5.9
CVE-2026-30897 - Stack-Based Buffer Overflow Enabling Remote Code Execution on FortiWeb
A stack-based buffer overflow vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.3, FortiWeb 7.6.0 through 7.6.6, FortiWeb 7.4.0 through 7.4.11, FortiWeb 7.2 all versions, FortiWeb 7.0 all versions may allow a remote authenticated attacker who can bypass stack protection and ASLR to execute arbitβ¦
5.1
CVE-2026-22628 - Improper Access Control Enabling Remote Command Execution via SSH Config on FortiSwitchAXFixed
An improper access control vulnerability in Fortinet FortiSwitchAXFixed 1.0.0 through 1.0.1 may allow an authenticated admin to execute system commands via a specifically crafted SSH config file.
8.7
CVE-2026-30941 - Parse Server has a NoSQL injection via token type in password reset and email verification endpoints
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.14 and 9.5.2-alpha.1, NoSQL injection vulnerability allows an unauthenticated attacker to inject MongoDB query operators via the token field in the password reset and email verificatβ¦
8.8
CVE-2026-30939 - Parse Server has Denial of Service (DoS) and Cloud Function Dispatch Bypass via Prototype Chain Resβ¦
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.13 and 9.5.1-alpha.2, an unauthenticated attacker can crash the Parse Server process by calling a Cloud Function endpoint with a prototype property name as the function name. The serβ¦
6.9
CVE-2026-30938 - Parse Server has denylist `requestKeywordDenylist` keyword scan bypass through nested object placemβ¦
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.12 and 9.5.1-alpha.1, the requestKeywordDenylist security control can be bypassed by placing any nested object or array before a prohibited keyword in the request payload. This is caβ¦
7.3
CVE-2026-30930 - Glances has SQL Injection via Process Names in TimescaleDB Export
Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.1, The TimescaleDB export module constructs SQL queries using string concatenation with unsanitized system monitoring data. The normalize() method wraps string values in single quotes but does not escape embedded single qβ¦
8.7
CVE-2026-30928 - Glances Exposes Unauthenticated Configuration Secrets
Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.1, the /api/4/config REST API endpoint returns the entire parsed Glances configuration file (glances.conf) via self.config.as_dict() with no filtering of sensitive values. The configuration file contains credentials for aβ¦
8.9
CVE-2026-30934 - FileBrowser Quantum: Stored XSS in public share page via unsanitized share metadata (text/template β¦
FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-beta and 1.2.2-stable, Stored XSS is possible via share metadata fields (e.g., title, description) that are rendered into HTML for /public/share/<hash> without context-aware escaping. The server uses text/template inβ¦
7.5
CVE-2026-30933 - FileBrowser Quantum Incomplete Remediation of CVE-2026-27611: Password-Protected Share Bypass via /β¦
FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-beta and 1.2.2-stable, the remediation for CVE-2026-27611 is incomplete. Password protected shares still disclose tokenized downloadURL via /public/api/share/info. This vulnerability is fixed in 1.3.1-beta and 1.2.2-β¦
5.3
CVE-2026-27661 - Metadata Leak in Siemens SINEC Security Monitor
A vulnerability has been identified in SINEC Security Monitor (All versions < V4.9.0). The affected application leaks confidential information in metadata, and files such as information on contributors and email address, on `SSM Server`.