8.7
CVE-2026-40876 - SFTP root escape via prefix-based path validation in goshs
goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.6, goshs contains an SFTP root escape caused by prefix-based path validation. An authenticated SFTP user can read from and write to filesystem paths outside the configured SFTP root, which breaks the intended jail boundary and can expos…
6.5
CVE-2026-41320 - Frappe HR has possibility of SQL Injection due to improper field sanitization
Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.54.0 and 14.38.1, a specially crafted request made to a certain endpoint could result in SQL injection, allowing an attacker to extract information they wouldn't otherwise be able to. Versions 15.54.0 and 1…
6.5
CVE-2026-40889 - Frappe HR has Improper Access Control on Files
Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.58.2 and 16.4.2, authenticated users can access unauthorized files by exploiting a certain API endpoint. Versions 15.58.2 and 16.4.2 contain a patch. No known workarounds are available.
6.5
CVE-2026-40888 - Frappe HR vulnerable to Improper Access Control
Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.58.1 and 16.4.1, an authenticated user with the default role can access unauthorized information by exploiting a certain API endpoint. Versions 15.58.1 and 16.4.1 contain a patch. No known workarounds are availab…
9.1
CVE-2026-40887 - @vendure/core has a SQL Injection vulnerability
Vendure is an open-source headless commerce platform. Starting in version 1.7.4 and prior to versions 2.3.4, 3.5.7, and 3.6.2, an unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query string parameter is interpolated directly into a raw SQL expression w…
2.1
CVE-2026-40878 - mailcow-dockerized Login Page has Reflected Parameter Injection / Wrong-Context XSS Escaping
mailcow: dockerized is an open source groupware/email suite based on Docker. In versions prior to 2026-03b, the mailcow web interface passes the raw `$_SERVER['REQUEST_URI']` to Twig as a global template variable and renders it inside a JavaScript string literal in the `setLang()` helper of `base.t…
6.1
CVE-2026-33812 - Excessive memory allocation when decoding malicious SFNT in golang.org/x/image
Parsing a malicious font file can cause excessive memory allocation.
7.5
CVE-2026-33813 - Panic when decoding large WEBP image on 32-bit platforms in golang.org/x/image
Parsing a WEBP image with an invalid, large size panics on 32-bit platforms.
6.3
CVE-2026-40881 - Zebra: addr/addrv2 Deserialization Resource Exhaustion
ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.0 and zebra-network version 5.0.1, when deserializing addr or addrv2 messages, which contain vectors of addresses, Zebra would fully deserialize them up to a maximum length (over 233,000) that was derived from the 2 MiB mes…
9.1
CVE-2026-40372 - ASP.NET Core Elevation of Privilege Vulnerability
Improper verification of cryptographic signature in ASP.NET Core allows an unauthorized attacker to elevate privileges over a network.