7.5
CVE-2026-33901 - ImageMagick has a Heap Buffer Overflow via MVG decoder
ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, a heap buffer overflow occurs in the MVG decoder that could result in an out of bounds write when processing a crafted image. This issue has been fixed in veโฆ
5.9
CVE-2026-33900 - ImageMagick has a Heap overflow caused by integer overflow/wraparound in viff encoder on 32-bit buiโฆ
ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, the viff encoder contains an integer truncation/wraparound issue on 32-bit builds that could trigger an out of bounds heap write, potentially causing a crashโฆ
5.3
CVE-2026-33899 - ImageMagick: Heap BufferOverflow write of single zero byte when parsing XML
ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below 7.1.2-189 and 6.9.13-44, when `Magick` parses an XML file it is possible that a single zero byte is written out of the bounds. This issue has been fixed in versions 6.9.13-44 and 7.1.2-1โฆ
4.8
CVE-2026-6219 - aandrew-me ytDownloader Compressor Feature compressor.js child_process.exec command injection
A vulnerability was determined in aandrew-me ytDownloader up to 3.20.2. This affects the function child_process.exec of the file src/compressor.js of the component Compressor Feature. This manipulation causes command injection. The attack can only be executed locally. The exploit has been publicly โฆ
5.4
CVE-2026-33740 - EspoCRM: Email importEml can import and delete another user's attachment by raw fileId
EspoCRM is an open source customer relationship management application. In versions 9.3.3 and below, the POST /api/v1/Email/importEml endpoint contains an Insecure Direct Object Reference (IDOR) vulnerability where the attacker-supplied fileId parameter is used to fetch any attachment directly fromโฆ
3.5
CVE-2026-33659 - EspoCRM: SSRF via DNS Rebinding in Attachment fromImageUrl Endpoint Allows Internal Network Access
EspoCRM is an open source customer relationship management application. In versions 9.3.3 and below, the POST /api/v1/Attachment/fromImageUrl endpoint is vulnerable to Server-Side Request Forgery (SSRF) via a DNS rebinding (TOCTOU) condition. Host validation uses dns_get_record() but the actual HTTโฆ
5.3
CVE-2026-6218 - aandrew-me ytDownloader Error Details Panel createTextNode cross site scripting
A vulnerability was found in aandrew-me ytDownloader up to 3.20.2. Affected by this issue is the function createTextNode of the component Error Details Panel. The manipulation results in cross site scripting. The attack may be performed from remote. The vendor was contacted early about this disclosโฆ
8.7
CVE-2026-32272 - Craft Commerce: Blind SQL Injection via hasVariant/hasProduct
Craft Commerce is an ecommerce platform for Craft CMS. In versions 5.0.0 through 5.5.4, an SQL injection vulnerability exists where the ProductQuery::hasVariant and VariantQuery::hasProduct properties bypass the input sanitization blocklist added to ElementIndexesController in a prior security fix โฆ
7.7
CVE-2026-32271 - Craft Commerce: SQL Injection can lead to Remote Code Execution via TotalRevenue Widget
Craft Commerce is an ecommerce platform for Craft CMS. In versions 4.0.0 through 4.10.2 and 5.0.0 through 5.5.4, there is an SQL injection vulnerability in the Commerce TotalRevenue widget which allows any authenticated control panel user to achieve remote code execution through a four-step exploitโฆ
5.1
CVE-2026-6216 - DbGate SVG Icon String FontIcon.svelte cross site scripting
A security vulnerability has been detected in DbGate up to 7.1.4. This affects an unknown function of the file packages/web/src/icons/FontIcon.svelte of the component SVG Icon String Handler. Such manipulation of the argument applicationIcon leads to cross site scripting. The attack may be launchedโฆ