9.4

CVSS4.0

CVE-2026-26021 - Prototype pollution in set-in

set-in sets a value in a nested associative structure given an array of keys. A prototype pollution vulnerability exists in the npm package set-in (>=2.0.1, < 2.0.5). Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input contained a forbidden …

📅 Published: Feb. 11, 2026, 9:18 p.m. 🔄 Last Modified: April 17, 2026, 8:15 p.m.
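The entry above describes a blocklist-style mitigation that was bypassed. The following is an added illustration of that vulnerability class, not the set-in package's code: `setInBlocklisted` is a hypothetical first attempt that rejects only a literal `__proto__` segment, `setInSafe` is the hardened form, and the `constructor.prototype.*` path is a generic bypass pattern constructed for the demo, not the specific input from the advisory.

```javascript
// Added illustration of the prototype-pollution class behind the set-in entry.
// setInBlocklisted and setInSafe are hypothetical stand-ins written for this
// page; they are NOT the set-in package's code, and the key path below is a
// generic bypass pattern, not the specific input from the advisory.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// A first-attempt mitigation: reject only a literal "__proto__" segment, then
// walk the path, creating intermediate objects as needed.
function setInBlocklisted(obj, path, value) {
  if (path.includes('__proto__')) throw new Error('forbidden key: __proto__');
  let cur = obj;
  for (let i = 0; i < path.length - 1; i++) {
    const k = path[i];
    if (cur[k] === undefined || cur[k] === null) cur[k] = {};
    cur = cur[k]; // for k = "constructor" this walks onto Object itself
  }
  cur[path[path.length - 1]] = value;
  return obj;
}

// Hardened version: refuse every segment that can reach a prototype, and only
// descend into own, plain-object properties (never inherited ones).
function setInSafe(obj, path, value) {
  let cur = obj;
  for (let i = 0; i < path.length; i++) {
    const k = String(path[i]);
    if (FORBIDDEN_SEGMENTS.has(k)) throw new Error(`forbidden key segment: ${k}`);
    if (i === path.length - 1) { cur[k] = value; break; }
    const own = Object.prototype.hasOwnProperty.call(cur, k);
    if (!own || typeof cur[k] !== 'object' || cur[k] === null) cur[k] = {};
    cur = cur[k];
  }
  return obj;
}

// Runs both implementations against a constructed "constructor.prototype.x"
// path and reports whether Object.prototype got polluted.
function demo() {
  const attack = ['constructor', 'prototype', 'polluted'];

  setInBlocklisted({}, attack, 'pwned');
  const naiveLeaked = ({}).polluted === 'pwned';
  delete Object.prototype.polluted; // undo the pollution for the rest of the process

  let safeThrew = false;
  try { setInSafe({}, attack, 'pwned'); } catch (e) { safeThrew = true; }
  const safeLeaked = ({}).polluted !== undefined;

  let literalProtoBlocked = false;
  try { setInBlocklisted({}, ['__proto__', 'x'], 1); } catch (e) { literalProtoBlocked = true; }

  const benign = setInSafe({}, ['a', 'b', 'c'], 42);
  return { naiveLeaked, safeThrew, safeLeaked, literalProtoBlocked, benign: benign.a.b.c };
}
```

The blocklisted version stops the obvious `__proto__` input but still reaches `Object.prototype` through the inherited `constructor` property, which is why a fix must reject every prototype-reaching segment and refuse to descend into inherited properties at all.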

6.5

CVSS3.1

CVE-2026-26012 - vaultwarden has Full Cipher Enumeration Ignoring Organization Collection Permissions

vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to 1.35.3, a regular organization member can retrieve all ciphers within an organization, regardless of collection permissions. The endpoint /ciphers/organization-details is accessible to…

📅 Published: Feb. 11, 2026, 9:14 p.m. 🔄 Last Modified: April 17, 2026, 8:15 p.m.

4.1

CVSS3.1

CVE-2026-26019 - @langchain/community affected by SSRF Bypass in RecursiveUrlLoader via insufficient URL origin vali…

LangChain is a framework for building LLM-powered applications. Prior to 1.1.14, the RecursiveUrlLoader class in @langchain/community is a web crawler that recursively follows links from a starting URL. Its preventOutside option (enabled by default) is intended to restrict crawling to the same site…

📅 Published: Feb. 11, 2026, 9:11 p.m. 🔄 Last Modified: April 18, 2026, 6:15 p.m.
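The entry above concerns a same-site restriction defeated by insufficient origin validation. As an added example (not the @langchain/community implementation, whose actual check is not shown on this page), `isSameSiteNaive` below is a hypothetical prefix-style comparison and `isSameOrigin` is the corrected form that parses both URLs and compares origins; `BASE` and `SAMPLE_LINKS` are constructed inputs.

```javascript
// Added illustration of the URL-origin validation class behind the
// RecursiveUrlLoader entry. isSameSiteNaive is a hypothetical prefix-style
// check written for this page; isSameOrigin is the corrected form. Neither is
// the @langchain/community implementation, and the links are constructed.

// Prefix comparison: accepts anything whose text starts with the base URL.
function isSameSiteNaive(base, link) {
  return link.startsWith(base);
}

// Parse both URLs, resolve relative links against the base, and compare the
// scheme+host+port triple (the origin) rather than the text.
function isSameOrigin(base, link) {
  let b, l;
  try {
    b = new URL(base);
    l = new URL(link, base);
  } catch (e) {
    return false; // unparsable: never crawl
  }
  if (l.protocol !== 'http:' && l.protocol !== 'https:') return false;
  return l.origin === b.origin;
}

// Runs a set of links through both checks and reports each verdict.
function classifyLinks(base, links) {
  return links.map((link) => ({
    link,
    naive: isSameSiteNaive(base, link),
    strict: isSameOrigin(base, link),
  }));
}

const BASE = 'https://docs.example.com';
const SAMPLE_LINKS = [
  'https://docs.example.com/guide/intro',    // genuinely in scope
  '/guide/relative',                          // in scope, but the prefix check drops it
  'https://docs.example.com.attacker.test/',  // hostname merely starts with the base text
  'https://docs.example.com@attacker.test/',  // userinfo trick; the host is attacker.test
  '//attacker.test/path',                     // protocol-relative, different host
  'javascript:alert(1)',                      // not an http(s) URL at all
];

function demo() {
  return classifyLinks(BASE, SAMPLE_LINKS);
}
```

The prefix check both over-accepts (the `.attacker.test` and `@attacker.test` forms) and under-accepts (the relative link). Two caveats remain even with the origin check: a crawler that follows HTTP redirects must re-validate the final URL, and an origin check says nothing about whether the base host itself should be reachable from the crawler (internal addresses need a separate allowlist).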

5.9

CVSS3.1

CVE-2026-26014 - Pion DTLS random nonce generation with AES-GCM ciphers risks leaking the authentication key

Pion DTLS is a Go implementation of Datagram Transport Layer Security. Pion DTLS versions v1.0.0 through v3.0.10 and 3.1.0 use random nonce generation with AES-GCM ciphers, which makes it easier for remote attackers to obtain the authentication key and spoof data by leveraging the reuse of a nonce …

📅 Published: Feb. 11, 2026, 9:07 p.m. 🔄 Last Modified: April 18, 2026, 12:45 p.m.

7.6

CVSS3.1

CVE-2026-26010 - Leaky JWTs in OpenMetadata exposing highly-privileged bot users

OpenMetadata is a unified metadata platform. Prior to 1.11.8, calls issued by the UI against /api/v1/ingestionPipelines leak JWTs used by ingestion-bot for certain services (Glue / Redshift / Postgres). Any read-only user can gain access to a highly privileged account, which typically has the Inges…

📅 Published: Feb. 11, 2026, 9:05 p.m. 🔄 Last Modified: April 17, 2026, 8:15 p.m.

7.1

CVSS3.1

CVE-2026-25999 - Klaw has an improper authorisation check on /resetMemoryCache

Klaw is a self-service Apache Kafka Topic Management/Governance tool/portal. Prior to 2.10.2, there is an improper access control vulnerability that allows unauthorized users to trigger a reset or deletion of metadata for any tenant. By sending a crafted request to the /resetMemoryCache endpoint, a…

📅 Published: Feb. 11, 2026, 9 p.m. 🔄 Last Modified: April 18, 2026, 12:45 p.m.

8.1

CVSS4.0

CVE-2026-25994 - PJSIP has a heap buffer overflow in ICE with long username

PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, a buffer overflow vulnerability exists in PJNATH ICE Session when processing credentials with excessively long usernames.

📅 Published: Feb. 11, 2026, 8:56 p.m. 🔄 Last Modified: April 17, 2026, 8:15 p.m.

8.6

CVSS4.0

CVE-2026-25990 - Pillow has an out-of-bounds write when loading PSD images

Pillow is a Python imaging library. From 10.3.0 to before 12.1.1, an out-of-bounds write may be triggered when loading a specially crafted PSD image. This vulnerability is fixed in 12.1.1.

📅 Published: Feb. 11, 2026, 8:53 p.m. 🔄 Last Modified: April 30, 2026, 8:15 p.m.

8.5

CVSS4.0

CVE-2020-37158 - AVideo Platform 8.1 - Cross Site Request Forgery (Password Reset)

AVideo Platform 8.1 contains a cross-site request forgery vulnerability that allows attackers to reset user passwords by exploiting the password recovery mechanism. Attackers can craft malicious requests to the recoverPass endpoint using the user's recovery token to change account credentials witho…

📅 Published: Feb. 11, 2026, 8:49 p.m. 🔄 Last Modified: Feb. 20, 2026, 4:21 p.m.

6.9

CVSS4.0

CVE-2020-37156 - BloodX 1.0 - Authentication Bypass

BloodX 1.0 contains an authentication bypass vulnerability in login.php that allows attackers to access the dashboard without valid credentials. Attackers can exploit the vulnerability by submitting the payload '=''or' in the login parameters to bypass authentication and gain unauthorized access.

📅 Published: Feb. 11, 2026, 8:49 p.m. 🔄 Last Modified: April 15, 2026, 12:35 a.m.