Sentinel update: CVE records published for Arelle, Detect-It-Easy, and prior findings
This Sentinel update covers CVE records public as of May 4, 2026. CVE.org now lists fourteen Mobasi-related Sentinel records, including two additional tool disclosures and CVE assignments for earlier public findings.
New CVE-backed disclosures
Two more reviews are now reflected in the public index. Both records were assigned by VulnCheck and have upstream fixes available.
- CVE-2026-42796 - Arelle
  Unauthenticated remote code execution through the /rest/configure endpoint before 2.39.10.
- CVE-2026-43616 - Detect-It-Easy
  Path traversal during archive extraction before 3.21, allowing arbitrary file writes.
CVE assignments for prior disclosures
We also replaced advisory and pull-request links in the Sentinel index with official CVE.org record links where CVEs now exist. The Ghidra record was assigned by Austin Hackers Anonymous; the remaining records below were assigned by VulnCheck.
- CVE-2026-4946 - Ghidra annotation command execution
- CVE-2026-40036 - Unfurl unbounded zlib decompression denial of service
- CVE-2026-40035 - Unfurl Werkzeug debugger exposure
- CVE-2026-40032 - UAC placeholder substitution command injection
- CVE-2026-40031 - MemProcFS DLL/shared library hijacking
- CVE-2026-40030 - parseusbs volume path command injection
- CVE-2026-40029 - parseusbs LNK filename command injection
- CVE-2026-40028 - Hayabusa HTML report XSS
- CVE-2026-40027 - ALEAPP NQ Vault path traversal
- CVE-2026-40026 - Sleuth Kit ISO9660 SUSP out-of-bounds read
- CVE-2026-40025 - Sleuth Kit APFS keybag out-of-bounds read
- CVE-2026-40024 - Sleuth Kit tsk_recover path traversal
Current Sentinel index
The Sentinel page remains the running public index of disclosed vulnerabilities and remediation status across our reviews.
