Briefs

CVE-2026-3857 describes a vulnerability in GitLab CE/EE versions 17.10 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1, where an unauthenticated user can execute arbitrary GraphQL mutations on behalf of authenticated users due to insufficient CSRF protection, potentially leading to data modification or privilege escalation.

CVE-2026-3988 is a denial of service vulnerability in GitLab CE/EE allowing unauthenticated users to crash instances by sending malformed GraphQL requests, affecting versions 18.5 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1.

CVE-2026-2995 is a vulnerability in GitLab EE versions 15.4 to 18.10.1 where an authenticated user can add email addresses to other user accounts due to improper HTML sanitization, potentially leading to account takeover or information disclosure.

Compromised versions of the LiteLLM package (1.82.7 and 1.82.8) on PyPI contained malware designed to harvest sensitive credentials and files, exfiltrating them to a remote API, impacting users who installed and ran the package.

An authenticated user with workflow creation/modification permissions can exploit insufficient restrictions in the n8n Merge node's AlaSQL sandbox to achieve remote code execution by reading local files or executing commands on the n8n host.

A vulnerability in NATS server allows a remote, unauthenticated attacker to cause a denial of service by sending a crafted WebSocket frame, leading to a server crash due to missing validation on WebSocket frame length.

The node-tesseract-ocr npm package through version 2.2.1 is vulnerable to OS command injection due to improper sanitization of the file path parameter in the recognize() function, potentially allowing for arbitrary command execution.

A remote SQL Injection vulnerability exists in code-projects Simple Laundry System 1.0 within the Parameter Handler component's /checkregisitem.php file, where manipulating the Long-arm-shirtVol argument can trigger the injection, with a publicly available exploit.

CVE-2026-4844 describes a SQL injection vulnerability in the Admin Login Module of code-projects Online Food Ordering System 1.0, which can be exploited remotely by manipulating the Username argument in the /admin.php file.

A remote SQL injection vulnerability exists in itsourcecode Online Enrollment System 1.0 within the Parameter Handler component affecting the `/sms/grades/index.php` file, allowing unauthorized database access and has been publicly disclosed.

The Blackhole for Bad Bots WordPress plugin through version 3.8 is vulnerable to stored cross-site scripting (XSS) via the User-Agent HTTP header, allowing unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the plugin's admin page.

CVE-2026-4840 is a critical command injection vulnerability in the Netcore Power 15AX router that allows remote attackers to execute arbitrary OS commands by manipulating the IpAddr argument in the setTools function of the /bin/netis.cgi file.

A remote SQL injection vulnerability (CVE-2026-4838) exists in the /display.php file of SourceCodester Malawi Online Market 1.0 due to improper input sanitization of the ID parameter, potentially allowing attackers to execute arbitrary SQL queries.

The Masteriyo LMS plugin for WordPress is vulnerable to privilege escalation, allowing authenticated users with student-level access or higher to gain administrator privileges by manipulating the 'InstructorsController::prepare_object_for_database' function.

The WP Job Portal plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation, allowing authenticated attackers with subscriber-level access or higher to delete arbitrary files, potentially leading to remote code execution.

OpenEMR versions prior to 8.0.0.3 are susceptible to a blind SQL injection vulnerability in the Patient Search functionality, allowing authenticated attackers to execute arbitrary SQL commands by manipulating HTTP parameter keys.

IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 stores user credentials in plaintext, allowing local users to read sensitive information.

Picomatch is vulnerable to Regular Expression Denial of Service (ReDoS) when processing crafted extglob patterns with quantifiers, leading to excessive CPU consumption and denial of service.

A denial-of-service vulnerability exists in the Protobuf PHP library due to maliciously crafted messages with negative varints or deep recursion, leading to application crashes and impacting service availability.

The code16/sharp Laravel admin panel package contains a vulnerability in its file upload endpoint that allows authenticated users to bypass all file type restrictions by manipulating the validation_rule parameter, potentially leading to Remote Code Execution (RCE) if the storage disk is configured to be publicly accessible.

SiYuan is vulnerable to arbitrary document reading via the publishing service, allowing attackers to retrieve document IDs and view the content of all documents, including encrypted or prohibited ones, by exploiting the `/api/file/readDir` and `/api/block/getChildBlocks` interfaces.

The `replace_first` filter in LiquidJS is vulnerable to exponential memory amplification due to its use of JavaScript's `String.prototype.replace()` and mishandling of the `$&` backreference pattern, allowing attackers to bypass the `memoryLimit` and cause denial of service.

OpenCart Core 4.0.2.3 is vulnerable to SQL injection via the 'search' parameter, enabling unauthenticated attackers to manipulate database queries and extract sensitive information through boolean-based or time-based blind SQL injection.

The pdf-image npm package through version 2.0.0 is vulnerable to OS command injection via the pdfFilePath parameter due to improper sanitization, potentially leading to arbitrary code execution.

Kiteworks Core versions 9.2.0 and 9.2.1 contain an access control vulnerability (CVE-2026-23514) due to improper ownership management, allowing authenticated users to access unauthorized content, which can be mitigated by upgrading to version 9.2.2 or later.

Firefox 148 and Thunderbird 148 contain memory safety bugs that could potentially be exploited to execute arbitrary code, impacting versions prior to 149.

Multiple vulnerabilities exist in GnuPG and Gpg4win that could allow a remote attacker to execute arbitrary code or cause a denial-of-service condition.

Since August 2025, threat actors have been impersonating Palo Alto Networks talent acquisition staff in a sophisticated phishing campaign targeting senior professionals, using social engineering tactics to solicit fraudulent resume fees.

The Salvo web framework before version 0.89.3 is vulnerable to denial of service due to unbounded memory allocation when parsing form data, enabling attackers to crash services by sending large payloads.

A SQL injection vulnerability exists in SourceCodester Online Catering Reservation 1.0's `/search.php` file, allowing remote attackers to execute arbitrary SQL commands by manipulating the `rcode` argument.