8.2
CVE-2026-35604 - File Browser share links remain accessible after Share/Download permissions are revoked
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.1, when an admin revokes a user's Share and Download permissions, existing share links created by that user remain fully accessible to unauthenticatβ¦
7.5
CVE-2026-35585 - File Browser has a Command Injection via Hook Runner
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. From 2.0.0 through 2.63.1, the hook system in File Browser β which executes administrator-defined shell commands on file events such as upload, rename, and deleteβ¦
5.3
CVE-2026-35592 - pyLoad has an Incomplete Tar Path Traversal Fix in UnTar._safe_extractall via os.path.commonprefix β¦
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the _safe_extractall() function in src/pyload/plugins/extractors/UnTar.py uses os.path.commonprefix() for its path traversal check, which performs character-level string comparison rather than path-level coβ¦
6.8
CVE-2026-35586 - Authorization Bypass for SSL Certificate/Key Configuration Due to Option Name Mismatch in pyload-ng
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the ADMIN_ONLY_CORE_OPTIONS authorization set in set_config_value() uses incorrect option names ssl_cert and ssl_key, while the actual configuration option names are ssl_certfile and ssl_keyfile. This name β¦
6.9
CVE-2026-35584 - FreeScout has an Unauthenticated IDOR in Open Tracking Endpoint Allows Cross-Conversation Thread Maβ¦
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.212, the endpoint GET /thread/read/{conversation_id}/{thread_id} does not require authentication and does not validate whether the given thread_id belongs to the given conversation_id. This allows any unβ¦
7.6
CVE-2026-39384 - FreeScout Customer Merge Cross-Mailbox Authorization Bypass
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.212, FreeScout does not take the limit_user_customer_visibility parameter into account when merging customers. This vulnerability is fixed in 1.8.212.
7.5
CVE-2026-35523 - Authentication bypass in strawberry-graphql via legacy graphql-ws WebSocket subprotocol
Strawberry GraphQL is a library for creating GraphQL APIs. Strawberry up until version 0.312.3 is vulnerable to an authentication bypass on WebSocket subscription endpoints. The legacy graphql-ws subprotocol handler does not verify that a connection_init handshake has been completed before processiβ¦
5.3
CVE-2026-35583 - Emissary has a Path Traversal via Blacklist Bypass in Configuration API
Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, the configuration API endpoint (/api/configuration/{name}) validated configuration names using a blacklist approach that checked for \, /, .., and trailing .. This could potentially be bypassed using URL-encoded variants, double-β¦
7.2
CVE-2026-35581 - Emissary has a Command Injection via PLACE_NAME Configuration in Executrix
Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, the Executrix utility class constructed shell commands by concatenating configuration-derived values β including the PLACE_NAME parameter β with insufficient sanitization. Only spaces were replaced with underscores, allowing shelβ¦
9.1
CVE-2026-35580 - Emissary has GitHub Actions Shell Injection via Workflow Inputs
Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, GitHub Actions workflow files contained shell injection points where user-controlled workflow_dispatch inputs were interpolated directly into shell commands via ${{ }} expression syntax. An attacker with repository write access cβ¦