3.5
CVE-2026-33659 - EspoCRM: SSRF via DNS Rebinding in Attachment fromImageUrl Endpoint Allows Internal Network Access
EspoCRM is an open source customer relationship management application. In versions 9.3.3 and below, the POST /api/v1/Attachment/fromImageUrl endpoint is vulnerable to Server-Side Request Forgery (SSRF) via a DNS rebinding (TOCTOU) condition. Host validation uses dns_get_record() but the actual HTTโฆ
5.3
CVE-2026-6218 - aandrew-me ytDownloader Error Details Panel createTextNode cross site scripting
A vulnerability was found in aandrew-me ytDownloader up to 3.20.2. Affected by this issue is the function createTextNode of the component Error Details Panel. The manipulation results in cross site scripting. The attack may be performed from remote. The vendor was contacted early about this disclosโฆ
8.7
CVE-2026-32272 - Craft Commerce: Blind SQL Injection via hasVariant/hasProduct
Craft Commerce is an ecommerce platform for Craft CMS. In versions 5.0.0 through 5.5.4, an SQL injection vulnerability exists where the ProductQuery::hasVariant and VariantQuery::hasProduct properties bypass the input sanitization blocklist added to ElementIndexesController in a prior security fix โฆ
7.7
CVE-2026-32271 - Craft Commerce: SQL Injection can lead to Remote Code Execution via TotalRevenue Widget
Craft Commerce is an ecommerce platform for Craft CMS. In versions 4.0.0 through 4.10.2 and 5.0.0 through 5.5.4, there is an SQL injection vulnerability in the Commerce TotalRevenue widget which allows any authenticated control panel user to achieve remote code execution through a four-step exploitโฆ
5.1
CVE-2026-6216 - DbGate SVG Icon String FontIcon.svelte cross site scripting
A security vulnerability has been detected in DbGate up to 7.1.4. This affects an unknown function of the file packages/web/src/icons/FontIcon.svelte of the component SVG Icon String Handler. Such manipulation of the argument applicationIcon leads to cross site scripting. The attack may be launchedโฆ
1.7
CVE-2026-32270 - Craft Commerce: Unauthenticated information disclosure in `commerce/payments/pay` can leak some cusโฆ
Craft Commerce is an ecommerce platform for Craft CMS. In versions 4.0.0 through 4.10.2 and 5.0.0 through 5.5.4, the PaymentsController::actionPay discloses some order data to unauthenticated users when an order number is provided and the email check fails during an anonymous payment. The JSON erroโฆ
4.6
CVE-2026-33657 - EspoCRM: Stored HTML injection in email notifications about stream notes via unescaped post field
EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below have a stored HTML injection vulnerability that allows any authenticated user with standard (non-administrative) privileges to inject arbitrary HTML into system-generated email notifications by craftingโฆ
5.3
CVE-2026-6215 - DbGate REST/GraphQL openApiDriver.ts apiServerUrl1 server-side request forgery
A weakness has been identified in DbGate up to 7.1.4. The impacted element is the function apiServerUrl1 of the file packages/rest/src/openApiDriver.ts of the component REST/GraphQL. This manipulation causes server-side request forgery. The attack may be initiated remotely. The exploit has been madโฆ
4.3
CVE-2026-33534 - EspoCRM has authenticated SSRF via internal-host validation bypass using alternative IPv4 notation
EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below have an authenticated Server-Side Request Forgery (SSRF) vulnerability that allows bypassing the internal-host validation logic by using alternative IPv4 representations such as octal notation (e.g., 01โฆ
5.3
CVE-2026-6202 - code-projects Easy Blog Site post.php sql injection
A security flaw has been discovered in code-projects Easy Blog Site 1.0. This affects an unknown function of the file post.php. Performing a manipulation of the argument tags results in sql injection. The attack may be initiated remotely. The exploit has been released to the public and may be used โฆ