5.3
CVE-2026-23484 - Blinko: Authenticated Arbitrary File Write - saveDevPlugin
Blinko is an AI-powered card note-taking project. In versions from 1.8.3 and prior, the fileName parameter is not filtered, allowing path traversal to write files anywhere on the file system. Moreover, this interface only requires authProcedure (normal user), not superAdminAuthMiddleware. At time o…
6.9
CVE-2026-23483 - Blinko: Unauthorized Arbitrary File Read - /plugins
Blinko is an AI-powered card note-taking project. In versions from 1.8.3 and prior, the plugin file server endpoint uses join() to concatenate paths but does not verify if the final path is within the plugins directory, leading to path traversal. At time of publication, there are no publicly availa…
8.2
CVE-2026-23482 - Blinko: Unauthorized Arbitrary File Read - /api/file/temp
Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the file server endpoint does not perform permission checks on the temp/ path and does not filter path traversal sequences, allowing unauthorized attackers to read arbitrary files on the server. When scheduled backup tasks ar…
9.3
CVE-2026-3055 - Insufficient input validation leading to memory overread
Insufficient input validation in NetScaler ADC and NetScaler Gateway when configured as a SAML IDP leading to memory overread
5.3
CVE-2026-4597 - 648540858 wvp-GB28181-pro Stream Proxy Query StreamProxyProvider.java selectAll sql injection
A security flaw has been discovered in 648540858 wvp-GB28181-pro up to 2.7.4. Impacted is the function selectAll of the file src/main/java/com/genersoft/iot/vmp/streamProxy/dao/provider/StreamProxyProvider.java of the component Stream Proxy Query Handler. The manipulation results in sql injection. …
7.7
CVE-2026-4368 - Race Condition leading to User Session Mixup
Race Condition in NetScaler ADC and NetScaler Gateway when appliance is configured as Gateway (SSL VPN, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server leading to User Session Mixup
9.4
CVE-2026-2298 - Argument Injection via Web Services in Salesforce Marketing Cloud Engagement
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Salesforce Marketing Cloud Engagement allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 30th, 2026.
4.9
CVE-2026-32879 - New API has passkey-based secure step-up verification bypass for root-only channel secret disclosure
New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. Starting in version 0.10.0, a logic flaw in the universal secure verification flow allows an authenticated user with a registered passkey to satisfy secure verification without completing a WebA…
5.1
CVE-2026-4596 - projectworlds Lawyer Management System lawyers.php cross site scripting
A vulnerability was identified in projectworlds Lawyer Management System 1.0. This issue affects some unknown processing of the file /lawyers.php. The manipulation of the argument first_Name leads to cross site scripting. The attack may be initiated remotely. The exploit is publicly available and m…
6.5
CVE-2026-30886 - New API: IDOR in VideoProxy allows cross-user video content access via missing ownership check
New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.11.4-alpha.2, an Insecure Direct Object Reference (IDOR) vulnerability in the video proxy endpoint (`GET /v1/videos/:task_id/content`) allows any authenticated user to access …