CVEs
CVE-2026-42089: yeoman-environment's Silent Package Installation from Caller-Supplied Names
2026-06-25
A local package installation helper trusted caller-supplied package names too much. In yeoman-environment, missing generators could be installed without user confirmation, turning attacker-controlled project metadata into a package-install and code-execution path.
CVE-2026-46558: Plane’s Cross-Workspace Asset Authorization Bypass in V2 Asset Endpoints
2026-06-25
Plane’s V2 asset subsystem trusted workspace slugs and asset UUIDs without enforcing the right membership checks, which let one authenticated user read, copy, delete, and overwrite assets in other workspaces.
CVE-2026-45806: Penpot's Authenticated SSRF in Remote Image Import
2026-06-24
Penpot's remote image import let an authenticated file editor turn a normal media convenience feature into backend-origin SSRF because attacker-controlled URLs crossed into a redirect-following server fetch path without destination filtering.
CVE-2026-34207: Typebot's SSRF Protection Bypass via DNS-Resolved Hostnames in Webhook / HTTP Request Validation
2026-06-23
The SSRF filter checked hostname text, but the actual destination was decided later by DNS. That gap let attacker-controlled Webhook URLs reach loopback, metadata, and private network targets.
CVE-2026-46552: NocoDB Shared-Base Links Could Invite Real Base Members and Survive Share Revocation
2026-05-29
A public shared-base link in NocoDB inherited member-management permissions, which let an anonymous share session enumerate members, invite arbitrary users into the base, and convert temporary link access into durable authenticated membership.
CVE-2026-34212: Stored XSS in Docmost Attachment Nodes via Unsanitized URL Schemes
2026-05-15
Docmost accepted a javascript: URL inside an attachment node, preserved it through storage and rendering, and turned it back into a clickable anchor in the Docmost origin.
CVE-2026-34213: Docmost's Attachment Overwrite Shortcut That Let One Page Clobber Another Page's File
2026-05-15
A low-privileged Docmost user could supply a victim attachmentId to the generic upload endpoint and overwrite another page's stored attachment inside the same workspace.
CVE-2026-33146: Docmost Public Share Search Leaks Restricted Child Page Metadata
2026-04-11
A public share looked clean in the page tree, but the search endpoint told a different story. In Docmost, restricted child pages hidden from public share viewers could still leak through public share search results.
CVE-2026-34828: listmonk’s Session Persistence After Password Reset and Password Change
2026-04-02
A stolen session did not die when the password changed. In listmonk, previously issued authenticated sessions remained valid after both password reset and password change, turning credential recovery into incomplete recovery.
CVE-2026-33936: python-ecdsa’s DER Length Validation Bug That Turned Malformed Input into Crashy Key Parsing
2026-03-29
Malformed DER with truncated length fields was accepted instead of rejected, and that let untrusted input reach an internal exception path during key parsing.
CVE-2026-32722: Bloomberg Memray’s Stored XSS via Unescaped Command-Line Metadata
2026-03-15
A profiling tool turned command-line metadata into executable HTML because one attacker-controlled field crossed into a browser sink without escaping.