Unauthenticated Arbitrary File Deletion in WorkScout-Core <= 1.7.11 versions.

Unauthenticated Insecure Direct Object References (IDOR) in School Management <= 93.1.0 versions.

Open WebUI Prompt history IDOR: unbound history_id allows cross-prompt read and deletion

Open WebUI: Sibling-Prefix Path Traversal via /cache/{path}

Open WebUI: Cross-user file disclosure via /api/chat/completions image_url field

Open WebUI IDOR: Calendar event re-parenting allows writing events into another user's calendar

NocoDB: Server-Side Request Forgery via Spreadsheet Import Endpoint

NocoDB: Server-Side Request Forgery via Base Migration URL

NocoDB: Stored Cross-Site Scripting via Secure Attachment

NocoDB: Refresh Tokens Persist Through Password Recovery

NocoDB: Server-Side Request Forgery via Spreadsheet Fetch URL

vLLM: OOM Denial of Service via Audio Decompression Bomb

vLLM: incomplete CVE-2026-22778 fix leaks PIL repr addresses via Anthropic router

vLLM: GGUF dequantize kernel int truncation exposes uninitialized GPU memory in multi-tenant serving

vLLM: temperature=NaN and temperature=Infinity bypass validation and propagate to GPU kernels

Traefik: Kubernetes Gateway crossProviderNamespaces bypass allows HTTPRoute outside the allowlist to expose internal Traefik services

Chrome DevTools for agents: daemon.pid write follows symlinks in /tmp fallback runtime directory

Pi Agent: Pi loads project-local extensions without approval

The Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program – myCred plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'wrap' Shortcode Attribute in all versions up to, and including, 3.1 due to insufficient input sanitization and output es...

The Permalink Manager Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via post titles in the admin URI Editor interface in all versions up to, and including, 2.5.3.3 due to insufficient output escaping. This makes it possible for authenticated attackers, with Contributor-level...