CVSS3.1 score: 8

CVE-2026-35575 - ChurchCRM has Stored XSS in Group Name

ChurchCRM is an open-source church management system. Prior to 6.5.3, a Stored Cross-Site Scripting (Stored XSS) vulnerability in the admin panel's group-creation feature allows any user with group-creation privileges to inject malicious JavaScript that executes automatically when an administrator …

📅 Published: April 7, 2026, 5:08 p.m. 🔄 Last Modified: April 8, 2026, 7:47 p.m.

CVSS4.0 score: 6.9

CVE-2026-22680 - OpenViking < 0.3.3 Missing Authorization via Task Polling

OpenViking versions prior to 0.3.3 contain a missing authorization vulnerability in the task polling endpoints that allows unauthorized attackers to enumerate or retrieve background task metadata created by other users. Attackers can access the /api/v1/tasks and /api/v1/tasks/{task_id} routes witho…

📅 Published: April 7, 2026, 5:08 p.m. 🔄 Last Modified: April 8, 2026, 7:25 p.m.

CVSS4.0 score: 7

CVE-2026-35572 - SSRF via Referer header in ChurchCRM allows server-side HTTP/HTTPS requests to arbitrary hosts

ChurchCRM is an open-source church management system. Prior to 6.5.3, it is possible to trigger server-side HTTP/HTTPS requests to arbitrary hosts (SSRF) by supplying a crafted URL in the Referer request header. The server subsequently makes an outbound request to the attacker-controlled domain, co…

📅 Published: April 7, 2026, 5:07 p.m. 🔄 Last Modified: April 8, 2026, 7:47 p.m.

CVSS3.1 score: 9.1

CVE-2026-35573 - ChurchCRM has a Path traversal leads to RCE

ChurchCRM is an open-source church management system. Prior to 6.5.3, a path traversal vulnerability in ChurchCRM's backup restore functionality allows authenticated administrators to upload arbitrary files and achieve remote code execution by overwriting Apache .htaccess configuration files. The v…

📅 Published: April 7, 2026, 5:06 p.m. 🔄 Last Modified: April 8, 2026, 7:25 p.m.

CVSS3.1 score: 7.3

CVE-2026-35574 - ChurchCRM has a Stored XSS in Person Profile - Add a Note

ChurchCRM is an open-source church management system. Prior to 6.5.3, a stored Cross-Site Scripting (XSS) vulnerability in ChurchCRM's Note Editor allows authenticated users with note-adding permissions to execute arbitrary JavaScript code in the context of other users' browsers, including administ…

📅 Published: April 7, 2026, 5:04 p.m. 🔄 Last Modified: April 8, 2026, 7:47 p.m.

CVSS3.1 score: 4

CVE-2026-39316 - CUPS has a use-after-free in `cupsdDeleteTemporaryPrinters` via dangling subscription pointer

OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, a use-after-free vulnerability exists in the CUPS scheduler (cupsd) when temporary printers are automatically deleted. cupsdDeleteTemporaryPrinters() in scheduler/print…

📅 Published: April 7, 2026, 5 p.m. 🔄 Last Modified: April 9, 2026, 3:42 p.m.

CVSS3.1 score: 4

CVE-2026-39314 - CUPS has an integer underflow in `_ppdCreateFromIPP` causes root cupsd crash via negative `job-pass…

OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, an integer underflow vulnerability in _ppdCreateFromIPP() (cups/ppd-cache.c) allows any unprivileged local user to crash the cupsd root process by supplying a negative …

📅 Published: April 7, 2026, 4:59 p.m. 🔄 Last Modified: April 8, 2026, 7:47 p.m.

CVSS3.1 score: 8.8

CVE-2026-35610 - PolarLearn has a Server Action Admin Bypass in Account Management Actions

PolarLearn is a free and open-source learning program. In 0-PRERELEASE-14 and earlier, setCustomPassword(userId, password) and deleteUser(userId) in the account-management module used an inverted admin check. Because of the inverted condition, authenticated non-admin users were allowed to execute …

📅 Published: April 7, 2026, 4:56 p.m. 🔄 Last Modified: April 8, 2026, 7:47 p.m.

CVSS3.1 score: 7.5

CVE-2026-39312 - Pre-Auth EAP-TLS DoS on SoftEther VPN Developer Edition

SoftEtherVPN is an open-source cross-platform multi-protocol VPN program. In 5.2.5188 and earlier, a pre-authentication denial-of-service vulnerability exists in SoftEther VPN Developer Edition 5.2.5188 (and likely earlier versions of Developer Edition). An unauthenticated remote attacker can cra…

📅 Published: April 7, 2026, 4:52 p.m. 🔄 Last Modified: April 8, 2026, 7:47 p.m.

CVSS4.0 score: 9.4

CVE-2026-23696 - Windmill < 1.603.3 File Ownership Handling SQLi RCE

Windmill CE and EE versions 1.276.0 through 1.603.2 contain an SQL injection vulnerability in the folder ownership management functionality that allows authenticated attackers to inject SQL through the owner parameter. An attacker can use the injection to read sensitive data such as the JWT signing…

📅 Published: April 7, 2026, 4:50 p.m. 🔄 Last Modified: April 8, 2026, 7:47 p.m.

Total results: 343514
Page 73 of 34,352