Recent Advisories

Severity (CVSS)   ID   Title / Summary   Vendor   Product (affected versions)   Type
MEDIUM 6.3   CVE-2026-54901
Oj: Use-After-Free in Oj::Parser array_class/hash_class GC Marking
Oj (Optimized JSON) is a JSON parser and object marshaller packaged as a Ruby gem. In versions prior to 3.17.2, Oj::Parser in usual mode does not m...
Vendor: ohler55   Product: oj (< 3.17.2)   Type: CVE

MEDIUM 4.3   CVE-2026-58450
Invoice Ninja 5.13.26 – Open Redirect in Client Portal Login via "intended" Parameter
Invoice Ninja through 5.13.26 contains an open redirect vulnerability in the client portal login that allows unauthenticated attackers to redirect ...
Vendor: invoiceninja   Product: invoiceninja (through 5.13.26)   Type: CVE

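The general fix for a post-login redirect parameter such as "intended" is to treat it as untrusted and only honour same-origin paths (or, if cross-origin redirects are genuinely needed, an exact host allow-list). The following is an added illustration of that check, not Invoice Ninja's code; the parameter name "intended" comes from the advisory title, while the default landing path and the allowed hosts are assumptions for the example. It rejects the classic bypasses: absolute URLs, protocol-relative "//host", backslash variants that browsers normalise to "/", "javascript:" schemes, CR/LF for header injection, and userinfo or suffix tricks against a host allow-list.

```python
from urllib.parse import urlsplit

DEFAULT_AFTER_LOGIN = "/client/dashboard"   # assumed default landing page for the example


def _is_safe_relative_path(target: str) -> bool:
    """True only for an absolute path on the current origin."""
    # Printable ASCII only: rejects CR/LF (response-header injection) and the
    # tab/whitespace/control bytes that browsers and urlsplit() silently strip.
    if not target or not all(0x21 <= ord(c) <= 0x7E for c in target):
        return False
    # Browsers treat "\" as "/", so "/\evil.test" reaches the client as the
    # protocol-relative URL "//evil.test".
    if "\\" in target:
        return False
    # Must start with a single "/": not "//host" and not "scheme:...".
    if not target.startswith("/") or target.startswith("//"):
        return False
    parts = urlsplit(target)
    return parts.scheme == "" and parts.netloc == ""


def safe_redirect_target(intended, allowed_hosts=(), default=DEFAULT_AFTER_LOGIN) -> str:
    """Return a redirect target that is safe to put in a Location header.

    intended      -- the user-supplied value (e.g. the 'intended' query parameter)
    allowed_hosts -- optional set of exact hostnames that may be redirected to over https
    """
    if intended is None:
        return default
    if _is_safe_relative_path(intended):
        return intended
    parts = urlsplit(intended)
    # Absolute URLs are accepted only for an exact, case-insensitive hostname match.
    # parts.hostname already strips userinfo and port, so
    # "https://app.example.test@evil.test/" compares as "evil.test", and
    # "app.example.test.evil.test" does not equal "app.example.test".
    if parts.scheme == "https" and parts.hostname and parts.hostname in {h.lower() for h in allowed_hosts}:
        return intended
    return default


if __name__ == "__main__":
    for candidate in ["/client/invoices/42", "//evil.test/", "/\\evil.test",
                      "javascript:alert(1)", "https://app.example.test@evil.test/"]:
        print(repr(candidate), "->", safe_redirect_target(candidate, allowed_hosts={"app.example.test"}))
```

A fail-closed default matters as much as the checks: anything that is not positively recognised as safe falls back to the fixed landing page rather than being passed through.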
MEDIUM 6.5   CVE-2026-58448
yudao-cloud < 2026.06 - BPM Module Broken Access Control via process-instance API
yudao-cloud before 2026.06 contains a broken access control vulnerability in the BPM module that allows any authenticated user to access arbitrary ...
Vendor: YunaiV   Product: yudao-cloud (< 2026.06)   Type: CVE

MEDIUM 6.5   CVE-2026-58447
Invidious – Cross-User Playlist Video Deletion via Missing Ownership Check
Invidious through 2.20260626.0, fixed in commit 77ad416, contains a broken object level authorization vulnerability that allows authenticated attac...
Vendor: iv-org   Product: Invidious (through 2.20260626.0; fixed in commit 77ad416)   Type: CVE

MEDIUM 6.5   CVE-2026-58446
Presenton < 0.8.8-beta - Authentication Bypass of Session Auth via Unprotected MCP Endpoint
Presenton before 0.8.8-beta bundles an MCP server that, on server/Docker deployments configured with session authentication (AUTH_USERNAME/AUTH_PAS...
Vendor: presenton   Product: presenton (< 0.8.8-beta)   Type: CVE

MEDIUM 6.9   CVE-2026-57204
pypdf: Missing stream length values ignore defined limits
pypdf is a free and open-source pure-python PDF library. Prior to 6.13.3, a maliciously crafted PDF can cause DoS. An attacker who uses this vulner...
Vendor: py-pdf   Product: pypdf (< 6.13.3)   Type: CVE

MEDIUM 6.3   CVE-2026-10585
Stored cross-site scripting vulnerability in GitHub Enterprise Server allowed arbitrary JavaScript execution via crafted Discussion titles in the Q&A category
A stored cross-site scripting vulnerability was identified in GitHub Enterprise Server that allowed an authenticated attacker to execute arbitrary ...
Vendor: GitHub   Product: Enterprise Server (3.17.0)   Type: CVE

MEDIUM 5.3   CVE-2026-56777
n8n – AST Validator Bypass in Python Code Node
n8n before 2.25.7 and 2.26.x before 2.26.2 contains an abstract syntax tree (AST) security validator bypass in the Python Code node. An authenticat...
Vendor: n8n   Product: n8n (< 2.25.7; 2.26.x < 2.26.2)   Type: CVE

MEDIUM 5.3   CVE-2026-56399
Open WebUI – Server-Side Request Forgery via Location Redirect in /api/v1/retrieval/process/web
Open WebUI before 0.6.27 contains a server-side request forgery vulnerability in the /api/v1/retrieval/process/web endpoint that allows authenticat...
Vendor: open-webui   Product: open-webui (< 0.6.27)   Type: CVE

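The pattern behind an SSRF "via Location redirect" is a fetcher that validates the URL the user submitted, then hands it to an HTTP client that follows 3xx responses on its own, so a public page that answers with Location: http://169.254.169.254/... walks the server straight into the metadata service. The added example below is not Open WebUI's code; it simulates the fetch and DNS layers with constructed, in-memory data (fictional .test hosts and TEST-NET addresses) so it runs offline, and shows the vulnerable shape beside the fix: handle redirects yourself, and re-run the destination check on every hop, including relative Location values resolved against the previous URL.

```python
import ipaddress
from typing import Callable, Dict, List, Tuple
from urllib.parse import urljoin, urlsplit

# Ranges a server-side fetcher must never be steered into. An explicit list is
# used (rather than ipaddress.is_private) so the constructed TEST-NET hosts
# below count as "public" for the demonstration.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]
REDIRECT_STATUSES = {301, 302, 303, 307, 308}

Response = Tuple[int, Dict[str, str], str]          # (status, headers, body)
Resolver = Callable[[str], List[str]]               # hostname -> IP strings
Fetcher = Callable[[str], Response]                 # one request, no redirect following


def destination_allowed(url: str, resolve: Resolver) -> bool:
    """http(s) only, and every address the host resolves to must be outside BLOCKED_NETWORKS."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        addrs = [ipaddress.ip_address(parts.hostname)]        # literal IP (also "[::1]")
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolve(parts.hostname)]
    if not addrs:
        return False
    for ip in addrs:
        if ip.version == 6 and ip.ipv4_mapped is not None:     # "::ffff:127.0.0.1"
            ip = ip.ipv4_mapped
        if any(ip in net for net in BLOCKED_NETWORKS):
            return False
    return True


def fetch_naive(url: str, fetch_once: Fetcher, resolve: Resolver, max_redirects: int = 5):
    """Vulnerable shape: only the user-supplied URL is checked; Location is followed blindly."""
    if not destination_allowed(url, resolve):
        return ("blocked", url, "")
    for _ in range(max_redirects + 1):
        status, headers, body = fetch_once(url)
        if status in REDIRECT_STATUSES and "Location" in headers:
            url = urljoin(url, headers["Location"])             # relative Location resolved against current URL
            continue
        return ("ok", url, body)
    return ("too-many-redirects", url, "")


def fetch_hardened(url: str, fetch_once: Fetcher, resolve: Resolver, max_redirects: int = 5):
    """Fixed shape: every hop, not just the first, passes destination_allowed()."""
    for _ in range(max_redirects + 1):
        if not destination_allowed(url, resolve):
            return ("blocked", url, "")
        status, headers, body = fetch_once(url)
        if status in REDIRECT_STATUSES and "Location" in headers:
            url = urljoin(url, headers["Location"])
            continue
        return ("ok", url, body)
    return ("too-many-redirects", url, "")


# Constructed DNS answers and HTTP responses (fictional hosts, no network access).
FAKE_DNS: Dict[str, List[str]] = {
    "files.example.test": ["203.0.113.10"],
    "localhost": ["127.0.0.1"],
}
FAKE_HTTP: Dict[str, Response] = {
    "https://files.example.test/report":   (302, {"Location": "http://169.254.169.254/latest/meta-data/"}, ""),
    "http://169.254.169.254/latest/meta-data/": (200, {}, "ami-id\ninstance-id"),
    "https://files.example.test/relative": (302, {"Location": "/final"}, ""),
    "https://files.example.test/final":    (200, {}, "public document"),
    "https://files.example.test/intranet": (302, {"Location": "http://localhost:8080/admin"}, ""),
    "http://localhost:8080/admin":         (200, {}, "admin console"),
}


def fake_resolve(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])


def fake_fetch(url: str) -> Response:
    return FAKE_HTTP.get(url, (404, {}, ""))


if __name__ == "__main__":
    for path in ("report", "relative", "intranet"):
        start = f"https://files.example.test/{path}"
        print(path, "naive:", fetch_naive(start, fake_fetch, fake_resolve)[0],
              "hardened:", fetch_hardened(start, fake_fetch, fake_resolve)[0])
```

Two caveats a real implementation needs beyond this sketch: the address checked by destination_allowed() should be the one actually connected to (resolve once and pin it, or check inside the client's connection hook) so a DNS answer cannot change between check and use, and the same per-hop logic must also cover any client-side auto-redirect the HTTP library performs, which is why the example disables that and loops over Location itself.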
MEDIUM 4.8   CVE-2026-56377
ImageMagick – Policy Bypass via Incorrect Path Validation
ImageMagick before 7.1.2-24 contains an incorrect policy check that allows attackers to create or truncate files disallowed by security policies. R...
Vendor: ImageMagick   Product: ImageMagick (< 7.1.2-24)   Type: CVE