7.1
CVE-2026-34598 - YesWiki has Persistant Blind XSS at "/?BazaR&vue=consulter"
YesWiki is a wiki system written in PHP. Prior to version 4.6.0, a stored and blind XSS vulnerability exists in the form title field. A malicious attacker can inject JavaScript without any authentication via a form title that is saved in the backend database. When any user visits that injected pageโฆ
7.1
CVE-2026-34591 - Poetry Has Wheel Path Traversal Which Can Lead to Arbitrary File Write
Poetry is a dependency manager for Python. From version 1.4.0 to before version 2.3.3, a crafted wheel can contain ../ paths that Poetry writes to disk without containment checks, allowing arbitrary file write with the privileges of the Poetry process. It is reachable from untrusted package artifacโฆ
7.1
CVE-2026-34828 - listmonk: Active sessions remain valid after password reset and password change
listmonk is a standalone, self-hosted, newsletter and mailing list manager. From version 4.1.0 to before version 6.1.0, a session management vulnerability allows previously issued authenticated sessions to remain valid after sensitive account security changes, specifically password reset and passwoโฆ
5.4
CVE-2026-34584 - listmonk: Broken Access Control in CSV Import (Unauthorized List Assignment)
listmonk is a standalone, self-hosted, newsletter and mailing list manager. From version 4.1.0 to before version 6.1.0, bugs in list permission checks allows users in a multi-user environment to access to lists (which they don't have access to) under different scenarios. This only affects multi-useโฆ
5.1
CVE-2026-5370 - krayin laravel-crm Activities Module/Notes inbox.spec.ts composeMail cross site scripting
A vulnerability was identified in krayin laravel-crm up to 2.2. Impacted is the function composeMail of the file packages/Webkul/Admin/tests/e2e-pw/tests/mail/inbox.spec.ts of the component Activities Module/Notes Module. The manipulation leads to cross site scripting. Remote exploitation of the atโฆ
5.4
CVE-2026-34590 - Postiz: SSRF via Webhook Creation Endpoint Missing URL Safety Validation
Postiz is an AI social media scheduling tool. Prior to version 2.21.4, the POST /webhooks/ endpoint for creating webhooks uses WebhooksDto which validates the url field with only @IsUrl() (format check), missing the @IsSafeWebhookUrl validator that blocks internal/private network addresses. The updโฆ
8.6
CVE-2026-34577 - Postiz: Unauthenticated Full-Read SSRF via /public/stream Endpoint with Trivially Bypassable Extensโฆ
Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the GET /public/stream endpoint in PublicController accepts a user-supplied url query parameter and proxies the full HTTP response back to the caller. The only validation is url.endsWith('mp4'), which is trivially bypassable by โฆ
8.3
CVE-2026-34576 - Postiz: SSRF in upload-from-url endpoint allows fetching internal resources and cloud metadata
Postiz is an AI social media scheduling tool. Prior to version 2.21.3, the POST /public/v1/upload-from-url endpoint accepts a user-supplied URL and fetches it server-side using axios.get() with no SSRF protections. The only validation is a file extension check (.png, .jpg, etc.) which is trivially โฆ
7.1
CVE-2026-34124 - Denial of Service via Path Expansion Overflow in HTTP Service in TP-Link Tapo C520WS
A denial-of-service vulnerability was identified in TP-Link Tapo C520WS v2.6 within the HTTP request path parsing logic. The implementation enforces length restrictions on the raw request path but does not account for path expansion performed during normalization. An attacker on the adjacent netwoโฆ
7.1
CVE-2026-34122 - Stack-based Buffer Overflow Leading to Denial of Service in TP-Link Tapo C520WS
A stack-based buffer overflow vulnerability was identified in TP-Link Tapo C520WS v2.6 within a configuration handling component due to insufficient input validation. An attacker can exploit this vulnerability by supplying an excessively long value for a vulnerable configuration parameter, resultiโฆ