5.3

CVSS4.0

CVE-2026-35208 - lichess.org has an Unsanitized Stream Title Injection on /streamer

lichess.org is the forever free, adless and open source chess server. Any approved streamer can inject arbitrary HTML into /streamer and the homepage "Live streams" widget by placing markup in their Twitch/YouTube stream title. CSP is present and blocks inline script execution, but the issue is sti…

Published: April 6, 2026, 8:06 p.m. Last Modified: April 6, 2026, 9:16 p.m.

7.5

CVSS3.1

CVE-2026-35203 - ZLMediaKit VP9 RTP Parser Out-of-Bounds Read

ZLMediaKit is a streaming media service framework. The VP9 RTP payload parser in ext-codec/VP9Rtp.cpp reads multiple fields from the RTP payload based on flag bits in the first byte, without verifying that sufficient data exists in the buffer. A crafted VP9 RTP packet with a 1-byte payload (0xFF, a…

Published: April 6, 2026, 7:54 p.m. Last Modified: April 6, 2026, 8:16 p.m.
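The defect described above is a missing length check before each flag-driven read. The following is an added illustration, not ZLMediaKit's code: a Python parser for the VP9 RTP payload descriptor (field layout as in RFC 9628, which is an assumption about what the C++ parser implements) in which every read goes through a single bounds-checked helper, so the advisory's one-byte 0xFF payload is rejected instead of read past the end of the buffer. The sample packets are constructed, not captured traffic.

```python
"""Bounds-checked parser for the VP9 RTP payload descriptor.

Added illustration, not ZLMediaKit's code. Layout follows the VP9 RTP payload
format (RFC 9628). Every read goes through take(), so a flag bit that promises
a field the packet does not carry raises MalformedPacket rather than reading
beyond the buffer.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


class MalformedPacket(ValueError):
    """A flag bit promised a field that the payload does not contain."""


@dataclass
class Vp9Descriptor:
    picture_id: Optional[int] = None
    tid: Optional[int] = None
    sid: Optional[int] = None
    tl0picidx: Optional[int] = None
    p_diffs: List[int] = field(default_factory=list)
    spatial_layers: List[Tuple[int, int]] = field(default_factory=list)  # (width, height)
    header_len: int = 0  # bytes consumed by the descriptor; VP9 frame data follows


def parse_vp9_descriptor(payload: bytes) -> Vp9Descriptor:
    d = Vp9Descriptor()
    pos = 0

    def take(n: int, what: str) -> bytes:
        """Consume n bytes or raise; this is the check the vulnerable parser lacked."""
        nonlocal pos
        if len(payload) - pos < n:
            raise MalformedPacket(
                f"{what}: need {n} byte(s) at offset {pos}, only {len(payload) - pos} left")
        chunk = payload[pos:pos + n]
        pos += n
        return chunk

    # First byte: I|P|L|F|B|E|V|Z. Each set bit below pulls more bytes.
    b0 = take(1, "descriptor flags")[0]
    i_bit = (b0 >> 7) & 1  # picture ID present
    p_bit = (b0 >> 6) & 1  # inter-picture predicted
    l_bit = (b0 >> 5) & 1  # layer indices present
    f_bit = (b0 >> 4) & 1  # flexible mode
    v_bit = (b0 >> 1) & 1  # scalability structure present

    if i_bit:
        pid = take(1, "picture ID")[0]
        if pid & 0x80:  # M bit: 15-bit picture ID spans a second byte
            d.picture_id = ((pid & 0x7F) << 8) | take(1, "extended picture ID")[0]
        else:
            d.picture_id = pid & 0x7F

    if l_bit:
        lb = take(1, "layer indices")[0]  # TID(3)|U|SID(3)|D
        d.tid = lb >> 5
        d.sid = (lb >> 1) & 0x07
        if not f_bit:  # non-flexible mode also carries TL0PICIDX
            d.tl0picidx = take(1, "TL0PICIDX")[0]

    if p_bit and f_bit:  # flexible mode: 1..3 P_DIFF bytes, N bit chains them
        for _ in range(3):
            pd = take(1, "P_DIFF")[0]
            d.p_diffs.append(pd >> 1)
            if not (pd & 1):
                break
        else:
            raise MalformedPacket("more than 3 P_DIFF entries")

    if v_bit:
        ss = take(1, "scalability structure")[0]  # N_S(3)|Y|G|reserved
        n_s = (ss >> 5) + 1
        if (ss >> 4) & 1:  # Y: a 16-bit width and height per spatial layer
            for _ in range(n_s):
                wh = take(4, "spatial layer resolution")
                d.spatial_layers.append(
                    (int.from_bytes(wh[:2], "big"), int.from_bytes(wh[2:], "big")))
        if (ss >> 3) & 1:  # G: picture group description
            n_g = take(1, "N_G")[0]
            for _ in range(n_g):
                gb = take(1, "picture group entry")[0]  # TID(3)|U|R(2)|reserved
                take((gb >> 2) & 0x03, "picture group P_DIFF")

    d.header_len = pos
    return d


def validate(payload: bytes) -> Optional[str]:
    """None if the descriptor parses cleanly, else the reason it was rejected."""
    try:
        parse_vp9_descriptor(payload)
        return None
    except MalformedPacket as exc:
        return str(exc)


# Constructed samples, not captured traffic.
# Flexible-mode packet: I,P,L,F set; picture ID 0x123; TID 2, SID 1; P_DIFF 1 then 2; one data byte.
GOOD_PACKET = bytes([0xF0, 0x81, 0x23, 0x42, 0x03, 0x04, 0xAA])
# The advisory's trigger: every flag set, nothing after the flag byte.
ONE_BYTE_0XFF = bytes([0xFF])
```

The same `take()` discipline transfers directly to C++: compute the remaining length once per read and fail the packet on the first shortfall, rather than trusting the flag byte to describe data that was never received.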

5.9

CVSS3.1

CVE-2026-35201 - Discount has an Out-of-bounds Read in rdiscount

Discount is an implementation of John Gruber's Markdown markup language in C. From 1.3.1.1 to before 2.2.7.4, a signed length truncation bug causes an out-of-bounds read in the default Markdown parse path. Inputs larger than INT_MAX are truncated to a signed int before entering the native parser, a…

Published: April 6, 2026, 7:49 p.m. Last Modified: April 6, 2026, 8:16 p.m.

2.1

CVSS4.0

CVE-2026-35200 - Parse Server has a file upload Content-Type override via extension mismatch

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.73 and 9.7.1-alpha.4, a file can be uploaded with a filename extension that passes the file extension allowlist (e.g., .txt) but with a Content-Type header that differs from the exte…

Published: April 6, 2026, 7:47 p.m. Last Modified: April 6, 2026, 8:16 p.m.
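The root cause above is that the extension allowlist and the client-supplied Content-Type are checked independently. The example below is added here and is not Parse Server's code or its fix: it ties the two together by mapping each allowed extension to the one media type the server will ever store for it, rejects a declared Content-Type that disagrees, and ignores the header when deciding what type to serve. The allowlist contents are an assumption chosen for the demo.

```python
"""Upload validation that derives Content-Type from the extension allowlist.

Added illustration, not Parse Server's code. A client can send any
Content-Type header; the server should only ever store and serve the type
that the allowlisted extension implies.
"""
import os
from typing import Optional, Tuple

# Constructed allowlist: extension -> the only media type stored for it.
ALLOWED_TYPES = {
    ".txt": "text/plain",
    ".png": "image/png",
    ".jpg": "image/jpeg",
    ".jpeg": "image/jpeg",
    ".pdf": "application/pdf",
}


class UploadRejected(ValueError):
    """Upload failed the extension/Content-Type consistency check."""


def normalize_media_type(header: Optional[str]) -> Optional[str]:
    """'Text/HTML; charset=utf-8' -> 'text/html'; parameters and case must not matter."""
    if header is None:
        return None
    return header.split(";", 1)[0].strip().lower() or None


def validate_upload(filename: str, declared_type: Optional[str]) -> Tuple[str, str]:
    """Return (stored_filename, stored_content_type) or raise UploadRejected."""
    base = os.path.basename(filename)  # drop any path component the client sent
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension {ext!r} is not allowed")
    expected = ALLOWED_TYPES[ext]
    declared = normalize_media_type(declared_type)
    # A declared type is only accepted when it agrees with the extension;
    # an absent header is fine because the stored type never comes from it.
    if declared is not None and declared != expected:
        raise UploadRejected(
            f"Content-Type {declared!r} does not match {ext} ({expected})")
    return base, expected


def check(filename: str, declared_type: Optional[str]) -> str:
    """Outcome as a string, handy for logs and tests."""
    try:
        _, content_type = validate_upload(filename, declared_type)
        return "accepted:" + content_type
    except UploadRejected as exc:
        return "rejected:" + str(exc)
```

Content sniffing of the first bytes is a further layer worth adding for image and document types, but the ordering matters: the stored type must come from the allowlist, never from the request.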

6.3

CVSS4.0

CVE-2026-5682 - Meesho Online Shopping App com.meesho.supply endpoint risky encryption

A vulnerability has been found in Meesho Online Shopping App up to 27.3 on Android. Affected is an unknown function of the file /api/endpoint of the component com.meesho.supply. Such manipulation leads to use of a risky cryptographic algorithm. The attack may be performed remotely. The attack requires a …

Published: April 6, 2026, 7:45 p.m. Last Modified: April 7, 2026, 6:54 a.m.

6.1

CVSS3.1

CVE-2026-35199 - SymCrypt SymCryptXmssSign function - Heap overflow via 64->32-bit leaf-count truncation

SymCrypt is the core cryptographic function library currently used by Windows. From 103.5.0 to before 103.11.0, the SymCryptXmssSign function passes a 64-bit leaf count value to a helper function that accepts a 32-bit parameter. For XMSS^MT parameter sets with total tree height >= 32 (which include…

Published: April 6, 2026, 7:44 p.m. Last Modified: April 6, 2026, 8:16 p.m.

6.6

CVSS3.1

CVE-2026-35197 - Code injection in dye template expressions

dye is a portable and respectful color library for shell scripts. Prior to 1.1.1, certain dye template expressions would result in execution of arbitrary code. This issue was discovered and fixed by dye's author, and is not known to be exploited. This vulnerability is fixed in 1.1.1.

Published: April 6, 2026, 7:39 p.m. Last Modified: April 6, 2026, 8:16 p.m.

9.3

CVSS4.0

CVE-2026-35459 - pyLoad has SSRF fix bypass via HTTP redirect

pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, pyLoad has a server-side request forgery (SSRF) vulnerability. The fix for CVE-2026-33992 added IP validation to BaseDownloader.download() that checks the hostname of the initial download URL. However…

Published: April 6, 2026, 7:37 p.m. Last Modified: April 6, 2026, 8:16 p.m.

7.7

CVSS3.1

CVE-2026-35187 - pyLoad has SSRF in parse_urls API endpoint via unvalidated URL parameter

pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, the parse_urls API function in src/pyload/core/api/__init__.py fetches arbitrary URLs server-side via get_url(url) (pycurl) without any URL validation, protocol restriction, or IP blacklist. An authen…

Published: April 6, 2026, 7:33 p.m. Last Modified: April 6, 2026, 8:16 p.m.
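The two pyLoad entries above (CVE-2026-35459, a redirect that escapes an initial-URL check, and CVE-2026-35187, a fetch with no scheme or address validation at all) are the same guard applied incompletely. The example below is added here and is not pyLoad's code: it shows the bypassed pattern (validate once, then let the client follow redirects) next to a fetcher that restricts schemes and re-validates every hop, including the resolved addresses. DNS and HTTP are injected as callables over constructed data so the demo runs offline; the hostnames and addresses are assumptions for the demo.

```python
"""SSRF guard that validates scheme and destination on every redirect hop.

Added illustration, not pyLoad's code. Network I/O is injected (resolve and
fetch callables) so the example runs offline against constructed data.
"""
import ipaddress
from typing import Callable, Dict, List, Tuple
from urllib.parse import urljoin, urlparse

ALLOWED_SCHEMES = {"http", "https"}  # no file://, gopher://, dict://, ftp://
REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_REDIRECTS = 5

Resolver = Callable[[str], List[str]]  # hostname -> list of IP strings
Fetcher = Callable[[str], Tuple[int, Dict[str, str], bytes]]  # url -> (status, headers, body)


class UnsafeURL(ValueError):
    """Fetching this URL would make the server talk to something it must not."""


def validate_target(url: str, resolve: Resolver) -> str:
    """Return the public IP we will connect to, or raise UnsafeURL."""
    u = urlparse(url)
    if u.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme {u.scheme!r} not allowed")
    if not u.hostname:
        raise UnsafeURL("URL has no host")
    if u.username or u.password:
        raise UnsafeURL("userinfo in URL")  # http://trusted.host@internal/ trick
    try:
        candidates = [ipaddress.ip_address(u.hostname)]  # literal, e.g. 169.254.169.254
    except ValueError:
        candidates = [ipaddress.ip_address(a) for a in resolve(u.hostname)]
    if not candidates:
        raise UnsafeURL(f"{u.hostname} does not resolve")
    # Reject if ANY answer is non-public: split answers and rebinding both hide there.
    for ip in candidates:
        if not ip.is_global:
            raise UnsafeURL(f"{u.hostname} -> {ip} is not a public address")
    # A real client should pin the connection to this IP (curl's --resolve /
    # CURLOPT_RESOLVE) so a second lookup cannot return a different answer.
    return str(candidates[0])


def naive_fetch(url: str, resolve: Resolver, fetch: Fetcher) -> bytes:
    """The bypassed pattern: check the first URL, then follow redirects blindly."""
    validate_target(url, resolve)
    for _ in range(MAX_REDIRECTS + 1):
        status, headers, body = fetch(url)
        if status in REDIRECT_CODES and "location" in headers:
            url = urljoin(url, headers["location"])  # next hop is never checked
            continue
        return body
    raise UnsafeURL("too many redirects")


def safe_fetch(url: str, resolve: Resolver, fetch: Fetcher) -> bytes:
    """Validate every hop; a redirect is just another URL the attacker chose."""
    for _ in range(MAX_REDIRECTS + 1):
        validate_target(url, resolve)
        status, headers, body = fetch(url)
        if status in REDIRECT_CODES and "location" in headers:
            url = urljoin(url, headers["location"])
            continue
        return body
    raise UnsafeURL("too many redirects")


# Constructed DNS answers and HTTP responses for the demo (header keys are
# lower-cased here; a real client must look them up case-insensitively).
CONSTRUCTED_DNS = {
    "files.example.com": ["93.184.216.34"],
    "metadata.internal": ["169.254.169.254"],
}
CONSTRUCTED_HTTP = {
    "http://files.example.com/pkg.zip":
        (302, {"location": "http://169.254.169.254/latest/meta-data/"}, b""),
    "http://169.254.169.254/latest/meta-data/":
        (200, {}, b"iam/security-credentials"),
}


def resolve_constructed(host: str) -> List[str]:
    return CONSTRUCTED_DNS.get(host, [])


def fetch_constructed(url: str) -> Tuple[int, Dict[str, str], bytes]:
    return CONSTRUCTED_HTTP.get(url, (404, {}, b"not found"))


def outcome(url: str, safe: bool) -> str:
    """'ok:<body>' or 'blocked:<reason>' for the constructed environment."""
    fetcher = safe_fetch if safe else naive_fetch
    try:
        return "ok:" + fetcher(url, resolve_constructed, fetch_constructed).decode()
    except UnsafeURL as exc:
        return "blocked:" + str(exc)
```

Run with `outcome("http://files.example.com/pkg.zip", safe=False)` to see the naive path return the metadata body after the redirect, and with `safe=True` to see the second hop rejected. The check is deliberately an allowlist of outcomes (public address, http or https) rather than a blocklist of known-bad ranges, which is what makes it hold up across redirects, literal IPs and alternate schemes.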

8.7

CVSS4.0

CVE-2026-35185 - HAX CMS's public /server-status endpoint exposes authentication tokens, user activity, and client I…

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to 25.0.0, the /server-status endpoint is publicly accessible and exposes sensitive information including authentication tokens (user_token), user activity, client IP addresses, and server configuration details. This allows …

Published: April 6, 2026, 7:24 p.m. Last Modified: April 6, 2026, 8:16 p.m.
Total results: 342653