Common Vulnerabilities and Exposures (CVE)

CVE-2026-45692

Jun 26, 2026 18:16:37 UTC

Caddy is an extensible server platform that uses TLS by default. From 2.4.0 until 2.11.3, the authorization layer and the /config traversal layer do not agree on what object the path refers to. In this case, a path authorized for one config...

CVE-2026-56663

Jun 26, 2026 18:13:02 UTC

AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Prior to 0.6.52, an authenticated user can bypass the SSRF / private-IP protections in SendWebRequestBlock and reach ...

CVE-2026-54327

Jun 26, 2026 18:09:58 UTC

Pi is a minimal terminal coding harness. From 0.74.0 until 0.78.1, Pi stored API keys and OAuth credentials in auth.json. A race condition in the file write path could briefly create or rewrite this file with permissions derived from the pr...

CVE-2026-45407

Jun 26, 2026 18:06:03 UTC

Dokku is a docker-powered PaaS. Prior to 0.38.2, the git:auth command creates $DOKKU_ROOT/.netrc using bash's touch command, which applies the default umask of 0644. This pre-creation defeats the netrc binary's built-in 0600 permission sett...

CVE-2026-48090

Jun 26, 2026 18:03:05 UTC

Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.37.0 until 1.37.5 and 1.38.3, the HTTP OAuth2 filter (envoy.filters.http.oauth2) can leave an in-flight async token exchange attached to a downstr...

CVE-2026-47220

Jun 26, 2026 18:02:17 UTC

Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.37.0 until 1.37.5 and 1.38.3, when %REQUESTED_SERVER_NAME(X:Y)% is used in a log format and host-related options are specified, like HOST_FIRST, ...

CVE-2026-54557

Jun 26, 2026 17:58:21 UTC

mise manages dev tools like node, python, cmake, and terraform. Prior to 2026.6.1, the mise HTTP backend builds its install symlink destination from the raw resolved version string for non-latest versions. Normal tool install paths use the ...

CVE-2026-56790

Jun 26, 2026 17:44:21 UTC

CANBoat through 6.22, fixed in commit a5a22b7, contains an off-by-one global buffer overflow in the searchForPgn() function in analyzer/pgn.c that allows remote attackers to crash the application. Attackers can deliver a crafted NMEA-2000 m...

CVE-2025-63078

Jun 26, 2026 17:44:15 UTC

Subscriber Broken Access Control in Restaurant Menu by MotoPress <= 2.4.11 versions.

CVE-2025-68063

Jun 26, 2026 17:44:10 UTC

Contributor Local File Inclusion in Splash - Sport Club WordPress Theme for Basketball, Football, Hockey <= 4.4.3 versions.

CVE-2026-54820

Jun 26, 2026 17:44:04 UTC

Unauthenticated SQL Injection in JetBooking <= 4.0.4.1 versions.

CVE-2026-54832

Jun 26, 2026 17:43:57 UTC

Unauthenticated Broken Access Control in Gutenverse Companion <= 2.5.0 versions.

CVE-2026-54840

Jun 26, 2026 17:43:51 UTC

Unauthenticated Broken Access Control in Newsletters <= 4.13 versions.

CVE-2026-56025

Jun 26, 2026 17:43:44 UTC

Unauthenticated Broken Access Control in Paymob for WooCommerce <= 4.1.2 versions.

CVE-2026-56031

Jun 26, 2026 17:43:37 UTC

Unauthenticated PHP Object Injection in Uncanny Automator <= 7.3.1.2 versions.