Recent Advisories

Severity ID Title Vendor Product Date Type
HIGH 7 CVE-2026-44949

Unauthenticated namespace creation and RBAC injection via rancher-webhook FleetWorkspace mutating webhook_CVE-2026-44949

A Rancher FleetWorkspace admission path allowed side effects to occur in the Rancher webhook handler for versions 0.7.0 up to 0.7.10, 0.8.0 up to ...

SUSE Rancher 0.7.0 CVE
HIGH 8.8 CVE-2026-27957

Coolify: Authenticated RCE via command injection in CA certificate management feature_CVE-2026-27957

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, an authenticated comma...

coollabsio coolify < 4.0.0-beta.464 CVE
HIGH 8.8 CVE-2026-48307

ColdFusion | Cross-site Scripting (Reflected XSS) (CWE-79)_CVE-2026-48307

ColdFusion versions 2025.9, 2023.20 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. An attacker could exploit thi...

Adobe ColdFusion CVE
HIGH 8.6 CVE-2026-48285

ColdFusion | Server-Side Request Forgery (SSRF) (CWE-918)_CVE-2026-48285

ColdFusion versions 2025.9, 2023.20 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in a Security ...

Adobe ColdFusion CVE
HIGH 7.5 CVE-2026-58375

JimuReport 2.5.0 – Unauthenticated Report Export via /jmreport/auto/export_CVE-2026-58375

JimuReport through 2.5.0 exposes the POST /jmreport/auto/export endpoint without authentication: the handler is annotated @JimuNoLoginRequired, so ...

jeecgboot jimureport CVE
HIGH 8.1 CVE-2026-58372

SeaweedFS < 4.34 - Cross-Bucket Object Deletion via DeleteObjects Request-Body Keys_CVE-2026-58372

SeaweedFS before 4.34 contains a path traversal vulnerability in the S3 gateway DeleteMultipleObjectsHandler that allows authenticated S3 principal...

seaweedfs seaweedfs CVE
HIGH 8.1 CVE-2026-58370

Woodpecker < 3.15.0 - GitLab Approval Gate Bypass via Spoofable Commit Author Name_CVE-2026-58370

Woodpecker before 3.15.0 matches the ApprovalAllowedUsers bypass list against pipeline.Author. For the GitLab forge driver, pipeline.Author is popu...

woodpecker-ci woodpecker CVE
HIGH 8.3 CVE-2026-58170

Vibe-Trading < 0.1.10 - Path Traversal in Proposal Identifier Allows Forging Live Trading Mandates_CVE-2026-58170

Vibe-Trading before 0.1.10 builds the proposal file path by joining a caller-supplied proposal identifier onto the broker proposals directory witho...

HKUDS Vibe-Trading CVE
HIGH 7.5 CVE-2026-58169

Vibe-Trading < 0.1.10 - Loopback Trust and Missing Host Validation Enable DNS-Rebinding Authentication Bypass and Remote Code Execution_CVE-2026-58169

Vibe-Trading before 0.1.10's local API server trusts the TCP peer address to bypass the API_AUTH_KEY bearer-token check for loopback clients and pe...

HKUDS Vibe-Trading CVE
HIGH 8.8 CVE-2026-58168

DeepTutor < 1.4.10 - Insecure Default Grants Unrestricted MCP Tool Access to Non-Admin Users_CVE-2026-58168

DeepTutor before version 1.4.10 contains an authorization bypass vulnerability that allows low-privilege users to invoke unrestricted MCP tools due...

HKUDS DeepTutor CVE