5.1
CVE-2026-4285 - taoofagi easegen-admin Pdf2MdUtil.java recognizeMarkdown path traversal
A vulnerability was identified in taoofagi easegen-admin up to 8f87936ac774065b92fb20aab55b274a6ea76433. Impacted is the function recognizeMarkdown of the file yudao-module-digitalcourse/yudao-module-digitalcourse-biz/src/main/java/cn/iocoder/yudao/module/digitalcourse/util/Pdf2MdUtil.java. Such maβ¦
5.1
CVE-2026-4284 - taoofagi easegen-admin PPT File PPTUtil.java downloadFile server-side request forgery
A vulnerability was determined in taoofagi easegen-admin up to 8f87936ac774065b92fb20aab55b274a6ea76433. This issue affects the function downloadFile of the file - yudao-module-digitalcourse/yudao-module-digitalcourse-biz/src/main/java/cn/iocoder/yudao/module/digitalcourse/util/PPTUtil.java of the β¦
9.1
CVE-2026-4177 - YAML::Syck versions through 1.36 for Perl has several potential security vulnerabilities including β¦
YAML::Syck versions through 1.36 for Perl has several potential security vulnerabilities including a high-severity heap buffer overflow in the YAML emitter. The heap overflow occurs when class names exceed the initial 512-byte allocation. The base64 decoder could read past the buffer end on trailβ¦
5.5
CVE-2026-21991 -
A DTrace component, dtprobed, allows arbitrary file creation through crafted USDT provider names.
8.2
CVE-2026-32829 - lz4_flex: Decompression can leak information from uninitialized memory or reused output buffer
lz4_flex is a pure Rust implementation of LZ4 compression/decompression. In versions 0.11.5 and below, and 0.12.0, decompressing invalid LZ4 data can leak sensitive information from uninitialized memory or from previous decompression operations. The library fails to properly validate offset valuesβ¦
8.7
CVE-2026-29522 - ZwickRoell Test Data Management < 3.0.8 Path Traversal LFI
ZwickRoell Test Data Management versions prior toΒ 3.0.8 contain a local file inclusion (LFI) vulnerability in the /server/node_upgrade_srv.js endpoint. An unauthenticated attacker can supply directory traversal sequences via the firmware parameter to access arbitrary files on the server, leading toβ¦
4.3
CVE-2026-1629 - Permalink Preview Information Disclosure After Permission Revocation
Mattermost versions 10.11.x <= 10.11.10 Fail to invalidate cached permalink preview data when a user loses channel access which allows the user to continue viewing private channel content via previously cached permalink previews until cache reset or relogin.. Mattermost Advisory ID: MMSA-2026-00580
3.8
CVE-2026-26230 - Team Admin Privilege Escalation to Demote Members to Guest
Mattermost versions 10.11.x <= 10.11.10 fail to properly validate permission requirements in the team member roles API endpoint which allows team administrators to demote members to guest role. Mattermost Advisory ID: MMSA-2025-00531
5.8
CVE-2026-2454 - DoS in Calls plugin via malformed msgpack in websocket request.
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to handle incorrectly reported array lengths which allows malicious user to cause OOM errors and crash the server via sending corrupted msgpack frames within websocket messages to calls plugin. Mattermost Advisory ID: β¦
4.3
CVE-2026-26304 - Permission Bypass in Playbook Run Creation
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2 fail to verify run_create permission for empty playbookId, which allows team members to create unauthorized runs via the playbook run API. Mattermost Advisory ID: MMSA-2025-00542