5.3

CVSS4.0

CVE-2026-39415 - Frappe Learning Management System has Client-Side Manipulation of Quiz Scores

Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Prior to 2.46.0, a vulnerability has been identified in Frappe Learning where quiz scores can be modified by students before submission. The application currently relies on client-side calculated …

📅 Published: April 8, 2026, 8:07 p.m. 🔄 Last Modified: April 8, 2026, 8:07 p.m.

7.1

CVSS4.0

CVE-2026-39414 - MinIO affected a DoS via Unbounded Memory Allocation in S3 Select CSV Parsing

MinIO is a high-performance object storage system. From RELEASE.2018-08-18T03-49-57Z to before RELEASE.2025-12-20T04-58-37Z, MinIO's S3 Select feature is vulnerable to memory exhaustion when processing CSV files containing lines longer than available memory. The CSV reader's nextSplit() function ca…

📅 Published: April 8, 2026, 8:05 p.m. 🔄 Last Modified: April 9, 2026, 4:17 p.m.

5

CVSS3.1

CVE-2026-39880 - Remnawave Backend has a race condition in HWID device limit allows bypassing max devices

Remnawave Backend is the backend for the Remnawave proxy and user management solution. Prior to 2.7.5, a glitch in the HWID device registration logic allows an authenticated user to bypass the configured limit for HWID devices and register more devices than expected, allowing them to resell subscri…

📅 Published: April 8, 2026, 8:01 p.m. 🔄 Last Modified: April 10, 2026, 8:48 p.m.

6.9

CVSS4.0

CVE-2026-5802 - idachev mcp-javadc HTTP os command injection

A vulnerability was identified in idachev mcp-javadc up to 1.2.4. Impacted is an unknown function of the component HTTP Interface. Such manipulation of the argument jarFilePath leads to os command injection. It is possible to launch the attack remotely. The exploit is publicly available and might b…

📅 Published: April 8, 2026, 8 p.m. 🔄 Last Modified: April 10, 2026, 8:47 p.m.

4.4

CVSS3.1

CVE-2026-39864 - Kamailio Auth: Processing Vulnerability For Additional Authenticated User Identity Checks

Kamailio is an open source implementation of a SIP Signaling Server. Prior to 6.0.5 and 5.8.7, an out-of-bounds read in the auth module of Kamailio (formerly OpenSER and SER) allows remote attackers to cause a denial of service (process crash) via a specially crafted SIP packet if a successful user…

📅 Published: April 8, 2026, 7:58 p.m. 🔄 Last Modified: April 8, 2026, 7:58 p.m.

7.5

CVSS3.1

CVE-2026-39863 - Kamailio Core: TCP Data Processing Vulnerability

Kamailio is an open source implementation of a SIP Signaling Server. Prior to 6.1.1, 6.0.6, and 5.8.8, an out-of-bounds access in the core of Kamailio (formerly OpenSER and SER) allows remote attackers to cause a denial of service (process crash) via a specially crafted data packet sent over TCP. T…

📅 Published: April 8, 2026, 7:55 p.m. 🔄 Last Modified: April 8, 2026, 7:55 p.m.

6.3

CVSS4.0

CVE-2026-39862 - Tophat has a Command Injection Vulnerability When Accessing a Maliciously Crafted Tophat Link

Tophat is a mobile applications testing harness. Prior to 2.5.1, Tophat is affected by remote code execution via crafted tophat:// or http://localhost:29070 URLs. The arguments query parameter flows unsanitized from URL parsing through to /bin/bash -c execution, allowing an attacker to execute arbi…

📅 Published: April 8, 2026, 7:50 p.m. 🔄 Last Modified: April 9, 2026, 4:17 p.m.

6.3

CVSS4.0

CVE-2026-39859 - LiquidJS has a renderFile() / parseFile() bypass configured root and allow arbitrary file read

LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.3, liquidjs 10.25.0 documents root as constraining filenames passed to renderFile() and parseFile(), but top-level file loads do not enforce that boundary. A Liquid instance configured with an empty t…

📅 Published: April 8, 2026, 7:45 p.m. 🔄 Last Modified: April 10, 2026, 8:45 p.m.

4.2

CVSS3.1

CVE-2026-39413 - LightRAG has a JWT Algorithm Confusion Vulnerability in LightRAG API

LightRAG provides simple and fast retrieval-augmented generation. Prior to 1.4.14, the LightRAG API is vulnerable to a JWT algorithm confusion attack where an attacker can forge tokens by specifying 'alg': 'none' in the JWT header. Since the jwt.decode() call does not explicitly deny the 'none' alg…

📅 Published: April 8, 2026, 7:41 p.m. 🔄 Last Modified: April 8, 2026, 7:41 p.m.

5.3

CVSS3.1

CVE-2026-39412 - LiquidJS has an ownPropertyOnly bypass via sort_natural filter — prototype property information dis…

LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.4, the sort_natural filter bypasses the ownPropertyOnly security option, allowing template authors to extract values of prototype-inherited properties through a sorting side-channel attack. Applicatio…

📅 Published: April 8, 2026, 7:39 p.m. 🔄 Last Modified: April 8, 2026, 7:39 p.m.