Security Vulnerabilities
Authlib is a Python library which builds OAuth and OpenID Connect servers. In version 1.6.5 and prior, cache-backed state/request-token storage is not tied to the initiating user session, so CSRF is possible for any attacker that has a valid state (easily obtainable via an attacker-initiated authentication flow). When a cache is supplied to the OAuth client registry, FrameworkIntegration.set_state_data writes the entire state blob under _state_{app}_{state}, and get_state_data ignores the caller’s session altogether. This issue has been patched in version 1.6.6.
CVSS Score
5.7
EPSS Score
0.0
Published
2026-01-08
OPEXUS eCASE Audit allows an authenticated attacker to modify client-side JavaScript or craft HTTP requests to access functions or buttons that have been disabled or blocked by an administrator. Fixed in eCASE Platform 11.14.1.0.
CVSS Score
7.6
EPSS Score
0.0
Published
2026-01-08
An issue was discovered in Nitro PDF Pro for Windows before 14.42.0.34. In certain cases, it displays signer information from a non-verified PDF field rather than from the verified certificate subject. This could allow a document to present inconsistent signer details. The display logic was updated to ensure signer information consistently reflects the verified certificate identity.
CVSS Score
9.8
EPSS Score
0.0
Published
2026-01-08
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki - UploadWizard extension allows Cross-Site Scripting (XSS).This issue affects MediaWiki - UploadWizard extension: 1.45, 1.44, 1.43, 1.39.
CVSS Score
6.1
EPSS Score
0.0
Published
2026-01-08
A malicious actor in Wi-Fi range of the affected product could leverage a vulnerability in the airMAX Wireless Protocol to achieve a remote code execution (RCE) within the affected product.
Affected Products:
UBB-XG (Version 1.2.2 and earlier)
UDB-Pro/UDB-Pro-Sector (Version 1.4.1 and earlier)
UBB (Version 3.1.5 and earlier)
Mitigation:
Update your UBB-XG to Version 1.2.3 or later.
Update your UDB-Pro/UDB-Pro-Sector to Version 1.4.2 or later.
Update your UBB to Version 3.1.7 or later.
CVSS Score
8.8
EPSS Score
0.001
Published
2026-01-08
A malicious actor in Wi-Fi range of the affected product could leverage a vulnerability in the airMAX Wireless Protocol to achieve a remote code execution (RCE) within the affected product.
Affected Products:
airMAX AC (Version 8.7.20 and earlier)
airMAX M (Version 6.3.22 and earlier)
airFiber AF60-XG (Version 1.2.2 and earlier)
airFiber AF60 (Version 2.6.7 and earlier)
Mitigation:
Update your airMAX AC to Version 8.7.21 or later.
Update your airMAX M to Version 6.3.24 or later.
Update your airFiber AF60-XG to Version 1.2.3 or later.
Update your airFiber AF60 to Version 2.6.8 or later.
CVSS Score
5.4
EPSS Score
0.0
Published
2026-01-08
This vulnerability allows a Backup Administrator to perform remote code execution (RCE) as the postgres user by sending a
malicious password parameter.
CVSS Score
9.0
EPSS Score
0.003
Published
2026-01-08
This vulnerability allows a Backup or Tape Operator to write files as root.
CVSS Score
9.0
EPSS Score
0.001
Published
2026-01-08
This vulnerability allows a Backup Operator to perform remote code execution (RCE) as the postgres user by sending a malicious interval or order parameter.
CVSS Score
9.0
EPSS Score
0.003
Published
2026-01-08
indieka900 online-shopping-system-php 1.0 is vulnerable to SQL Injection in master/review_action.php via the proId parameter.
CVSS Score
9.8
EPSS Score
0.0
Published
2026-01-08