9.3
CVE-2026-39382 - dbt has a Command Injection in Reusable Workflow via Unsanitized comment-body Output
dbt enables data analysts and engineers to transform their data using the same practices that software engineers use to build applications. Inside the reusable workflow dbt-labs/actions/blob/main/.github/workflows/open-issue-in-repo.yml, the prep job uses peter-evans/find-comment to search for an e…
8.5
CVE-2026-32863 - Out-of-Bounds Read in sentry_transaction_context_set_operation()
There is a memory corruption vulnerability due to an out-of-bounds read in sentry_transaction_context_set_operation() in NI LabVIEW. This vulnerability may result in information disclosure or arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially c…
5.3
CVE-2026-39381 - Parse Server's Endpoint `/sessions/me` bypasses `_Session` `protectedFields`
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.7 and 8.6.75, the GET /sessions/me endpoint returns _Session fields that the server operator explicitly configured as protected via the protectedFields server option. Any aut…
8.5
CVE-2026-32862 - Out-of-Bounds Write in ResFileFactory::InitResourceMgr()
There is a memory corruption vulnerability due to an out-of-bounds write in ResFileFactory::InitResourceMgr() in NI LabVIEW. This vulnerability may result in information disclosure or arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted V…
5.4
CVE-2026-39380 - Open Source Point of Sale has Stored XSS in Stock Location (Configuration)
Open Source Point of Sale is a web based point-of-sale application written in PHP using CodeIgniter framework. Prior to 3.4.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Stock Locations configuration feature. The application fails to properly sanitize user input supplied throug…
6.3
CVE-2026-39837 - Stored XSS through the dynamic table format in Cargo
Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in WikiWorks Mediawiki - Cargo Extension allows Stored XSS. This issue affects Mediawiki - Cargo Extension: before 3.8.7.
8.5
CVE-2026-32861 - Out-of-Bounds Write Vulnerability in NI LabVIEW when loading lvclass file
There is a memory corruption vulnerability due to an out-of-bounds write when loading a corrupted LVCLASS file in NI LabVIEW. This vulnerability may result in information disclosure or arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted …
7.5
CVE-2026-39376 - FastFeedParser has an infinite redirect loop DoS via meta-refresh chain
FastFeedParser is a high performance RSS, Atom and RDF parser. Prior to 0.5.10, when parse() fetches a URL that returns an HTML page containing a <meta http-equiv="refresh"> tag, it recursively calls itself with the redirect URL - with no depth limit, no visited-URL deduplication, and no redirect c…
6.3
CVE-2026-39841 - Stored XSS through list fields on Cargo's page values and Special:CargoTables
Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in Wikimedia Foundation Mediawiki - Cargo Extension allows Stored XSS. This issue affects Mediawiki - Cargo Extension: before 3.8.7.
8.5
CVE-2026-32860 - Out-of-Bounds Write Vulnerability in NI LabVIEW when loading lvlib file
There is a memory corruption vulnerability due to an out-of-bounds write when loading a corrupted LVLIB file in NI LabVIEW. This vulnerability may result in information disclosure or arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted .l…