Liste Hebdomadaire des CVE Sévères

CVE-2026-42869 - SOCFortress CoPilot: Hardcoded JWT secret allows unauthenticated full admin compromise and lateral movement into all integrated SOC tools

CVE-2026-42864 - FireFighter: Unauthenticated SSRF in Raid jira_bot endpoint allows IAM credential theft

CVE-2026-34263 - Missing authentication check in SAP Commerce cloud configuration

CVE-2026-34260 - SQL injection vulnerability in SAP S/4HANA (SAP Enterprise Search for ABAP)

CVE-2026-45321 - Malware in 42 @tanstack/* packages exfiltrates cloud credentials, GitHub tokens, and SSH keys

CVE-2026-43899 - DeepChat: Incomplete Fix for CVE-2025-55733 leads to Remote Code Execution via Markdown Links bypassing `isValidExternalUrl`

CVE-2026-42882 - oxyno-zeta/s3-proxy: Security Issues in Resource Path Matching

CVE-2026-43900 - DeepChat: Persistent DOM XSS via HTML Entity Encoding in `` SVG Rendering (Bypass of `svgSanitizer.ts`)

CVE-2026-7428 - Insecure default administrative credentials in AlloyDB for PostgreSQL

CVE-2026-7256 - Zyxel WRE6505 Command Injection Vulnerability

CVE-2026-41489 - Pi-hole: Local privilege escalation via config-controlled path in root-executed service hooks

CVE-2026-45223 - Crabbox < 0.9.0 Authentication Bypass via Admin Claim Injection

CVE-2026-5029 - RCE in Code Runner MCP Server

CVE-2026-43912 - Vaultwarden: Cross-Org Group Binding Enables Unauthorized Read And Write Access Into Another Organization

CVE-2026-43897 - Link Preview JS: vunerable to IPv6 and internal loopback attacks

CVE-2026-43888 - Outline: Zip Extraction Path Escape via PATH_MAX Truncation in Collection Import

CVE-2026-7790 - Unbounded chunk-size hex digits in cowlib cause quadratic CPU and memory DoS

CVE-2026-34963 - barebox EFI PE Loader Memory Safety Vulnerabilities

CVE-2026-39432 - WordPress Timetics plugin <= 1.0.53 - Broken Access Control vulnerability

CVE-2026-35227 - Improper resource management in CODESYS Modbus TCP Server

CVE-2026-34259 - OS Command Injection Vulnerability in SAP Forecasting & Replenishment

CVE-2026-43893 - exiftool-vendored: Argument injection via newline characters in tag names

CVE-2026-43886 - Outline: OAuth Scope Validation Logic Error Allows Privilege Escalation to Wildcard API Access

CVE-2026-42564 - jotty·page: Unauthenticated Path Traversal leads to sensitive file disclosure and session-token reuse impact

CVE-2026-43913 - Vaultwarden: Unconfirmed Owner Can Purge Entire Organization Vault