5.4 (CVSS3.1)

CVE-2026-33628 - Invoice Ninja Denylist Bypass may Lead to Stored XSS via Invoice Line Items

Invoice Ninja is a source-available invoice, quote, project and time-tracking app built with Laravel. Invoice line item descriptions in Invoice Ninja v5.13.0 bypass the XSS denylist filter, allowing stored XSS payloads to execute when invoices are rendered in the PDF preview or client portal. The l…

📅 Published: March 26, 2026, 8:48 p.m. 🔄 Last Modified: March 27, 2026, 8:31 a.m.

6.7 (CVSS3.1)

CVE-2026-33623 - PinchTab: OS Command Injection via Profile Name in Windows Cleanup Routine Enables Arbitrary Comman…

PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab `v0.8.4` contains a Windows-only command injection issue in the orphaned Chrome cleanup path. When an instance is stopped, the Windows cleanup routine builds a PowerShell `-Command` string using…

📅 Published: March 26, 2026, 8:47 p.m. 🔄 Last Modified: March 27, 2026, 8:01 p.m.

6.1 (CVSS4.0)

CVE-2026-33622 - A PinchTab Security Policy Bypass in /wait Allows Arbitrary JavaScript Execution

PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab `v0.8.3` through `v0.8.5` allow arbitrary JavaScript execution through `POST /wait` and `POST /tabs/{id}/wait` when the request uses `fn` mode, even if `security.allowEvaluate` is disabled. `POS…

📅 Published: March 26, 2026, 8:44 p.m. 🔄 Last Modified: March 27, 2026, 8:20 p.m.

4.8 (CVSS3.1)

CVE-2026-33621 - PinchTab: Unapplied Rate Limiting Middleware Allows Unbounded Brute-Force of API Token

PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab `v0.7.7` through `v0.8.4` contain incomplete request-throttling protections for auth-checkable endpoints. In `v0.7.7` through `v0.8.3`, a fully implemented `RateLimitMiddleware` existed in `inte…

📅 Published: March 26, 2026, 8:42 p.m. 🔄 Last Modified: March 27, 2026, 8:31 a.m.

4.3 (CVSS3.1)

CVE-2026-33620 - PinchTab: API Bearer Token Exposed in URL Query Parameter via Server Logs and Intermediary Systems

PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab `v0.7.8` through `v0.8.3` accepted the API token from a `token` URL query parameter in addition to the `Authorization` header. When a valid API credential is sent in the URL, it can be exposed t…

📅 Published: March 26, 2026, 8:40 p.m. 🔄 Last Modified: March 27, 2026, 8:32 a.m.

7.1 (CVSS4.0)

CVE-2026-3622 - Denial-of-Service Vulnerability in UPnP Component of TP Link's TL-WR841N

The vulnerability exists in the UPnP component of TL-WR841N v14, where improper input validation leads to an out-of-bounds read, potentially causing a crash of the UPnP service. Successful exploitation can cause the UPnP service to crash, resulting in a Denial-of-Service condition. This vulnera…

📅 Published: March 26, 2026, 8:34 p.m. 🔄 Last Modified: March 27, 2026, 7:39 p.m.

4.1 (CVSS3.1)

CVE-2026-33619 - PinchTab has Unauthenticated Blind SSRF in Task Scheduler via Unvalidated callbackUrl

PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab v0.8.3 contains a server-side request forgery issue in the optional scheduler's webhook delivery path. When a task is submitted to `POST /tasks` with a user-controlled `callbackUrl`, the v0.8.3 …

📅 Published: March 26, 2026, 8:34 p.m. 🔄 Last Modified: March 27, 2026, 8:32 a.m.

5.3 (CVSS3.1)

CVE-2026-33545 - MobSF has SQL Injection in its SQLite Database Viewer Utils

MobSF is a mobile application security testing tool. Prior to version 4.4.6, MobSF's `read_sqlite()` function in `mobsf/MobSF/utils.py` (lines 542-566) uses Python string formatting (`%`) to construct SQL queries with table names read from a SQLite database's `sqlite_master` table. When a secu…

📅 Published: March 26, 2026, 8:32 p.m. 🔄 Last Modified: March 27, 2026, 8:20 p.m.

4.3 (CVSS3.1)

CVE-2026-33635 - iCalendar has ICS injection via unsanitized URI property values

iCalendar is a Ruby library for dealing with iCalendar files in the iCalendar format defined by RFC-5545. Starting in version 2.0.0 and prior to version 2.12.2, .ics serialization does not properly sanitize URI property values, enabling ICS injection through attacker-controlled input, adding arbitr…

📅 Published: March 26, 2026, 8:30 p.m. 🔄 Last Modified: March 27, 2026, 8:32 a.m.

6.5 (CVSS3.1)

CVE-2026-33541 - TSPortal's Uncontrolled User Creation via Validation Side Effects Leads to Potential Denial of Serv…

TSPortal is the WikiTide Foundation’s in-house platform used by the Trust and Safety team to manage reports, investigations, appeals, and transparency work. Prior to version 34, a flaw in TSPortal allowed attackers to create arbitrary user records in the database by abusing validation logic. While …

📅 Published: March 26, 2026, 8:27 p.m. 🔄 Last Modified: March 27, 2026, 8:01 p.m.
Total results: 341068
Page 39 of 34,107