5
CVE-2026-39411 - LobeHub has an unauthenticated authentication bypass on `webapi` routes via forgeable `X-lobe-chat-β¦
LobeHub is a work-and-lifestyle space to find, build, and collaborate with agent teammates that grow with you. Prior to 2.1.48, the webapi authentication layer trusts a client-controlled X-lobe-chat-auth header that is only XOR-obfuscated, not signed or otherwise authenticated. Because the XOR key β¦
5.3
CVE-2026-39362 - InvenTree has SSRF via Remote Image Download β No IP/Hostname Validation on remote_image URLs
InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, when INVENTREE_DOWNLOAD_FROM_URL is enabled (opt-in), authenticated users can supply remote_image URLs that are fetched server-side via requests.get() with only Django's URLValidator check. There is no validation agaβ¦
8.2
CVE-2026-35525 - LiquidJS has a root restriction bypass for partial and layout loading through symlinked templates
LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.3, for {% include %}, {% render %}, and {% layout %}, LiquidJS checks whether the candidate path is inside the configured partials or layouts roots before reading it. That check is path-based, not reaβ¦
6.6
CVE-2026-35479 - InvenTree Plugin Installation - Insufficient Permissions
InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, any users who have staff access permissions can install plugins via the API, without requiring "superuser" account access. This level of permission requirement is out of alignment with other plugin actions (such as uβ¦
7.2
CVE-2026-35476 - InvenTree Affected by Privilege Escalation via API
InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, a non-staff authenticated user can elevate their account to a staff level via a POST request against their user account endpoint. The write permissions on the API endpoint are improperly configured, allowing any userβ¦
8.3
CVE-2026-35478 - InvenTree has Arbitrary API Token Creation
InvenTree is an Open Source Inventory Management System. From 0.16.0 to before 1.2.7, any authenticated InvenTree user can create a valid API token attributed to any other user in the system β including administrators and superusers β by supplying the target's user ID in the user field of a POST /aβ¦
5.5
CVE-2026-35477 - InvenTree has SSTI in PART_NAME_FORMAT bypasses CVE-2026-27629 fix via {% if part.pk %} sandbox escβ¦
InvenTree is an Open Source Inventory Management System. From 1.2.3 to 1.2.6, the fix for CVE-2026-27629 upgraded the PART_NAME_FORMAT validator to use jinja2.sandbox.SandboxedEnvironment. However, the actual renderer in part/helpers.py was not updated and still uses the non-sandboxed jinja2.Enviroβ¦
7.5
CVE-2026-23869 - react-server-dom-parcel: react-server-dom-turbopack: react-server-dom-webpack: denial of service viβ¦
A denial of service vulnerability exists in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack and react-server-dom-webpack (versions 19.0.0 through 19.0.4, 19.1.0 through 19.1.5, and 19.2.0 through 19.2.4). The vulnerability is triggered β¦
7.3
CVE-2026-35455 - immich has Stored XSS via OCR Text in 360Β° Panorama Viewer
immich is a high performance self-hosted photo and video management solution. Prior to 2.7.0, sStored Cross-Site Scripting (XSS) in the 360Β° panorama viewer allows any authenticated user to execute arbitrary JavaScript in the browser of any other user who views the malicious panorama with the OCR oβ¦
7.7
CVE-2026-35446 - LORIS has a path traversal in FilesDownloadHandler
LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 24.0.0 to before 27.0.3 and 28.0.1, an incorrect order of operations in the FilesDownloadHandler could result in an attacker escaping tβ¦