7.4

CVSS3.1

CVE-2026-32132 - ZITADEL: Reactivation of Expired Passkey Registration Codes

ZITADEL is an open source identity management platform. Prior to 3.4.8 and 4.12.2, a potential vulnerability exists in Zitadel's passkey registration endpoints. This endpoint allows registering a new passkey using a previously retrieved code. An improper expiration check of the code could allow an…

📅 Published: March 11, 2026, 9:40 p.m. 🔄 Last Modified: March 11, 2026, 9:40 p.m.

7.7

CVSS3.1

CVE-2026-32131 - ZITADEL Cross-Tenant Information Disclosure in Management API

ZITADEL is an open source identity management platform. Prior to 3.4.8 and 4.12.2, a vulnerability in Zitadel's Management API has been reported, which allowed authenticated users holding a valid low-privilege token (e.g., project.read, project.grant.read, or project.app.read) to retrieve managemen…

📅 Published: March 11, 2026, 9:38 p.m. 🔄 Last Modified: March 11, 2026, 9:40 p.m.

7.5

CVSS3.1

CVE-2026-32130 - ZITADEL SCIM Authentication Bypass via URL Encoding

ZITADEL is an open source identity management platform. From 2.68.0 to before 3.4.8 and 4.12.2, Zitadel provides a System for Cross-domain Identity Management (SCIM) API to provision users from external providers into Zitadel. Requests to the API with URL-encoded path values were correctly routed bu…

📅 Published: March 11, 2026, 9:37 p.m. 🔄 Last Modified: March 11, 2026, 9:37 p.m.

4.8

CVSS4.0

CVE-2026-3959 - 0xKoda WireMCP Tshark CLI index.js server.tool os command injection

A vulnerability was found in 0xKoda WireMCP up to 7f45f8b2b4adeb76be8c6227eefb38533fdd6b1e. Affected is the function server.tool of the file index.js of the component Tshark CLI Command Handler. The manipulation results in OS command injection. The attack must be carried out locally. The exploit…

📅 Published: March 11, 2026, 9:32 p.m. 🔄 Last Modified: March 11, 2026, 9:32 p.m.

5.3

CVSS4.0

CVE-2026-3958 - Woahai321 ListSync JSON api_server.py requests.post server-side request forgery

A vulnerability has been found in Woahai321 ListSync up to 0.6.6. This issue affects the function requests.post of the file list-sync-main/api_server.py of the component JSON Handler. The manipulation leads to server-side request forgery. The attack can be carried out remotely. The explo…

📅 Published: March 11, 2026, 9:32 p.m. 🔄 Last Modified: March 11, 2026, 9:32 p.m.

6.3

CVSS3.1

CVE-2026-32128 - FastGPT Python Sandbox Bypass of File-Write Restriction

FastGPT is an AI Agent building platform. In 4.14.7 and earlier, FastGPT's Python Sandbox (fastgpt-sandbox) includes guardrails intended to prevent file writes (static detection + seccomp). These guardrails are bypassable by remapping stdout (fd 1) to an arbitrary writable file descriptor using fcn…

📅 Published: March 11, 2026, 9:30 p.m. 🔄 Last Modified: March 11, 2026, 9:30 p.m.

7.6

CVSS3.1

CVE-2026-32117 - grafanacubism-panel: Stored XSS via javascript: URL in panel zoom link (Editor → Viewer)

The grafanacubism-panel plugin allows use of cubism.js in Grafana. In 0.1.2 and earlier, the panel's zoom-link handler passes a dashboard-editor-supplied URL directly to window.location.assign() / window.open() with no scheme validation. An attacker with dashboard Editor privileges can set the link…

📅 Published: March 11, 2026, 9:28 p.m. 🔄 Last Modified: March 11, 2026, 9:28 p.m.

10

CVSS3.1

CVE-2026-27591 - Winter: Privilege escalation by authenticated backend users

Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Prior to 1.0.477, 1.1.12, and 1.2.12, Winter CMS allowed authenticated backend users to escalate their accounts' level of access to the system by modifying the roles / permissions assigned to their acco…

📅 Published: March 11, 2026, 9:25 p.m. 🔄 Last Modified: March 11, 2026, 9:25 p.m.

5.1

CVSS4.0

CVE-2026-3957 - xierongwkhd weimai-wetapp Endpoint HomeController.java getLikeMovieList sql injection

A flaw has been found in xierongwkhd weimai-wetapp up to 5fe9e8225be4f73f2c5087f134aff657bdf1c6f2. This vulnerability affects the function getLikeMovieList of the file source-code/src/main/java/com/moke/wp/wx_weimai/controller/HomeController.java of the component Endpoint. Executing a manipulation …

📅 Published: March 11, 2026, 9:02 p.m. 🔄 Last Modified: March 11, 2026, 9:02 p.m.

8.8

CVSS3.1

CVE-2026-32127 - SQL Injection Vulnerability in ajax graphs library (OpenEMR)

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, OpenEMR contains a SQL injection vulnerability in the ajax graphs library that can be exploited by authenticated attackers. The vulnerability exists due to insufficient input v…

📅 Published: March 11, 2026, 8:53 p.m. 🔄 Last Modified: March 11, 2026, 8:53 p.m.
Total results: 337552