CVE Vulnerabilities - 16 April 2026

965 vulnerabilities published on 16 April 2026

Each entry below lists the title, the identifier(s), a truncated summary, and the severity score.
Microchip IStaX: Low-Privilege User Can Gain Admin Access
CVE-2026-2336
A security issue in Microchip IStaX allows a low-privileged user to gain admin access to the system by exploiting a vulnerability in the cookie system. This issue affects older versions of IStaX. To f...
8.7
DataEase 2.10.20 and below: Unauthorized database access
CVE-2026-33207
Using DataEase versions 2.10.20 and earlier, an attacker who has an account can access and extract sensitive information from your database by exploiting a security weakness in how the system handles ...
8.6
DataEase SQL Injection in Data Visualization and Analytics Platform
CVE-2026-33122
DataEase versions 2.10.20 and below have a security flaw that allows attackers to access sensitive data in your database. To fix this issue, update to version 2.10.21 or later. If you can't update imm...
8.6
SiYuan: Attacker Can Delete Arbitrary Files
GHSA-vw86-c94w-v3x4 CVE-2026-40318
An attacker with publish-reader access can delete any file in the SiYuan workspace by manipulating the URL to access files outside of the expected attribute view directory. This can lead to the loss o...
8.5
Froxlor allows attackers to inject malicious DNS records
GHSA-47hf-23pw-3m8c
Froxlor's DomainZones feature does not properly validate user input for DNS record types and also allows newline characters in DNS record content. This could allow an attacker to inject malicious DNS ...
8.5
Froxlor allows attackers to inject malicious DNS records
GHSA-47hf-23pw-3m8c
A security issue in Froxlor allows an authenticated user to inject malicious DNS records into their domain's zone file. This could lead to unauthorized changes to the domain's DNS settings. To fix thi...
8.5
OAuth 2.1 Provider: Unprivileged users can create OAuth clients
GHSA-xr8f-h2gw-9xh6
Unprivileged users can register new OAuth clients despite security settings. This allows unauthorized access to sensitive data. To fix this, update your OAuth 2.1 provider to ensure client creation is...
8.4
Vite+ can accidentally delete files outside its cache directory
GHSA-33r3-4whc-44c2
A bug in Vite+ allows a malicious user to delete or overwrite files outside the intended cache location by providing a specially crafted version string. This can happen if a program uses the Vite+ API...
8.4
Paperclip: Unauthenticated Access to Multiple API Endpoints in Authenticated Mode
GHSA-xfqj-r5qw-8g4j
Summary: Several API endpoints in `authenticated` mode have no authentication at all. They respond to completely unauthenticated requests with sensitive data or allow state-changing operations. No ...
8.3
Flowise: Airtable Data Retrieval Allows Remote Code Execution
GHSA-f228-chmx-v6j6
A security issue in the AirtableAgent function in Flowise allows an attacker to execute code on a victim's device by sending a carefully crafted prompt. This could lead to unauthorized access to sensi...
8.3
Airtable Data Retrieval in Flowise Allows Remote Code Execution
GHSA-f228-chmx-v6j6
An attacker can inject malicious code into Airtable data retrieval in Flowise, allowing them to execute arbitrary code on the server. This is possible due to a lack of input verification when using th...
8.3
DataEase MySQL Connection Bypass Allows File Access
CVE-2026-40899
DataEase versions 2.10.20 and below have a security flaw that lets an attacker access sensitive files on the server if they have an account. This is fixed in version 2.10.21, so update to the latest v...
8.3
Snowflake Cortex Code CLI versions prior to 1.0.25 allow unauthorized code execution
CVE-2026-6442
The Snowflake Cortex Code CLI has a security flaw in older versions (before 1.0.25) that lets an attacker run unauthorized code on your device. This can happen if you use a malicious project or reposi...
8.3
Zoho ManageEngine Log360 Authentication Bypass Risk
CVE-2026-3324
Certain actions in Zoho ManageEngine Log360 versions 13000 through 13013 can be performed without proper authentication. This means unauthorized users may be able to access sensitive features. Update ...
8.2
SiYuan Personal Knowledge Management System: Unauthorized Attribute Deletions
CVE-2026-40259
SiYuan versions 3.6.3 and below allow authenticated users to delete any attribute view without permission, which could break the system's database views and render workspaces unusable. This is fixed i...
8.1
Outdated Qmail Server Allows Remote Code Execution
CVE-2026-41113
A security issue in an older version of the Qmail email server may allow an attacker to execute malicious code on the server. This could potentially allow an attacker to take control of the server and...
8.1
Flowise: Unauthorized Organization Association in Account Registration
GHSA-48m6-ch88-55mj
Flowise's account registration process allows attackers to link an account to an unauthorized organization. This can happen when an attacker registers a new account, including malicious organization a...
8.1
Flowise: Attackers Can Hijack User Accounts and Organizations
GHSA-48m6-ch88-55mj
Unauthenticated attackers can create user accounts and associate them with unauthorized organizations, potentially leading to role assignments and data access issues. This vulnerability affects Flowis...
8.1
Kyverno: Untrusted Servers Can Steal Cluster Admin Token
GHSA-f9g8-6ppc-pqq4
Kyverno's apiCall feature can leak the admin token to any external server, including malicious ones, allowing them to take control of the entire cluster. This affects all Kyverno versions with apiCall...
8.1
Kyverno: Unauthorized Access to Sensitive Cluster Data
GHSA-f9g8-6ppc-pqq4
Kyverno's apiCall feature can leak sensitive cluster data to external servers. This allows attackers to gain full control over the cluster if they obtain the admission controller's ServiceAccount toke...
8.1
OmniFaces: Attackers can run malicious code on your server
GHSA-vp6r-9m58-5xv8
If you use OmniFaces with a specific type of CDN setup, a hacker could inject malicious code into your server, potentially allowing them to take control of your server or steal sensitive information. ...
8.1
OmniFaces: Using a Bad CDN Mapping Can Let Attackers Run Code
GHSA-vp6r-9m58-5xv8
If your application uses OmniFaces' CDNResourceHandler with a wildcard mapping, an attacker can craft a request that lets them run malicious code or access sensitive information. To fix this, update t...
8.1
Statamic: Unauthenticated data loss via malicious API or GraphQL queries
GHSA-4jjr-vmv7-wh4w
Statamic's REST and GraphQL APIs can be exploited to delete content, assets, and user accounts without authentication, if they are enabled on a site. Sites that have these APIs enabled without authent...
8.1
Statamic: Malicious Queries Can Delete Content and User Accounts
GHSA-4jjr-vmv7-wh4w
Statamic, a content management system, has a flaw that allows hackers to delete content, assets, and user accounts by manipulating certain queries. This can happen on the Control Panel with minimal pe...
8.1
Weblate Backup Exposes Git/Hg Config Files to Remote Code Execution
CVE-2026-33435 GHSA-558g-h753-6m33
Weblate's project backup feature in older versions had a security flaw that could allow hackers to execute malicious code. This has been fixed in version 5.17. If you can't update right away, limit ac...
8.1