5.1 (CVSS 4.0)

CVE-2026-0729 - code-projects Intern Membership Management System add_activity.php sql injection

A vulnerability was detected in code-projects Intern Membership Management System 1.0. Impacted is an unknown function of the file /intern/admin/add_activity.php. Performing a manipulation of the argument Title results in sql injection. Remote exploitation of the attack is possible. The exploit is …

📅 Published: Jan. 8, 2026, 9:32 p.m. 🔄 Last Modified: April 18, 2026, 7:45 a.m.

7.2 (CVSS 3.1)

CVE-2025-14436 - Brevo for WooCommerce <= 4.0.49 - Unauthenticated Stored Cross-Site Scripting

The Brevo for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘user_connection_id’ parameter in all versions up to, and including, 4.0.49 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject …

📅 Published: Jan. 8, 2026, 9:21 p.m. 🔄 Last Modified: April 22, 2026, 12:15 a.m.

5.6 (CVSS 3.1)

CVE-2025-14505 - Elliptic Cryptanalysis vulnerability when `k` has leading zeros

The ECDSA implementation of the Elliptic package generates incorrect signatures if an interim value of 'k' (as computed based on step 3.2 of RFC 6979 https://datatracker.ietf.org/doc/html/rfc6979 ) has leading zeros and is susceptible to cryptanalysis, which can lead to secret key exposure. This h…

📅 Published: Jan. 8, 2026, 9:05 p.m. 🔄 Last Modified: April 15, 2026, 12:35 a.m.

7.5 (CVSS 3.1)

CVE-2025-15464 - KL-001-2026-01: yintibao Fun Print Mobile Unauthorized Access via Context Hijacking

Exported Activity allows external applications to gain application context and directly launch Gmail with inbox access, bypassing security controls.

📅 Published: Jan. 8, 2026, 9:01 p.m. 🔄 Last Modified: Feb. 12, 2026, 5:51 p.m.

6.5 (CVSS 3.1)

CVE-2026-22588 - Spree API has Authenticated Insecure Direct Object Reference (IDOR) via Order Modification

Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5, an Authenticated Insecure Direct Object Reference (IDOR) vulnerability was identified that allows an authenticated user to retrieve other users’ address information by modifying …

📅 Published: Jan. 8, 2026, 8:53 p.m. 🔄 Last Modified: April 18, 2026, 7:45 a.m.

5.1 (CVSS 4.0)

CVE-2026-0728 - code-projects Intern Membership Management System delete_admin.php sql injection

A security vulnerability has been detected in code-projects Intern Membership Management System 1.0. This issue affects some unknown processing of the file /intern/admin/delete_admin.php. Such manipulation of the argument admin_id leads to sql injection. The attack may be launched remotely. The exp…

📅 Published: Jan. 8, 2026, 8:32 p.m. 🔄 Last Modified: April 18, 2026, 7:30 p.m.

3.3 (CVSS 3.1)

CVE-2026-0747 - External Observer Can View Password Screens in Devolutions Remote Desktop Manager

Exposure of sensitive information in the TeamViewer entry dashboard component in Devolutions Remote Desktop Manager 2025.3.24.0 through 2025.3.28.0 on Windows allows an external observer to view a password on screen via a defective masking feature, for example during physical observation or screen …

📅 Published: Jan. 8, 2026, 7:55 p.m. 🔄 Last Modified: April 18, 2026, 4:45 p.m.

5.4 (CVSS 3.1)

CVE-2026-22253 - Soft Serve is missing an authorization check in LFS lock deletion

Soft Serve is a self-hostable Git server for the command line. Prior to version 0.11.2, an authorization bypass in the LFS lock deletion endpoint allows any authenticated user with repository write access to delete locks owned by other users by setting the force flag. The vulnerable code path proce…

📅 Published: Jan. 8, 2026, 6:39 p.m. 🔄 Last Modified: April 18, 2026, 7:45 a.m.

6.3 (CVSS 4.0)

CVE-2026-21860 - Werkzeug safe_join() allows Windows special device names with compound extensions

Werkzeug is a comprehensive WSGI web application library. Prior to version 3.1.5, Werkzeug's safe_join function allows path segments with Windows device names that have file extensions or trailing spaces. On Windows, there are special device names such as CON, AUX, etc that are implicitly present a…

📅 Published: Jan. 8, 2026, 6:34 p.m. 🔄 Last Modified: April 18, 2026, 7:45 a.m.

8.8 (CVSS 3.1)

CVE-2026-22257 - Salvo is vulnerable to stored XSS in the list_html function by uploading files with malicious names

Salvo is a Rust web backend framework. Prior to version 0.88.1, the function list_html generates a file view of a folder without sanitizing file or folder names. This may lead to XSS in cases where a website allows access to public files using this feature and anyone can upload…

📅 Published: Jan. 8, 2026, 6:22 p.m. 🔄 Last Modified: April 18, 2026, 7:45 a.m.