8.8
CVE-2026-22255 - iccDEV has heap-buffer-overflow in CIccCLUT::Init() at IccProfLib/IccTagLut.cpp
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a heap-buffer-overflow vulnerability in `CIccCLUT::Init()` at `IccProfLib/IccTagLut.cpp`. Thisβ¦
6.5
CVE-2026-22246 - Local Mastodon users can enumerate and access severed relationships of every other local user
Mastodon is a free, open-source social network server based on ActivityPub. Mastodon 4.3 added notifications of severed relationships, allowing end-users to inspect the relationships they lost as the result of a moderation action. The code allowing users to download lists of severed relationships fβ¦
7
CVE-2025-67858 - A crafted "interface" input parameter can lead to integrity loss of the firewall configuration
A Improper Neutralization of Argument Delimiters vulnerability in Foomuuri can lead to integrity loss of the firewall configuration or further unspecified impact by manipulating the JSON configuration passed to `nft`. This issue affects Foomuuri: from ? before 0.31.
7.1
CVE-2026-22245 - Mastodon has SSRF Protection bypass
Mastodon is a free, open-source social network server based on ActivityPub. By nature, Mastodon performs a lot of outbound requests to user-provided domains. Mastodon, however, has some protection mechanism to disallow requests to local IP addresses (unless specified in `ALLOWED_PRIVATE_ADDRESSES`)β¦
8.5
CVE-2026-22244 - OpenMetadata Server-Side Template Injection (SSTI) in FreeMarker email templates that leads to RCE
OpenMetadata is a unified metadata platform. Versions prior to 1.11.4 are vulnerable to remote code execution via Server-Side Template Injection (SSTI) in FreeMarker email templates. An attacker must have administrative privileges to exploit the vulnerability. Version 1.11.4 contains a patch.
7.3
CVE-2026-22241 - Open eClass has Unrestricted File Upload that Leads to Remote Code Execution (RCE)
The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, an arbitrary file upload vulnerability in the theme import functionality enables an attacker with administrative privileges to upload arbitrary files on the server's file system. β¦
5.1
CVE-2025-67603 - Lack of client authorization allows arbitrary users to influence the firewall configuration
A Improper Authorization vulnerability in FoomuuriΒ llows arbitrary users to influence the firewall configuration.This issue affects Foomuuri: from ? before 0.31.
5.7
CVE-2026-22043 - RustFS has IAM deny_only Short-Circuit that Allows Privilege Escalation via Service Account Minting
RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.13 through 1.0.0-alpha.78, a flawed `deny_only` short-circuit in RustFS IAM allows a restricted service account or STS credential to self-issue an unrestricted service account, inheriting the parentβs full privilegβ¦
7.3
CVE-2025-66003 - Local users can perform a local root exploit via smb4k mounthelper
An External Control of File Name or Path vulnerability in smb4k allowsl ocal users to perform a local root exploit via smb4k mounthelper if they can access and control the contents of a Samba shareThis issue affects smb4k: from ? before 4.0.5.
5.3
CVE-2025-4596 - Information disclosure via IDOR in Asseco AMDX
Asseco ADMX system is used for processing medical records. It allows logged in users to access medical files belonging to other users through manipulation of GET arguments containing document IDs. This issue has been fixed in 6.09.01.62 version of ADMX.