1.2

CVSS4.0

CVE-2026-4159 - wc_PKCS7_DecodeEnvelopedData 1 byte out-of-bounds read

1-byte OOB heap read in wc_PKCS7_DecodeEnvelopedData via zero-length encrypted content. A vulnerability existed in wolfSSL 5.8.4 and earlier, where a 1-byte out-of-bounds heap read in wc_PKCS7_DecodeEnvelopedData could be triggered by a crafted CMS EnvelopedData message with zero-length encrypted c…

📅 Published: March 19, 2026, 9:17 p.m. 🔄 Last Modified: April 29, 2026, 5:27 p.m.

8.7

CVSS4.0

CVE-2026-27934 - Discourse leaks private topic title and post excerpt via user action API endpoint

Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have a lack of visibility checks with a user action API endpoint that results in disclosure of the title and post excerpt to unauthorized users, leading to information disclosure. Versions 2…

📅 Published: March 19, 2026, 9:17 p.m. 🔄 Last Modified: March 26, 2026, 12:20 p.m.

6.8

CVSS3.1

CVE-2026-32750 - SiYuan importStdMd: unvalidated localPath imports arbitrary host directories as persistent notes

SiYuan is a personal knowledge management system. In versions 3.6.0 and below, POST /api/import/importStdMd passes the localPath parameter directly to model.ImportFromLocalPath with zero path validation. The function recursively reads every file under the given path and permanently stores their con…

📅 Published: March 19, 2026, 9:15 p.m. 🔄 Last Modified: March 25, 2026, 2:55 p.m.

5.1

CVSS4.0

CVE-2026-32751 - SiYuan Vulnerable to Remote Code Execution via Stored XSS in Notebook Name - Mobile Interface

SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the mobile file tree (MobileFiles.ts) renders notebook names via innerHTML without HTML escaping when processing renamenotebook WebSocket events. The desktop version (Files.ts) properly uses escapeHtml() for the same ope…

📅 Published: March 19, 2026, 9:11 p.m. 🔄 Last Modified: March 25, 2026, 11:54 a.m.

7.6

CVSS3.1

CVE-2026-32749 - SiYuan importSY/importZipMd: Path Traversal via multipart filename enables arbitrary file write

SiYuan is a personal knowledge management system. In versions 3.6.0 and below, POST /api/import/importSY and POST /api/import/importZipMd write uploaded archives to a path derived from the multipart filename field without sanitization, allowing an admin to write files to arbitrary locations outside…

📅 Published: March 19, 2026, 9:07 p.m. 🔄 Last Modified: March 25, 2026, 11:54 a.m.

1.2

CVSS4.0

CVE-2026-3229 - Integer Overflow in Certificate Chain Allocation

An integer overflow vulnerability existed in the static function wolfssl_add_to_chain that caused heap corruption when certificate data was written out of bounds of an insufficiently sized certificate buffer. wolfssl_add_to_chain is called by these APIs: wolfSSL_CTX_add_extra_chain_cert, wolfSSL_CT…

📅 Published: March 19, 2026, 9:07 p.m. 🔄 Last Modified: March 27, 2026, 9:21 a.m.

9.9

CVSS3.1

CVE-2026-26137 - Microsoft Exchange Elevation of Privilege Vulnerability

Server-side request forgery (SSRF) in Microsoft Exchange allows an authorized attacker to elevate privileges over a network.

📅 Published: March 19, 2026, 9:06 p.m. 🔄 Last Modified: April 14, 2026, 4:36 p.m.

6.5

CVSS3.1

CVE-2026-26136 - Microsoft Copilot Information Disclosure Vulnerability

Improper neutralization of special elements used in a command ('command injection') in Microsoft Copilot allows an unauthorized attacker to disclose information over a network.

📅 Published: March 19, 2026, 9:06 p.m. 🔄 Last Modified: April 14, 2026, 4:36 p.m.

5.3

CVSS3.1

CVE-2026-24299 - M365 Copilot Information Disclosure Vulnerability

Improper neutralization of special elements used in a command ('command injection') in M365 Copilot allows an unauthorized attacker to disclose information over a network.

📅 Published: March 19, 2026, 9:06 p.m. 🔄 Last Modified: April 14, 2026, 4:36 p.m.

8.6

CVSS3.1

CVE-2026-23659 - Azure Data Factory Information Disclosure Vulnerability

Exposure of sensitive information to an unauthorized actor in Azure Data Factory allows an unauthorized attacker to disclose information over a network.

📅 Published: March 19, 2026, 9:06 p.m. 🔄 Last Modified: April 14, 2026, 4:36 p.m.