8.4

CVSS4.0

CVE-2026-34377 - Zebra has a Consensus Failure due to Improper Verification of V5 Transactions

ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.0 and zebra-consensus version 5.0.1, a logic error in Zebra's transaction verification cache could allow a malicious miner to induce a consensus split. By matching a valid transaction's txid while providing invalid authoriz…

📅 Published: March 31, 2026, 2:05 p.m. 🔄 Last Modified: April 7, 2026, 8:08 a.m.

9.2

CVSS4.0

CVE-2026-34202 - Zebra node crash — V5 transaction hash panic (P2P reachable)

ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.0 and zebra-chain version 6.0.1, a vulnerability in Zebra's transaction processing logic allows a remote, unauthenticated attacker to cause a Zebra node to panic (crash). This is triggered by sending a specially crafted V5 …

📅 Published: March 31, 2026, 2:02 p.m. 🔄 Last Modified: April 8, 2026, 8 p.m.

7.7

CVSS4.0

CVE-2026-34200 - Nhost CLI MCP Server: Missing Inbound Authentication on Explicitly Bound Network Port

Nhost is an open source Firebase alternative with GraphQL. Prior to version 1.41.0, the Nhost CLI MCP server, when explicitly configured to listen on a network port, applies no inbound authentication and does not enforce strict CORS. This allows a malicious website visited on the same machine to is…

📅 Published: March 31, 2026, 1:57 p.m. 🔄 Last Modified: April 8, 2026, 8 p.m.

8.5

CVSS4.0

CVE-2026-20915 - Stored cross-site scripting in Pending Changes sidebar

Stored cross-site scripting (XSS) in Checkmk version 2.5.0 (beta) before 2.5.0b2 allows authenticated users with permission to create pending changes to inject malicious JavaScript into the Pending Changes sidebar, which will execute in the browsers of other users viewing the sidebar.

📅 Published: March 31, 2026, 1:51 p.m. 🔄 Last Modified: April 2, 2026, 8:22 p.m.

7.7

CVSS4.0

CVE-2026-34172 - Giskard Agents have Server-side template injection via ChatWorkflow.chat() using non-sandboxed Jinj…

Giskard is an open-source Python library for testing and evaluating agentic systems. Prior to versions 0.3.4 and 1.0.2b1, ChatWorkflow.chat(message) passes its string argument directly as a Jinja2 template source to a non-sandboxed Environment. A developer who passes user input to this method enabl…

📅 Published: March 31, 2026, 1:50 p.m. 🔄 Last Modified: April 8, 2026, 8 p.m.

2.8

CVSS3.1

CVE-2026-33762 - go-git: Missing validation decoding Index v4 files leads to panic

go-git is an extensible git implementation library written in pure Go. Prior to version 5.17.1, go-git's index decoder for format version 4 fails to validate the path name prefix length before applying it to the previously decoded path name. A maliciously crafted index file can trigger an out-of-bo…

📅 Published: March 31, 2026, 1:47 p.m. 🔄 Last Modified: April 3, 2026, 9:19 a.m.

5

CVSS3.1

CVE-2026-34165 - go-git: Maliciously crafted idx file can cause asymmetric memory consumption

go-git is an extensible git implementation library written in pure Go. From version 5.0.0 to before version 5.17.1, a vulnerability has been identified in which a maliciously crafted .idx file can cause asymmetric memory consumption, potentially exhausting available memory and resulting in a denial…

📅 Published: March 31, 2026, 1:46 p.m. 🔄 Last Modified: April 3, 2026, 9:19 a.m.

8.6

CVSS4.0

CVE-2026-33276 - XSS in Unified Search via Unescaped Host/Service Names

Stored cross-site scripting (XSS) in Checkmk 2.5.0 (beta) before 2.5.0b2 allows authenticated users with permission to create hosts or services to execute arbitrary JavaScript in the browsers of other users performing searches in the Unified Search feature.

📅 Published: March 31, 2026, 1:44 p.m. 🔄 Last Modified: April 2, 2026, 8:22 p.m.

10

CVSS3.1

CVE-2026-34162 - FastGPT: Unauthenticated SSRF via httpTools Endpoint Leads to Internal API Key Theft

FastGPT is an AI Agent building platform. Prior to version 4.14.9.5, the FastGPT HTTP tools testing endpoint (/api/core/app/httpTools/runTool) is exposed without any authentication. This endpoint acts as a full HTTP proxy — it accepts a user-supplied baseUrl, toolPath, HTTP method, custom headers, …

📅 Published: March 31, 2026, 1:43 p.m. 🔄 Last Modified: April 2, 2026, 7:53 a.m.

7.7

CVSS3.1

CVE-2026-34163 - Server-Side Request Forgery via MCP Tools Endpoint in FastGPT

FastGPT is an AI Agent building platform. Prior to version 4.14.9.5, FastGPT's MCP (Model Context Protocol) tools endpoints (/api/core/app/mcpTools/getTools and /api/core/app/mcpTools/runTool) accept a user-supplied URL parameter and make server-side HTTP requests to it without validating whether t…

📅 Published: March 31, 2026, 1:43 p.m. 🔄 Last Modified: April 2, 2026, 7:53 a.m.