0.0
CVE-2026-35578 -
This CVE is a duplicate of another CVE. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-39940. Reason: This candidate is a reservation duplicate of CVE-2026-39940. Notes: All CVE users should reference CVE-2026-39940 instead of this candidate. All references and descriptions…
9.8
CVE-2026-4631 - Cockpit: cockpit: unauthenticated remote code execution due to ssh command-line argument injection
Cockpit's remote login feature passes user-supplied hostnames and usernames from the web interface to the SSH client without validation or sanitization. An attacker with network access to the Cockpit web service can craft a single HTTP request to the login endpoint that injects malicious SSH option…
0.0
CVE-2026-35567 -
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-39327. Reason: This candidate is a duplicate of CVE-2026-39327. Notes: All CVE users should reference CVE-2026-39327 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accident…
7.6
CVE-2026-35534 - ChurchCRM has Stored XSS in PersonView.php via Facebook Field Attribute Injection
ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored cross-site scripting vulnerability exists in PersonView.php due to incorrect use of sanitizeText() as an output sanitizer for HTML attribute context. The function only strips HTML tags, it does not escape quote character…
4.8
CVE-2026-35571 - Emissary has Stored XSS via Navigation Template Link Injection
Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, Mustache navigation templates interpolated configuration-controlled link values directly into href attributes without URL scheme validation. An administrator who could modify the navItems configuration could inject javascript: UR…
7.5
CVE-2026-35526 - Strawberry GraphQL affected by a Denial of Service via unbounded WebSocket subscriptions
Strawberry GraphQL is a library for creating GraphQL APIs. Prior to 0.312.3, Strawberry GraphQL's WebSocket subscription handlers for both the graphql-transport-ws and legacy graphql-ws protocols allocate an asyncio.Task and associated Operation object for every incoming subscribe message without e…
6.8
CVE-2026-4931 - CVE-2026-4931
Smart contract Marginal v1 performs unsafe downcast, allowing attackers to settle a large debt position for a negligible asset cost.
8.8
CVE-2026-35521 - Pi-hole FTL affected by Remote Code Execution (RCE) via dhcp.hosts Newline Injection
FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DHCP hosts configuration parameter (dhcp.hosts). This vulnerability allows an authent…
9.8
CVE-2026-33816 - CVE-2026-33816 in github.com/jackc/pgx
Memory-safety vulnerability in github.com/jackc/pgx/v5.
9.8
CVE-2026-33815 - CVE-2026-33815 in github.com/jackc/pgx
Memory-safety vulnerability in github.com/jackc/pgx/v5.