9.7
CVE-2026-32626 - AnythingLLM has a Streaming Phase XSS to RCE via LLM Response Injection
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, AnythingLLM Desktop contains a Streaming Phase XSS vulnerability in the chat rendering pipeline that escalates to Remote Code Execution on the host OS d…
7.5
CVE-2026-32614 - Go ShangMi SM9 Infinity-Point Ciphertext Forgery Vulnerability
Go ShangMi (Commercial Cryptography) Library (GMSM) is a cryptographic library that covers the Chinese commercial cryptographic public algorithms SM2/SM3/SM4/SM9/ZUC. Prior to 0.41.1, the current SM9 decryption implementation contains an infinity-point ciphertext forgery vulnerability. The root cau…
5.1
CVE-2026-0977 - IBM CICS Transaction Gateway for Multiplatforms Information Disclosure
IBM CICS Transaction Gateway for Multiplatforms 9.3 and 10.1 could allow a user to transfer or view files due to improper access controls.
7.1
CVE-2026-32617 - AnythingLLM Permissable CORS policy
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, on default installations where no password or API key has been configured, all HTTP endpoints and the agent WebSocket lack authentication, and the serve…
8.2
CVE-2026-32600 - xml-security is Missing AES-GCM Authentication Tag Validation on Encrypted Nodes Allows for Unautho…
xml-security is a library that implements XML signatures and encryption. Prior to 2.3.1, XML nodes encrypted with either aes-128-gcm, aes-192-gcm, or aes-256-gcm lack validation of the authentication tag length. An attacker can use this to brute-force an authentication tag, recover the GHASH key, a…
6.9
CVE-2026-32594 - Parse Server GraphQL WebSocket endpoint bypasses security middleware
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.40 and 9.6.0-alpha.14, the GraphQL WebSocket endpoint for subscriptions does not pass requests through the Express middleware chain that enforces authentication, introspection contro…
5.3
CVE-2025-13212 - IBM Aspera Console Denial of Service
IBM Aspera Console 3.3.0 through 3.4.8 could allow an authenticated user to cause a denial of service in the email service due to improper control of interaction frequency.
2.7
CVE-2025-13459 - IBM Aspera Console Denial of Service
IBM Aspera Console 3.3.0 through 3.4.8 could allow a privileged user to cause a denial of service due to improper enforcement of behavioral workflow.
5.3
CVE-2025-13460 - IBM Aspera Console Information Disclosure
IBM Aspera Console 3.3.0 through 3.4.8 could allow an attacker to enumerate usernames due to an observable response discrepancy.
8.7
CVE-2026-32314 - Yamux remote Panic via malformed Data frame with SYN set and len = 262145
Yamux is a stream multiplexer over reliable, ordered connections such as TCP/IP. Prior to 0.13.10, the Rust implementation of Yamux can panic when processing a crafted inbound Data frame that sets SYN and uses a body length greater than DEFAULT_CREDIT (e.g. 262145). On the first packet of a new inb…