:text/css,... to the browser, but 'DATA:...'.includes('d…
5.3
CVE-2026-31860 - Unhead has a XSS bypass in `useHeadSafe` via attribute name injection and case-sensitive protocol c…
Unhead is a document head and template manager. Prior to 2.1.11, useHeadSafe() can be bypassed to inject arbitrary HTML attributes, including event handlers, into SSR-rendered <head> tags. This is the composable that Nuxt docs recommend for safely handling user-generated content. The acceptDataAttr…
6.5
CVE-2026-31841 - Raw exposure of database statements in Hyperterse MCP search tool
Hyperterse is a tool-first MCP framework for building AI-ready backend surfaces from declarative config. Prior to v2.2.0, the search tool allows LLMs to search for tools using natural language. While returning results, Hyperterse also returned the raw SQL queries, exposing statements which were sup…
7.7
CVE-2026-21887 - OpenCTI has a Semi-Blind SSRF via Unvalidated External URL in Data Ingestion Feature
OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to 6.8.16, the OpenCTI platform's data ingestion feature accepts user-supplied URLs without validation and uses the Axios HTTP client with its default configuration (allowAbsoluteUrls: true). …