9.4 (CVSS 4.0)

CVE-2026-22813 - Malicious website can execute commands on the local system through XSS in the OpenCode web UI

OpenCode is an open source AI coding agent. The markdown renderer used for LLM responses will insert arbitrary HTML into the DOM. There is no sanitization with DOMPurify or even a CSP on the web interface to prevent JavaScript execution via HTML injection. This means controlling the LLM response fo…

📅 Published: Jan. 12, 2026, 10:52 p.m. 🔄 Last Modified: April 18, 2026, 7 a.m.

8.8 (CVSS 3.1)

CVE-2026-22812 - OpenCode's Unauthenticated HTTP Server Allows Arbitrary Command Execution

OpenCode is an open source AI coding agent. Prior to 1.0.216, OpenCode automatically starts an unauthenticated HTTP server that allows any local process (or any website via permissive CORS) to execute arbitrary shell commands with the user's privileges. This vulnerability is fixed in 1.0.216.

📅 Published: Jan. 12, 2026, 10:49 p.m. 🔄 Last Modified: April 18, 2026, 4:30 p.m.

2.1 (CVSS 4.0)

CVE-2026-22805 - Metabase channel test endpoint can reach internal local addresses

Metabase is an open-source data analytics platform. Prior to 55.13, 56.3, and 57.1, self-hosted Metabase instances that allow users to create subscriptions could be potentially impacted if their Metabase is colocated with other unsecured resources. This vulnerability is fixed in 55.13, 56.3, and 57…

📅 Published: Jan. 12, 2026, 10:36 p.m. 🔄 Last Modified: April 18, 2026, 7 a.m.

8 (CVSS 3.1)

CVE-2026-22804 - Termix has a Stored XSS in File Manager leading to Local File Inclusion (LFI) in Electron and Sessi…

Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. From 1.7.0 to 1.9.0, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Termix File Manager component. The application fails to sanitize SVG file content before rendering it. Thi…

📅 Published: Jan. 12, 2026, 10:14 p.m. 🔄 Last Modified: April 18, 2026, 7 a.m.

2.4 (CVSS 3.1)

CVE-2026-22800 - PILOS affected by a CSRF via GET request allows unintentional termination of all active video confe…

PILOS (Platform for Interactive Live-Online Seminars) is a frontend for BigBlueButton. Prior to 4.10.0, a Cross-Site Request Forgery (CSRF) vulnerability exists in an administrative API endpoint responsible for terminating all active video conferences on a single server. The affected endpoint perform…

📅 Published: Jan. 12, 2026, 10:09 p.m. 🔄 Last Modified: April 18, 2026, 4:30 p.m.

9.3 (CVSS 4.0)

CVE-2026-22799 - emlog Arbitrary File Upload Vulnerability

Emlog is an open source website building system. emlog v2.6.1 and earlier exposes a REST API endpoint (/index.php?rest-api=upload) for media file uploads. The endpoint fails to implement proper validation of file types, extensions, and content, allowing authenticated attackers (with a valid API key…

📅 Published: Jan. 12, 2026, 10:05 p.m. 🔄 Last Modified: April 18, 2026, 7 a.m.

5.9 (CVSS 3.1)

CVE-2026-22798 - hermes's raw options logging may disclose secrets passed in via subcommand options argument

hermes is an implementation of the HERMES workflow to automatize software publication with rich metadata. From 0.8.1 to before 0.9.1, hermes subcommands take arbitrary options under the -O argument. These have been logged in raw form. If users provide sensitive data such as API tokens (e.g., via he…

📅 Published: Jan. 12, 2026, 10 p.m. 🔄 Last Modified: April 18, 2026, 7 a.m.

9.7 (CVSS 3.1)

CVE-2026-22794 - Account Takeover Vulnerability in Appsmith

Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 1.93, the server uses the Origin value from the request headers as the email link baseUrl without validation. If an attacker controls the Origin, password reset / email verification links in emails can be generat…

📅 Published: Jan. 12, 2026, 9:54 p.m. 🔄 Last Modified: April 18, 2026, 7 a.m.

5.4 (CVSS 3.1)

CVE-2026-22789 - WebErpMesv2 has a File Upload Validation Bypass Leading to RCE

WebErpMesv2 is a web-based Resource Management and Manufacturing Execution System for industry. Prior to 1.19, WebErpMesv2 contains a file upload validation bypass vulnerability in multiple controllers that allows authenticated users to upload arbitrary files, including PHP scripts, leading to Remote Cod…

📅 Published: Jan. 12, 2026, 9:52 p.m. 🔄 Last Modified: April 18, 2026, 7 a.m.

8.2 (CVSS 3.1)

CVE-2026-22788 - WebErpMesv2 allows unauthenticated API Access

WebErpMesv2 is a web-based Resource Management and Manufacturing Execution System for industry. Prior to 1.19, the WebErpMesV2 application exposes multiple sensitive API endpoints without authentication middleware. An unauthenticated remote attacker can read business-critical data including companies, qu…

📅 Published: Jan. 12, 2026, 9:40 p.m. 🔄 Last Modified: April 18, 2026, 7 a.m.