6.3
CVE-2026-32293 - GL-iNet Comet (GL-RM1) KVM insufficient certificate validation
The GL-iNet Comet (GL-RM1) KVM connects to a GL-iNet site during boot-up to provision client and CA certificates. The GL-RM1 does not verify certificates used for this connection, allowing an attacker-in-the-middle to serve invalid client and CA certificates. The GL-RM1 will attempt to use the invaβ¦
9.3
CVE-2026-32292 - GL-iNet Comet (GL-RM1) KVM insufficient login rate-limiting
The GL-iNet Comet (GL-RM1) KVM web interface does not limit login requests, enabling brute-force attempts to guess credentials.
7
CVE-2026-32291 - GL-iNet Comet (GL-RM1) KVM unauthenticated root access via UART serial console
The GL-iNet Comet (GL-RM1) KVM before 1.8.2 does not require authentication on the UART serial console. This attack requires physically opening the device and connecting to the UART pins.
7
CVE-2026-32290 - GL-iNet Comet (GL-RM1) KVM insufficient firmware verification
The GL-iNet Comet (GL-RM1) KVM before version 1.8.2 does not sufficiently verify the authenticity of uploaded firmware files. An attacker-in-the-middle or a compromised update server could modify the firmware and the corresponding MD5 hash to pass verification.
6.9
CVE-2026-4319 - code-projects Simple Food Order System add-item.php sql injection
A vulnerability was identified in code-projects Simple Food Order System 1.0. Affected by this vulnerability is an unknown functionality of the file /routers/add-item.php. Such manipulation of the argument price leads to sql injection. The attack can be launched remotely. The exploit is publicly avβ¦
8.7
CVE-2026-4148 - ExpressionContext use-after-free in classic engine $lookup and $graphLookup aggregation operators
A use-after-free vulnerability can be triggered in sharded clusters by an authenticated user with the read role who issues a specially crafted $lookup or $graphLookup aggregation pipeline.
7.1
CVE-2026-4147 - Stack memory disclosure in filemd5 command
An authenticated user with the read role may read limited amounts of uninitialized stack memory via specially-crafted issuances of the filemd5 command.
4.3
CVE-2026-28506 - Outline's Information Disclosure in Activity Logs allows User Enumeration of Private Drafts
Outline is a service that allows for collaborative documentation. Prior to 1.5.0, the events.list API endpoint, used for retrieving activity logs, contains a logic flaw in its filtering mechanism. It allows any authenticated user to retrieve activity events associated with documents that have no coβ¦
8.1
CVE-2026-24901 - Outline's IDOR allows unauthorized viewing and seizing of private deleted drafts
Outline is a service that allows for collaborative documentation. Prior to 1.4.0, an Insecure Direct Object Reference (IDOR) vulnerability in the document restoration logic allows any team member to unauthorizedly restore, view, and seize ownership of deleted drafts belonging to other users, includβ¦
6.5
CVE-2026-21886 - OpenCTI's GraphQL Mutations Allow Deletion of Unrelated Entities
OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to version 6.9.1, the GraphQL mutations "IndividualDeletionDeleteMutation" is intended to allow users to delete individual entity objects respectively. However, it was observed that this mutatβ¦