2.5

CVSS3.1

CVE-2026-24508 - Improper Certificate Validation in Dell Alienware Command Center Enables Local Information Exposure

Dell Alienware Command Center (AWCC), versions prior to 6.12.24.0, contain an Improper Certificate Validation vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information exposure.

📅 Published: March 11, 2026, 6:56 p.m. 🔄 Last Modified: March 20, 2026, 3:29 p.m.

5.3

CVSS3.1

CVE-2026-31888 - Shopware has user enumeration via distinct error codes on Store API login endpoint

Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, the Store API login endpoint (POST /store-api/account/login) returns different error codes depending on whether the submitted email address belongs to a registered customer (CHECKOUT__CUSTOMER_AUTH_BAD_CREDENTIALS) or is unknown…

📅 Published: March 11, 2026, 6:53 p.m. 🔄 Last Modified: March 20, 2026, 3:29 p.m.

3.6

CVSS3.1

CVE-2026-24509 - Improper Access Control in Dell Alienware Command Center Leading to Denial of Service

Dell Alienware Command Center (AWCC), versions prior to 6.12.24.0, contain an Improper Access Control vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Denial of service.

📅 Published: March 11, 2026, 6:51 p.m. 🔄 Last Modified: March 20, 2026, 3:29 p.m.

8.9

CVSS4.0

CVE-2026-31887 - Shopware unauthenticated data extraction possible through store-api.order endpoint

Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, an insufficient check on the filter types for unauthenticated customers allows access to orders of other customers. This is part of the deepLinkCode support on the store-api.order endpoint. This vulnerability is fixed in 6.7.8.1…

📅 Published: March 11, 2026, 6:49 p.m. 🔄 Last Modified: March 20, 2026, 3:29 p.m.

7.7

CVSS3.1

CVE-2026-31881 - Runtipi unauthenticated /api/auth/reset-password allows operator account takeover during active res…

Runtipi is a personal homeserver orchestrator. Prior to 4.8.0, an unauthenticated attacker can reset the operator (admin) password when a password-reset request is active, resulting in full account takeover. The endpoint POST /api/auth/reset-password is exposed without authentication/authorization …

📅 Published: March 11, 2026, 6:37 p.m. 🔄 Last Modified: March 20, 2026, 3:29 p.m.

5.1

CVSS4.0

CVE-2026-31879 - Frappe Workspace modification and stored XSS due to improper resource ownership checks

Frappe is a full-stack web application framework. Prior to 14.100.2, 15.101.0, and 16.10.0, due to a lack of validation and improper permission checks, users could modify other users' private workspaces. Specially crafted requests could lead to stored XSS here. This vulnerability is fixed in 14.100…

📅 Published: March 11, 2026, 6:34 p.m. 🔄 Last Modified: March 20, 2026, 3:29 p.m.

4.8

CVSS4.0

CVE-2026-3949 - strukturag libheif HEIF File decoder_vvdec.cc vvdec_push_data2 out-of-bounds

A vulnerability was determined in strukturag libheif up to 1.21.2. This affects the function vvdec_push_data2 of the file libheif/plugins/decoder_vvdec.cc of the component HEIF File Parser. Executing a manipulation of the argument size can lead to out-of-bounds read. The attack needs to be launched…

📅 Published: March 11, 2026, 6:32 p.m. 🔄 Last Modified: April 22, 2026, 9:30 p.m.

5

CVSS3.1

CVE-2026-31878 - Frappe: Possible SSRF by any authenticated user

Frappe is a full-stack web application framework. Prior to 14.100.1, 15.100.0, and 16.6.0, a malicious user could send a crafted request to an endpoint which would lead to the server making an HTTP call to a service of the user's choice. This vulnerability is fixed in 14.100.1, 15.100.0, and 16.6.0.

📅 Published: March 11, 2026, 6:32 p.m. 🔄 Last Modified: March 20, 2026, 3:29 p.m.

9.3

CVSS4.0

CVE-2026-31877 - Frappe SQL Injection due to improper field sanitization

Frappe is a full-stack web application framework. Prior to 15.84.0 and 14.99.0, a specially crafted request made to a certain endpoint could result in SQL injection, allowing an attacker to extract information they wouldn't otherwise be able to. This vulnerability is fixed in 15.84.0 and 14.99.0.

📅 Published: March 11, 2026, 6:28 p.m. 🔄 Last Modified: March 20, 2026, 3:29 p.m.

9.3

CVSS4.0

CVE-2019-25487 - SAPIDO RB-1732 V2.0.43 Remote Command Execution via formSysCmd

SAPIDO RB-1732 V2.0.43 contains a remote command execution vulnerability that allows unauthenticated attackers to execute arbitrary system commands by submitting malicious input to the formSysCmd endpoint. Attackers can send POST requests with the sysCmd parameter containing shell commands to execu…

📅 Published: March 11, 2026, 6:23 p.m. 🔄 Last Modified: April 15, 2026, 2:56 p.m.