Common Vulnerabilities and Exposures (CVE)

CVE-2026-27771

Jul 7, 2026 16:58:45 UTC

Gitea versions up to and including 1.26.1 have insufficient permission checks for Composer package source links, which can expose private or internal package source information.

CVE-2026-28705

Jul 7, 2026 16:58:39 UTC

Gitea versions before 1.25.5 use release tag names and asset names as filesystem path components when dumping release assets, allowing specially crafted names to affect dump output paths.

CVE-2026-28737

Jul 7, 2026 16:58:33 UTC

Gitea versions from 1.25.0 before 1.26.0 allow stored cross-site scripting through the extensionsRequired field in glTF files rendered by the 3D file viewer.

CVE-2026-28740

Jul 7, 2026 16:58:26 UTC

Gitea versions up to and including 1.26.2 allow Git LFS object reuse to authorize private source objects for users who have repository access but lack Code-unit access.

CVE-2025-71364

Jul 7, 2026 16:58:20 UTC

picklescan before 0.0.30 fails to detect the asyncio.unix_events._UnixSubprocessTransport._start function in pickle reduce methods, allowing remote code execution. Attackers can craft malicious pickle files embedding this built-in function ...

CVE-2025-71375

Jul 7, 2026 16:58:14 UTC

picklescan before 0.0.34 fails to detect the _operator.methodcaller built-in function when scanning pickle files for malicious code. Attackers can craft malicious pickle payloads using _operator.methodcaller that evade detection and execute...

CVE-2026-59194

Jul 7, 2026 16:57:59 UTC

pnpm is a package manager. Prior to 10.34.4 and 11.7.0, a crafted patch entry could resolve outside the configured patches directory and cause pnpm patch-remove to delete an arbitrary reachable file. This vulnerability is fixed in 10.34.4 a...

CVE-2026-54059

Jul 7, 2026 16:57:53 UTC

Pillow is a Python imaging library. Prior to 12.3.0, PIL/PcfFontFile.py _load_bitmaps() read glyph dimensions from the PCF METRICS section and passed them directly to Image.frombytes() without calling Image._decompression_bomb_check(), allo...

CVE-2026-41514

Jul 7, 2026 16:57:46 UTC

OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. Starting in version 4.5.0 and prior to version 4.11.0, the RSA-OAEP decryption...

CVE-2026-50134

Jul 7, 2026 16:57:36 UTC

Hugo is a static site generator. From 0.91.0 until 0.162.0, resources.GetRemote enforces security.http.urls on the URL it is called with, but it did not re-validate intermediate URLs on HTTP 3xx redirects. An allowed server (or an attacker ...

CVE-2026-50135

Jul 7, 2026 16:57:29 UTC

Hugo is a static site generator. From 0.123.0 to 0.161.1, a regression made  RootMappingFs.statRoot  use  Stat  (follows symlinks) instead of  Lstat , so a direct  resources.Get  of a symlink pointing outside its mount returned the target's...

CVE-2026-14613

Jul 7, 2026 16:51:57 UTC

A vulnerability was discovered in Keycloak's administrative interface that allows certain administrators to see information about groups they shouldn't have access to. When the new Fine-Grained Admin Permissions (FGAP v2) are turned on, an ...

CVE-2024-24445

Jul 7, 2026 16:39:46 UTC

OpenAirInterface CN5G AMF (oai-cn5g-amf) <= 2.0.0 contains a null dereference in its handling of unsupported NGAP protocol messages which allows an attacker with network-adjacent access to the AMF to carry out denial of service. When a proc...

CVE-2025-22916

Jul 7, 2026 16:39:21 UTC

RE11S v1.11 was discovered to contain a stack overflow via the pppUserName parameter in the formPPPoESetup function.

CVE-2025-22912

Jul 7, 2026 16:38:35 UTC

RE11S v1.11 was discovered to contain a command injection vulnerability via the component /goform/formAccept.