5.3
CVE-2026-4507 - Mindinventory MindSQL mindsql_core.py ask_db sql injection
A vulnerability was determined in Mindinventory MindSQL up to 0.2.1. The affected element is the function ask_db of the file mindsql/core/mindsql_core.py. Executing a manipulation can lead to sql injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilβ¦
5.3
CVE-2026-4506 - Mindinventory MindSQL mindsql_core.py ask_db code injection
A vulnerability was found in Mindinventory MindSQL up to 0.2.1. Impacted is the function ask_db of the file mindsql/core/mindsql_core.py. Performing a manipulation results in code injection. The attack can be initiated remotely. The exploit has been made public and could be used. The vendor was conβ¦
4.3
CVE-2026-33177 - Statamic is missing authorization check on taxonomy term creation via fieldtype
Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.14 and 6.7.0, low-privileged Control Panel users could create taxonomy terms by submitting requests to the field action processing endpoint with attacker-controlled field definitions. This bypasses the autβ¦
8.7
CVE-2026-33172 - Statamic has Stored XSS via SVG Sanitization Bypass
Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.14 and 6.7.0, a stored XSS vulnerability in SVG asset reuploads allows authenticated users with asset upload permissions to bypass SVG sanitization and inject malicious JavaScript that executes when the asβ¦
4.3
CVE-2026-33171 - Statamic has a path traversal in file dictionary fieldtype
Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.14 and 6.7.0, authenticated Control Panel users could read arbitrary `.json`, `.yaml`, and `.csv` files from the server by manipulating the file dictionary's `filename` configuration parameter in the fieldβ¦
8.6
CVE-2026-33166 - Allure Report has an Arbitrary File Read via Path Traversal in Attachment Processing (Allure 1, Allβ¦
Allure 2 is the version 2.x branch of Allure Report, a multi-language test reporting tool. The Allure report generator prior to version 2.38.0 is vulnerable to an arbitrary file read via path traversal when processing test results. An attacker can craft a malicious result file (-result.json, -contaβ¦
7.4
CVE-2026-32887 - Effect Bug: `AsyncLocalStorage` context lost/contaminated inside Effect fibers under concurrent loaβ¦
Effect is a TypeScript framework that consists of several packages that work together to help build TypeScript applications. Prior to version 3.20.0, when using `RpcServer.toWebHandler` (or `HttpApp.toWebHandlerRuntime`) inside a Next.js App Router route handler, any Node.js `AsyncLocalStorage`-depβ¦
9.8
CVE-2026-3584 - Kali Forms <= 2.4.9 - Unauthenticated Remote Code Execution via form_process
The Kali Forms plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.4.9 via the 'form_process' function. This is due to the 'prepare_post_data' function mapping user-supplied keys directly into internal placeholder storage, combined with the use of 'caβ¦
7.4
CVE-2026-2378 - Address bar spoofing risk in ArcSearch on Android
ArcSearch for Android versions prior to 1.12.7 could display a different domain in the address bar than the content being shown, enabling address bar spoofing after user interaction via crafted web content.
8.7
CVE-2026-33164 - NULL Pointer Dereference in libde265
libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.17, a malformed H.265 PPS NAL unit causes a segmentation fault in pic_parameter_set::set_derived_values(). This issue has been patched in version 1.0.17.