New

CVE-2026-50559: Authentication/Authorization Bypass via Advanced Path Normalization Vulnerabilities: Quarkus is a Java framework for building cloud-native applications. Prior to versions 3.37.0, 3.36.3, 3.33.2.1, 3.33.3, 3.27.4.1, 3.27.5, and 3.20.6.2, Quarkus HTTP path-based authorization policies can be bypassed using encoded semicolons (%3B) to smuggle matrix parameters past the security layer, and using en...

CVE-2026-48794: Authelia has an Edge Case Access Control Rule Mismatch: Authelia is an open-source authentication and authorization server providing two-factor authentication and single sign-on (SSO) for applications via a web portal. In versions 4.36.0 through 4.39.19, due to lack of canonicalization of domains in very specific edge cases, an access control rule may be skipped when it should match a request. ...

CVE-2026-47203: Authelia Missing Username Canonicalization in Basic Auth (LDAP): Authelia is an open-source authentication and authorization server providing two-factor authentication and single sign-on (SSO) for applications via a web portal. In versions 4.38.0 through 4.39.19, when a user authenticates via Basic Auth (i.e via the `Authorization` header with the `Basic` scheme) on the authz verification endpo...

CVE-2026-48129: Kestra task inputFiles accepts traversal filenames for worker file writes: Kestra is an open-source, event-driven orchestration platform. Prior to versions 1.3.19, 1.2.19, 1.1.19, and 1.0.43, Kestra task `inputFiles` writes rendered file names directly under the task working directory. When a flow forwards untrusted execution or webhook data into an `inputFiles` file name, a caller can use `../...

CVE-2026-49346: libde265 has a heap buffer overflow in de265_image_get_buffer via SPS dimension integer overflow: libde265 is an open source implementation of the h.265 video codec. Prior to version 1.1.0, a crafted H.265 bitstream with large SPS dimensions and 16-bit bit depth causes a signed integer overflow in `de265_image_get_buffer()` (`libde265/image.cc:128`). The overflow wraps the plane allocation size...

Updated

CVE-2026-49295: libde265 has an out-of-bounds write in process_reference_picture_set via predicted short-term RPS: libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.20, a crafted H.265 bitstream can cause an out-of-bounds array write in `decoder_context::process_reference_picture_set()` (`libde265/decctx.cc:1376`). The root cause is a missing aggregate bound check on pred...

CVE-2026-49337: libde265 has an unbounded memory leak via orphaned slice headers in `read_slice_NAL`: libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.20, a crafted sequence of H.265 NAL units causes `decoder_context::read_slice_NAL()` (`libde265/decctx.cc:481`) to attach slice headers to a finished picture object that has no active image unit, resulting in attacker-cont...

CVE-2026-49344: Mercator has a Personal Identifiable Information Leak from Query Executor feature: Mercator is an open source web application that enables mapping of the information system. Prior to version 2025.05.19, Mercator's Query Engine (`/admin/queries/execute`) accepts a JSON DSL (`from` / `select` / `filters` / `traverse` / `output`), translates it into an Eloquent query, and returns results as JSON. ...

CVE-2026-49339: Path traversal in getPlaylist/deletePlaylist bypasses ownership check: any authenticated user can read or delete any other user's playlist: gonic is a music streaming server / free-software subsonic server API implementation. The maintainer's fix in commit `6dd71e6a3c966867ef8c900d359a7df75789f410` added an ownership check based on `playlist.UserID`. However, `playlist.UserID` is derived from t...

CVE-2026-27878: Tempo TraceQL query with exemplar hint could result in unbounded memory usage: A TraceQL query in Grafana Tempo with a large exemplars hint value can cause the Tempo instance to allocate an excessive amount of memory, resulting in an out-of-memory crash. This could allow an authenticated user to trigger a denial of service against the Tempo service.

CISA Known Exploited Vulnerabilities

CVE-2026-20253 Splunk Enterprise: Splunk Enterprise contains a missing authentication for critical function vulnerability which could allow an unauthenticated user to create or truncate arbitrary files through a PostgreSQL sidecar service endpoint.

CVE-2026-48907 Widget Factory Joomla Content Editor : Widget Factory Joomla Content Editor contains an improper access control vulnerability which could allow for upload and execution of PHP code via the creation of new editor profiles for unauthenticated users.

CVE-2026-54420 LiteSpeed cPanel Plugin: LiteSpeed cPanel plugin contains a UNIX symbolic link (Symlink) following vulnerability that could allow a user with FTP or web shell access on a shared hosting server running CloudLinux/CageFS.

CVE-2026-20262 Cisco Catalyst SD-WAN Manager: Cisco Catalyst SD-WAN Manager contains a directory or path traversal vulnerability that could allow an authenticated, remote attacker to create a file or overwrite any file on the filesystem of an affected system.

CVE-2026-35273 Oracle PeopleSoft Enterprise PeopleTools : Oracle PeopleSoft Enterprise PeopleTools contains a missing authentication for critical function vulnerability which could allow an unauthenticated attacker to obtain takeover of PeopleSoft Enterprise PeopleTools.