- CVE-2026-42507 – Arbitrary inputs are included in errors without any escaping in net/textproto
- CVE-2026-44653 – LibreChat Shared MCP Server View Leaks Decrypted Admin Secrets
- CVE-2026-44654 – LibreChat: Shared-agent editor can globally delete owner’s file records — breaks owner’s other private agents
- CVE-2026-35482 – alf.io has an Authenticated RCE via Extension Script Sandbox Escape
- CVE-2026-40108 – GLPI Vulnerable to Stored XSS in ITIL Costs
- CVE-2026-41412 – alf.io vulnerable to Arbitrary File Read and Exfil via simpleHttpClient Extension Script
- CVE-2026-42504 – Quadratic complexity in WordDecoder.DecodeHeader in mime
- CVE-2026-10719 – Open Seachest/Seachest NVMe show Format Descriptors Vulnerability
- CVE-2026-25861 – QloApps 1.7.0 Weak Password Hashing via MD5 in Tools.php
- CVE-2026-27145 – Inefficient candidate hostname parsing in crypto/x509
- CVE-2026-31942 – LibreChat has IDOR in API Keys Management that allows any authenticated user to overwrite other users’ API keys
- CVE-2026-32625 – LibreChat Exfiltrates Server Secrets via MCP Server URL Injection
- CVE-2026-10718 – Open Seachest/Seachest NVMe Trim (Deallocate) Vulnerability
- CVE-2026-10662 – ahujasid blender-mcp ZIP File server.py requests.get server-side request forgery
- CVE-2026-10688 – ahujasid blender-mcp server.py execute_blender_code code injection
