7
CVE-2025-67858 - A crafted "interface" input parameter can lead to integrity loss of the firewall configuration
A Improper Neutralization of Argument Delimiters vulnerability in Foomuuri can lead to integrity loss of the firewall configuration or further unspecified impact by manipulating the JSON configuration passed to `nft`. This issue affects Foomuuri: from ? before 0.31.
7.1
CVE-2026-22245 - Mastodon has SSRF Protection bypass
Mastodon is a free, open-source social network server based on ActivityPub. By nature, Mastodon performs a lot of outbound requests to user-provided domains. Mastodon, however, has some protection mechanism to disallow requests to local IP addresses (unless specified in `ALLOWED_PRIVATE_ADDRESSES`)β¦
8.5
CVE-2026-22244 - OpenMetadata Server-Side Template Injection (SSTI) in FreeMarker email templates that leads to RCE
OpenMetadata is a unified metadata platform. Versions prior to 1.11.4 are vulnerable to remote code execution via Server-Side Template Injection (SSTI) in FreeMarker email templates. An attacker must have administrative privileges to exploit the vulnerability. Version 1.11.4 contains a patch.
7.3
CVE-2026-22241 - Open eClass has Unrestricted File Upload that Leads to Remote Code Execution (RCE)
The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, an arbitrary file upload vulnerability in the theme import functionality enables an attacker with administrative privileges to upload arbitrary files on the server's file system. β¦
5.1
CVE-2025-67603 - Lack of client authorization allows arbitrary users to influence the firewall configuration
A Improper Authorization vulnerability in FoomuuriΒ llows arbitrary users to influence the firewall configuration.This issue affects Foomuuri: from ? before 0.31.
5.7
CVE-2026-22043 - RustFS has IAM deny_only Short-Circuit that Allows Privilege Escalation via Service Account Minting
RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.13 through 1.0.0-alpha.78, a flawed `deny_only` short-circuit in RustFS IAM allows a restricted service account or STS credential to self-issue an unrestricted service account, inheriting the parentβs full privilegβ¦
7.3
CVE-2025-66003 - Local users can perform a local root exploit via smb4k mounthelper
An External Control of File Name or Path vulnerability in smb4k allowsl ocal users to perform a local root exploit via smb4k mounthelper if they can access and control the contents of a Samba shareThis issue affects smb4k: from ? before 4.0.5.
5.3
CVE-2025-4596 - Information disclosure via IDOR in Asseco AMDX
Asseco ADMX system is used for processing medical records. It allows logged in users to access medical files belonging to other users through manipulation of GET arguments containing document IDs. This issue has been fixed in 6.09.01.62 version of ADMX.
5.7
CVE-2026-22042 - RustFS has IAM Incorrect Authorization in ImportIam that Allows Privilege Escalation
RustFS is a distributed object storage system built in Rust. Prior to version 1.0.0-alpha.79, he `ImportIam` admin API validates permissions using `ExportIAMAction` instead of `ImportIAMAction`, allowing a principal with export-only IAM permissions to perform import operations. Since importing IAM β¦
2
CVE-2026-22041 - loggingredactor converts non-string types to string types in logs
Logging Redactor is a Python library designed to redact sensitive data in logs based on regex patterns and / or dictionary keys. Prior to version 0.0.6, non-string types are converted into string types, leading to type errors in %d conversions. The problem has been patched in version 0.0.6. No knowβ¦