CVE-2026-10860 let a low-privileged galaxy editor delete another organisation's galaxy in MISP through a delete-path validation bypass
CVE-2026-54256 let any authenticated backend user in Winter CMS target unrelated attachment records through the backend FileUpload widget
CVE-2026-55383 let public customer document tokens cross company boundaries in InvoiceShelf through EmailLog type confusion and missing expiry checks