Recent Advisories

Columns in the original listing: Severity | ID | Title | Vendor | Product | Date | Type

CVE-2026-54903
Severity: MEDIUM 6.3
Title: Oj: Integer Overflow in Oj.load 2GB String Handling
Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. In versions prior to 3.17.2, Oj.load is vulnerable to heap corru...
Vendor: ohler55 | Product: oj < 3.17.2 | Type: CVE

CVE-2026-54902
Severity: MEDIUM 6.3
Title: Oj: Use-After-Free in Oj::Parser SAJ Long Key Callback
Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. Prior to version 3.17.2, is vulnerable to Use-After-Free when in...
Vendor: ohler55 | Product: oj < 3.17.2 | Type: CVE

CVE-2026-54901
Severity: MEDIUM 6.3
Title: Oj: Use-After-Free in Oj::Parser array_class/hash_class GC Marking
Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. In versions prior to 3.17.2, Oj::Parser in usual mode does not m...
Vendor: ohler55 | Product: oj < 3.17.2 | Type: CVE

CVE-2026-53488
Severity: CRITICAL 9.4
Title: containerd CRI plugin: — image-config `LABEL` flows to restart-monitor `binary://` logger: host-root command execution from an image pull
containerd is an open-source container runtime. In versions prior to 1.7.33, 2.3.2, 2.2.5, 2.1.9, and 2.0.10 the CRI plugin propagates labels from ...
Vendor: containerd | Product: containerd < 1.7.33 | Type: CVE

CVE-2026-41579
Severity: LOW 3.3
Title: runc: Malicious image with /dev symlink can trigger limited host filesystem integrity violations
runc is a CLI tool for spawning and running containers according to the OCI specification. In versions prior to 1.3.6, 1.4.0-rc.1, 1.4.0-rc.12, 1.5...
Vendor: opencontainers | Product: runc < 1.3.6 | Type: CVE

CVE-2026-58450
Severity: MEDIUM 4.3
Title: Invoice Ninja 5.13.26 – Open Redirect in Client Portal Login via intended Parameter
Invoice Ninja through 5.13.26 contains an open redirect vulnerability in the client portal login that allows unauthenticated attackers to redirect ...
Vendor: invoiceninja | Product: invoiceninja | Type: CVE

CVE-2026-58449
Severity: CRITICAL 9.8
Title: txtai – Unauthenticated Remote Code Execution via Unsafe Reflection in API /reindex function Parameter
txtai through 9.10.0, fixed in commit 11b32da, exposes an API /reindex endpoint whose function body parameter is resolved through txtai.util.Resolv...
Vendor: neuml | Product: txtai | Type: CVE

CVE-2026-58448
Severity: MEDIUM 6.5
Title: yudao-cloud < 2026.06 - BPM Module Broken Access Control via process-instance API
yudao-cloud before 2026.06 contains a broken access control vulnerability in the BPM module that allows any authenticated user to access arbitrary ...
Vendor: YunaiV | Product: yudao-cloud | Type: CVE

CVE-2026-58447
Severity: MEDIUM 6.5
Title: Invidious – Cross-User Playlist Video Deletion via Missing Ownership Check
Invidious through 2.20260626.0, fixed in commit 77ad416, contains a broken object level authorization vulnerability that allows authenticated attac...
Vendor: iv-org | Product: Invidious | Type: CVE

CVE-2026-58446
Severity: MEDIUM 6.5
Title: Presenton < 0.8.8-beta - Authentication Bypass of Session Auth via Unprotected MCP Endpoint
Presenton before 0.8.8-beta bundles an MCP server that, on server/Docker deployments configured with session authentication (AUTH_USERNAME/AUTH_PAS...
Vendor: presenton | Product: presenton | Type: CVE