8.8
CVE-2026-33175 - OAuthenticator: Authentication Bypass in Auth0OAuthenticator via Unverified Email Claims
OAuthenticator is software that allows OAuth2 identity providers to be plugged in and used with JupyterHub. Prior to version 17.4.0, an authentication bypass vulnerability in oauthenticator allows an attacker with an unverified email address on an Auth0 tenant to login to JupyterHub. When email is β¦
8.2
CVE-2015-10148 - Hirschmann HiLCOS Hard-coded Credentials SSH SSL Keys
Hirschmann HiLCOS devices OpenBAT, WLC, BAT300, BAT54 prior to 8.80 and OpenBAT prior to 9.10 are shipped with identical default SSH and SSL keys that cannot be changed, allowing unauthenticated remote attackers to decrypt or intercept encrypted management communications. Attackers can perform man-β¦
8.7
CVE-2026-28797 - RAGFlow: Server-Side Template Injection (SSTI) leading to Remote Code Execution (RCE) in Agent "Texβ¦
RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In versions 0.24.0 and prior, a Server-Side Template Injection (SSTI) vulnerability exists in RAGFlow's Agent workflow Text Processing (StringTransform) and Message components. These components use Python's jinja2.Template (unsaβ¦
7.2
CVE-2026-27885 - Piwigo: SQL Injection in Activity.getList
Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, a SQL Injection vulnerability was discovered in Piwigo affecting the Activity List API endpoint. This vulnerability allows an authenticated administrator to extract sensitive data from the database, including uβ¦
7.2
CVE-2026-27834 - Piwigo: SQL Injection in pwg.users.getList API Method via filter Parameter
Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, a SQL Injection vulnerability exists in the pwg.users.getList Web Service API method. The filter parameter is directly concatenated into a SQL query without proper sanitization, allowing authenticated administrβ¦
7.5
CVE-2026-27833 - Piwigo: Unauthenticated Information Disclosure via pwg.history.search API
Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, the pwg.history.search API method in Piwigo is registered without the admin_only option, allowing unauthenticated users to access the full browsing history of all gallery visitors. This issue has been patched iβ¦
8.7
CVE-2026-27634 - Piwigo: Pre-auth SQL injection via date filter parameters in ws_std_image_sql_filter
Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, the four date filter parameters (f_min_date_available, f_max_date_available, f_min_date_created, f_max_date_created) in ws_std_image_sql_filter() are concatenated directly into SQL without any escaping or type β¦
2.7
CVE-2026-34947 - Discourse: Staged user custom fields are exposed on public invite pages
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, staged user custom fields and username are exposed on public invite pages without email verification. This issue has been paβ¦
6.3
CVE-2026-27481 - Discourse: Hidden tag visibility bypass on tag routes
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, an authorization bypass vulnerability allows unauthenticated or unauthorized users to view hidden (staff-only) tags and its β¦
4.7
CVE-2026-27456 - util-linux: TOCTOU Race Condition in util-linux mount(8) - Loop Device Setup
util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privilegeβ¦