7.2
CVE-2026-35581 - Emissary has a Command Injection via PLACE_NAME Configuration in Executrix
Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, the Executrix utility class constructed shell commands by concatenating configuration-derived values, including the PLACE_NAME parameter, with insufficient sanitization. Only spaces were replaced with underscores, allowing shel…
9.1
CVE-2026-35580 - Emissary has GitHub Actions Shell Injection via Workflow Inputs
Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, GitHub Actions workflow files contained shell injection points where user-controlled workflow_dispatch inputs were interpolated directly into shell commands via ${{ }} expression syntax. An attacker with repository write access c…
5.3
CVE-2026-35578 - ChurchCRM has an Open Redirect via the “linkBack” URL Parameter in DonatedItemEditor.php
ChurchCRM is an open-source church management system. Prior to 7.0.0, it was possible in many places across the ChurchCRM application to create a link that, when visited by an authenticated user, would redirect them to any URL chosen by an attacker if they clicked the 'Cancel' button on the page. For t…
9.8
CVE-2026-4631 - Cockpit: cockpit: unauthenticated remote code execution due to ssh command-line argument injection
Cockpit's remote login feature passes user-supplied hostnames and usernames from the web interface to the SSH client without validation or sanitization. An attacker with network access to the Cockpit web service can craft a single HTTP request to the login endpoint that injects malicious SSH option…
8.8
CVE-2026-35567 - SQL Injection in MemberRoleChange.php
ChurchCRM is an open-source church management system. Prior to 7.1.0, the NewRole POST parameter in src/MemberRoleChange.php is used in an SQL query without proper integer validation, allowing authenticated users to inject arbitrary SQL. The attack requires an authenticated session with ManageGroup…
7.6
CVE-2026-35534 - ChurchCRM has Stored XSS in PersonView.php via Facebook Field Attribute Injection
ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored cross-site scripting vulnerability exists in PersonView.php due to incorrect use of sanitizeText() as an output sanitizer for HTML attribute context. The function only strips HTML tags; it does not escape quote character…
4.8
CVE-2026-35571 - Emissary has Stored XSS via Navigation Template Link Injection
Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, Mustache navigation templates interpolated configuration-controlled link values directly into href attributes without URL scheme validation. An administrator who could modify the navItems configuration could inject javascript: UR…
7.5
CVE-2026-35526 - Strawberry GraphQL affected by a Denial of Service via unbounded WebSocket subscriptions
Strawberry GraphQL is a library for creating GraphQL APIs. Prior to 0.312.3, Strawberry GraphQL's WebSocket subscription handlers for both the graphql-transport-ws and legacy graphql-ws protocols allocate an asyncio.Task and associated Operation object for every incoming subscribe message without e…
6.8
CVE-2026-4931 - CVE-2026-4931
Smart contract Marginal v1 performs unsafe downcast, allowing attackers to settle a large debt position for a negligible asset cost.
8.8
CVE-2026-35521 - Pi-hole FTL affected by Remote Code Execution (RCE) via dhcp.hosts Newline Injection
FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DHCP hosts configuration parameter (dhcp.hosts). This vulnerability allows an authent…