5.1
CVE-2026-2064 - Portabilis i-Educar User Data meusdadod.php cross site scripting
A vulnerability was identified in Portabilis i-Educar up to 2.10. Affected by this vulnerability is an unknown functionality of the file /intranet/meusdadod.php of the component User Data Page. Such manipulation of the argument File leads to cross site scripting. It is possible to launch the attack…
4.3
CVE-2026-25642 - HedgeDoc security headers for uploaded files were not working
HedgeDoc is an open source, real-time, collaborative, markdown notes application. Prior to 1.10.6, files served below the /uploads/ endpoint did not use a stricter security policy. This resulted in an overly permissive Content-Security-Policy and furthermore opened the possibility to host malicious intera…
6.8
CVE-2026-25727 - time affected by a stack exhaustion denial of service attack
time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used features that are p…
3.3
CVE-2025-15320 - Tanium addressed a denial of service vulnerability in Tanium Client.
Tanium addressed a denial of service vulnerability in Tanium Client.
9.1
CVE-2026-25643 - Frigate Affected by Authenticated Remote Command Execution (RCE) and Container Escape
Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. Prior to 0.16.4, a critical Remote Command Execution (RCE) vulnerability has been identified in the Frigate integration with go2rtc. The application does not sanitize user input in the video stream config…
0
CVE-2026-22254 - Winter Affected by Stored Cross-Site Scripting (XSS) in Asset Manager
Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Versions of Winter CMS before 1.2.10 allowed users with access to the CMS Asset Manager to upload SVGs without automatic sanitization. To actively exploit this security issue, an attacker would…
9.1
CVE-2026-25751 - FUXA Unauthenticated Exposure of Plaintext Database Credentials
FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. An information disclosure vulnerability in FUXA allows an unauthenticated, remote attacker to retrieve sensitive administrative database credentials. Exploitation allows an unauthenticated, remote attacker to obtain the full …
9.3
CVE-2026-25752 - FUXA Unauthenticated Remote Arbitrary Device Tag Write
FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. An authorization bypass vulnerability in FUXA allows an unauthenticated, remote attacker to modify device tags via WebSockets. Exploitation allows an unauthenticated, remote attacker to bypass role-based access controls and o…
4.6
CVE-2026-25647 - Lute has a Stored Cross-Site Scripting (XSS) via Markdown hyperlink
Lute is a structured Markdown engine supporting Go and JavaScript. Lute 1.7.6 and earlier (as used in SiYuan before) has a Stored Cross-Site Scripting (XSS) vulnerability in the Markdown rendering engine. An attacker can inject malicious JavaScript into a Markdown text/note. When another user click…
5.1
CVE-2026-2063 - D-Link DIR-823X Web Management set_ac_server os command injection
A security flaw has been discovered in D-Link DIR-823X 250416. This vulnerability affects unknown code of the file /goform/set_ac_server of the component Web Management Interface. The manipulation of the argument ac_server results in os command injection. The attack can be launched remotely. The ex…