9.2
CVE-2026-34759 - OneUptime: Unauthenticated notification API endpoints - financial abuse via phone number purchase, β¦
OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, multiple notification API endpoints are registered without authentication middleware, while sibling endpoints in the same codebase correctly use ClusterKeyAuthorization.isAuthorizedServiceMiddleware. These β¦
9.1
CVE-2026-34758 - OneUptime: Missing Authentication on Notification Endpoints
OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, unauthenticated access to Notification test and Phone Number management endpoints allows SMS/Call/Email/WhatsApp abuse and phone number purchase. This issue has been patched in version 10.0.42.
8.7
CVE-2026-34752 - Haraka affected by DoS via `__proto__` email header
Haraka is a Node.js mail server. Prior to version 3.1.4, sending an email with __proto__: as a header name crashes the Haraka worker process. This issue has been patched in version 3.1.4.
9.1
CVE-2026-34745 - Unauthenticated Path Traversal Arbitrary File Write in /api/uploadChunked/public
Fireshare facilitates self-hosted media and link sharing. Prior to version 1.5.3, the fix for CVE-2026-33645 was applied to the authenticated /api/uploadChunked endpoint but was not applied to the unauthenticated /api/uploadChunked/public endpoint in the same file (app/server/fireshare/api.py). An β¦
7.1
CVE-2026-5429 - Kiro IDE Webview Cross-Site Scripting via Workspace Color Theme
Unsanitized input during web page generation in the Kiro Agent webview in Kiro IDE before version 0.8.140 allows a remote unauthenticated threat actor to execute arbitrary code via a potentially damaging crafted color theme name when a local user opens the workspace. This issue requires the user toβ¦
1.7
CVE-2026-34743 - XZ Utils: Buffer overflow in lzma_index_append()
XZ Utils provide a general-purpose data-compression library plus command-line tools. Prior to version 5.8.3, if lzma_index_decoder() was used to decode an Index that contained no Records, the resulting lzma_index was left in a state where where a subsequent lzma_index_append() would allocate too liβ¦
7.6
CVE-2026-34742 - Model Context Protocol Go SDK: DNS Rebinding Protection Disabled by Default for Servers Running on β¦
The Go MCP SDK used Go's standard encoding/json. Prior to version 1.4.0, the Model Context Protocol (MCP) Go SDK does not enable DNS rebinding protection by default for HTTP-based servers. When an HTTP-based MCP server is run on localhost without authentication with StreamableHTTPHandler or SSEHandβ¦
6.9
CVE-2026-5418 - appsmithorg appsmith Dashboard WebClientUtils.java computeDisallowedHosts server-side request forgeβ¦
A vulnerability was identified in appsmithorg appsmith up to 1.97. Impacted is the function computeDisallowedHosts of the file app/server/appsmith-interfaces/src/main/java/com/appsmith/util/WebClientUtils.java of the component Dashboard. Such manipulation leads to server-side request forgery. The aβ¦
5.3
CVE-2026-34736 - Open edX Platform: Account Activation Bypass via activation_key Exposure in REST API
Open edX Platform enables the authoring and delivery of online learning at any scale. From the maple release to before the ulmo release, an unauthenticated attacker can fully bypass the email verification process by combining two issues: the OAuth2 password grant issuing tokens to inactive users (dβ¦
3.3
CVE-2025-43236 -
A type confusion issue was addressed with improved memory handling. This issue is fixed in macOS Sequoia 15.6, macOS Sonoma 14.7.7, macOS Ventura 13.7.7. An attacker may be able to cause unexpected app termination.