9.8
CVE-2026-27847 - Missing authentication in Linksys MR9600, Linksys MX4200
Due to improper neutralization of special elements, SQL statements can be injected via the handshake of a TLS-SRP connection. This can be used to inject known credentials into the database that can be utilized to successfully complete the handshake and use the protected service. This issue affects …
8.8
CVE-2026-27701 - LiveCodes vulnerable to JavaScript Injection via untrusted PR title in i18n-update-pull workflow
LiveCodes is an open-source, client-side code playground. Prior to commit e151c64c2bd80d2d53ac1333f1df9429fe6a1a11, LiveCodes' `i18n-update-pull` GitHub Actions workflow is vulnerable to JavaScript injection. The title of the Pull Request associated with the triggering issue comment is interpolated …
6.2
CVE-2026-27846 - Missing authentication in Linksys MR9600, Linksys MX4200
Due to missing authentication, a user with physical access to the device can misuse the mesh functionality for adding a new mesh device to the network to gain access to sensitive information, including the password for admin access to the web interface and the Wi-Fi passwords. This issue affects MR…
8.2
CVE-2026-27700 - Hono is Vulnerable to Authentication Bypass by IP Spoofing in AWS Lambda ALB conninfo
Hono is a Web application framework that provides support for any JavaScript runtime. In versions 4.12.0 and 4.12.1, when using the AWS Lambda adapter (`hono/aws-lambda`) behind an Application Load Balancer (ALB), the `getConnInfo()` function incorrectly selected the first value from the `X-Forward…
9.1
CVE-2026-27699 - Basic FTP has Path Traversal Vulnerability in its downloadToDir() method
The `basic-ftp` FTP client library for Node.js contains a path traversal vulnerability (CWE-22) in versions prior to 5.2.0 in the `downloadToDir()` method. A malicious FTP server can send directory listings with filenames containing path traversal sequences (`../`) that cause files to be written ou…
4.3
CVE-2026-27695 - zae-limiter: DynamoDB hot partition throttling enables per-entity Denial of Service
zae-limiter is a rate limiting library using the token bucket algorithm. Prior to version 0.10.1, all rate limit buckets for a single entity share the same DynamoDB partition key (`namespace/ENTITY#{id}`). A high-traffic entity can exceed DynamoDB's per-partition throughput limits (~1,000 WCU/sec), …
5.3
CVE-2026-2878 - Insufficient Entropy Vulnerability in Telerik UI for ASP.NET AJAX
In Progress® Telerik® UI for AJAX, versions prior to 2026.1.225, an insufficient entropy vulnerability exists in RadAsyncUpload, where a predictable temporary identifier, based on timestamp and filename, can enable collisions and file content tampering.
7.1
CVE-2026-27692 - iccDEV has HBO in CIccTagTextDescription::Release()
iccDEV provides a set of libraries and tools for working with ICC color management profiles. In versions up to and including 2.3.1.4, a heap-buffer-overflow read occurs during CIccTagTextDescription::Release() when strlen() reads past a heap buffer while parsing ICC profile XML text description tags, …
6.2
CVE-2026-27691 - iccDEV has SIO in parse3DTable() at iccFromCube.cpp Line 218
iccDEV provides a set of libraries and tools for working with ICC color management profiles. In versions up to and including 2.3.1.4, signed integer overflow in iccFromCube.cpp during multiplication triggers undefined behavior, potentially causing crashes or incorrect ICC profile generation when pr…
5.5
CVE-2026-3203 - Buffer Over-read in Wireshark
RF4CE Profile protocol dissector crash in Wireshark 4.6.0 to 4.6.3 and 4.4.0 to 4.4.13 allows denial of service