6.9
CVE-2026-39351 - Frappe allows unrestricted Doctype access via API exploit
Frappe is a full-stack web application framework. Prior to 16.14.0 and 15.104.0, Frappe allows unrestricted Doctype access via API exploit.
6.9
CVE-2026-5736 - PowerJob detailPlus Endpoint InstanceController.java sql injection
A vulnerability was identified in PowerJob 5.1.0/5.1.1/5.1.2. Impacted is an unknown function of the file powerjob-server/powerjob-server-starter/src/main/java/tech/powerjob/server/web/controller/InstanceController.java of the component detailPlus Endpoint. The manipulation of the argument customQu…
5.3
CVE-2026-5762 - ReportIncident DiscussionTools integration causes slow requests
Allocation of resources without limits or throttling vulnerability in Wikimedia Foundation MediaWiki - ReportIncident Extension allows HTTP DoS. This issue was remediated only on the `master` branch.
6.9
CVE-2026-22711 - Stored XSS through system messages in WikiLove
Improper neutralization of alternate XSS syntax vulnerability in The Wikimedia Foundation MediaWiki - WikiLove Extension allows Cross-Site Scripting (XSS). The issue has been remediated on the `master` branch, and in the release branches for MediaWiki versions 1.43, 1.44, and 1.45.
2.1
CVE-2026-39349 - OrangeHRM Uses AES-ECB for Sensitive Data Encryption Enables Pattern Disclosure
OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to 5.8, OrangeHRM Open Source encrypts certain sensitive fields with AES in ECB mode, which preserves block-aligned plaintext patterns in ciphertext and enables pattern disclosure against stored data. This vulnerability i…
5.3
CVE-2026-39348 - OrangeHRM is Missing Authorization Checks in AbstractFileController Subclasses Expose Job Specifica…
OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to 5.8, OrangeHRM Open Source omits authorization on job specification and vacancy attachment download handlers, allowing authenticated low-privilege users to read attachments via direct reference to attachment identifier…
5.1
CVE-2026-39347 - OrangeHRM's Self‑Appraisal Submission of Admin Users Can Be Modified After Completion
OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to 5.8, OrangeHRM Open Source accepts changes to self-appraisal submissions for administrator users after those submissions have been marked completed, breaking integrity of finalized appraisal records. This vulnerability…
5.3
CVE-2026-39346 - OrangeHRM has Improper Access Control Allowing Access to Disabled Modules via URL Encoding
OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to 5.8, OrangeHRM Open Source allowed authenticated users to bypass disabled-module access controls via URL-encoded request paths and access functionality of modules disabled by an administrator. This vulnerability is fix…
4.6
CVE-2026-39345 - OrangeHRM Affected by Arbitrary File Read via Path Traversal in Email Template Loader
OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to 5.8, OrangeHRM Open Source fails to restrict email template file resolution to the intended plugins directory, allowing an authenticated actor who can influence the template path to read arbitrary local files. This vul…
9.3
CVE-2026-39324 - Rack::Session::Cookie secrets: decrypt failure fallback enables secretless session forgery and Mars…
Rack::Session is a session management implementation for Rack. From 2.0.0 to before 2.1.2, Rack::Session::Cookie incorrectly handles decryption failures when configured with secrets:. If cookie decryption fails, the implementation falls back to a default decoder instead of rejecting the cookie. Thi…