8
CVE-2026-24785 - Clatter has a PSK Validity Rule Violation issue
Clatter is a no_std compatible, pure Rust implementation of the Noise protocol framework with post-quantum support. Versiosn prior to2.2.0 have a protocol compliance vulnerability. The library allowed post-quantum handshake patterns that violated the PSK validity rule (Noise Protocol Framework Sectβ¦
6.5
CVE-2026-24134 - StudioCMS has an Authorization Bypass Through User-Controlled Key
StudioCMS is a server-side-rendered, Astro native, headless content management system. Versions prior to 0.2.0 contain a Broken Object Level Authorization (BOLA) vulnerability in the Content Management feature that allows users with the "Visitor" role to access draft content created by Editor/Adminβ¦
10
CVE-2026-23830 - SandboxJS has Sandbox Escape via Unprotected AsyncFunction Constructor
SandboxJS is a JavaScript sandboxing library. Versions prior to 0.8.26 have a sandbox escape vulnerability due to `AsyncFunction` not being isolated in `SandboxFunction`. The library attempts to sandbox code execution by replacing the global `Function` constructor with a safe, sandboxed version (`Sβ¦
8.2
CVE-2025-55292 - In Meshtastic, an attacker can spoof licensed amateur flag for a node
Meshtastic is an open source mesh networking solution. In the current Meshtastic architecture, a Node is identified by their NodeID, generated from the MAC address, rather than their public key. This aspect downgrades the security, specifically by abusing the HAM mode which doesn't use encryption. β¦
8.8
CVE-2025-67645 - OpenEMR Vulnerable to Broken Access Control in Profile Edit Endpoint
OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 7.0.4 have a broken access control in the Profile Edit endpoint. An authenticated normal user can modify the request parameters (pubpid / pid) to reference another userβs recorβ¦
7.1
CVE-2025-54373 - OpenEMR may expose Contents of Clinical Notes and Care Planto users who do not have Sensitivities=hβ¦
OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 7.0.4 have a vulnerability where sensitive data is unintentionally revealed to unauthorized parties. Contents of Clinical Notes and Care Plan, where an encounter has Sensitivitβ¦
5.9
CVE-2026-24910 -
In Bun before 1.3.5, the default trusted dependencies list (aka trust allow list) can be spoofed by a non-npm package in the case of a matching name (for file, link, git, or github).
5.9
CVE-2026-24909 -
vlt before 1.0.0-rc.10 mishandles path sanitization for tar, leading to path traversal during extraction.
7.5
CVE-2026-24783 - soroban-fixed-point-math has Incorrect Rounding and Overflow Handling in Signed Fixed-Point Math wiβ¦
soroban-fixed-point-math is a fixed-point math library for Soroban smart contacts. In versions 1.3.0 and 1.4.0, the `mulDiv(x, y, z)` function incorrectly handled cases where both the intermediate product $x * y$ and the divisor $z$ were negative. The logic assumed that if the intermediate product β¦
7.1
CVE-2026-24779 - vLLM vulnerable to Server-Side Request Forgery (SSRF) in `MediaConnector`
vLLM is an inference and serving engine for large language models (LLMs). Prior to version 0.14.1, a Server-Side Request Forgery (SSRF) vulnerability exists in the `MediaConnector` class within the vLLM project's multimodal feature set. The load_from_url and load_from_url_async methods obtain and pβ¦