5.3

CVSS4.0

CVE-2026-3965 - whyour qinglong API express.ts protection mechanism

A security vulnerability has been detected in whyour qinglong up to 2.20.1. Affected is an unknown function of the file back/loaders/express.ts of the component API Interface. The manipulation of the argument command leads to protection mechanism failure. The attack may be initiated remotely. The e…

📅 Published: March 11, 2026, 11:32 p.m. 🔄 Last Modified: April 22, 2026, 9:30 p.m.

6.8

CVSS3.1

CVE-2026-2808 - Consul vulnerable to arbitrary file reads through the vault kubernetes authentication provider

HashiCorp Consul and Consul Enterprise 1.18.20 up to 1.21.10 and 1.22.4 are vulnerable to arbitrary file read when configured with Kubernetes authentication. This vulnerability, CVE-2026-2808, is fixed in Consul 1.18.21, 1.21.11 and 1.22.5.

📅 Published: March 11, 2026, 11:08 p.m. 🔄 Last Modified: April 17, 2026, 5:57 p.m.

4.8

CVSS4.0

CVE-2026-3964 - OpenAkita Chat API Endpoint shell.py run os command injection

A weakness has been identified in OpenAkita up to 1.24.3. This impacts the function run of the file src/openakita/tools/shell.py of the component Chat API Endpoint. Executing a manipulation of the argument Message can lead to os command injection. The attack is restricted to local execution. The ex…

📅 Published: March 11, 2026, 11:02 p.m. 🔄 Last Modified: April 22, 2026, 9:30 p.m.

6.3

CVSS4.0

CVE-2026-3963 - perfree go-fastdfs-web Apache Shiro RememberMe ShiroConfig.java rememberMeManager hard-coded key

A security flaw has been discovered in perfree go-fastdfs-web up to 1.3.7. This affects the function rememberMeManager of the file src/main/java/com/perfree/config/ShiroConfig.java of the component Apache Shiro RememberMe. Performing a manipulation results in use of hard-coded cryptographic key. …

📅 Published: March 11, 2026, 11:02 p.m. 🔄 Last Modified: April 22, 2026, 9:30 p.m.

6.9

CVSS4.0

CVE-2026-31988 - yauzl 3.2.0 - Denial of Service via Off-by-One Error in NTFS Timestamp Parser

yauzl (aka Yet Another Unzip Library) version 3.2.0 for Node.js contains an off-by-one error in the NTFS extended timestamp extra field parser within the getLastModDate() function. The while loop condition checks cursor < data.length + 4 instead of cursor + 4 <= data.length, allowing readUInt16LE()…

📅 Published: March 11, 2026, 10:58 p.m. 🔄 Last Modified: April 15, 2026, 2:56 p.m.

5.3

CVSS4.0

CVE-2026-3962 - Jcharis Machine-Learning-Web-Apps Jinja2 Template app.py render_template cross site scripting

A vulnerability was identified in Jcharis Machine-Learning-Web-Apps up to a6996b634d98ccec4701ac8934016e8175b60eb5. The impacted element is the function render_template of the file Machine-Learning-Web-Apps-master/Build-n-Deploy-Flask-App-with-Waypoint/app/app.py of the component Jinja2 Template Ha…

📅 Published: March 11, 2026, 10:32 p.m. 🔄 Last Modified: April 22, 2026, 9:30 p.m.

6.5

CVSS3.1

CVE-2026-3937 - UI Spoofing via Incorrect Download Security UI in Google Chrome Android

Incorrect security UI in Downloads in Google Chrome on Android prior to 146.0.7680.71 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)

📅 Published: March 11, 2026, 10:04 p.m. 🔄 Last Modified: March 20, 2026, 3:36 p.m.

8.8

CVSS3.1

CVE-2026-3936 - Use‑After‑Free in Chrome WebView Enables Heap Corruption via Crafted HTML

Use after free in WebView in Google Chrome on Android prior to 146.0.7680.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)

📅 Published: March 11, 2026, 10:04 p.m. 🔄 Last Modified: March 20, 2026, 3:36 p.m.

6.5

CVSS3.1

CVE-2026-3932 - Chrome Android PDF Navigation Restriction Bypass via Crafted HTML Page

Insufficient policy enforcement in PDF in Google Chrome on Android prior to 146.0.7680.71 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium)

📅 Published: March 11, 2026, 10:04 p.m. 🔄 Last Modified: March 20, 2026, 3:36 p.m.

3.7

CVSS3.1

CVE-2025-62328 - HCL Nomad server on Domino is affected by a missing default frame-ancestors directive

HCL Nomad server on Domino did not configure the frame-ancestors directive in the Content-Security-Policy header by default which could allow an attacker to obtain sensitive information via unspecified vectors.

📅 Published: March 11, 2026, 10:04 p.m. 🔄 Last Modified: March 20, 2026, 3:36 p.m.
Total results: 349182