7.8
CVE-2026-24062 - Insufficient XPC Client validation leading to local privilege escalation in Arturia Software Center
The "Privileged Helper" component of the Arturia Software Center (macOS) does not perform sufficient client code signature validation when a client connects. This allows an attacker to connect to the helper and execute privileged actions, resulting in local privilege escalation.
4.3
CVE-2026-33004 - LoadNinja API Keys Unmasked in Jenkins LoadNinja Plugin
Jenkins LoadNinja Plugin 2.1 and earlier does not mask LoadNinja API keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them.
4.3
CVE-2026-33003 -
Jenkins LoadNinja Plugin 2.1 and earlier stores LoadNinja API keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
7.5
CVE-2026-33002 - jenkins: Jenkins: Origin validation bypass via DNS rebinding in CLI WebSocket endpoint
Jenkins 2.442 through 2.554 (both inclusive), LTS 2.426.3 through LTS 2.541.2 (both inclusive) performs origin validation of requests made through the CLI WebSocket endpoint by computing the expected origin for comparison using the Host or X-Forwarded-Host HTTP request headers, making it vulnerable…
8.8
CVE-2026-33001 - jenkins: Jenkins: Arbitrary file write and potential code execution through crafted archives
Jenkins 2.554 and earlier, LTS 2.541.2 and earlier does not safely handle symbolic links during the extraction of .tar and .tar.gz archives, allowing crafted archives to write files to arbitrary locations on the filesystem, restricted only by file system access permissions of the user running Jenki…
7.5
CVE-2026-32609 - Glances has Incomplete Secrets Redaction: /api/v4/args Endpoint Leaks Password Hash and SNMP Creden…
Glances is an open-source system cross-platform monitoring tool. The GHSA-gh4x fix (commit 5d3de60) addressed unauthenticated configuration secrets exposure on the `/api/v4/config` endpoints by introducing `as_dict_secure()` redaction. However, the `/api/v4/args` and `/api/v4/args/{item}` endpoints…
7.4
CVE-2026-3278 - XSS Vulnerability discovered in OpenText™ ZENworks Service Desk.
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in OpenText™ ZENworks Service Desk allows Cross-Site Scripting (XSS). The vulnerability could allow an attacker to execute arbitrary JavaScript leading to unauthorized actions on behalf of the user. Th…
9.8
CVE-2026-25449 - WordPress Traveler theme < 3.2.8.1 - PHP Object Injection vulnerability
Deserialization of Untrusted Data vulnerability in shinetheme Traveler traveler allows Object Injection. This issue affects Traveler: from n/a through < 3.2.8.1.
7.5
CVE-2026-4427 - github.com/jackc/pgproto3: pgproto3: Denial of Service via negative field length in DataRow message
Duplicate of CVE-2026-32286
6.6
CVE-2026-32694 - Insecure Direct Object Reference attack via predictable secret ID in Juju
In Juju from version 3.0.0 through 3.6.18, when a secret owner grants permissions to a secret to a grantee, the secret owner relies exclusively on a predictable XID of the secret to verify ownership. This allows a malicious grantee which can request secrets to predict past secrets granted by the sa…