6.3
CVE-2026-31867 - Craft Commerce has a Potential IDOR in Commerce carts
Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.11.0 and 5.6.0, An Insecure Direct Object Reference (IDOR) vulnerability exists in Craft Commerceβs cart functionality that allows users to hijack any shopping cart by knowing or guessing its 32-character number. The CartController aβ¦
7.5
CVE-2026-31866 - Allocation of Resources Without Limits or Throttling in flagd
flagd is a feature flag daemon with a Unix philosophy. Prior to 0.14.2, flagd exposes OFREP (/ofrep/v1/evaluate/...) and gRPC (evaluation.v1, evaluation.v2) endpoints for feature flag evaluation. These endpoints are designed to be publicly accessible by client applications. The evaluation context iβ¦
6.3
CVE-2026-30226 - devalue has prototype pollution in devalue.parse and devalue.unflatten
Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. In devalue v5.6.3 and earlier, devalue.parse and devalue.unflatten were susceptible to prototype pollution via maliciously crafted payloads. Successful exploitation could leaβ¦
3.6
CVE-2026-31863 - Improper Restriction of Excessive Authentication Attempts in github.com/anyproto/anytype-heart
Anytype Heart is the middleware library for Anytype. The challenge-based authentication for the local gRPC client API can be bypassed, allowing an attacker to gain access without the 4-digit code. This vulnerability is fixed in anytype-heart 0.48.4, anytype-cli 0.1.11, and Anytype Desktop 0.54.5.
6.9
CVE-2026-31859 - Craft has Reflective XSS via incomplete return URL sanitization
Craft is a content management system (CMS). The fix for CVE-2025-35939 in craftcms/cms introduced a strip_tags() call in src/web/User.php to sanitize return URLs before they are stored in the session. However, strip_tags() only removes HTML tags (angle brackets) -- it does not inspect or filter URLβ¦
8.7
CVE-2026-31858 - CraftCMS's `ElementSearchController` Affected by Blind SQL Injection
Craft is a content management system (CMS). The ElementSearchController::actionSearch() endpoint is missing the unset() protection that was added to ElementIndexesController in CVE-2026-25495. The exact same SQL injection vulnerability (including criteria[orderBy], the original advisory vector) worβ¦
8.1
CVE-2026-31857 - CraftCMS has an RCE vulnerability via relational conditionals in the control panel
Craft is a content management system (CMS). Prior to 5.9.9 and 4.17.4, a Remote Code Execution vulnerability exists in the Craft CMS 5 conditions system. The BaseElementSelectConditionRule::getElementIds() method passes user-controlled string input through renderObjectTemplate() -- an unsandboxed Tβ¦
8.7
CVE-2026-31975 - Cloud CLI WebSocket shell injection
Cloud CLI (aka Claude Code UI) is a desktop and mobile UI for Claude Code, Cursor CLI, Codex, and Gemini-CLI. Prior to 1.25.0, OS Command Injection via WebSocket Shell. Both projectPath and initialCommand in server/index.js are taken directly from the WebSocket message payload and interpolated intoβ¦
8.7
CVE-2026-31861 - Shell Command Injection in Git Routes [CloudCLI UI]
Cloud CLI (aka Claude Code UI) is a desktop and mobile UI for Claude Code, Cursor CLI, Codex, and Gemini-CLI. Prior to 1.24.0, The /api/user/git-config endpoint constructs shell commands by interpolating user-supplied gitName and gitEmail values into command strings passed to child_process.exec(). β¦
9.1
CVE-2026-31862 - Cloud CLI has Command Injection via Multiple Parameters
Cloud CLI (aka Claude Code UI) is a desktop and mobile UI for Claude Code, Cursor CLI, Codex, and Gemini-CLI. Prior to 1.24.0, multiple Git-related API endpoints use execAsync() with string interpolation of user-controlled parameters (file, branch, message, commit), allowing authenticated attackersβ¦