5.3
CVE-2026-34230 - Rack: Quadratic complexity in Rack::Utils.select_best_encoding via wildcard Accept-Encoding header
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Utils.select_best_encoding processes Accept-Encoding values with quadratic time complexity when the header contains many wildcard (*) entries. Because this method is used by Rack::Deflater to choose a reβ¦
7.5
CVE-2026-35385 - OpenSSH: OpenSSH: Privilege escalation via scp legacy protocol when not preserving file mode
In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode).
5.3
CVE-2026-5354 - Trendnet TEW-657BRM setup.cgi vpn_connect os command injection
A flaw has been found in Trendnet TEW-657BRM 1.00.1. Affected by this vulnerability is the function vpn_connect of the file /setup.cgi. Executing a manipulation of the argument policy_name can lead to os command injection. The attack can be executed remotely. The exploit has been published and may β¦
2.1
CVE-2026-35038 - signalk-server: Arbitrary Prototype Read via `from` Field Bypass
Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0, there is an arbitrary prototype read vulnerability via `from` field bypass. This vulnerability allows a low-privileged authenticated user to bypass prototype boundary filtering to extract internalβ¦
5.3
CVE-2026-5353 - Trendnet TEW-657BRM setup.cgi ping_test os command injection
A vulnerability was detected in Trendnet TEW-657BRM 1.00.1. Affected is the function ping_test of the file /setup.cgi. Performing a manipulation of the argument c4_IPAddr results in os command injection. Remote exploitation of the attack is possible. The exploit is now public and may be used. The vβ¦
6.1
CVE-2026-34083 - signalk-server: OAuth Authorization Code Theft via Unvalidated Host Header in OIDC Flow
Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0, SignalK Server contains a code-level vulnerability in its OIDC login and logout handlers where the unvalidated HTTP Host header is used to construct the OAuth2 redirect_uri. Because the redirectUrβ¦
6.9
CVE-2026-33951 - signalk-server: Unauthenticated Source Priorities Manipulation
Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.1, the SignalK Server exposes an unauthenticated HTTP endpoint that allows remote attackers to modify navigation data source priorities. This endpoint, accessible via PUT /signalk/v1/api/sourcβ¦
9.4
CVE-2026-33950 - signalk-server: Privilege Escalation by Admin Role Injection via /enableSecurity
Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.4, there is a privilege escalation vulnerability by Admin Role Injection via /enableSecurity. An unauthenticated attacker can gain full Administrator access to the SignalK server at any time, β¦
5.3
CVE-2026-5352 - Trendnet TEW-657BRM setup.cgi edit os command injection
A security vulnerability has been detected in Trendnet TEW-657BRM 1.00.1. This impacts the function Edit of the file /setup.cgi. Such manipulation of the argument pcdb_list leads to os command injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. Tβ¦
7.5
CVE-2025-65114 - Apache Traffic Server: Malformed chunked message body allows request smuggling
Apache Traffic Server allows request smuggling if chunked messages are malformed.Β This issue affects Apache Traffic Server: from 9.0.0 through 9.2.12, from 10.0.0 through 10.1.1. Users are recommended to upgrade to version 9.2.13 or 10.1.2, which fix the issue.