
CVE Watch
Every published CVE, mapped to engagement reality.
Crawled from cve.org every day. Each entry annotated with the QSearch coverage signal — how many of our agents, skills, and playbooks address the technique. Subscribe via RSS for SIEM pipe, or get the weekly digest by email.
Algernon is a small self-contained pure-Go web server
Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, when Algernon is invoked with a single file path instead of a directory, singleFileMode is set to true and debugMode is forcibly enabled. debugMode activates the PrettyError renderer, which on any Lua or template error response dumps the absolute path of the file that errored, complete byte contents of that file, and exception or parser error text. This response is served with HTTP 200 OK to whoever sent the request that triggered the error. Any client able to reach the server and able to provoke a runtime error in the served script obtains the full server-side source of that script and of any sibling Lua data file consulted during the request. This vulnerability is fixed in 1.17.7.
CWE-1188CWE-209Algernon is a small self-contained pure-Go web server
Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, when Algernon is asked for any URL path that resolves to a directory without an index file, DirPage walks upward through parent directories — past the configured server root — looking for a file named handler.lua to execute as the request handler. The loop terminates only after 100 ancestor steps or when filepath.Dir returns ., so on any absolute server-root path the search reaches the filesystem root (/ on Unix, drive letter on Windows). The first handler.lua it finds is loaded into the Lua interpreter with the full Algernon API exposed — including run3(), httpclient, os.execute, io.popen, PQ, MSSQL, raw filesystem access, and the userstate database. Any process that can write handler.lua anywhere in a parent directory of the server root obtains pre-authenticated remote code execution on the next HTTP request. This is reachable without authentication — the lookup happens before the permission check returns a hit (the perm system only gates URL prefixes, not the handler-resolution step), and any URL pointing at a directory without an index triggers the walk. On a fresh stock Algernon install the request GET / is enough. This vulnerability is fixed in 1.17.7.
CWE-20CWE-426Twenty is an open source CRM
Twenty is an open source CRM. In 1.18.0 and earlier, the file serving endpoints in Twenty CRM at /files/* and /file/:fileFolder/:id serve uploaded files using fileStream.pipe(res) without setting any Content-Type, Content-Disposition, or X-Content-Type-Options response headers. This allows an authenticated attacker to upload an HTML file containing JavaScript, which will be rendered by the victim's browser in the context of the Twenty CRM domain when accessed — enabling session hijacking, account takeover, and data theft.
twentyCWE-79Vowpal Wabbit is a machine learning system
Vowpal Wabbit is a machine learning system. The workflow .github/workflows/python_checks.yml embeds ${{ github.event.pull_request.title }} directly inside double-quoted bash strings in four separate steps across four jobs, each passing it as a CLI argument to the Python test script run_tests_model_gen_and_load.py. The shell interprets the expanded string before invoking Python, allowing an attacker to break out of the quotes and execute arbitrary commands on the runner. The pull_request trigger fires on PRs targeting any branch (branches: ['*']), with no additional access gate. This vulnerability is fixed by the 998e390e80a7e8192d7849b7784bc113dbd190ad commit.
vowpalwabbitCWE-1336CWE-78MikroORM is a TypeScript ORM for Node.js based on Data Mapper, Unit of Work and Identity Map patterns
MikroORM is a TypeScript ORM for Node.js based on Data Mapper, Unit of Work and Identity Map patterns. Prior to @mikro-orm/knex 6.6.14 and @mikro-orm/sql 7.0.14, MikroORM's identifier-quoting helper (Platform.quoteIdentifier and the postgres/mssql overrides) and its JSON-path emitters (Platform.getSearchJsonPropertyKey, quoteJsonKey) did not properly escape characters that delimit the SQL identifier or string-literal context they emit into. When application code passes attacker-influenced strings to public ORM APIs that expect an identifier or a JSON-property filter, an attacker can break out of the quoted context and inject arbitrary SQL. This vulnerability is fixed in @mikro-orm/knex 6.6.14 and @mikro-orm/sql 7.0.14.
CWE-89Bugsink is a self-hosted error tracking tool
Bugsink is a self-hosted error tracking tool. Prior to 2.1.3, Bugsink’s webhook URL validation could be (partially) bypassed because of a mismatch in URL parsing. The original validation logic parsed webhook URLs with Python’s urllib.parse.urlparse, then sent the request with requests.post. For malformed inputs involving backslashes and @, those components can disagree about where the authority ends and which hostname is the real target. A URL may therefore appear to target an allowlisted public hostname during validation, while the HTTP client actually connects to a different host. This vulnerability is fixed in 2.1.3.
CWE-918Traccar is an open source GPS tracking system
Traccar is an open source GPS tracking system. Prior to 6.13.0, DeviceResource.uploadImage authorizes the target device only through Condition.Permission(User.class, getUserId(), Device.class) and then immediately streams the uploaded body into mediaManager.createFileStream(...). Unlike the generic mutation path in BaseObjectResource.update and the explicit device mutation handler updateAccumulators, this route never invokes permissionsService.checkEdit(getUserId(), Device.class, false, false). The skipped guard is exactly where Traccar enforces readonly and deviceReadonly restrictions for non-admin users. An unauthorized user can replace a device’s stored image file under the server media directory. This allows modification of UI-visible device media and any downstream workflows that rely on the persisted image, despite other device update paths correctly rejecting the same identity. This vulnerability is fixed in 6.13.0.
traccarCWE-863- CVE-2026-439822026-05-26
Algernon is a small self-contained pure-Go web server
Algernon is a small self-contained pure-Go web server. Prior to 1.17.6, uploadedFileSaveIn() in lua/upload/upload.go uses filepath.Join() with the caller-supplied directory but performs no boundary check after joining. A directory of ../../../tmp resolves cleanly to /tmp, outside the web root. This vulnerability is fixed in 1.17.6.
CWE-22 - CVE-2026-439812026-05-26
Algernon is a small self-contained pure-Go web server
Algernon is a small self-contained pure-Go web server. Prior to 1.17.6, in engine/luahandler.go, the sync.RWMutex protecting LoadCommonFunctions is released before L.Push() and L.PCall() execute. Since gopher-lua's LState is explicitly not goroutine-safe, concurrent requests race on the shared state causing Lua VM corruption. The Go race detector confirms this immediately under modest concurrency (ab -n 1000 -c 100). This vulnerability is fixed in 1.17.6.
CWE-362 An improper validation of the search parameter of the com_media files API endpoint leads to a path traversal vulnerability
An improper validation of the search parameter of the com_media files API endpoint leads to a path traversal vulnerability.
joomlaCWE-22An improper validation of user-supplied input leads to a local file inclusion vulnerability
An improper validation of user-supplied input leads to a local file inclusion vulnerability.
joomlaCWE-22An improper access check allows unauthorized access to com_config webservice endpoints
An improper access check allows unauthorized access to com_config webservice endpoints.
joomlaCWE-284Improperly validated order clauses lead to a SQL injection vulnerability in com_tags
Improperly validated order clauses lead to a SQL injection vulnerability in com_tags.
joomlaCWE-89Improperly built filter clauses lead to a SQL injection vulnerability in the search query for com_finder
Improperly built filter clauses lead to a SQL injection vulnerability in the search query for com_finder.
joomlaCWE-89Lack of CSRF token validation lead to a CSRF attack vector in the admin activation endpoint of com_users
Lack of CSRF token validation lead to a CSRF attack vector in the admin activation endpoint of com_users.
joomlaCWE-352Lack of output escaping leads to a XSS vector in the readmore links for com_content
Lack of output escaping leads to a XSS vector in the readmore links for com_content.
joomlaCWE-79Lack of output escaping leads to a XSS vector in the content history component
Lack of output escaping leads to a XSS vector in the content history component.
joomlaCWE-79- CVE-2026-22642026-05-26
A vulnerability in the Google Cloud Apigee SetIntegrationRequest policy allowed remote attackers to perform Server-Side Request Forgery (...
A vulnerability in the Google Cloud Apigee SetIntegrationRequest policy allowed remote attackers to perform Server-Side Request Forgery (SSRF) and exfiltrate service account access tokens. For successful exploitation, an administrator must initially establish an insecure configuration of the API proxy.
CWE-918 Lack of output escaping leads to a XSS vector in the multilingual associations component
Lack of output escaping leads to a XSS vector in the multilingual associations component.
joomlaCWE-79Lack of output escaping leads to a XSS vector in the feed modules
Lack of output escaping leads to a XSS vector in the feed modules.
joomlaCWE-79
Weekly digest
Get the curated CVE digest every Monday
One email a week, sent Monday morning CET. The CVEs published or modified in the last seven days, severity-ordered, with the QSearch coverage signal. Unsubscribe with one click — included in every send.
Pipe the CVE feed into your stack.
CVE Watch publishes RSS, Atom, and JSON feeds — wire them into your SIEM, Slack, Discord, or your RSS reader of choice. Or get the curated weekly digest by email.